[Declude.JunkMail] Blocking the attached message
Title: Message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems "Helping You Meet Our Customers' Needs Through Better Information" -Original Message-From: Margo Terry [mailto:[EMAIL PROTECTED] Sent: Sunday, February 01, 2004 5:33 PMTo: [EMAIL PROTECTED]Subject: Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery
AW: [Declude.JunkMail] Blocking the attached message
Title: AW: [Declude.JunkMail] Blocking the attached message hi sharyn, up to now i block this one with the following to filterlines ANYWHERE 30 CONTAINS .com/v9.gif ANYWHERE 30 CONTAINS .com/z7.gif i found one of those gifs in all spams from this sender, the url itselfe changes, but the gifs are the same all the time. mfg i.a. gez. guhl *** lds nrw dez. 235 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: Sharyn Schmidt [mailto:[EMAIL PROTECTED]] Gesendet am: Dienstag, 3. Februar 2004 15:01 An: 'Declude Junkmail List' Betreff: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems Helping You Meet Our Customers' Needs Through Better Information -Original Message- From: Margo Terry [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 01, 2004 5:33 PM To: [EMAIL PROTECTED] Subject: Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery
Re: [Declude.JunkMail] Blocking the attached message
Title: Message What about BODY 45 CONTAINS .listrc.comBODY 45 CONTAINS .madedcd.com - Original Message - From: Sharyn Schmidt To: 'Declude Junkmail List' Sent: Tuesday, February 03, 2004 9:01 AM Subject: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~
RE: [Declude.JunkMail] Blocking the attached message
Try: BODY ## CONTAINS www.madedcd.com Thanks. That line only works for this particular email. The URLs contained in the body change, almost by the hour. I have dozens of URLs in my filter for this same message. Sharyn We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged Best in the World at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) htmla href=http://www.cruzanrums.com;www.cruzanrums.com/a/html --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Blocking the attached message
Title: Message up to now i block this one with the following to filterlines ANYWHERE 30 CONTAINS .com/v9.gif ANYWHERE 30 CONTAINS .com/z7.gif Whatis the latest version of Declude that supports ANYWHERE? Although this would probably work as BODY30 CONTAINS etc.. Thanks! I'll try this.The URLS change faster than I can keep up, apparantly. Sharyn
Re: [Declude.JunkMail] Blocking the attached message
Sharyn Schmidt wrote: Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Try: BODY ## CONTAINS www.madedcd.com in a text filter, where ## is the weight you want to use. Of course, the next one could have a different URL, but it's a start. It would also be good to look at the headers for a possible IP filter. Mike Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems */Helping You Meet Our Customers' Needs Through Better Information /* -Original Message- *From:* Margo Terry [mailto:[EMAIL PROTECTED] *Sent:* Sunday, February 01, 2004 5:33 PM *To:* [EMAIL PROTECTED] *Subject:* Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery http://www.madedcd.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
AW: [Declude.JunkMail] Blocking the attached message
Title: AW: [Declude.JunkMail] Blocking the attached message ups, just got one with .com/g9.gif so i have to extend my filter. but i still think the gif is the pattern. mfgi.a.gez. guhl***lds nrwdez. 235tel.: 0211 9449 2578fax.: 0211 9449 8344mailto:[EMAIL PROTECTED]*** -Ursprüngliche Nachricht-Von: Guhl, Markus (LDS) Gesendet am: Dienstag, 3. Februar 2004 15:19An: [EMAIL PROTECTED]Betreff: AW: [Declude.JunkMail] Blocking the attached message hi sharyn, up to now i block this one with the following to filterlines ANYWHERE 30 CONTAINS .com/v9.gif ANYWHERE 30 CONTAINS .com/z7.gif i found one of those gifs in all spams from this sender, the url itselfe changes, but the gifs are the same all the time. mfg i.a. gez. guhl *** lds nrw dez. 235 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: Sharyn Schmidt [mailto:[EMAIL PROTECTED]] Gesendet am: Dienstag, 3. Februar 2004 15:01 An: 'Declude Junkmail List' Betreff: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems "Helping You Meet Our Customers' Needs Through Better Information" -Original Message- From: Margo Terry [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 01, 2004 5:33 PM To: [EMAIL PROTECTED] Subject: Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery
RE: [Declude.JunkMail] Blocking the attached message
Title: Message BODY 45 CONTAINS .listrc.comBODY 45 CONTAINS .madedcd.com Thanks. Same deal as before.Filtering on URLS doesn't work as the URLs are constantly changing, even though that [EMAIL PROTECTED] pic of the pharmacist on cloud 9remains the same. Sharyn
Re: [Declude.JunkMail] Blocking the attached message
These folks pop up every few days with a dozen pair of new domains to use. They begin broadcasting all of these at once and we usually nail them in a single pass. They are very consistent about the way they do this. AFAIKT once we've nailed them they're not getting through... We're waiting for the next batch of domains to show up and we'll nail them again. If you have the time, you should be able to create rules in Declude to capture these guys pretty easily due to their consistency. Look for two domains in web links for each message. One generally for the click through and one for the image itself. Create a body rule for both of them... they mix and match these so grabbing both will get you versions you've not seen yet. If you do not have the time, then you could use Sniffer GRIN and we'll do it for you. If anybody's using Sniffer and still getting more than the occasional instance then please let us know because I want to kill it. _M At 09:01 AM 2/3/2004, you wrote: Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems Helping You Meet Our Customers' Needs Through Better Information -Original Message- From: Margo Terry [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 01, 2004 5:33 PM To: [EMAIL PROTECTED] Subject: Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery
Re: AW: [Declude.JunkMail] Blocking the attached message
The image files tend to change just slightly less often than the domains. The image files appear to change once per campaign so far - but that's likely to change in the near future I think. The IP source is broadly distributed through the internet - these folks are using zombies. HTH, _M At 09:29 AM 2/3/2004, you wrote: ups, just got one with .com/g9.gif so i have to extend my filter. but i still think the gif is the pattern. mfg i.a. gez. guhl *** lds nrw dez. 235 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: Guhl, Markus (LDS) Gesendet am: Dienstag, 3. Februar 2004 15:19 An: [EMAIL PROTECTED] Betreff: AW: [Declude.JunkMail] Blocking the attached message hi sharyn, up to now i block this one with the following to filterlines ANYWHERE 30 CONTAINS .com/v9.gif ANYWHERE 30 CONTAINS .com/z7.gif i found one of those gifs in all spams from this sender, the url itselfe changes, but the gifs are the same all the time. mfg i.a. gez. guhl *** lds nrw dez. 235 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] *** -Ursprüngliche Nachricht- Von: Sharyn Schmidt [mailto:[EMAIL PROTECTED]] Gesendet am: Dienstag, 3. Februar 2004 15:01 An: 'Declude Junkmail List' Betreff: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems Helping You Meet Our Customers' Needs Through Better Information -Original Message- From: Margo Terry [mailto:[EMAIL PROTECTED]] Sent: Sunday, February 01, 2004 5:33 PM To: [EMAIL PROTECTED] Subject: Re: Prescrip*tion Dr]ugs - Easy Ordering and Fast Delivery
RE: [Declude.JunkMail] Blocking the attached message
Title: Message Here are a few more to add to the list: BODY 30 CONTAINS pharmacourt.bizBODY 30 CONTAINS thatrxstore.bizBODY 30 CONTAINS pharmashoppe.bizBODY 30 CONTAINS pharmawarehouse.bizBODY 30 CONTAINS fastactingpills.comBODY 30 CONTAINS gomedz.biz Bill Thanks! Sharyn
[Declude.JunkMail] Imail SPAM filter Declude
Hi; A while back I reported of a problem we had with spam getting through with no Declude headers. In going back and forth between Scott and IPSwitch the issue was not resolved.. IPSwitch kept saying it is Declude issue. Perhaps we are among the very few that were using the mixture of both software for spam. We had IMail run the IP4r tests and the REVDNS and HELO and then have Declude add weight to the headers added by IMail. 3 weeks ago, after getting fed up with the spam that was getting through I decided to get rid of one variable test. So we took all of our spam filtering off of IMail and use Declude for everything (with Matt's help getting his IP4r tests so I did not have to hunt them down). After 3 weeks of this new setting not a single spam has gotten through. All of our folks used to get 3+ spams with no Declude headers added and now not a single one. Conclusion: It is definitely IMail causing that issue. Just in case others are running this combination and are running into this problem. Regards, Kami
RE: [Declude.JunkMail] Blocking the attached message
Title: Message Sharyn: Were getting the same thing endlessly, but none of the links match what you have except the v*9.gif. Im trying to see if blocking only on the graphic name will work. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt Sent: Tuesday, February 03, 2004 8:01 AM To: 'Declude Junkmail List' Subject: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems Helping You Meet Our Customers' Needs Through Better Information
RE: [Declude.JunkMail] Blocking the attached message
Title: Message Sharyn and others, you can make a big dent in the pharmacy spammers'campaigns by picking theapppropriate RBLs, particularly with a hold weight as low as 10. As the Chief SortMonster pointed out, these bad guys make heavy use of zombies, so a trip to http://www.declude.com/junkmail/support/ip4r.htm Would be well worth your time. I'm finding that these are very effective: XBL DSBL NJABL SORBS And more generally: FIVETENSRC SPAMCOP And last, everyone needs the: SPAMDOMAINS test that was introduced in April 2003 and is implemented in the current release (v1.75). Check the mailing archive for an excellent sd.txt to fuel it. As per the usual best-practice discussed on this list, I also recommend not putting a HOLD or DELETE action on any one test; give each test a low enough weight that you can be comfortable that it alone will not give you a false positive and hold the wrong mail. Start low and then raise the weights once you've evaluated each new test on it's own merits in your environment. Andrew 8) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn SchmidtSent: Tuesday, February 03, 2004 8:01 AMTo: 'Declude Junkmail List'Subject: [Declude.JunkMail] Blocking the attached message Sorry, folks, to attach spam to an email but this is driving me NUTS. No matter what I do, I can't seem to block this! Is anyone else successfully blocking this one? Thanks, ~Sharyn~ Network Administrator Todhunter Information Systems "Helping You Meet Our Customers' Needs Through Better Information"
RE: [Declude.JunkMail] Blocking the attached message
Title: Message Were getting the same thing endlessly, but none of the links match what you have except the v*9.gif. Im trying to see if blocking only on the graphic name will work. I'm trying that too (thanks to a post from earlier!). Blocking on URLS is useless. Let me know how it goes and I'll do the same. I'm going tobe put in jail if I ever come face to face with the pharmacist! Sharyn
RE: [Declude.JunkMail] Blocking the attached message
Title: Message http://www.declude.com/junkmail/support/ip4r.htm Would be well worth your time. I'm finding that these are very effective: XBL DSBL NJABL SORBS And more generally: FIVETENSRC SPAMCOP I'm using whatever was included by default in the global config, minus the ones that no longer work. These looks different than what I already havein there. Thanks...will try this too. Sharyn
RE: [Declude.JunkMail] Blocking the attached message
Title: Message Hi; We have the following in our filter file for BODY filters: 7.gif" border=0/a/center We have this for all numbers .. 0, 1, 2... we have another another weight just for this part: .gif" border=0/a/center it works.. there is another series of spam that is almost identical in format but different content.. it is about a Health pill .. We add the URL's constantly to our URL filter as well as the signature to the spam-html filter which blocks them quite effectively.. at least for now. Regards, Kami From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn SchmidtSent: Tuesday, February 03, 2004 2:54 PMTo: [EMAIL PROTECTED]Subject: RE: [Declude.JunkMail] Blocking the attached message Were getting the same thing endlessly, but none of the links match what you have except the v*9.gif. Im trying to see if blocking only on the graphic name will work. I'm trying that too (thanks to a post from earlier!). Blocking on URLS is useless. Let me know how it goes and I'll do the same. I'm going tobe put in jail if I ever come face to face with the pharmacist! Sharyn
RE: [Declude.JunkMail] False spam - spam database
Hi Scott or anyone. Here is the entries from the log file. I was not receiving messages from @delphi.com addresses until I whitelisted them. How can I tell which tests it failed? Thanks Samantha 0248ca28 WARNING: Unknown filter type @titty-mail.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @web-stars.us. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @we-love-porn.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @wetwetwet.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @wickedescort.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @workingwithwood.net. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @xxxcorner.net. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @xxxoptins.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @xxx-payment.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @youngandhorny.us. 02/02/2004 14:36:43 Qa6be0c180248ca28 E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED] -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Monday, February 02, 2004 2:53 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] False spam - spam database If I whitelisted it, will the logs still show which tests it failed? Yes. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] False spam - spam database
Hi Scott or anyone. Here is the entries from the log file. I was not receiving messages from @delphi.com addresses until I whitelisted them. How can I tell which tests it failed? If those are all the log file entries, it didn't fail any spam tests. However: 0248ca28 WARNING: Unknown filter type @titty-mail.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @web-stars.us. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @we-love-porn.com. it does indicate a problem. It looks like you have a filter file with invalid lines in it, such as just @web-stars.us (whereas it should be something like MAILFROM 0 CONTAINS @webstars.us). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] False spam - spam database
Is that my global.cfg file or the Declude$Junk$ file? How do I correct it? Should I get a new global.cfg file? Thanks Scott Samantha -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 03, 2004 3:50 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] False spam - spam database Hi Scott or anyone. Here is the entries from the log file. I was not receiving messages from @delphi.com addresses until I whitelisted them. How can I tell which tests it failed? If those are all the log file entries, it didn't fail any spam tests. However: 0248ca28 WARNING: Unknown filter type @titty-mail.com. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @web-stars.us. 02/02/2004 14:36:43 Qa6be0c180248ca28 WARNING: Unknown filter type @we-love-porn.com. it does indicate a problem. It looks like you have a filter file with invalid lines in it, such as just @web-stars.us (whereas it should be something like MAILFROM 0 CONTAINS @webstars.us). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] False spam - spam database
Is that my global.cfg file or the Declude$Junk$ file? Neither. Filter files are separate files. How do I correct it? Should I get a new global.cfg file? You should figure out how the file got there, and work from there. For example, if you were sent the file from someone else, you should check to see why the invalid lines were in there. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Goodbyespam.com
Has anyone used programs like these and can you tell me the pitfalls of them..I am testing this one now.. Richard FarrisEthixs Online1.270.247. Office1.800.548.3877 Tech Support