RE: [Declude.JunkMail] Combo Filter
Hi John,

Yup that was a typo. File name is Combo_CMDSPACE_Sniffer.txt as per the line in GLOBAL.CFG

That is what happens when I type in stuff late at night and don't copy/paste...

Yesterday this combo filter triggered on

COMBO-CMDSPACE-SNIFFER 34.79%

Of my mail. This is a typical rate.

Goran Jovanovic
Omega Network Solutions

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of John Carter
> Sent: Saturday, February 11, 2006 12:25 PM
> To: Declude.JunkMail@declude.com
> Subject: RE: [Declude.JunkMail] Combo Filter
>
> Goran, is it possible there is a typo in the filter file name? Shouldn't
> the file name be Combo_CMDSPACE_Sniffer.txt instead of
> COMBO_CMD_SPACE.TXT?
>
> But thanks for the filter. Also plan to try it out in coming week.
>
> John C
>
> -- Original Message --
> From: "Goran Jovanovic" <[EMAIL PROTECTED]>
> Reply-To: Declude.JunkMail@declude.com
> Date: Fri, 10 Feb 2006 22:30:55 -0500
>
> >You don't put that in the GLOBAL.CFG
> >
> >In GLOBAL.CFG
> >
> >COMBO-CMDSPACE-SNIFFER filter C:\IMail\Declude\Filters\Combo_CMDSPACE_Sniffer.txt X 0 0
> >
> >In the file called COMBO_CMD_SPACE.TXT
> >
> >TESTSFAILED END CONTAINS BYPASS
> ># Did it Fail CMDSPACE
> >TESTSFAILED END NOTCONTAINS CMDSPACE
> ># It failed CMDSPACE now check Sniffer
> >TESTSFAILED 10 CONTAINS SNIFFER
> >
> >And in all the $DEFAULT$.JUNKMAIL.TXT files
> >
> >COMBO-CMDSPACE-SNIFFER WARN
> >
> >I Tag @ 10 and Delete @ 30. Adjust paths as required.
> >
> >Goran Jovanovic
> >Omega Network Solutions
> >
> >____
> >
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
> >Sent: Friday, February 10, 2006 2:43 PM
> >To: Declude.JunkMail@declude.com
> >Subject: RE: [Declude.JunkMail] Combo Filter
> >
> >Where do I put these lines in my config files ?
> >
> >Karl Drugge
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
> >Sent: Friday, February 10, 2006 1:45 PM
> >To: Declude.JunkMail@declude.com
> >Subject: RE: [Declude.JunkMail] Combo Filter
> >
> >You the Man!
> >
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> >Sent: Friday, February 10, 2006 11:39 AM
> >To: Declude.JunkMail@declude.com
> >Subject: RE: [Declude.JunkMail] Combo Filter
> >
> >Here you go
> >
> >TESTSFAILED END CONTAINS BYPASS
> >
> ># Did it Fail CMDSPACE
> >TESTSFAILED END NOTCONTAINS CMDSPACE
> >
> ># It failed CMDSPACE now check Sniffer
> >TESTSFAILED 10 CONTAINS SNIFFER
> >
> >Goran Jovanovic
> >Omega Network Solutions
> >
> >--
> >
> >PLEASE NOTE : Florida has a very broad public records law. Most written
> >communications to or from City officials regarding City business are
> >public records available to the public and media upon request. Your
> >E-mail communications may be subject to public disclosure.
>
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
RE: [Declude.JunkMail] Combo Filter
Goran, is it possible there is a typo in the filter file name? Shouldn't the file name be Combo_CMDSPACE_Sniffer.txt instead of COMBO_CMD_SPACE.TXT?

But thanks for the filter. Also plan to try it out in coming week.

John C

-- Original Message --
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
Reply-To: Declude.JunkMail@declude.com
Date: Fri, 10 Feb 2006 22:30:55 -0500

>You don't put that in the GLOBAL.CFG
>
>In GLOBAL.CFG
>
>COMBO-CMDSPACE-SNIFFER filter C:\IMail\Declude\Filters\Combo_CMDSPACE_Sniffer.txt X 0 0
>
>In the file called COMBO_CMD_SPACE.TXT
>
>TESTSFAILED END CONTAINS BYPASS
># Did it Fail CMDSPACE
>TESTSFAILED END NOTCONTAINS CMDSPACE
># It failed CMDSPACE now check Sniffer
>TESTSFAILED 10 CONTAINS SNIFFER
>
>And in all the $DEFAULT$.JUNKMAIL.TXT files
>
>COMBO-CMDSPACE-SNIFFER WARN
>
>I Tag @ 10 and Delete @ 30. Adjust paths as required.
>
>Goran Jovanovic
>Omega Network Solutions
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
>Sent: Friday, February 10, 2006 2:43 PM
>To: Declude.JunkMail@declude.com
>Subject: RE: [Declude.JunkMail] Combo Filter
>
>Where do I put these lines in my config files ?
>
>Karl Drugge
>
>-----Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
>Sent: Friday, February 10, 2006 1:45 PM
>To: Declude.JunkMail@declude.com
>Subject: RE: [Declude.JunkMail] Combo Filter
>
>You the Man!
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
>Sent: Friday, February 10, 2006 11:39 AM
>To: Declude.JunkMail@declude.com
>Subject: RE: [Declude.JunkMail] Combo Filter
>
>Here you go
>
>TESTSFAILED END CONTAINS BYPASS
>
># Did it Fail CMDSPACE
>TESTSFAILED END NOTCONTAINS CMDSPACE
>
># It failed CMDSPACE now check Sniffer
>TESTSFAILED 10 CONTAINS SNIFFER
>
>Goran Jovanovic
>Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
You don't put that in the GLOBAL.CFG

In GLOBAL.CFG

COMBO-CMDSPACE-SNIFFER filter C:\IMail\Declude\Filters\Combo_CMDSPACE_Sniffer.txt x 0 0

In the file called COMBO_CMD_SPACE.TXT

TESTSFAILED END CONTAINS BYPASS
# Did it Fail CMDSPACE
TESTSFAILED END NOTCONTAINS CMDSPACE
# It failed CMDSPACE now check Sniffer
TESTSFAILED 10 CONTAINS SNIFFER

And in all the $DEFAULT$.JUNKMAIL.TXT files

COMBO-CMDSPACE-SNIFFER WARN

I Tag @ 10 and Delete @ 30. Adjust paths as required.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
Sent: Friday, February 10, 2006 2:43 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Where do I put these lines in my config files ?

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, February 10, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

You the Man!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 10, 2006 11:39 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Here you go

TESTSFAILED END CONTAINS BYPASS

# Did it Fail CMDSPACE
TESTSFAILED END NOTCONTAINS CMDSPACE

# It failed CMDSPACE now check Sniffer
TESTSFAILED 10 CONTAINS SNIFFER

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Where do I put these lines in my config files ?

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, February 10, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

You the Man!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 10, 2006 11:39 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Here you go

TESTSFAILED END CONTAINS BYPASS

# Did it Fail CMDSPACE
TESTSFAILED END NOTCONTAINS CMDSPACE

# It failed CMDSPACE now check Sniffer
TESTSFAILED 10 CONTAINS SNIFFER

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] Combo Filter
I like to run combos with Sniffer. It's very effective to combine two high percentage spam tests. I have 10 combo filters that include Sniffer:

Sniffer and my internal IP blacklist
Sniffer and SBL
Sniffer and CBL
Sniffer and MailPolice Block
Sniffer and Spamcop
Sniffer and my DUL filter
Sniffer and my Proxy filter
Sniffer and my automated IP blacklist
Sniffer and CMDSPACE
Sniffer and ASSP Greylist scores of 90%+

- Original Message -
From: Robert Grosshandler
To: Declude.JunkMail@declude.com
Sent: Friday, February 10, 2006 11:30 AM
Subject: RE: [Declude.JunkMail] Combo Filter

Would you be so kind as to post this filter?

Thanks ahead of time

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 8:33 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
You the Man!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 10, 2006 11:39 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Here you go

TESTSFAILED END CONTAINS BYPASS

# Did it Fail CMDSPACE
TESTSFAILED END NOTCONTAINS CMDSPACE

# It failed CMDSPACE now check Sniffer
TESTSFAILED 10 CONTAINS SNIFFER

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Here you go

TESTSFAILED END CONTAINS BYPASS

# Did it Fail CMDSPACE
TESTSFAILED END NOTCONTAINS CMDSPACE

# It failed CMDSPACE now check Sniffer
TESTSFAILED 10 CONTAINS SNIFFER

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, February 10, 2006 12:30 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Would you be so kind as to post this filter?

Thanks ahead of time

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 8:33 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Would you be so kind as to post this filter?

Thanks ahead of time

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 8:33 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
No, Markus, the CMDSPACE is not duplicated inside of Pete's Message Sniffer. What the Declude CMDSPACE test checks for is in the envelope (the Q*.SMD file) and what Message Sniffer checks is the content of the message itself (D*.SMD).

Andrew.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Monday, January 16, 2006 1:01 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

Hi Goran,

I write this because maybe Pete McNeil can clarify it easily.

Does SNIFFER have something inside that can identify CMDSPACE? Only if it's not so it would be a good combo filter.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 3:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:47 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] Combo Filter
Perhaps this would be better asked on the sniffer forum?

- Original Message -
From: Markus Gufler
To: Declude.JunkMail@declude.com
Sent: Monday, January 16, 2006 3:00 AM
Subject: RE: [Declude.JunkMail] Combo Filter

Hi Goran,

I write this because maybe Pete McNeil can clarify it easily.

Does SNIFFER have something inside that can identify CMDSPACE? Only if it's not so it would be a good combo filter.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 3:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:47 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Hi Goran,

I write this because maybe Pete McNeil can clarify it easily.

Does SNIFFER have something inside that can identify CMDSPACE? Only if it's not so it would be a good combo filter.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 14, 2006 3:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Combo Filter

FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:47 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
FYI All,

I did my CMDSPACE and SNIFFER (all categories have not broken it up yet) combo filter and let it run all day yesterday. That filter triggered on 37.6% of my mail. I ran it yesterday with weight 0 and monitored, there were no false positives at all. Turning it on for real today.

Looks like another good test that I am finally adding to my mix.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:47 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] Combo Filter
My experience is that SNIFFER-GENERAL and SNIFFER-EXPERIMENTAL are the two common names for the tests that produce the most such false positives. SNIFFER-GENERAL contains user submitted spam that wasn't already tagged, and unfortunately the userbase tends to report what I consider to be legitimate advertising, and/or the rules generated are overly generic and can hit both the good and the bad.

SNIFFER-EXPERIMENTAL is where most new rules are generated from the spamtraps, and due to the cross checking/qualifying primarily with SURBL, a domain that might have temporarily been a false positive in SURBL can end up living much longer in SNIFFER-EXPERIMENTAL than it does in SURBL.

On my system in order to lessen the impact of these things, I have been collecting CIDR ranges and reverse DNS entries for bulk-mail services as well as individual bulk-mailers (such as amazon.com, etc.) so that I can treat this E-mail differently by disabling/crediting back points for certain tests. It was a huge undertaking, but it was very much worth it since there seemed to be a never ending stream of random false positives and I got sick of whitelisting E-mail campaigns one at a time.

I still score Sniffer at full points for these things, but I credit back points for tests that are primarily targeted at zombies such as BADHEADERS. Essentially it takes a hit from at least two of SURBL, SNIFFER and SPAMCOP to block one of these whereas before just one of these would result in blocking when combined with the other types of tests. I also segregate blocked E-mail from this classification so that it isn't mixed in with the unspecified held messages, making it easier to do review.

Matt

Markus Gufler wrote:

Matt

for this case I recommend using

TESTSFAILED END CONTAINS SNIFFER-TRAVEL
TESTSFAILED END CONTAINS SNIFFER-INSUR
TESTSFAILED END CONTAINS SNIFFER-AV
TESTSFAILED END CONTAINS SNIFFER-MEDIA
TESTSFAILED END CONTAINS SNIFFER-SWARE
TESTSFAILED END CONTAINS SNIFFER-SNAKE
TESTSFAILED END CONTAINS SNIFFER-SCAMS
TESTSFAILED END CONTAINS SNIFFER-PORN
TESTSFAILED END CONTAINS SNIFFER-MALWARE
TESTSFAILED END CONTAINS SNIFFER-INK
TESTSFAILED END CONTAINS SNIFFER-CREDIT
TESTSFAILED END CONTAINS SNIFFER-CASINO
TESTSFAILED END CONTAINS SNIFFER-OBFUSC
TESTSFAILED END CONTAINS SNIFFER-GENERAL

and maybe also

TESTSFAILED END CONTAINS SNIFFER-RICH

instead of

TESTSFAILED 10 CONTAINS SNIFFER

...for the initial end statement(s) in the combo-filter.

This because only two or three SNIFFER exit codes seem not to be very reliable (even if they are still good): 61, 63 and maybe also 57.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 10:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Matt

for this case I recommend using

TESTSFAILED END CONTAINS SNIFFER-TRAVEL
TESTSFAILED END CONTAINS SNIFFER-INSUR
TESTSFAILED END CONTAINS SNIFFER-AV
TESTSFAILED END CONTAINS SNIFFER-MEDIA
TESTSFAILED END CONTAINS SNIFFER-SWARE
TESTSFAILED END CONTAINS SNIFFER-SNAKE
TESTSFAILED END CONTAINS SNIFFER-SCAMS
TESTSFAILED END CONTAINS SNIFFER-PORN
TESTSFAILED END CONTAINS SNIFFER-MALWARE
TESTSFAILED END CONTAINS SNIFFER-INK
TESTSFAILED END CONTAINS SNIFFER-CREDIT
TESTSFAILED END CONTAINS SNIFFER-CASINO
TESTSFAILED END CONTAINS SNIFFER-OBFUSC
TESTSFAILED END CONTAINS SNIFFER-GENERAL

and maybe also

TESTSFAILED END CONTAINS SNIFFER-RICH

instead of

TESTSFAILED 10 CONTAINS SNIFFER

...for the initial end statement(s) in the combo-filter.

This because only two or three SNIFFER exit codes seem not to be very reliable (even if they are still good): 61, 63 and maybe also 57.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 10:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] Combo Filter
That sounds about right from where I sit.

You might also think about doing a combo with DUL lists and CMDSPACE, (timeout) with CMDSPACE, and [no reverse DNS] with CMDSPACE. All three of these things are highly associated with zombies, and they are also isolated in terms of the conditions that generate the hits.

Matt

Goran Jovanovic wrote:

Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Ok I tag at 10 and delete at 30

Currently CMDSPACE is 8, SNIFFER is 7 so the combo of these two could be 10? That would make it 25 (not including the default -8 from IPNOTINMX and NOLEGIT) which would still require something else to delete the message.

Goran Jovanovic
Omega Network Solutions

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 12, 2006 4:04 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Combo Filter

Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] Combo Filter
Definitely.

One of the better points to this combination is that both tests are completely isolated from one another.

The only danger is that some bulk E-mail software/providers will trigger CMDSPACE, and Sniffer does have a moderate problem with false positives on bulk E-mail, IMO, so you might get a few false positives on this.

Matt

Goran Jovanovic wrote:

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo Filter
Hi Goran,

We use CMDSPACE and SNIFFER as a combo and push it to our delete weight; effective.

Also we use CMDSPACE and INV-URIBL as a combo; effective but we weigh it slightly lower and push it to our spam weight.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, January 12, 2006 9:40 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Combo Filter

Hi,

Would CMDSPACE and SNIFFER be a good combo test to have? I already have some other combos with SNIFFER.

Thanx

Goran Jovanovic
Omega Network Solutions
RE: [Declude.JunkMail] Combo filter not working..
WOW... Matt you are a genius..

I have looked at that filter for over a week and did not even think of the tab.. YES there was a tab and that should explain it.

Now let's see if it works..

Thanks again for seeing what could not be seen..

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, December 20, 2004 9:06 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Combo filter not working..

That should work. Would you please include your Global.cfg lines for the involved tests just to see if there is an oversight there.

I also noted that following the first TESTSFAILED entry, there is a tab character following [SPF.FAIL]. If that tab exists within your filter file, that would be the issue. You should of course check all of the lines and make sure that no stray unintended characters follow.

Matt

Kami Razvan wrote:

>Hi;
>
>I have one filter that is killing me and it just does not make sense
>for it not to work.
>
>Here is an example of a message that should have triggered it but it
>has not.
>
> Log file ===
>12/20/2004 04:52:48 Qa0e1026302703444 NOT bypassing whitelisting of E-mail with weight >=25 (34) and at least 2 recipients (1).
>12/20/2004 04:52:49 Qa0e1026302703444 L1 Message OK
>12/20/2004 04:52:49 Qa0e1026302703444 Subject: $250 Shopping Gift Card is pending shipping authorization: confirmation needed X3SFG45
>12/20/2004 04:52:49 Qa0e1026302703444 From: [EMAIL PROTECTED] To: Joanna@.org IP: 207.244.49.16 ID: 133E6507877
>12/20/2004 04:52:49 Qa0e1026302703444 Tests failed [weight=34]: [SPF.FAIL]=WARN [HELOBOGUS]=WARN [IPNOTINMX]=WARN [NOLEGITCONTENT]=WARN [LONGSUBJ]=WARN [LINK.BODY]=IGNORE [COMBO.LINK]=WARN [FILTER.SUBJECT.NUMBER]=IGNORE [SPAM.ENVELOPE]=WARN WEIGHT-REDIRECT-SPAM-S=SUBJECT WEIGHT-REDIRECT-SPAM-R=ROUTETO
>12/20/2004 04:52:49 Qa0e1026302703444 Last action = IGNORE.
>==
>
>Here is the filter:
>
># [Elevate.SPFFAIL]
>
>TESTSFAILED END NOTCONTAINS [SPF.FAIL]
>TESTSFAILED END NOTCONTAINS [COMBO.LINK]
>
>TESTSFAILED 0 CONTAINS [NOLEGITCONTENT]
>TESTSFAILED 0 CONTAINS [HEUR
>TESTSFAILED 0 CONTAINS [REVDNS]
>
>===
>
>Based on the log file entries the following tests have failed:
>
>[SPF.FAIL]=WARN
>[HELOBOGUS]=WARN
>[IPNOTINMX]=WARN
>[NOLEGITCONTENT]=WARN
>[LONGSUBJ]=WARN
>[LINK.BODY]=IGNORE
>[COMBO.LINK]=WARN
>[FILTER.SUBJECT.NUMBER]=IGNORE
>[SPAM.ENVELOPE]=WARN
>WEIGHT-REDIRECT-SPAM-S=SUBJECT
>WEIGHT-REDIRECT-SPAM-R=ROUTETO
>
>Since [SPF.FAIL], [COMBO.LINK], and [NOLEGITCONTENT] have all failed
>then I expect this filter to trigger.
>
>Any ideas why it is not?
>
>Regards,
>Kami

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.JunkMail] Combo filter not working..
That should work. Would you please include your Global.cfg lines for the involved tests just to see if there is an oversight there.

I also noted that following the first TESTSFAILED entry, there is a tab character following [SPF.FAIL]. If that tab exists within your filter file, that would be the issue. You should of course check all of the lines and make sure that no stray unintended characters follow.

Matt

Kami Razvan wrote:

Hi;

I have one filter that is killing me and it just does not make sense for it not to work.

Here is an example of a message that should have triggered it but it has not.

Log file ===
12/20/2004 04:52:48 Qa0e1026302703444 NOT bypassing whitelisting of E-mail with weight >=25 (34) and at least 2 recipients (1).
12/20/2004 04:52:49 Qa0e1026302703444 L1 Message OK
12/20/2004 04:52:49 Qa0e1026302703444 Subject: $250 Shopping Gift Card is pending shipping authorization: confirmation needed X3SFG45
12/20/2004 04:52:49 Qa0e1026302703444 From: [EMAIL PROTECTED] To: Joanna@.org IP: 207.244.49.16 ID: 133E6507877
12/20/2004 04:52:49 Qa0e1026302703444 Tests failed [weight=34]: [SPF.FAIL]=WARN [HELOBOGUS]=WARN [IPNOTINMX]=WARN [NOLEGITCONTENT]=WARN [LONGSUBJ]=WARN [LINK.BODY]=IGNORE [COMBO.LINK]=WARN [FILTER.SUBJECT.NUMBER]=IGNORE [SPAM.ENVELOPE]=WARN WEIGHT-REDIRECT-SPAM-S=SUBJECT WEIGHT-REDIRECT-SPAM-R=ROUTETO
12/20/2004 04:52:49 Qa0e1026302703444 Last action = IGNORE.
==

Here is the filter:

# [Elevate.SPFFAIL]

TESTSFAILED END NOTCONTAINS [SPF.FAIL]
TESTSFAILED END NOTCONTAINS [COMBO.LINK]

TESTSFAILED 0 CONTAINS [NOLEGITCONTENT]
TESTSFAILED 0 CONTAINS [HEUR
TESTSFAILED 0 CONTAINS [REVDNS]

===

Based on the log file entries the following tests have failed:

[SPF.FAIL]=WARN
[HELOBOGUS]=WARN
[IPNOTINMX]=WARN
[NOLEGITCONTENT]=WARN
[LONGSUBJ]=WARN
[LINK.BODY]=IGNORE
[COMBO.LINK]=WARN
[FILTER.SUBJECT.NUMBER]=IGNORE
[SPAM.ENVELOPE]=WARN
WEIGHT-REDIRECT-SPAM-S=SUBJECT
WEIGHT-REDIRECT-SPAM-R=ROUTETO

Since [SPF.FAIL], [COMBO.LINK], and [NOLEGITCONTENT] have all failed then I expect this filter to trigger.

Any ideas why it is not?

Regards,
Kami

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
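The stray-tab failure diagnosed in the message above can be reproduced with a small model of the filter; this is an added example, not part of the original thread and not Declude's own code. It assumes the match text runs to the end of the line (trailing whitespace included), that matching is a plain substring test against the "Tests failed" string from the log, and that the filter triggers when a weighted CONTAINS line matches before an END line fires; `parse`, `lint`, `clean` and `evaluate` are hypothetical helper names.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Rule shape used in the thread: TESTSFAILED <END|weight> <CONTAINS|NOTCONTAINS> <text>
# Assumption: the match text runs to the end of the line, so a trailing tab
# or space becomes part of the string that is searched for.
RULE = re.compile(
    r"^TESTSFAILED[ \t]+(END|-?\d+)[ \t]+(NOTCONTAINS|CONTAINS)[ \t]*(.*)$"
)


class Rule(NamedTuple):
    lineno: int
    action: str  # "END" or an integer weight, kept as text
    op: str      # "CONTAINS" or "NOTCONTAINS"
    text: str    # match text, trailing whitespace preserved


class Outcome(NamedTuple):
    triggered: bool
    weight: int
    ended_at: Optional[int]  # line number of the END rule that fired, if any


def parse(filter_text: str) -> List[Rule]:
    """Parse TESTSFAILED rules, skipping blank lines and # comments."""
    rules = []
    for lineno, raw in enumerate(filter_text.split("\n"), start=1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        rules.append(Rule(lineno, m.group(1), m.group(2), m.group(3)))
    return rules


def lint(filter_text: str) -> List[Tuple[int, str]]:
    """Return (line number, match text) for rules ending in whitespace."""
    return [(r.lineno, r.text) for r in parse(filter_text)
            if r.text != r.text.rstrip()]


def clean(filter_text: str) -> str:
    """Strip trailing spaces and tabs from every line of the filter."""
    return "\n".join(line.rstrip() for line in filter_text.split("\n"))


def evaluate(rules: List[Rule], tests_failed: str) -> Outcome:
    """Walk the rules in order; a matching END rule stops processing."""
    triggered, weight = False, 0
    for r in rules:
        present = r.text in tests_failed
        hit = present if r.op == "CONTAINS" else not present
        if not hit:
            continue
        if r.action == "END":
            return Outcome(triggered, weight, r.lineno)
        triggered = True
        weight += int(r.action)
    return Outcome(triggered, weight, None)


# The "Tests failed" string from the log quoted in the thread.
TESTS_FAILED = (
    "[SPF.FAIL]=WARN [HELOBOGUS]=WARN [IPNOTINMX]=WARN [NOLEGITCONTENT]=WARN "
    "[LONGSUBJ]=WARN [LINK.BODY]=IGNORE [COMBO.LINK]=WARN "
    "[FILTER.SUBJECT.NUMBER]=IGNORE [SPAM.ENVELOPE]=WARN"
)

# The filter from the thread, reconstructed with tab separators and the
# stray tab after [SPF.FAIL] that the reply points out (constructed sample).
FILTER_WITH_TAB = (
    "# [Elevate.SPFFAIL]\n"
    "TESTSFAILED\tEND\tNOTCONTAINS\t[SPF.FAIL]\t\n"
    "TESTSFAILED\tEND\tNOTCONTAINS\t[COMBO.LINK]\n"
    "\n"
    "TESTSFAILED\t0\tCONTAINS\t[NOLEGITCONTENT]\n"
    "TESTSFAILED\t0\tCONTAINS\t[HEUR\n"
    "TESTSFAILED\t0\tCONTAINS\t[REVDNS]\n"
)

if __name__ == "__main__":
    for lineno, text in lint(FILTER_WITH_TAB):
        print(f"line {lineno}: trailing whitespace in match text {text!r}")
    print("as written:", evaluate(parse(FILTER_WITH_TAB), TESTS_FAILED))
    print("cleaned:   ", evaluate(parse(clean(FILTER_WITH_TAB)), TESTS_FAILED))
```

With the tab in place the first NOTCONTAINS rule searches for "[SPF.FAIL]" followed by a tab, finds nothing, and ends the filter on its first rule; once trailing whitespace is stripped the same message reaches the [NOLEGITCONTENT] line.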
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
> i just get a message with the subject: "SEHBEHINDERTER VON
> AUSLAENDERN VERPRUEGELT"
> it looks like sober.h but i can not find this subject in any
> description of this thing.

Hi Markus,

Thank you for this information.

Now this is my current list of subject filters.

SUBJECT 200 CONTAINS ASYLANT QUAELTE TIERE BRUTAL ZU TODE
SUBJECT 200 CONTAINS ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN
SUBJECT 200 CONTAINS Auf Kosten der deutschen Beitragszahler und Rentner!
SUBJECT 200 CONTAINS Augen auf! (So sieht es aus!)
SUBJECT 200 CONTAINS Auslaender erschleichen sich zunehmend Sozialleistungen
SUBJECT 200 CONTAINS Auslaenderanteile in Schweizer Gefaengnissen
SUBJECT 200 CONTAINS AUSLAENDERGEWALT BEIM HAFENGEBURTSTAG
SUBJECT 200 CONTAINS Auslaendergewalt: Herr Rau, wo waren Sie?
SUBJECT 200 CONTAINS Auslaenderkriminalitaet steigt weiter!
SUBJECT 200 CONTAINS Bankrott des Gesundheitswesens durch Auslaender!
SUBJECT 200 CONTAINS Bin ich zu weltfremd? Ich glaube wohl kaum
SUBJECT 200 CONTAINS Das kann unmoeglich sein -Leserbrief-
SUBJECT 200 CONTAINS DEUTSCHES MAEDCHEN FAST VERGEWALTIGT
SUBJECT 200 CONTAINS Die Deform der sozialen Ordnung
SUBJECT 200 CONTAINS Diplomatische Zensur
SUBJECT 200 CONTAINS EU Beitritt der Tuerkei ?
SUBJECT 200 CONTAINS EU gibt Erwerbslosen volle Freizuegigkeit
SUBJECT 200 CONTAINS Garather klagen ueber eskalierende Gewalt im Stadtteil!
SUBJECT 200 CONTAINS Geschrieben von Margrit am 07. April 2004
SUBJECT 200 CONTAINS Libanesen in Berlin
SUBJECT 200 CONTAINS Marokkanischer Wiederholungstaeter vergewaltigte 17-jaehriges Maedel
SUBJECT 40 CONTAINS Medienzensur
SUBJECT 200 CONTAINS Mehr fuer Auslaender als fuer Deutsche tun!
SUBJECT 200 CONTAINS Moschee-Bau in Deutschland
SUBJECT 200 CONTAINS MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER
SUBJECT 200 CONTAINS Nein zum Zuwanderungsgesetz !
SUBJECT 200 CONTAINS Neue Voelkerwanderung droht!
SUBJECT 200 CONTAINS Paradies Bundesrepublik - Rente fuer die Welt -
SUBJECT 200 CONTAINS Polizei traute sich nicht, kriminellen Auslaender festzunehmen
SUBJECT 200 CONTAINS Richter unterstuetzt kriminelle Auslaenderin
SUBJECT 200 CONTAINS SEHBEHINDERTER VON AUSLAENDERN VERPRUEGELT
SUBJECT 200 CONTAINS Skandal in Berlin
SUBJECT 200 CONTAINS Skandalurteil in Darmstadt
SUBJECT 200 CONTAINS So sieht die Wahrheit aus!
SUBJECT 200 CONTAINS TUERKEN-TERROR AM HIMMELFAHRTSTAG
SUBJECT 200 CONTAINS Was Deutschland braucht, sind deutsche Kinder!
SUBJECT 200 CONTAINS Wer an ein Tabu ruehrt, muss und darf vernichtet werden
SUBJECT 200 CONTAINS Wir haben die Auslaender doch geholt?!

I don't know what version of virus these zombies are running. All these spam messages are clean and contain only a text part.

Markus
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
> Odd thing is I was nailing some of your email with
> interbusiness.it and I don't see that anywhere in the headers
> of your current messages

This is because I used our webmail interface to guarantee that anyone can read this message even if he's blocking messages sent from an IP that is listed in certain IP-blacklists.

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi Markus!

Getting your messages now, for me the solution was as simple as allowing email through with [declude in the subject, I don't like blocking by IP unless it's a "legit" email marketing company who doesn't change IP addresses and with the nifty new remoteip 0 cidr filtering capability it's easy to bypass the ip blocking.

Odd thing is I was nailing some of your email with interbusiness.it and I don't see that anywhere in the headers of your current messages

I do punish dot info and dot biz quite severely with weight, aside from your dot info domain the other 799,999 are suspect to me :-)

your English is great, it's a lot better than quite a few groups of people here in the US

Rick Davidson
National Systems Manager
North American Title Group
440-953-9346 - Office
440-953-0925 - Fax
440-487-7344 - Mobile
[EMAIL PROTECTED]

----- Original Message -----
From: "Gufler Markus" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 5:45 PM
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> Hopefully it's not because my email-address is an info domain. Over 2 years ago (March 2002) there was registered already over 80 info domains around the world. As I know on the IPSwitch website you can't subscribe to the newsletter because ".info is not a valid top level domain"
> Looks like internet is old enough now to have also some conservative people inside ;-)
>
> I assume that most of my messages will be filtered because the dynamic IP addresses of our DSL-connection is listed in more or less IP-Blacklists. This not because we're an open relay but because this are dynamic IP's and the entire class B range seems to be blacklisted (at least temporary).
> I can understand that most people in oversea can see more spam than legit messages coming from this IPs. And I can understand if someone decides to punish them.
> We also assign a small weight to any message coming from the USA because from the 26% of all messages coming from the USA only 3% are legit messages.
> This should not be a punishment for a country, but it's simple mathematic logic to improve our spam filters detection rate.
>
> Maybe you can see this message only because I send them - for this time - through the webmail interface and so from a "clean" IP address.
>
> What I would suggest is that anyone reading messages in this list should try to whitelist declude list messages.
> There are several cases that declude list messages "contains" suspicious content: spam examples, filter definitions, or simple help request from an admin that has an IP blacklisted mailserver.
>
> If you don't whitelist declude list messages very probably you're missing some important information.
>
> As I can understand, the best way to whitelist declude messages is to whitelist the IP of the declude list server:
>
> Simply put
>
> WHITELIST IP 68.162.218.198
>
> in your global.cfg line.
>
> Hope this helps, and you can understand my "english"
>
> ---
> Gufler Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hopefully it's not because my email-address is an info domain. Over 2 years ago (March 2002) there was registered already over 80 info domains around the world. As I know on the IPSwitch website you can't subscribe to the newsletter because ".info is not a valid top level domain"
Looks like internet is old enough now to have also some conservative people inside ;-)

I assume that most of my messages will be filtered because the dynamic IP addresses of our DSL-connection is listed in more or less IP-Blacklists. This not because we're an open relay but because this are dynamic IP's and the entire class B range seems to be blacklisted (at least temporary).
I can understand that most people in oversea can see more spam than legit messages coming from this IPs. And I can understand if someone decides to punish them.
We also assign a small weight to any message coming from the USA because from the 26% of all messages coming from the USA only 3% are legit messages.
This should not be a punishment for a country, but it's simple mathematic logic to improve our spam filters detection rate.

Maybe you can see this message only because I send them - for this time - through the webmail interface and so from a "clean" IP address.

What I would suggest is that anyone reading messages in this list should try to whitelist declude list messages.
There are several cases that declude list messages "contains" suspicious content: spam examples, filter definitions, or simple help request from an admin that has an IP blacklisted mailserver.

If you don't whitelist declude list messages very probably you're missing some important information.

As I can understand, the best way to whitelist declude messages is to whitelist the IP of the declude list server:

Simply put

WHITELIST IP 68.162.218.198

in your global.cfg line.

Hope this helps, and you can understand my "english"

---
Gufler Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
found it, the .info wasn't helping but I was blocking interbusiness.it

he is getting thru now

thanks for your help guys

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Scott Fisher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 1:11 PM
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

he's a .info could that be it?

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/10/04 11:50AM >>>
Thanks again,

Can you send me the headers from Markus's email so I can figure out what's grabbing his email, over the years he has been a useful contributor here so I would like to see his posts

thanks for your time

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Franco Celli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 12:30 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> >> I think it's easier for you to download them from the author
> >> Markus Gufler:
> >> http://www.zcom.it/decludeupdater/polit_filter.zip
> >>
> >
> >Please forward him also the part he needs for the global.cfg file
> >
> >POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0
> >POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0
> >POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0
> >
> >Markus
>
> ---
> Extract from the first message from Markus
> (Someone could have missed it)
> ---
>
> POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
> # contains different typical body keywords
> # in any case 0 points
>
> POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
> # all this messages contains ".qmail@" in the header (message-id part)
> # in any case 0 points
>
> POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
> # All messages doesn't contain any german "umlaut" and special characters (ä, ö, ü, ß)
> # in any case 0 points
> # should avoid false positives
>
> POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
> # The logic behind this filter:
> # skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
> # skip if any special german character (POLIT-UMLAUT) was found
> # Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string)
> --
>
> Franco Celli
>
> ---
> [Quipo ISP - This E-mail was scanned for viruses by Declude Virus]
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Sorry I can't post headers, I was reading the list in digest mode (no headers) and followed the post through the web archive.

Franco Celli

----- Original Message -----
From: "Scott Fisher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 7:11 PM
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

he's a .info could that be it?

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/10/04 11:50AM >>>
Thanks again,

Can you send me the headers from Markus's email so I can figure out what's grabbing his email, over the years he has been a useful contributor here so I would like to see his posts

thanks for your time

Rick Davidson
National Systems Manager
North American Title Group
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
he's a .info could that be it?

Scott Fisher
Director of IT
Farm Progress Companies

>>> [EMAIL PROTECTED] 06/10/04 11:50AM >>>
Thanks again,

Can you send me the headers from Markus's email so I can figure out what's grabbing his email, over the years he has been a useful contributor here so I would like to see his posts

thanks for your time

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Franco Celli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 12:30 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> >> I think it's easier for you to download them from the author
> >> Markus Gufler:
> >> http://www.zcom.it/decludeupdater/polit_filter.zip
> >>
> >
> >Please forward him also the part he needs for the global.cfg file
> >
> >POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0
> >POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0
> >POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0
> >
> >Markus
>
> ---
> Extract from the first message from Markus
> (Someone could have missed it)
> ---
>
> POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
> # contains different typical body keywords
> # in any case 0 points
>
> POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
> # all this messages contains ".qmail@" in the header (message-id part)
> # in any case 0 points
>
> POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
> # All messages doesn't contain any german "umlaut" and special characters (ä, ö, ü, ß)
> # in any case 0 points
> # should avoid false positives
>
> POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
> # The logic behind this filter:
> # skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
> # skip if any special german character (POLIT-UMLAUT) was found
> # Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string)
> --
>
> Franco Celli
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Thanks again,

Can you send me the headers from Markus's email so I can figure out what's grabbing his email, over the years he has been a useful contributor here so I would like to see his posts

thanks for your time

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Franco Celli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 12:30 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> >> I think it's easier for you to download them from the author
> >> Markus Gufler:
> >> http://www.zcom.it/decludeupdater/polit_filter.zip
> >>
> >
> >Please forward him also the part he needs for the global.cfg file
> >
> >POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0
> >POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0
> >POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0
> >
> >Markus
>
> ---
> Extract from the first message from Markus
> (Someone could have missed it)
> ---
>
> POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
> # contains different typical body keywords
> # in any case 0 points
>
> POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
> # all this messages contains ".qmail@" in the header (message-id part)
> # in any case 0 points
>
> POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
> # All messages doesn't contain any german "umlaut" and special characters (ä, ö, ü, ß)
> # in any case 0 points
> # should avoid false positives
>
> POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
> # The logic behind this filter:
> # skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
> # skip if any special german character (POLIT-UMLAUT) was found
> # Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string)
> --
>
> Franco Celli
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
>> I think it's easier for you to download them from the author
>> Markus Gufler:
>> http://www.zcom.it/decludeupdater/polit_filter.zip
>>
>
>Please forward him also the part he needs for the global.cfg file
>
>POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0
>POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0
>POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0
>
>Markus

---
Extract from the first message from Markus
(Someone could have missed it)
---

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all this messages contains ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# All messages doesn't contain any german "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special german character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all this messages has a random generated helo string)
--

Franco Celli
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
> I think it's easier for you to download them from the author
> Markus Gufler:
> http://www.zcom.it/decludeupdater/polit_filter.zip
>

Please forward him also the part he needs for the global.cfg file

POLIT-CONTENT filter C:\IMail\Declude\filter_polit_content.txt x 0 0
POLIT-QMAIL filter C:\IMail\Declude\filter_polit_qmail.txt x 0 0
POLIT-COMBO filter C:\IMail\Declude\filter_polit_COMBO.txt x 0 0

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Many Thanks!

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Franco Celli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 11:18 AM
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> Rick,
> I think it's easier for you to download them from the author Markus Gufler:
> http://www.zcom.it/decludeupdater/polit_filter.zip
>
> I just used his filters.
>
> ---
> Franco Celli
> [EMAIL PROTECTED]
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
> I apparently am blocking some IP space from some of you folks
> over seas and did not see the email that started this thread
> or get the filters that were posted.

Please, can someone explain to people blocking certain IP addresses that they may lose/miss certain information?

Rick, hopefully you can read this in a reply from someone other.

The COMBO filter file you can download from http://www.zcom.it/decludeupdater/polit_filter.zip are the more complete solution.

The simple solution would be to filter for a list of subject lines I've posted an hour ago. I've heard something about new subject lines and will try to keep you up-to-date...

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Rick,
I think it's easier for you to download them from the author Markus Gufler:
http://www.zcom.it/decludeupdater/polit_filter.zip

I just used his filters.

---
Franco Celli
[EMAIL PROTECTED]
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
I am seeing a lot of these German emails here in the US. I just got a bunch of postmaster bounces containing info like this:

>>>> Invalid final delivery userid: [EMAIL PROTECTED] Command 'invalid' not recognized.
>>>> Invalid final delivery userid: [EMAIL PROTECTED] Command 'invalid' not recognized.
>>>> Invalid final delivery userid: [EMAIL PROTECTED] Command 'invalid' not recognized.
>>>> Invalid final delivery userid: [EMAIL PROTECTED] Command 'invalid' not recognized.
>>>> Invalid final delivery userid: [EMAIL PROTECTED] Command 'invalid' not recognized.

I apparently am blocking some IP space from some of you folks overseas and did not see the email that started this thread or get the filters that were posted.

Franco, can you send me the filters for this German spam?

Thanks!

Rick Davidson
National Systems Manager
North American Title Group

----- Original Message -----
From: "Franco Celli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 9:38 AM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

> Hi,
> I'm from Italy.
> I have been receiving such messages since last night. As far as I can see it is spreading
> with a pattern resembling a virus; messages arrived at postmaster, info and
> similar mailboxes. I believe it is in effect the payload of a virus.
> With the filter you submitted I see many messages still arriving to our
> users. It also seems the sender is forged, as I noticed a copy sent from a
> local mail address (one of my colleagues) but from an incompatible IP.
>
> BTW thanks for your filters, it would have been difficult to detect in a
> foreign language.
>
> ---
> Franco Celli
> [EMAIL PROTECTED]
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi,
I'm from Italy.
I have been receiving such messages since last night. As far as I can see it is spreading with a pattern resembling a virus; messages arrived at postmaster, info and similar mailboxes. I believe it is in effect the payload of a virus.
With the filter you submitted I see many messages still arriving to our users. It also seems the sender is forged, as I noticed a copy sent from a local mail address (one of my colleagues) but from an incompatible IP.

BTW thanks for your filters, it would have been difficult to detect in a foreign language.

---
Franco Celli
[EMAIL PROTECTED]
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
We are Italian, based in the north of Italy, .it domain, but German speaking and with mostly German customers. So I wasn't sure if there is some "intelligent" delivery to German recipients.

BTW: These messages come from Sober.G infected systems.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 10, 2004 3:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi,

We are Dutch, based in the Netherlands and we have a .nl domain name. So it's at least more than just .de domains that get spammed. It looks like these mails are news reports which are sent to various addresses.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:23 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Same here. I've updated and simplified the initially posted filters several times in the last hours. For best results please download the newest filter files from http://www.zcom.it/decludeupdater/polit_filter.zip

I'm interested if this wave of spam mails is a global phenomenon, or if they are able to restrict delivery to recipients of a certain language/country. Any info?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 10, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi,

Spammers are getting smart. This spam did not fail any of the tests we have in place using (near) default Declude tests. It scored 0 points.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for German/European email admins:

Some hours ago someone/something started to send German messages through the internet containing political statements. At first it seems very difficult to filter out this type of message coming from different IPs.

But with the following COMBO filters I can see excellent results:

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all these messages contain ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# the messages don't contain any German "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special German character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all these messages have a randomly generated HELO string)

Filter files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Bonno Bloksma wrote:

> Hi,
>
> We are Dutch, based in the Netherlands and we have a .nl domain name. So it's at least more than just .de domains that get spammed. It looks like these mails are news reports which are sent to various addresses.

Same here: Dutch based and .nl domain.

Erminio
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Sorry, there are some new entries

SUBJECT 0 CONTAINS ASYLANT QUAELTE TIERE BRUTAL ZU TODE
SUBJECT 0 CONTAINS ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN
SUBJECT 0 CONTAINS Auf Kosten der deutschen Beitragszahler und Rentner!
SUBJECT 0 CONTAINS Augen auf! (So sieht es aus!)
SUBJECT 0 CONTAINS Auslaender erschleichen sich zunehmend Sozialleistungen
SUBJECT 0 CONTAINS Auslaenderanteile in Schweizer Gefaengnissen
SUBJECT 0 CONTAINS AUSLAENDERGEWALT BEIM HAFENGEBURTSTAG
SUBJECT 0 CONTAINS Auslaendergewalt: Herr Rau, wo waren Sie?
SUBJECT 0 CONTAINS Auslaenderkriminalitaet steigt weiter!
SUBJECT 0 CONTAINS Bankrott des Gesundheitswesens durch Auslaender!
SUBJECT 0 CONTAINS Bin ich zu weltfremd? Ich glaube wohl kaum
SUBJECT 0 CONTAINS Das kann unmoeglich sein -Leserbrief-
SUBJECT 0 CONTAINS DEUTSCHES MAEDCHEN FAST VERGEWALTIGT
SUBJECT 0 CONTAINS Die Deform der sozialen Ordnung
SUBJECT 0 CONTAINS Diplomatische Zensur
SUBJECT 0 CONTAINS EU Beitritt der Tuerkei ?
SUBJECT 0 CONTAINS EU gibt Erwerbslosen volle Freizuegigkeit
SUBJECT 0 CONTAINS Garather klagen ueber eskalierende Gewalt im Stadtteil!
SUBJECT 0 CONTAINS Geschrieben von Margrit am 07. April 2004
SUBJECT 0 CONTAINS Libanesen in Berlin
SUBJECT 0 CONTAINS Marokkanischer Wiederholungstaeter vergewaltigte 17-jaehriges Maedel
SUBJECT 0 CONTAINS Medienzensur
SUBJECT 0 CONTAINS Mehr fuer Auslaender als fuer Deutsche tun!
SUBJECT 0 CONTAINS Moschee-Bau in Deutschland
SUBJECT 0 CONTAINS MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER
SUBJECT 0 CONTAINS Nein zum Zuwanderungsgesetz !
SUBJECT 0 CONTAINS Neue Voelkerwanderung droht!
SUBJECT 0 CONTAINS Paradies Bundesrepublik - Rente fuer die Welt -
SUBJECT 0 CONTAINS Polizei traute sich nicht, kriminellen Auslaender festzunehmen
SUBJECT 0 CONTAINS Richter unterstuetzt kriminelle Auslaenderin
SUBJECT 0 CONTAINS Skandal in Berlin
SUBJECT 0 CONTAINS Skandalurteil in Darmstadt
SUBJECT 0 CONTAINS So sieht die Wahrheit aus!
SUBJECT 0 CONTAINS TUERKEN-TERROR AM HIMMELFAHRTSTAG
SUBJECT 0 CONTAINS Was Deutschland braucht, sind deutsche Kinder!
SUBJECT 0 CONTAINS Wer an ein Tabu ruehrt, muss und darf vernichtet werden
SUBJECT 0 CONTAINS Wir haben die Auslaender doch geholt?!

is the current list of subject lines to filter for.
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
At the moment I can't detect additional new subject lines for this type of message. So the best filter should be a simple subject filter file containing the following lines:

SUBJECT 0 CONTAINS ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN
SUBJECT 0 CONTAINS Auf Kosten der deutschen Beitragszahler und Rentner!
SUBJECT 0 CONTAINS Augen auf! (So sieht es aus!)
SUBJECT 0 CONTAINS Auslaender erschleichen sich zunehmend Sozialleistungen
SUBJECT 0 CONTAINS Auslaenderanteile in Schweizer Gefaengnissen
SUBJECT 0 CONTAINS Auslaendergewalt: Herr Rau, wo waren Sie?
SUBJECT 0 CONTAINS Auslaenderkriminalitaet steigt weiter!
SUBJECT 0 CONTAINS Bankrott des Gesundheitswesens durch Auslaender!
SUBJECT 0 CONTAINS Bin ich zu weltfremd? Ich glaube wohl kaum
SUBJECT 0 CONTAINS Das kann unmoeglich sein -Leserbrief-
SUBJECT 0 CONTAINS Die Deform der sozialen Ordnung
SUBJECT 0 CONTAINS Diplomatische Zensur
SUBJECT 0 CONTAINS EU Beitritt der Tuerkei ?
SUBJECT 0 CONTAINS EU gibt Erwerbslosen volle Freizuegigkeit
SUBJECT 0 CONTAINS Garather klagen ueber eskalierende Gewalt im Stadtteil!
SUBJECT 0 CONTAINS Geschrieben von Margrit am 07. April 2004
SUBJECT 0 CONTAINS Libanesen in Berlin
SUBJECT 0 CONTAINS Marokkanischer Wiederholungstaeter vergewaltigte 17-jaehriges Maedel
SUBJECT 0 CONTAINS Medienzensur
SUBJECT 0 CONTAINS Mehr fuer Auslaender als fuer Deutsche tun!
SUBJECT 0 CONTAINS Moschee-Bau in Deutschland
SUBJECT 0 CONTAINS Moschee-Bau in Deutschland
SUBJECT 0 CONTAINS MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER
SUBJECT 0 CONTAINS Nein zum Zuwanderungsgesetz !
SUBJECT 0 CONTAINS Neue Voelkerwanderung droht!
SUBJECT 0 CONTAINS Paradies Bundesrepublik - Rente fuer die Welt -
SUBJECT 0 CONTAINS Polizei traute sich nicht, kriminellen Auslaender festzunehmen
SUBJECT 0 CONTAINS Richter unterstuetzt kriminelle Auslaenderin
SUBJECT 0 CONTAINS Skandal in Berlin
SUBJECT 0 CONTAINS Skandalurteil in Darmstadt
SUBJECT 0 CONTAINS TUERKEN-TERROR AM HIMMELFAHRTSTAG
SUBJECT 0 CONTAINS Was Deutschland braucht, sind deutsche Kinder!
SUBJECT 0 CONTAINS Wer an ein Tabu ruehrt, muss und darf vernichtet werden
SUBJECT 0 CONTAINS Wir haben die Auslaender doch geholt?!

Except the line in red, containing only a single German word, it should be relatively safe to filter for one of these subject lines and assign a weight high enough to hold the message.

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi,

We are Dutch, based in the Netherlands and we have a .nl domain name. So it's at least more than just .de domains that get spammed. It looks like these mails are news reports which are sent to various addresses.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:23 PM
Subject: RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Same here. I've updated and simplified the initially posted filters several times in the last hours. For best results please download the newest filter files from http://www.zcom.it/decludeupdater/polit_filter.zip

I'm interested if this wave of spam mails is a global phenomenon, or if they are able to restrict delivery to recipients of a certain language/country. Any info?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 10, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi,

Spammers are getting smart. This spam did not fail any of the tests we have in place using (near) default Declude tests. It scored 0 points.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for German/European email admins:

Some hours ago someone/something started to send German messages through the internet containing political statements. At first it seems very difficult to filter out this type of message coming from different IPs.

But with the following COMBO filters I can see excellent results:

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all these messages contain ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# the messages don't contain any German "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special German character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all these messages have a randomly generated HELO string)

Filter files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
RE: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Same here. I've updated and simplified the initially posted filters several times in the last hours. For best results please download the newest filter files from http://www.zcom.it/decludeupdater/polit_filter.zip

I'm interested if this wave of spam mails is a global phenomenon, or if they are able to restrict delivery to recipients of a certain language/country. Any info?

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, June 10, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi,

Spammers are getting smart. This spam did not fail any of the tests we have in place using (near) default Declude tests. It scored 0 points.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for German/European email admins:

Some hours ago someone/something started to send German messages through the internet containing political statements. At first it seems very difficult to filter out this type of message coming from different IPs.

But with the following COMBO filters I can see excellent results:

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all these messages contain ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# the messages don't contain any German "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special German character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all these messages have a randomly generated HELO string)

Filter files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
Re: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails
Hi,

Spammers are getting smart. This spam did not fail any of the tests we have in place using (near) default Declude tests. It scored 0 points.

Groetjes,
Bonno Bloksma

----- Original Message -----
From: Markus Gufler
To: [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:15 AM
Subject: [Declude.JunkMail] COMBO-Filter solution for todays german polite emails

Hi all,

Maybe interesting for German/European email admins:

Some hours ago someone/something started to send German messages through the internet containing political statements. At first it seems very difficult to filter out this type of message coming from different IPs.

But with the following COMBO filters I can see excellent results:

POLIT-CONTENT filter C:\IMail\Declude\lists\filter_polit_content.txt x 0 0
# contains different typical body keywords
# in any case 0 points

POLIT-QMAIL filter C:\IMail\Declude\lists\filter_polit_qmail.txt x 0 0
# all these messages contain ".qmail@" in the header (message-id part)
# in any case 0 points

POLIT-UMLAUT filter C:\IMail\Declude\lists\filter_polit_umlaut.txt x 0 0
# the messages don't contain any German "umlaut" and special characters (ä, ö, ü, ß)
# in any case 0 points
# should avoid false positives

POLIT-COMBO filter C:\IMail\Declude\lists\filter_polit_COMBO.txt x 0 0
# The logic behind this filter:
# skip if no POLIT-CONTENT body keyword and no POLIT-QMAIL header string was found
# skip if any special German character (POLIT-UMLAUT) was found
# Add 100 points if HELOBOGUS has failed (all these messages have a randomly generated HELO string)

Filter files can be downloaded from http://www.zcom.it/decludeupdater/polit_filter.zip

Markus
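
The POLIT-COMBO decision steps listed in the original post, modelled in Python as an added example (this is not Markus Gufler's filter files and not Declude syntax). The keyword list, the sample messages and the `tests_failed` set standing in for Declude's earlier test results are assumptions; the body is decoded before the umlaut check so that quoted-printable German mail still takes the POLIT-UMLAUT exit.

```python
import email
from email import policy

# Assumption: stand-ins for filter_polit_content.txt, whose entries the thread does not list.
BODY_KEYWORDS = ("zuwanderungsgesetz", "beitragszahler")
UMLAUTS = set("äöüß")   # characters named for POLIT-UMLAUT
COMBO_WEIGHT = 100      # "Add 100 points if HELOBOGUS has failed"


def decoded_body(msg):
    """Return the text/plain body with transfer encoding and charset undone."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def polit_combo(raw, tests_failed):
    """Apply the three POLIT-COMBO steps; return (weight, reason)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = decoded_body(msg).lower()
    content_hit = any(word in body for word in BODY_KEYWORDS)        # POLIT-CONTENT
    qmail_hit = ".qmail@" in str(msg.get("Message-ID", "")).lower()  # POLIT-QMAIL
    if not content_hit and not qmail_hit:
        return 0, "skip: neither POLIT-CONTENT nor POLIT-QMAIL matched"
    if UMLAUTS & set(body):                                          # POLIT-UMLAUT
        return 0, "skip: POLIT-UMLAUT matched"
    if "HELOBOGUS" in tests_failed:
        return COMBO_WEIGHT, "hit: HELOBOGUS failed"
    return 0, "no weight: HELOBOGUS passed"


def sample(message_id, body, extra_headers=""):
    """Build a constructed message (sample data, not captured mail)."""
    return ("From: a@example.invalid\nTo: b@example.invalid\nSubject: test\n"
            f"Message-ID: {message_id}\n{extra_headers}\n{body}\n")


QP = ("Content-Type: text/plain; charset=iso-8859-1\n"
      "Content-Transfer-Encoding: quoted-printable\n")
# Transliterated text and a ".qmail@" Message-ID: the pattern described in the post.
WORM_LIKE = sample("<1086851700.4711.qmail@example.invalid>",
                   "Text ueber das Zuwanderungsgesetz ohne Sonderzeichen.")
# Same keyword, but real umlauts that only appear after quoted-printable decoding.
LEGIT_GERMAN = sample("<abc123@mail.example.invalid>",
                      "Gr=FC=DFe, anbei der Artikel zum Zuwanderungsgesetz.", QP)
UNRELATED = sample("<xyz789@mail.example.invalid>", "Meeting moved to 3pm.")

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE), ("legit", LEGIT_GERMAN),
                      ("unrelated", UNRELATED)):
        print(name, polit_combo(raw, {"HELOBOGUS"}))
```

A check run against the raw text of `LEGIT_GERMAN` would see only `=FC=DF` and miss the umlaut exemption, which is the false-positive case the POLIT-UMLAUT step is meant to prevent.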