Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 26/09/1999, at 03:52,
Alexander V. Kiselev (mailto:[EMAIL PROTECTED])
went and see the gods, and told them:

Anti-spam filters (was:Re[5]: List Administration Note) 

AVK> Hi there!

AVK> On 25 Sep 99, at 16:29, Steve Lamb wrote
AVK> about "Re: Anti-spam filters":

>> Other filtering involves methods that produce a high amount of
>> false-positives.  When you (sex) get a lot of (erotic) mail in your spam
>> folder (make money fast) that it gets more mail than your ($$$) inbox, then
>> you have a problem, don't you?

AVK> Yup, as for me, I now see that Claude has never got involved in 
AVK> Mathematical research, for example.
That's not the kernel of my research work but, sorry, I'm developing a
new kind of factorial analysis :-)))

AVK>  If *I* started to filter out 
AVK> the messages containing dollar signs, I would have filtered out 
AVK> *absolutely all* the scientific-related messages I receive:-)) You 
AVK> know, these are all in TeX, and in TeX all the mathematical 
AVK> notation is preceeded either with a single dollar sign or a 
AVK> doubled one, and succeeded in the same manner. For 
AVK> example, x=y would be $x=y$. I mean, "dollars" not *always* 
AVK> mean bux:-)
Of course, if your anti-spam filter is the first. If we were working
together (why not?), I would have a filter signaled on "spb.edu" in
the sender, to route your mail in a "StPetersbourg" folder, like I have
one for each University I work with.

Well, I have a "friends" folder, too, a "business" also, etc... each
filtered with the sender.

As I don't think my usual senders are going to spam me, the anti-spam
comes after.

My task force don't shot everything which is moving. It asks for
password before :)

No password : go to jail (spam folder) ; then, ask the judge - me ;-)
- for death or freedom.

I agree that the "not me in TO" is the most powerful *by now*, but my
(small) experience with that system don't give as many false positive
as you and SL seem to think :)))


-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
Certes, il mérite la mort, 
mais combien meurent qui mériteraient la vie ? 
Pouvez-vous la leur donner ? - Tolkien.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.
<mailto:[EMAIL PROTECTED]>
--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 26/09/1999, at 08:21,
Ali Martin (mailto:[EMAIL PROTECTED])
facing the crowd, asked the gods to bless them and said:

AM> I wish to hear how you'd deal with his peculiar situation of having to
AM> deal with spammers who seem to stupidly believe in quality and not
AM> quantity.

My way...

First : never give your regular address to a suspected zone before
having checked it with a temporary one. We could call that a "french
jacket" ;-)
Second : filter your regular senders (individuals and lists) in some
folders like "girl (boy) friends", "academics", "business", "general",
"NameOfTheList" and so on. BTW, it's also useful for having
different templates.
Third : filter the spams, with the "I'm no in TO", even if this is for
5% in your case, that's 5% less, *and* with the specific filters like
"$", "SEX", and so on.
Fourth : browse your "spam" folder and choose what to kill and what to
keep.
Fifth : improve your filters used in third point.

For me, it works rather well, try it out and tell us the results...


-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
Monica has a headache ; Monica has semen on her skirt : what's the link ? 
First, she's got the sun of the beach on her head ; 
second, she's got a son of a bitch in her bed. 
Maître Claude.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 11:39:27 PM, Thomas wrote:
SL>> I just press the delete key because any filtering would invariably cause
SL>> false-positives and a loss of mail.

> Thank you! Now we have the solution to this problem and can end the
> thread.

The thread would have ended two days ago if you and several others had,
once again, read what was written instead of what you thought was written.  It
takes more than one person to perpetuate a thread.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Steve,

On Sunday, September 26, 1999, 2:35:13 PM, Steve Lamb wrote:

>> I wish to hear how you'd deal with his peculiar situation of having to
>> deal with spammers who seem to stupidly believe in quality and not
>> quantity.

SL> I just press the delete key because any filtering would invariably cause
SL> false-positives and a loss of mail.

Thank you! Now we have the solution to this problem and can end the
thread.

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using an Intel Celeron 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 11:21:34 PM, Ali wrote:
>> You have missed the point.  He wasn't looking for discussion.  He was
>> refuting advice I had given.  There is a difference.

> But Steve, if your method doesn't work in his particular case, what
> other recourse does he have but to put up his hand and say that it won't
> work? I'd have done the same.

   But would you have started off by refuting the advice I had given?  That is
what he did.  He didn't start off with "Well, in my experience this happens,
what do you suggest."  No, here is the exact words of the first sentence from
him, "This was true perhaps 6-8 months ago."  The implication is that "this"
is not true now.

Since he was replying to my large post on spam filtering.  That is a point
blank rebuttal, pure and simple.  It is not a plea for help.  It is not an
observation of a different viewpoint, it is a direct challenge to what I had
said.

> I wish to hear how you'd deal with his peculiar situation of having to
> deal with spammers who seem to stupidly believe in quality and not
> quantity.

I just press the delete key because any filtering would invariably cause
false-positives and a loss of mail.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Ali Martin]

Hi all,

On Sunday, September 26, 1999, 12:44:43 AM (-5 GMT), Steve scribbled:

>> You missed the point. My point was that someone has a real problem,
>> which is off the norm, and you refuse to discuss it. Well then, don't.
>> But don't tell the author of that post, or the list, that this
>> shouldn't be discussed.

> You have missed the point.  He wasn't looking for discussion.  He was
> refuting advice I had given.  There is a difference.

But Steve, if your method doesn't work in his particular case, what
other recourse does he have but to put up his hand and say that it won't
work? I'd have done the same.

Do you have any advice for him at this juncture. I think that you've
succeeded in getting the point across that his situation is not the norm
and that his method of dealing with spam shouldn't be generally adopted.

I wish to hear how you'd deal with his peculiar situation of having to
deal with spammers who seem to stupidly believe in quality and not
quantity.

-- 
Regards,
 -=Ali=-   

   >>> In mathematics or physics, simplifying can be complicated. <<<
*---*
 Using The Bat! 1.36 Beta/4 on Windows NT 4.0 (Service Pack 5)
*---*

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 10:34:44 PM, Thomas wrote:
SL>> Please state where I have ridiculed it.  It is anecdotal information.
SL>> Please don't make me to go m-w.com just to look up anecdote and information
SL>> for you, then explain why those two words combined mean exactly what I am
SL>> trying to convey without being a ridicule.

> You missed the point. My point was that someone has a real problem,
> which is off the norm, and you refuse to discuss it. Well then, don't.
> But don't tell the author of that post, or the list, that this
> shouldn't be discussed.

You have missed the point.  He wasn't looking for discussion.  He was
refuting advice I had given.  There is a difference.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Steve,

On Sunday, September 26, 1999, 7:25:34 AM, Steve Lamb wrote:

SL> Saturday, September 25, 1999, 6:37:57 AM, Thomas wrote:
>> That may well be. We have all unerstood what you are saying and are
>> thankful for it. And now, we are looking for a solution for a problem
>> that is *not* the norm. Why silence a minority voicing their problems
>> by reasoning that the majority does not have this problem?

SL> Because it could lead to problems or incorrect action taken by the
SL> majority.

The majority is not stupid. At least not on this list. I don't think
there is anyone on this list who cannot tell a spam addressed to
him/her from a spam in which he/she is only BBC'ed.

>> And, by the way, his "anecdotal information" is his actual reality.
>> Don't ridicule it.

SL> Please state where I have ridiculed it.  It is anecdotal information.
SL> Please don't make me to go m-w.com just to look up anecdote and information
SL> for you, then explain why those two words combined mean exactly what I am
SL> trying to convey without being a ridicule.

You missed the point. My point was that someone has a real problem,
which is off the norm, and you refuse to discuss it. Well then, don't.
But don't tell the author of that post, or the list, that this
shouldn't be discussed.

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using an Intel Celeron 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 6:52:39 PM, Alexander wrote:
> doubled one, and succeeded in the same manner. For
> example, x=y would be $x=y$. I mean, "dollars" not *always* 
> mean bux:-)

Good example.  Another good one would be anyone working with perl or shell
scripts on unix and transferring them back and forth through mail.  In perl
all scalar references are preceeded by a $.  So a scalar would be $foo, a
reference to a value inside an array is $foo[1] and a reference to a value
inside a hash is $foo{key}.  It gets fun when you intermix the three.  ;)

$foo{$foo[$foo]}

Shell scripts are the same way.  Variables are retrieved with a $
preceeding the appropriate variable.  :)

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Alexander V. Kiselev]

Hi there!

On 25 Sep 99, at 16:29, Steve Lamb wrote
about "Re: Anti-spam filters":

> Other filtering involves methods that produce a high amount of
> false-positives.  When you (sex) get a lot of (erotic) mail in your spam
> folder (make money fast) that it gets more mail than your ($$$) inbox, then
> you have a problem, don't you?

Yup, as for me, I now see that Claude has never got involved in 
Mathematical research, for example. If *I* started to filter out 
the messages containing dollar signs, I would have filtered out 
*absolutely all* the scientific-related messages I receive:-)) You 
know, these are all in TeX, and in TeX all the mathematical 
notation is preceeded either with a single dollar sign or a 
doubled one, and succeeded in the same manner. For 
example, x=y would be $x=y$. I mean, "dollars" not *always* 
mean bux:-)



SY, Alex
(St.Petersburg, Russia)
-- 
Thought for the day:
  Communist (n): one who has given up all hope
 of becoming a Capitalist.

--- 
PGP public keys on keyservers:
0xA2194BF9 (RSA);   0x214135A2 (DH/DSS)
fingerprints:
F222 4AEF EC9F 5FA6  7515 910A 2429 9CB1 (RSA)
A677 81C9 48CF 16D1 B589  9D33 E7D5 675F 2141 35A2 (DH/DSS) 
--- 

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Ali Martin]

Hi all,

On Saturday, September 25, 1999, 6:29:17 PM (-5 GMT), Steve scribbled:

> Other filtering involves methods that produce a high amount of
> false-positives.

This is exactly why I wasn't using spam filters initially. Jokes from
friends would get 'nuked' and promotional male from software vendors
with whom I have registered software. Too many false positives. I have
to agree here.

>   When you (sex) get a lot of (erotic) mail in your spam
> folder (make money fast) that it gets more mail than your ($$$) inbox, then
> you have a problem, don't you?

LOL

-- 
Regards,
 -=Ali=-   

   >>> Some things have got to be believed to be seen. <<<
*---*
 Using The Bat! 1.36 Beta/4 on Windows NT 4.0 (Service Pack 5)
*---*

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 7:14:10 AM, Claude wrote:
> Why not fighting both ?

Because the aberration is such a small number it isn't worth fighting on a
mass scale.  Because the simple numbers of it all suggest that it cannot nor
will it ever become the norm.  Because when spammers do it they lose >90% of
the addresses they can send to.  Spamming is all about *volume*, nothing more.

>  Some others are "$", "MONEY", "SEX", "erotic", and other french
>  and english words or sentences, and do fine bloody job, too.
>  Note that if *this* post go thru your shield, you've got a
>  weakness in it :)))

No, it means that the filters don't generate false positives.  I do not
advocate and rarely ever will advocate filters that are set off by content
because no matter what you think about those words, they can and do come up in
casual conversation, causing false-positives.  I mean because of them you
could be filtering a discussion about spam filters.  Ironic, isn't it?

>  6. light artillery group (LAG) :
>  From time to time, I spam back. But I think this is a bit
>  inefficient.

Also illegal in most places, immoral, unethical and 100% wrong.

>  7. psychological operations operational force (PSYOPS OPFOR) :
>  Well, ideas like forwarding spams to the root, admin, webmaster
>  and something like that may be useful to make them more angry
>  against the terrs who use their sovereign country as a base
>  camp. All ideas of this kind are welcome.
>  Forwarding it to some [EMAIL PROTECTED] make me laugh a
>  bit, too.

Unless you know what you're doing (most people don't) all you're doing is
pissing off people who are not at all related with the spam at all.  In fact,
this is a common denial of service attack.  Someone spams a bunch of people
with indications of the mail coming from somewhere else.  All the knee-jerk
ignorant people who think they are doing good complain to who they think is in
charge of where the spam is coming from.  End result, that person now has a
few hundred email in his inbox that he has to wade through.

So when someone suggested creating bounces, that is why I said it is a bad
idea and completely ineffective.  All it does is create more work for people
who are most likely not involved esp. since the fake bounce goes to the person
in the from: field, not the actual sender.  When someone else said that they
forward it to root at all domains that they can find, the above is why I said
it was a bad idea.  In most cases most of the domains listed aren't involved.

> My []small, []local, []individual, []young, []weak, []unexperienced,
> []other(s) [You can check all the boxes and add some]... opinion is that
> the EWST is *very* useful. I don't know a lot of people using it.
 
It is useful.  In fact some ISPs do a variation of it.  They post fake
addresses in places as spam traps.  Anyone sends a message to it, they are
filtered.  *shrug*

SL>> No.  I have not met such an individual yet.

>>From time to time, I wonder if you're a cold blood joking man, or if
> you really think what you're writing ;-)

What part of "I have not met such an individual yet" is a joke?  It isn't.
I have not met a spammer that knew the system better than I do.  I doubt that
such a person exists.  If they are sending messages that are generated
individually the volume of messages they are sending out is so low that it is
pushing towards being economically unviable to do it.  Further, if they were
to get a faster connection it costs more.  Finally, if they decided to get a
very large pipe they have to deal with the national ISPs who are willing to
take them to court, and win, to have them stop their crap.  See the case of
Stanford Wallace.

At the same time I feel that any time an individual makes a stupid choice
based on what someone else *might* do which creates more work for them instead
of reducing it I am going to vehemently oppose such a action for the general
populace and explain as clearly as I can the reasons why.

Again, in all of this I feel that the burden of proof is at your feet, not
mine.  I have explained why certain methods are good and certain methods are
not.  That means you have to come up with something more than "Well, I do it
this way."  Now you've got to come up with why my assertations of how things
work and why certain methods are more harmful than others are not the case and
do so with something more than "Well, I don't mind doing it."

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

---

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 7:35:28 AM, Claude wrote:
> I think that a minority problem may grows to a majority problem. When
> most of the people will filter with the *very good by now* "not me in
> TO", the spammers will, of course, change their way of acting...

Other filtering involves methods that produce a high amount of
false-positives.  When you (sex) get a lot of (erotic) mail in your spam
folder (make money fast) that it gets more mail than your ($$$) inbox, then
you have a problem, don't you?

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-


-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Saturday, September 25, 1999, 6:37:57 AM, Thomas wrote:
> That may well be. We have all unerstood what you are saying and are
> thankful for it. And now, we are looking for a solution for a problem
> that is *not* the norm. Why silence a minority voicing their problems
> by reasoning that the majority does not have this problem?

Because it could lead to problems or incorrect action taken by the
majority.

> And, by the way, his "anecdotal information" is his actual reality.
> Don't ridicule it.

Please state where I have ridiculed it.  It is anecdotal information.
Please don't make me to go m-w.com just to look up anecdote and information
for you, then explain why those two words combined mean exactly what I am
trying to convey without being a ridicule.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[3]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 25/09/1999, at 15:37,
Thomas Fernandez (mailto:[EMAIL PROTECTED])
facing the crowd, asked the gods to bless them and said:

TF> That may well be. We have all unerstood what you are saying and are
TF> thankful for it. And now, we are looking for a solution for a problem
TF> that is *not* the norm. Why silence a minority voicing their problems
TF> by reasoning that the majority does not have this problem?

I think that a minority problem may grows to a majority problem. When
most of the people will filter with the *very good by now* "not me in
TO", the spammers will, of course, change their way of acting...

Better to begin our training against that *now*, isn't it ?

What about a medical doctor saying, ten years ago, that the majority
got caught, and just a minority AIDS, so, put all the effort on caught
and nothing to do about AIDS (no research, no prevention, nothing...)?

What about an IT engineer saying, ten years ago too, that most of the
problems are hardware generated, second most software generated, so,
as just a minority has to deal with "viruses", there is no reason to
fight against them ?


-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
As it in Russian saying:  
" If 3 men speak, that you are drunk - go and be overslept " 
- Alexander Leschinsky.

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 25/09/1999, at 14:18,
Steve Lamb (mailto:[EMAIL PROTECTED])
climbed up a big rock and began to chant:


>> Do you think all the spammers *must* operate the same way ?
>> That is not haw your spammers operate, but, well, why an other one
>> couldn't do that ?

SL> What he has done, however, was bring in his limited experience as a
SL> countermand to my sound advice.  Advice that I have clearly explained and is
SL> based on my professional experience of 4+ years in the industry.  Let me draw
SL> an analogy for you.

SL> A rocket scientist gives a lecture on how rockets work, why they work, to
SL> what use they are put to, why they are used in that manner and what benefits
SL> all of that bring the people he is speaking to.  At the end of his lecture, a
SL> man stands up and says, "You know, when I was a kid I built model rockets and
SL> launched them.  Some of them exploded.  I don't think that your rockets do
SL> much good for me."

Let the analogy go closer to our matter :
1. The rocket doesn't try to get the better way to explode for
running around its builder willing. The spammer do try.
2. Something happening "when you were a kid", and fixed up by now,
is different than something rather new, which may grow -or not-.

I do think that if a rocket hobbyists club tell a rocket scientist
that 95% of their models are destroyed by the counter rockets
hobbyists kids club, using a new type of low energy hand made
microwave emitter, and the scientist doesn't give an alert to the
security officer of his factory, to make the industrial rockets
resist to this new thing, even if they *never* had *any* problem with
it before, this scientist will be fired away from his job, won't he ?

SL> IE, just because *HIS* spammers are acting in an manner not consistent
SL> with the norm does not mean the norm is invalid.  I have not stated that his
SL> experience is wrong.  I have stated, however, that his experience is not the
SL> norm and that people are better advised to combat the norm than the
SL> aberration.

Why not fighting both ?

Here is the main system of my anti-spam task force :))

 1. early warning scout teams (EWST) :
 I have some [EMAIL PROTECTED] addresses I give to any list or
 commercial site, or anything of this kind.
 After a while, if there is no spam traces, I subscribe with a
 regular address.
 When an early warning address is spam surrounded, I just forgot
 it (cruel world, isn't it ?), and create a new one.
 So I near never go to death zones.

 2. main force security light infantry units (SLIU) :
 I use filters to redirect potential spam to a specific folder.
 The "not my name in the TO" is one of them, of course and -agreed
 with SL- a good killers team.
 Some others are "$", "MONEY", "SEX", "erotic", and other french
 and english words or sentences, and do fine bloody job, too.
 Note that if *this* post go thru your shield, you've got a
 weakness in it :)))

 3. close combat knife fighters (CCKF) :
 Well, when the foe brakes the line and comes in, I just use the
 DEL key :)
 
 4. tactical intelligence team (TIT) :
 When a spam from a new source is killed by the CCFK, the
 information found with it is managed and a new SLUI is trained to
 kill its brothers outside the lines.

 5. strategic intelligence unit (SIU) :
 I do think about what the foe *will* do against me, not just how he
 works by now. So *thanks* to the people whose spammers "are acting
 in an manner not consistent with the norm" because their
 informations may help me to prevent new kinds of practices.

 6. light artillery group (LAG) :
 From time to time, I spam back. But I think this is a bit
 inefficient.

 7. psychological operations operational force (PSYOPS OPFOR) :
 Well, ideas like forwarding spams to the root, admin, webmaster
 and something like that may be useful to make them more angry
 against the terrs who use their sovereign country as a base
 camp. All ideas of this kind are welcome.
 Forwarding it to some [EMAIL PROTECTED] make me laugh a
 bit, too.

 8. civil affairs operational force (CI OPFOR) :
 There is some "slow" spammers who stays days, instead of hours,
 in the same point. Officially advising their admin may work.
 Notice they are also weaker when shelled by the LAG.

My []small, []local, []individual, []young, []weak, []unexperienced,
[]other(s) [You can check all the boxes and add some]... opinion is that
the EWST is *very* useful. I don't know a lot of people using it.
 
 
>> Don't you think there is at least *one* spammer in the whole world,
>> who knows that better than you ;-)

SL> No.  I have not met such an individual yet.

>From time to time, I wonder if you're a cold blood joking man, or if
you really think what you're writing ;-)




-- 
Best regards,

Claude.  

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Steve,

On Saturday, September 25, 1999, 8:18:00 PM, Steve Lamb wrote:

>> So *I* trust his experience *and* yours. They are different. What's
>> the matter ?

SL> One is the norm, one is not.  One is based on personal anecdotal
SL> information, the other on years of indirect experience and months of direct
SL> experience with the protocols and procedures at hand.

That may well be. We have all unerstood what you are saying and are
thankful for it. And now, we are looking for a solution for a problem
that is *not* the norm. Why silence a minority voicing their problems
by reasoning that the majority does not have this problem?

And, by the way, his "anecdotal information" is his actual reality.
Don't ridicule it.

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using an Intel Celeron 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Ali Martin]

Hi all,

On Saturday, September 25, 1999, 7:06:42 AM (-5 GMT), Steve scribbled:

> Regardless of your personal experience, that is not how the majority of
> the spammers operate.  By replying and stating "Well, I don't see that" you
> cast doubt on my position and damage people's perceptions of the most accurate
> way to handle the situation.

I applied your way of dealing with spam and it works beautifully for me.
Nothing has gotten through so far. That's my anecdotal experience. :)


-- 
Regards,
 -=Ali=-   

   >>> Real men don't set for stun. <<<
*---*
 Using The Bat! 1.36 Beta/4 on Windows NT 4.0 (Service Pack 5)
*---*

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 10:16:08 PM, Thomas wrote:
SL>>> And in that same 35 minutes they could pump out ~120% more addresses. So
SL>>> if 5 is a "good" return, then 690 must be much better.
C>> There is a little difference between a post which is *sent* and a post
C>> which is *read*.

C>> But some actually pay housewives to hand write addresses. Why ?
C>> Because they actually know that this seems *personal* snailmail, and
C>> a very bigger amount of receivers will open the envelope instead of
C>> sending everything in the litter box *before*.

> In snailmail, this increases the probability of a positive return from
> 1 in 1,000 to 1 in (I don't remember, school was a long time ago, I
> think it was:) 200.

If we take that ratio, the 5 becomes 25.  Again, clearly for any spammer
that isn't desperate they would go with bulk over personal.  Quantity over
quality.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 5:14:46 PM, Claude wrote:
> May be not, but it seems that *he* has 95% of spam different than
> yours :)

And an anecdotal aberration isn't something to give or countermand advice
upon.

> Do you think all the spammers *must* operate the same way ?
> That is not haw your spammers operate, but, well, why an other one
> couldn't do that ?

No.  I never said that.  What I did do was explain how the mail system
works in detail, what ISPs do and do not do and why spammer behavior is the
way it is.  That, then, was to further explain the logic behind the filtering
system I described and why it works, why the false hits are so low and why the
positive hits are so high.

What he has done, however, was bring in his limited experience as a
countermand to my sound advice.  Advice that I have clearly explained and is
based on my professional experience of 4+ years in the industry.  Let me draw
an analogy for you.

A rocket scientist gives a lecture on how rockets work, why they work, to
what use they are put to, why they are used in that manner and what benefits
all of that bring the people he is speaking to.  At the end of his lecture, a
man stands up and says, "You know, when I was a kid I built model rockets and
launched them.  Some of them exploded.  I don't think that your rockets do
much good for me."

What the man says is true.  What the scientist said is true.  However,
what the man said has no bearing on what the scientist has said though it is
presented in a manner which other people in the room will construe as a
challenge that has some merit because they superficially have some
resemblance.

IE, just because *HIS* spammers are acting in an manner not consistent
with the norm does not mean the norm is invalid.  I have not stated that his
experience is wrong.  I have stated, however, that his experience is not the
norm and that people are better advised to combat the norm than the
aberration.

> Why does someone may not trust you ? You've nothing to earn lying, I
> think, and your "" post proved that you know the point.
> But why don't you trust the others ?

I never said I didn't trust people.  Please point out where I stated that
I didn't trust his account.

> Do you think there's any interest for Arunas in writing fairies about
> the kind of spams *he* get ?

No.  I am merely stressing that his case is not the norm, why they aren't
the norm and why it is better that he not press the issue.

> So *I* trust his experience *and* yours. They are different. What's
> the matter ?

One is the norm, one is not.  One is based on personal anecdotal
information, the other on years of indirect experience and months of direct
experience with the protocols and procedures at hand.

> Don't you think there is at least *one* spammer in the whole world,
> who knows that better than you ;-)

No.  I have not met such an individual yet.  If there is such an
individual that is addressing each message, he has lost for, as I
demonstrated, the number of messages he sends out is dropped but the order of
a magnitude.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 5:34:40 PM, Claude wrote:
> Nobody told you this is *your* case :-))

No.  OTOH, I am giving advice based on my professional and personal
experience.  I'd rather not have it countermanded by mere personal anecdotes
which run contrary to the established norm of the industry and is, for all
intents and purposes, bad advice to be given.

Regardless of your personal experience, that is not how the majority of
the spammers operate.  By replying and stating "Well, I don't see that" you
cast doubt on my position and damage people's perceptions of the most accurate
way to handle the situation.

In short, while you are speaking for yourself, I am stepping up and
speaking for more than just myself.  Because of that I will repeat what
information my professional experience has given me until such a time that you
realize that you must either come up with more than anecdotal information and
that you are unwittingly causing damage and problems.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[3]: Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Claude,

On Saturday, September 25, 1999, 8:34:40 AM, Claude wrote:

SL>> Friday, September 24, 1999, 11:12:39 AM, Thomas wrote:
>>> I still think that overhead is not necessarily the concern of
>>> spammers. If they want to get the spam out, and it takes 35 minuters
>>> to do so instead of june 1 minute, but the chances are that they are
>>> read, they'll have success. Empirical data says one in 1,000 is a
>>> positive response for them.

SL>> And in that same 35 minutes they could pump out ~120% more addresses.  So
SL>> if 5 is a "good" return, then 690 must be much better.
C> There is a little difference between a post which is *sent* and a post
C> which is *read*.

C> But some actually pay housewives to hand write addresses. Why ?
C> Because they actually know that this seems *personal* snailmail, and
C> a very bigger amount of receivers will open the envelope instead of
C> sending everything in the litter box *before*.

In snailmail, this increases the probability of a positive return from
1 in 1,000 to 1 in (I don't remember, school was a long time ago, I
think it was:) 200.

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using a Celeron-MMX 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 24/09/1999, at 22:32,
Steve Lamb (mailto:[EMAIL PROTECTED])
took a mike and sang on a blues tempo:

SL> Friday, September 24, 1999, 1:05:30 PM, Arunas wrote:
>>  I,  sure, am aware that it takes ALOT less resources when BCCing addresses.
>> However,  as I told before, _I_ am getting only ~5% of spam this way.

SL> *sigh*  Does your experience as a user counter mine as a postmaster of an
SL> entire domain for 6 months?  Where I monitored a system that moved, I would
SL> wager, 100k messages per day?  Did you have a filtering system on said domain
SL> in place that blocked 5-10k spam per day?
May be not, but it seems that *he* has 95% of spam different than
yours :)

>> Today, with leased line, sending 50MB of info is matter of minutes, if not
>> seconds, therefore this is not and couldn't be a problem.

SL> That is not how a spammer operates.
Do you think all the spammers *must* operate the same way ?
That is not haw your spammers operate, but, well, why an other one
couldn't do that ?


SL> Incidentally, the 10-20
SL> pieces I see per day across all my accounts, very few are directly addressed.
SL> Please, just trust me on this.
Why does someone may not trust you ? You've nothing to earn lying, I
think, and your "" post proved that you know the point.
But why don't you trust the others ?
Do you think there's any interest for Arunas in writing fairies about
the kind of spams *he* get ?

SL> While you're talking your experience I am
SL> talking about my job for 6 months and my continuing involvement in the
SL> industry spammers exploit.
So *I* trust his experience *and* yours. They are different. What's
the matter ?

SL> I had to, and do know how spammers operate, what the technical side of
SL> the matter is, what measures are being taken and the relative strengths and
SL> weaknesses of each.
I'm very sure of that.
Don't you think there is at least *one* spammer in the whole world,
who knows that better than you ;-)



-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
Seul l'impensable peut être créé - Maître Claude.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 24/09/1999, at 22:38,
Steve Lamb (mailto:[EMAIL PROTECTED])
regrouped the troops and said:

Anti-spam filters (was:Re[5]: List Administration Note) 

SL> Friday, September 24, 1999, 11:12:39 AM, Thomas wrote:
>> I still think that overhead is not necessarily the concern of
>> spammers. If they want to get the spam out, and it takes 35 minuters
>> to do so instead of june 1 minute, but the chances are that they are
>> read, they'll have success. Empirical data says one in 1,000 is a
>> positive response for them.

SL> And in that same 35 minutes they could pump out ~120% more addresses.  So
SL> if 5 is a "good" return, then 690 must be much better.
There is a little difference between a post which is *sent* and a post
which is *read*.

I think that, when a commercial company send me its "snailspam", they
may print a lot more addresses with an ink-jet or a laser printer than
by hand, don't you think so ? And most of them actually use huge quick
printer to do the job.

But some actually pay housewives to hand write addresses. Why ?
Because they actually know that this seems *personal* snailmail, and
a very bigger amount of receivers will open the envelope instead of
sending everything in the litter box *before*.

*Some* spammers may have the same idea. And, for *some* of us (not me,
at this time), they are more numerous than the standard ones.

It is possible that they share the addresses of their targets, so,
when one begin to individually spam you, all the family act the same
way some time after. And this may give, to this particular address,
more 'TO' spam than 'BCC' spam.

Nobody told you this is *your* case :-))



-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
...au pire, [le monde] est l'image réfléchie 
de nos fantasmes et de nos souhaits - MJB.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.
<mailto:[EMAIL PROTECTED]>
--

Re[3]: Anti-spam filters (was:Re[5]: List Administration Note)

[Claude]

Hi, all,
On 24/09/1999, at 20:12,
Thomas Fernandez (mailto:[EMAIL PROTECTED])
as the numerous people stopped applausing, told them:

F> I know that a mail
TF> from "Svetlana, the Russian Beauty" will be spam,

Really :-(

Did u know that, writing that, u was braking me poor little heart.
Cruel world. No more hope, no more love. Life is too hard.

;-)

-- 
Best regards,

Claude.
mailto:[EMAIL PROTECTED] 

Thought of the day (randomly french or english)
...au pire, [le monde] est l'image réfléchie 
de nos fantasmes et de nos souhaits - MJB.

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 11:12:39 AM, Thomas wrote:
> I still think that overhead is not necessarily the concern of
> spammers. If they want to get the spam out, and it takes 35 minuters
> to do so instead of june 1 minute, but the chances are that they are
> read, they'll have success. Empirical data says one in 1,000 is a
> positive response for them.

And in that same 35 minutes they could pump out ~120% more addresses.  So
if 5 is a "good" return, then 690 must be much better.

> This was very educational, thanks. But how does this help the machine
> to tell spam from legit mail?

It doesn't.  That is the point.  All of the spam filtering is on the
technical specifications.  Even the points I made on my filter are on
technical patterns and leave the final judgement to the end user.

However, the whole reason I wrote that message was to educate people on
exactly how mail works, what steps ISPs normally take, why they take them and,
mort importantly, what steps they most likely will not take.  I was, and still
am, trying to quell FUD from various sources who aren't informed in the
operations of email in any capacity and are, for all intents and purposes,
guessing.

> I have to say that I started following Leif Gregory's "How to avoid
> spam" and have forwarded spams to the "root@" of all domains that I
> could find in the headers, and the number of spams have decreased
> tremendously.

And the number of Postmasters who are pissed at you have increase
tremendously.

> I believe spammers have a list, equivalent to ORB, that lists email
> addresses known as "hostile" and have me taken off most their "One million
> email adresses" I got offered earlier.

Hmmm-mmm, they don't, trust me.  Considering the number of bounces they
generate and the fly-by-night tactics they use they really don't *CARE* if
someone is hostile.  The whole economics of it is that they know they are
going to be shut down in ~1-2 hours anyway and are willing to lose a small
modicum of cash to get as many addresses out as possible.  Good addresses,
bad addresses, friendly addresses, hostile addresses all are nothing.
Addresses, pure and simple.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 1:05:30 PM, Arunas wrote:
>  I,  sure, am aware that it takes ALOT less resources when BCCing addresses.
> However,  as I told before, _I_ am getting only ~5% of spam this way.

*sigh*  Does your experience as a user counter mine as a postmaster of an
entire domain for 6 months?  Where I monitored a system that moved, I would
wager, 100k messages per day?  Did you have a filtering system on said domain
in place that blocked 5-10k spam per day?

> Today, with leased line, sending 50MB of info is matter of minutes, if not
> seconds, therefore this is not and couldn't be a problem.

That is not how a spammer operates.  Getting a leased line set up costs a
few hundred dollars.  Even a cable connection costs a good $100.  Why set
those up when they are going to be shut down in about a day.  It is not
profitable.  They get an account at the large national providers with bogus
names and send spam out through open relays.  They cram as much as they can
through before they are shut down.  When that happens, the get another account
elsewhere and continue.  You can get dial-up connections about once an hour.
You'd be lucky to get ISDN/DSL/Cable/Leased line/Etc once a week.

> [EMAIL PROTECTED], second one from [EMAIL PROTECTED] - note
> different numbers. They are surely doing this to make filtering more
> difficult. This indirectly confirms my thesis of the progress in their mail
> clients and 'preparing' each mail individually.

No, it confirms that each run they change the address.  The spam that I
see across my personal accounts and the several work accounts are often sent
out 2-3 times because of duplicate addresses in the list.  Some have different
from addresses, some don't.  Those that do only have software that changes the
address every run or every few thousand addresses.  Incidentally, the 10-20
pieces I see per day across all my accounts, very few are directly addressed.
Please, just trust me on this.  While you're talking your experience I am
talking about my job for 6 months and my continuing involvement in the
industry spammers exploit.

I had to, and do know how spammers operate, what the technical side of
the matter is, what measures are being taken and the relative strengths and
weaknesses of each.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Arunas Norvaisa]

On Thursday, September 23, 1999, 22:59:49 PM +0200, Steve Lamb <[EMAIL PROTECTED]>
composed profoundly about 'Anti-spam filters (was:Re[5]: List Administration Note)':

SL> In short, the way that spammers operate, they aren't going to put the
SL> address in there with everyone else's since it doesn't put the ad up front and
SL> it increases the size of the data block.  They aren't going to address them
SL> individually because that requires them to send the data block once for each
SL> individual message.  If you are getting hit by spammers that do that, rest
SL> assured that they are newbie script kiddies who will get caught in short order
SL> and most likely never do it again.  Those who do it repeatedly, however, will
SL> not do it that way and those are the ones that will spam you multiple times on
SL> different ads.

 Steve,

 I,  sure, am aware that it takes ALOT less resources when BCCing addresses.
However,  as I told before, _I_ am getting only ~5% of spam this way. Today,
with leased line, sending 50MB of info is matter of minutes, if not seconds,
therefore  this  is  not  and  couldn't  be  a  problem.  What  I've noticed
additionally:  spammers  are changing their email addresses on the fly, with
each  individual  mail.  It's  quite often for me to get few same spams with
interval   of   few   minutes,   first   of   which  came  from,  let's  say
[EMAIL PROTECTED],  second  one  from  [EMAIL PROTECTED]  - note
different  numbers.  They  are  surely  doing  this  to  make filtering more
difficult.  This indirectly confirms my thesis of the progress in their mail
clients and 'preparing' each mail individually.



--
   Greetz, Arunas Norvaisa - Little Guy, The Masses Inc.
Composed in Kaunas, Lithuania on Friday, September 24, 1999 22:05 +0200
Best file compressor around: DEL *.* (100% compression!)



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.
<mailto:[EMAIL PROTECTED]>
--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Steve,

On Saturday, September 25, 1999, 12:24:48 AM, Steve Lamb wrote:

SL> To Ron:
SL>  Most likely not, the overhead is too high.  When running on a short time
SL> frame are you really going to cut your throughput by 90+% just on the off
SL> chance that some ISPs may be filtering in a very restrictive manner?  No.

I still think that overhead is not necessarily the concern of
spammers. If they want to get the spam out, and it takes 35 minuters
to do so instead of june 1 minute, but the chances are that they are
read, they'll have success. Empirical data says one in 1,000 is a
positive response for them.

>> That puts subscribed to announcements type mail and user discussion list
>> type mail at risk since all these types of mail are not addressed
>> directly to anyone.  These would get filtered out.

SL> To Ali:
SL> This is not true.

I agree with this. I have a filter putting posts from TBUDL into this
folder, and I could have another one saying that mail not addressed to
me .AND. not addressed to TBUDL is spam.

SL> 

This was very educational, thanks. But how does this help the machine
to tell spam from legit mail? I don't think there is a way, since it
is the *content* of a mail that makes it a spam. I know that a mail
from "Svetlana, the Russian Beauty" will be spam, and I know that a
subject "Want to get rich quickly?" is a spam, but my machine does
not.

I have to say that I started following Leif Gregory's "How to avoid
spam" and have forwarded spams to the "root@" of all domains that I
could find in the headers, and the number of spams have decreased
tremendously. I believe spammers have a list, equivalent to ORB, that
lists email addresses known as "hostile" and have me taken off most
their "One million email adresses" I got offered earlier.

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using a Celeron-MMX 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Friday, September 24, 1999, 6:23:51 AM, Ali wrote:
> On Friday, September 24, 1999, 8:18:56 AM (-5 GMT), Ron scribbled:
>> Yes, I'm getting a lot more spam addressed to me individually
>> recently.  I'd say that half is now addressed to me directly.  My
>> guess is that some spammers have found that people (or
>> ISPs) are filtering out messages not addressed directly to individuals,
>> so they are doing this to get around that (even if it increases their
>> overhead).

To Ron:
 Most likely not, the overhead is too high.  When running on a short time
frame are you really going to cut your throughput by 90+% just on the off
chance that some ISPs may be filtering in a very restrictive manner?  No.

> That puts subscribed to announcements type mail and user discussion list
> type mail at risk since all these types of mail are not addressed
> directly to anyone.  These would get filtered out.

To Ali:
This is not true.



Email is like snailmail in that the contents of the mail has little
bearing on the routing of the mail.  So let me explain how email works by
drawing an analogy to snailmail.

When you write a letter to a fried, CC it to another and BCC it to a
third in snailmail, here is the process.  You write the letter.  In the letter
you have your greetings, body, signature, a little thing to denote a CC.  You
write/print it out three times, place it in three separate envelopes, and drop
them in the post office box.  The post office then looks at the envelope,
postmarks the stamp, sends it to the right post office for delivery.  That
post office looks at the envelope, snds it to the letter carrier on the right
route who looks at the envelope and drops it off at the right house.  Each
person then opens up the letter and reads what is written.  Two seeing that it
was sent to two people, the third seeing he was BCC'd.

When you write an email to a friend, CC it to another and BCC it to a
third in email, here is the process.  You write the letter.  In your client
you tell it to send it TO one, CC it to another and BCC it to a third.  You
write the body, it appends the signature.  You tell it to send.  *It* is the
one that decides how to divide it up, if needed, and send separate copies if
needed (only when content is different).  It then sticks it into an envelope
that you never see and fires it to the SMTP server you've got configured.  The
SMTP server is like the post office, it looks at the envelope, postmarks it
with a Received line and fires it off to the other end.  That end looks at
the envelope and drops it in the right mail box.  Then your friends respective
email clients use (most likely) POP3 to retrieve the letter.

Here's the important part, the headers we see are not the address
information, they are part of the body.  IE, they are not the envelope and
aside from information are pretty much there for humans only in the bulk of
today's email structure.  So where is the envelope that I am talking about?

Well, earlier I had posted a joke message that contained a fake SMTP
session.  Here it is again.  I won't post the whole body of the message.

-
helo rpglink.com
mail from: [EMAIL PROTECTED]
rcpt to: Chris Adams <[EMAIL PROTECTED]>
data
From: Steve Lamb <[EMAIL PROTECTED]>
To: Chris Adams <[EMAIL PROTECTED]>
Subject: Groking SMTP
Date: Mon Sep 13 16:21:40 PDT 1999 (-0700)

Oh, trust me, I know quite well how easy SMTP is to use.  I also know POP3
-

From helo to data is the envelope of the message.  The From line to the
Date line are the header.  After that is the body.  SMTP data blocks are ended
with a single period (.) without anything else on the line.

On the helo line the SMTP server checks the IP of who is connecting it and
does a reverse lookup.  Most places will allow email through even if the
domain in the "helo" line does not match the domain that it is coming from.
Most servers, however, will not allow mail from a machine that it isn't
configured to accept mail from and it goes by the IP *only*.  It then uses the
"mail from" line as another basic check.  Some SMTP servers will allow mail
from the outside world even if it isn't from a configured IP.  Finally, the
"rcpt to" line is used to know where to send the mail to.  If the user is
local, the mail is generally accepted.  If it isn't, then it is considered a
relay and the machine sending it must be on the authorized list of IPs to send
it.

All of that information goes into the Received line prepended to the data
block.  Here is an example of a Received line from my SMTP server on a message
I sent to TBUDL from work.

Received: from antelope.it.earthlink.net [207.217.90.52] (morpheus) by
rpglink.com with esmtp (Exim 3.03 #1 (Debian)) id 11UENp-0001wX-00; Thu, 23 Sep
1999 12:18:21 -0700

My machine is antelope.it.earthlink.net and its IP follows.  I claimed to
be morpheus from that machine.  It was received by rpglink.com using the esmtp
protocol running Exim 3.03, package buil

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Ali Martin]

Hi all,

On Friday, September 24, 1999, 8:18:56 AM (-5 GMT), Ron scribbled:

> Yes, I'm getting a lot more spam addressed to me individually
> recently.  I'd say that half is now addressed to me directly.  My
> guess is that some spammers have found that people (or
> ISPs) are filtering out messages not addressed directly to individuals,
> so they are doing this to get around that (even if it increases their
> overhead).

That puts subscribed to announcements type mail and user discussion list
type mail at risk since all these types of mail are not addressed
directly to anyone.  These would get filtered out.

Virtually all the spam that I get is not addressed directly to me.

-- 
Regards,
 -=Ali=-   

   >>> Of all the things I've lost, I miss my mind the most. <<<
*---*
 Using The Bat! 1.36 Beta/4 on Windows NT 4.0 (Service Pack 5)
*---*

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re[2]: Anti-spam filters (was:Re[5]: List Administration Note)

[Ron]

On Thursday, September 23, 1999, Arunas Norvaisa <[EMAIL PROTECTED]> wrote:
>  This  was  true  perhaps 6-8 months ago. I don't know what kind of spam you
> are   getting,  but  mine  is addressed to me (well, 95 mails out of 100).

Yes, I'm getting a lot more spam addressed to me individually
recently.  I'd say that half is now addressed to me directly.  My
guess is that some spammers have found that people (or
ISPs) are filtering out messages not addressed directly to individuals,
so they are doing this to get around that (even if it increases their
overhead).

Ron
[EMAIL PROTECTED]

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Syafril Hermansyah]

Hello Steve Lamb,

On Friday, September 24, 1999, 2:17:08 AM you told us:

Great Explanation Steve!

Now  I  will  share  how  do  I  identify  spam  and create anti-spam,
especially for Dial Up User.

TF>> Now,  how  do  you actually set the filter to identify spam, i.e.
TF>> make TB tell it apart from legitimate mail?

Long time ago, before I can't "read" message header well; I ask to the
Maillist  or  someone  who I guess have capability to read the message
header well (I was prefering send it to Postmaster of my ISP).

With this approach, I will know who done it.

I  noticed,  if  the  spammers  came  from individuals, it's simple to
counter;  just  make filter as Steve or Leif mentioned. The problem is
if  the spammers came from List Processor or he/she using telnet trick
via open Relay Mail Server,

At  first,  I  sent  message  to spammers (if I do not want to receive
further  msg  from him), if no answer; sent msg again to list owner or
[EMAIL PROTECTED] (domain.com = the mail domain of the spammers).

Then, if the spammers keep spam me, I do as follow :
- Create filter to filter out message from Spammers.
- Create  auto  action, redirected those message to non-existent mail
  address (but existent mail domain).

What happen then ?
The  spammers  will  receive  Transient Delivery Failure Message every
4-hours   in   5-days from our ISP Mailer-Daemon (this is standard RFC
for Internet SMTP mail server).

Because  I  have my own Mail Server and I do as Postmaster here, I can
set in my Mail Server to sent bounce message back to the spammers plus
full  message  and  attachment  every 5 minutes for 5-days (actually I
never  do  this, because my Mail Server already equipt with Anti-Spam,
just put the spammers on the list, and my Mail Server do the rest).

Honestly,   even   the  stronght List Server such MajorDomo, ListServ,
Ezmlm, ListBoot give up with these approach.
If  the spam came from Open Relay Mail Server, at least the postmaster
or  Sysadmin  will contact us (or maybe to spam us as well :-)), so at
the end he (postmaster) will knows if his Mail Server have a whole and
will corrected.

Asking  the  spammers  message  header  to  the  Maillist give another
advantage,  other  list member can give you legitimate of the spammers
plus  (commonly) will help us to listed on his Black List Mail Server;
or  (if  still  did)  sent abuse mail to Anti-Spam Organization such :
MAPS-RBL, ORBS etc.

BTW.  I  ever seen someone redirected spam message to the owner of M$,
he  thinks  M$  will  have  good  anti-spam on his system, but I don't
recommend this for you :-)

-- 
- syafril -


Name: Syafril Hermansyah | Company : Duta Integrasi Pratama 
Mailto  : [EMAIL PROTECTED]  | Voice   : (62) (21) 385-1600
URL : www.dutaint.co.id  | FAX : (62) (21) 351-9241  



I am using The Bat! 1.36 Beta/4  at
Windows NT Workstation 4.0 built 1381, Service Pack 5
Created : Friday, September 24, 1999, 9:52:35 (GMT + 07:00)



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Thursday, September 23, 1999, 1:32:39 PM, Arunas wrote:
> This was true perhaps 6-8 months ago. I don't know what kind of spam you are
> getting, but mine is addressed to me (well, 95 mails out of 100). I think
> this is because their mailagents are getting updated and are capable of
> addressing each mail individually. The most constant thing, appeared lately
> in spam messages, is senders address with some erratic numbers, some- thing
> like: [EMAIL PROTECTED] And this is possible to filter using
> procmail (I hope you, being *nix specialist, don't need further
> instructions..).

It is still true today.  Here's why.  If they are addressing the message
individually but not doing so with a huge to/cc they are sending the body of
the message for each address on their list.  So give, say, a list of 5,000
addresses and a spam message that is, oh, 1k long.  That is 5,000k or just shy
of 5Mb.  Call it 5Mb for a nice round number (the extra is made up in headers,
for example).  So, to transfer out that an SMTP connection is made and it goes
through the motions mail from, rcpt to, data, close, repeat.  On a 56k modem
it would take ~35 minutes to transfer all that data.

Now, make it a BCC list.  Same 5000 messages.  An SMTP connection is made,
mail from goes through, then 5000 rcpt tos, one data, one close, that's it.
Notice the difference, the data is passed over that link only once.  So now
instead of transferring the 1k of data 5000 times with the 5000 addresses, you
just transfer the 5000 addresses and the SMTP server then divvies it up as
needed.  Net savings is that you go from ~5Mb down to, oh  HMMM, well...
50k, maybe?  All of 1 minute on a 56k modem.  Or to put it another way, given
the average length of an address at a whopping 40 bytes (liberal, really), you
could send 131000 spam in the same time as sending the data block to 5000
customers.

In short, the way that spammers operate, they aren't going to put the
address in there with everyone else's since it doesn't put the ad up front and
it increases the size of the data block.  They aren't going to address them
individually because that requires them to send the data block once for each
individual message.  If you are getting hit by spammers that do that, rest
assured that they are newbie script kiddies who will get caught in short order
and most likely never do it again.  Those who do it repeatedly, however, will
not do it that way and those are the ones that will spam you multiple times on
different ads.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Arunas Norvaisa]

On Thursday, September 23, 1999, 21:17:08 PM +0200, Steve Lamb <[EMAIL PROTECTED]>
composed profoundly about 'Anti-spam filters (was:Re[5]: List Administration Note)':

SL> Thursday, September 23, 1999, 10:49:59 AM, Thomas wrote:
>> Now, how do you actually set the filter to identify spam, i.e. make TB
>> tell it apart from legitimate mail?

SL> Spam basically has one constant, they are usually large BCC lists because
SL> spammers learned early on that people won't page through hundreds or thousands
SL> of addresses in the TO or CC fields to get to the actual advertisement.  It
SL> quickly became a marker of spam.  They want their advertisement front and
SL> center in the smallest package possible to get it in front of your eyeballs
SL> before you have a chance to delete it.

 Steve,

 This  was  true  perhaps 6-8 months ago. I don't know what kind of spam you
are   getting,  but  mine  is addressed to me (well, 95 mails out of 100). I
think  this  is because their mailagents are getting updated and are capable
of  addressing  each  mail  individually.  The most constant thing, appeared
lately in spam messages, is senders address with some erratic numbers, some-
thing  like:  [EMAIL PROTECTED] And this is possible to filter
using  procmail  (I  hope  you,  being  *nix  specialist, don't need further
instructions..).

 Good luck !


--
   Greetz, Arunas Norvaisa - Little Guy, The Masses Inc.
Composed in Kaunas, Lithuania on Thursday, September 23, 1999 22:23 +0200
Hey look, guys! Its Hillary! The b...  -- Famous Last Words



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.
<mailto:[EMAIL PROTECTED]>
--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Steve Lamb]

Thursday, September 23, 1999, 10:49:59 AM, Thomas wrote:
> Now, how do you actually set the filter to identify spam, i.e. make TB
> tell it apart from legitimate mail?

The one that I use which is actually quite simple takes some time to set
up but once done it works fine.  It also takes a bit to understand how it
works, so I'll try to explain as best as I can.

Spam basically has one constant, they are usually large BCC lists because
spammers learned early on that people won't page through hundreds or thousands
of addresses in the TO or CC fields to get to the actual advertisement.  It
quickly became a marker of spam.  They want their advertisement front and
center in the smallest package possible to get it in front of your eyeballs
before you have a chance to delete it.

What all that means is that the messages are rarely addressed to you
directly *or* have any of the markers of mail that is destined to you.  Those
markers are either your email address in the to/cc field (IE, direct
addressing), from people that you know (normally associated with direct
addressing) and either to/cc'd or bcc'd to a list you're on.  The last one is
the tricky part.

I think that most people who use TB filter out mailing lists into separate
folders.  These filters will activate and then stop.  This forms the bases of
the spam filtering system.  You simply create filters for everything that you
may get.  It sounds like a lot of work, but if you're already filtering out
email lists, it is mostly over.


Step 1: Filter your email lists out and have those filters stop.

I'm not familiar enough with TB's internal filtering to say what is the
best way to filter mailing lists specifically, but in general, it is best to
filter on the "sender" header.  That header tells you who sent the mail and
all reputable mailing lists will put in the list owner as the sender.  For
example, here is the sender for this list:

Sender: [EMAIL PROTECTED]

Filter on that string and you will get list mail into the list folder.
Mail not for that list will not.  This will work better than to/cc/subject
filters because it will only catch mail from the list server.  The others will
catch mail which may be directed to you and CCd to the list, have the subject
of the list but be a private message, or miss it in the case of a BCC.  The
last point is the important one.


Step 2: Filter out anyone that *may* send you BCC mail.

I generally put on close friends and relatives to this filter.  It just
leaves mail in the inbox but stops filtering.


Step 3: Filter out anything that is directly addressed to you.

Again, spammers don't directly address anything.  It takes to long for
individual messages and they don't want 20k worth of headers that people will
not skip past.  That is why you see things like "[EMAIL PROTECTED]" and such.
So, if it is addressed directly to you, chances are it really is to you.  Stop
filtering again.


Step 4: Create a filter that is after all other filters.  If it hits this
filter, move the message to a spam folder.


So here are the 4 steps in something of a logic diagram?

Is it from a list?  If yes, stop.  If no, continue.
Is it from someone I know?  If yes, stop.  If no, continue.
Is it directly addressed to me?  If yes, stop.  If no, continue.
Possible spam, move to a separate folder.

When I was beta testing for PMMail in '97 I developed that series of
filters.  In the time that I used them from late '97 to early '99, about a
year and a half, I saw *maybe* a grand total of 10 spam ever hit my inbox.
That is less than 1 a month.  During the same time frame it would catch an
average of 3-5 a day.  Furthermore, *all* false hits were because I had not
added a filter for a mailing list when I signed up for it.  IE, operator
error.  So the end result, using the rough estimates is 2190 spam blocked in
15 months, 10 let through, for a total blockage of 99.54% of all spam to my
account with a 0% false-hit rate when you remove those due to my own laziness
(which is why I filtered to a folder, not straight to the trash).

TB does offer something nice that PMMail does not which is the ability to
limit the contents of a folder by age and/or a message number limit.  What you
can do is create a spam filter to move all the hits into, set it to delete
after 14 days, and let it sit.  Check it once a week for false-positives
(trust me, easier to look for legit mail in a sea of spam than the reverse)
and let TB take care of deleting them for you.

Of all the methods of blocking spam that I have seen over the years, this
is the one that I advocate the most.  Not because I came up with it (albeit
independently, I'm not saying I'm genius enough to be the only person to think
of it) but because it places the responsibility and control in the hands of
the end user.  I've worked for ISPs for over three years now.  I had a six
month stint as a postmaster at a regional ISP.  I really don't like the idea
of t

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Ali Martin]

Hi all,

On Thursday, September 23, 1999, 1:19:01 PM (-5 GMT), Marck scribbled:


> As  Steve  Lamb  pointed out in his reply, it is fairly academic since
> spammers  are  very briefly lived members of the community. However, I
> personally manually drag an offending message to the Anit-Spam account
> and  hit  reply. Even with a web presence and membership of many other
> lists,  I  see  very  little  spam  traffic and usually follow up each
> offence - reporting to the abused host and getting the culprit ousted.
> The Anti-Spam bounce *has* worked for me a couple of times though.

Aren't discussion lists private as TBUDL and TBBETA are? Public posting
of archives is a different thing isn't it. Be that as it may, I'm just
now enjoying some relative piece from spam since unsubscribing from a
couple usenet groups.

-- 
Regards,
 -=Ali=-   

   >>> Oxymoron: Reinvent. <<<
*---*
 Using The Bat! 1.36 Beta/4 on Windows NT 4.0 (Service Pack 5)
*---*

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Re: Anti-spam filters (was:Re[5]: List Administration Note)

[Marck D. Pearlstone]

On 23 September 1999 at 18:49, [EMAIL PROTECTED] told the list:

TF>>> The only spam filter I could think of is a kill filter for
TF>>> messages addressed to [EMAIL PROTECTED] I'd appreciate some tips.

MDP>> There was a posting to the old list from Leif Gregory which detailed a
MDP>> 'Hard Core' solution to spam handling.

MDP>> .. and here is the content of that missive (a bit big, but worth it).
TF> [...]

TF> That was quite some idea. Thanks.

TF> Now, how do you actually set the filter to identify spam, i.e.
TF> make TB tell it apart from legitimate mail?

As  Steve  Lamb  pointed out in his reply, it is fairly academic since
spammers  are  very briefly lived members of the community. However, I
personally manually drag an offending message to the Anit-Spam account
and  hit  reply. Even with a web presence and membership of many other
lists,  I  see  very  little  spam  traffic and usually follow up each
offence - reporting to the abused host and getting the culprit ousted.
The Anti-Spam bounce *has* worked for me a couple of times though.

Cheers,
Marck
-- 
Marck D. Pearlstone, Consultant Software Engineer
Co-moderator TBUDL / TBBETA discussion lists
www: http://www.silverstones.com
PGP key: 
-
Using The Bat! 1.36 Beta/4
under Windows 98 4.10 Build 1998  

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--

Anti-spam filters (was:Re[5]: List Administration Note)

[Thomas Fernandez]

Hallo Marck,

On Friday, September 24, 1999, 1:30:53 AM, Marck D. Pearlstone wrote:

TF>> The only spam filter I could think of is a kill filter for
TF>> messages addressed to [EMAIL PROTECTED] I'd appreciate some tips.

MDP> There was a posting to the old list from Leif Gregory which detailed a
MDP> 'Hard Core' solution to spam handling.

MDP> .. and here is the content of that missive (a bit big, but worth it).
[...]

That was quite some idea. Thanks.

Now, how do you actually set the filter to identify spam, i.e. make TB
tell it apart from legitimate mail?

-- 

Cheers,
Thomas mailto:[EMAIL PROTECTED]

Message reply created with The Bat! 1.36 Beta/4
under Chinese Windows 98 4.10 Build 1998  
using a Celeron-MMX 366 Mhz, 128MB RAM



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To Unsubscribe from TBUDL, click below and send the generated message.

--