Markus, my foggy memory tells me that Country-Chain was designed to be
US-centric, and is designed to trigger on suspicious routing for, say,
"US -> Brazil -> US".
It wasn't designed to figure out the destination country and work
backwards, nor was it designed to merely count the number of countri
You'll want to read up on the IPBYPASS directive that would go in your
declude.cfg
e.g.
IPBYPASS 65.39.182.251
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Wednesday, March 23, 2005 11:13 AM
To: Declude.JunkMail@declude.com
Sub
EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 21, 2005 2:56 PM
To: [EMAIL PROTECTED]; Colbeck, Andrew
Subject: Re: RE: [Declude.JunkMail] OT: Help with AOL Filtering Bulk
Mail for a Client
Colbeck, Andrew,
This is Joseph Trimboli, System Administrator, Cyberlink, Inc. I am
ru
I've never seen this problem before.
There are certainly a lot of URLs in that message. Do you know somebody
with an AOL address that you can use as a test subject? Do a binary
search, and cut the message in half. Send the message and repeat until
you've succeeded in sending the message, in whi
ge-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, March 08, 2005 4:25 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Legit Ebay message failing spamdomains
Thanks for the heads-up, Markus.
Based on that, I've added a coun
Thanks for the heads-up, Markus.
Based on that, I've added a counterweight for them in my system for
their /19 subnet.
http://www.senderbase.org/search?searchString=216.113.168.141
REMOTEIP -20 CIDR 216.113.160.0/19
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PR
Keith, you've got 3 things going on here:
1) RFC compliance. Maybe it's a requirement, maybe not. I think RFC
compliance is a red herring. Both sides are not playing nice.
2) .local isn't a legitimate Internet domain; there are legitimate extensions
recognized as being private, like .test
3
END IS mybackupmxiphere
That it would end at that point if the message was received from my
backup MX.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Beh
Listed in the global.cfg how, John?
I'm assuming that you use IPBYPASS, so I'm wondering how the question
came up...
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Sunday, March 06, 2005 11:59 PM
To: Declude.JunkM
Chipping in my two cents, I'd say you've received excellent advice for
tuning Declude so far.
As a busy sysadmin myself, I'll add some less specific "advice from the
field". Hopefully others will see fit to add their observations.
Go with the weighted system.
You're busy, but resist the urge to
(Pete isn't here much)
I remember this thread from a long time back. Message Sniffer doesn't
take any particular efforts to lock the log file to prevent collisions.
And he agreed that Microsoft Windows had the nasty habit of not always
serializing writeln statements to a text file.
Scott wasn't
I had the opposite experience. Back at, oh, 1.7x I ran on LOGLEVEL
HIGH, and had lots of log corruption. I had to drop down to MID. The
increase in spam volume made it such that at MID, I had lots of log
corruption again.
With 2.x and the lines being written in a batch, I noticed an immediate
d
Indeed. Hypothetically, of course, one could add these lines to a
filter:
#Sep-12-2003 AC The ISP everyone loves to hate, always has a weight of 8
due to NOABUSE:3 NOPOSTMASTER:3 IPNOTINMX:2
#Sep-23-2003 And is always on someone's shit list; added another 10
to the counterweight
#Feb-28-200
Sure thing, Dan.
IMail always retries at 10 minute intervals, so you set the duration of
the retries by multiplying out the value at: localhost, Services, SMTP,
"x tried before returning to sender".
If you want more flexibility, invest the time to implement Microsoft
Windows Server IIS SMTP for y
Well, John. I'm sure that's a rhetorical question, but I'm feeling a
little chatty while I listen to hold music.
SpamCop and pretty well every other blacklisting service make no
allowance for how much good mail is coming from an IP address. They
only do blacklisting.
The funny thing is that sin
True, dat.
Most of the high-tech business is in Vancouver and Victoria, which are the biggest
cities in BC.
The Vancouver Stock Exchange was scrapped after a decade of scams perpetrated on it;
in a nutshell, investors were not protected and disclosure rules were far more
I've noticed quite a few spams, possibly from the same outfit, that are including an
old date in the header, which is possibly static:
Received: from minusplus.com [83.195.193.238] by
mail.bentall.com (SMTPD32-8.14) id A3013C2E00CE; Sat, 26 Feb 2005
15:15:13 -0800
Date: 1 De
Goran and Scott... John probably hit the nail on the head. I was going
to make the same comment, actually.
Since you have the message, turn on HIGH or DEBUG level logging and send
the message to yourself.
I bet that there are other tests in that same filter file that are
triggered, and that the
be held.
Kevin Bilbee
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Colbeck,
> Andrew
> Sent: Wednesday, February 23, 2005 5:39 PM
> To: Declude.JunkMail@declude.com
> Subject: RE: [Declude.JunkMail] SmarterMail Held email
Well, I guess our goals differ.
So although with IMail+Declude you can re-queue without scanning (your
way) as well as re-queue with scanning (my way), I choose to re-queue
with scanning AND fix the reason why the message was held.
Re-queuing with scanning forces me to fix it, and I also try to f
I don't know anything about how SmarterMail works, so let me take a
different angle on this question.
I never simply re-queue for delivery a message that was held. I always
re-queue such that Declude would scan it again.
Which implies that I must also do something about my Declude
configuration
I understood the lingo. Others have used similar notation and asked
similar questions on the list.
After checking out the webpage, I did remember something about this.
Another guy tried the same thing years and years ago, with alter.net
(?); he argued that Network Solutions (the only registrar a
In similar circumstances, I had the same problem with IMail and
SimpleDNS Plus; of the two, I narrowed it down to just IMail being
broken, i.e. that IMail would try to deliver to secondary MX records of
its own accord.
I would see long delivery times, for example to HotMail & MSN to name
names.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19276
Ref: SBL19276
200.80.64.0/30 is listed on the Spamhaus Block List (SBL)
08-Sep-2004 05:10 GMT | SR02
widenmywallet.com
widenmywallet.com MX 10 mail.widenmywallet.com
widenmywallet.com NS ns1.widenmywallet.com
widenmywallet.com
stopped. No software firewall, we use
SonicWall.
Thanks,
Chris Patterson, CCNA
Network Engineer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, February 17, 2005 12:17 PM
To: Declude.JunkMail@declude.com
Subject: RE
Chris, Declude is not the culprit. Your IMail installation likely has
syslog turned on. Check your IMail Administrator under localhost,
Services, and see if Syslogd is running.
Barring that, do you have a personal firewall installed that may need
you to approve Kiwi to use network services?
And
... and the current version. I should note that with a new
counter-counter section at the top, I'm seeing very few false positives.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, February 17, 2005 6:26 AM
To: Declu
I can add a few bits.
Packeteer.com and Net-Reality.com both have swissarmy-like products that
will fit the bill, but they don't come at a pricepoint that fits your
budget. If their licencing scheme fits, and you can get a bargain on eBay,
I'd recommend them. And they do w
That is an interesting site; for hardening up a specific user's IE on a
specific machine, I like: SpywareBlaster from
http://www.javacoolsoftware.com
It won't stop the user from going to a "bad website", but will help that
IE from getting infected with junk. I believe SpywareBlaster is free
for p
For your configuration, you've got it exactly, Matt. Allow me to
explain it a different way:
The Relay for Addresses is to allow specific hosts to send mail to your
IMail server and have that IMail server deliver the message to the
Internet (i.e. addresses that are not on your IMail server).
The
I suggest "Management by Walking Around".
Software isn't the solution. People can goof off in all kinds of ways,
not just from IM, email, or websurfing.
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick
Childers
Sent: Tuesday, February 1
d it would be rather
straightforward to code.
Matt
Colbeck, Andrew wrote:
>Pete I agree with you. Graylisting or greylisting would be a great add
>on to Declude.
>
>I've hoped for this in an MTA, but it doesn't look like CPHZ will go
>that way, and since Ipswitch only ad
That's another thing I want to see in a "next generation" MTA; I want to
incrementally punish a message that is destined for multiple addressees
who are not in my address book.
Right now, I can manually do it because I have a gateway scenario, so
all addresses are currently allowed by the MTA. I
I meant to also add that I recently had many hours of planned downtime
on my MTA in my absolute lowest ham window - late Saturday evening
through early Sunday morning. I saw very little spam increase once the
MTA was back up.
This tells me that the spammers have not yet implemented full MTAs that
Pete I agree with you. Graylisting or greylisting would be a great add
on to Declude.
I've hoped for this in an MTA, but it doesn't look like CPHZ will go
that way, and since Ipswitch only adopts antispam measures that Declude
already has, it won't be coming from them. SmarterMail may well
be m
It's either. You download one InstallShield-style installer, which asks if you
want the automated method, or whether you just want to extract the files to a
folder you specify. I chose the latter; the application then looked like
it was installing, but as promised, all it di
Hello, all.
Aside from the usual Internet Explorer and Office patches, this patch
cycle also includes an update to the October update MS04-035 which
affects a DNS query vulnerability in the SMTP handling in Windows
2000/2003 as well as Exchange 2003.
http://www.microsoft.com/technet/security/bull
Yes, that's the HELO variable.
Your configuration should already be triggering HELOBOGUS on the sample
you provided; if you want to be particular about the problem you
specified
HELO 1 NOTCONTAINS .
would do the trick. You will probably penalize as much spam as ham this
way, though. Lots of m
riginal Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, February 07, 2005 12:51 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] BOUNCEONLYIFYOUMUST is looping on a gateway
Our internal users send mail to a partner domain, bu
Our internal users send mail to a partner domain, but they commonly
misspell that domain and send the mail to a valid domain that is a
completely different party.
Since we have no reason to send mail to that completely different party,
I wrote a Declude JunkMail Pro filter that checked for that do
:)
Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail
Well, Goran, "why" is a big question.
The answer is essentially that the MIME format does not require any
particular adherence to the encoding for any particular file type. The
application/octet-stream format you're seeing is very very common for
"binary" attachments (i.e. not plain text).
The r
It's a very good point Keith (and Dave). I only commented on the OS
licencing; as it is the only software I knew of that
enforces licencing which is CPU dependent.
I've also run into the hyperthreading licencing problem with SQL server, and can
confirm that it is a paper l
I've no comment to offer on the suitability of flavour of Windows 2003 for IMail, but
I can comment on how the Hyperthreading is treated.
On all Windows 2003 servers with hyperthreading enabled, you will see double the number
of physical CPUs in the Task Manager, in the Devi
Kevin, I would suggest that you wait a short while for v2.0 (currently
in beta), as it contains an update to the HOLD command which will let
you specify a path, i.e.
WEIGHT20 HOLD c:\imail\spool\weight20
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTE
You decide, Kim.
If you decide that Message Sniffer is wrong, and you are a licenced
user, then report it to SortMonster as per their false positive
reporting procedure. Perhaps a particular bulk mailer is using a web
bug or some other small bit of text that is the same as a spammer's.
http://ww
I just saw this in the header of a random spam (well blocked, emanating
from Brazil):
Content-Type: text/plain;
charset="iso-%DIGITS%LCVALUES%DIGITS%DIGITS%LCVALUES"
Content-Transfer-Encoding: quoted-printable
The assumption there is that the spammer's software was supposed to
replace tho
Well, I was pretty sure that MyWay and IWon were the same people.
Check out:
http://www.senderbase.org/search?searchString=208.45.133.134
Which shows their reverse DNS are indeed right beside each other, in an
ARIN block registered to "The Excite Network-iWon"
So it looks to me that Excite own
... a decline in the good guys making the MAILFROM some other domain, like the target
addressee itself?
I have a simple filter file called Spoof which triggers when an inbound mail has a
MAILFROM in my domain instead of theirs. Typical
good-but-clueless senders included:
Goran, I have no experience with SmarterMail, but I would generally
suggest that doing your antispam content filtering on a box with which
your end users have direct experience is bad.
In other words, I would suggest always having a gateway configuration,
with your mailboxes on an "internal" serve
Joshua, if I remember correctly, the IMail daily report shows you the
number of messages inbound to your mailserver, but it does not show the
number of recipients.
You may be getting hit with a "dictionary attack". Others on this list
have seen this before in various guises. On my own mailserver
I like CMDSPACE a lot, but find that the false positives are far too high, due to
mainstream software manufacturers' software that triggers it. After trying
it for a short while, I dropped it down to a small weight, and used it only in
combo filters (e.g. CMDSPACE and SNIFFER
I can contribute a complementary test. In this forum we've harangued over
whether SPFPASS is useful and generally agreed that the bulk mail companies
can use it, yet you don't want their mail. Also, that anybody that
implements SPF probably runs their mailserver and DNS conf
Aside from EMERGENCYBYPASS there is another compromise with JunkMail
Pro:
1) Take out the WHITELIST TO statement
2) Add ALLRECIPS -100 IS [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Assuming that you have a weighted system and no tests that have HOLD or
DELETE that this guy would want to see, this will
But, Rick, Postini does a fabulous job of spam and virus control. Just
ask them! You won't need to IPBYPASS them at all.
Andrew (tongue firmly in cheek)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Davidson
Sent: Thursday, December 16, 2004 7:4
FWIW Kami, there is an all_list.dat dated October 1st, 2004 in the "manual
installation" zip file for Declude v1.81, which I recently downloaded from
signing into "My Account" on the Declude.com website.
A few weeks ago I tried the old URLs that were specifically for the in
In the latest version of IMail, 8.14.x they've updated the ISplCln.exe
application so that it actually does what the command line parameters say it
does (previous to this update if you specified one type of cleaning to do,
it would do both anyway, thus throwing your LOGS away when all you wanted
wa
Thanks, Matt. That script contribution is very much appreciated.
I took a look and I'm happy to say that you've set the bar at a new high for
commented code. This mailing list has never seen such riches!
Andrew 8)
p.s. I'll chip in a complementary script of my own.
-Original Message-
F
I agree, Darin.
For the benefit of discussion, there is no "rename" method, just the move.
So the rename should be very fast indeed when the source and target have the
same path. I noted that there was no error checking, so a small loop there
might be useful.
Also, if someone really wanted to do
Darin, as Sandy suggested, using a filter file will probably be more use to
you.
Aside from any issue with nested quotation marks, your existing command
isn't doing for you what you think it's doing.
Right now, it's matching any of the words, not matching the phrase. Take a
close reading of the
One of the current spam tricks (coming from zombies, I think) is to not use
the www. or the http:; here are two examples:
uhpvoegq.portable7attachable[munged].info
irzvu.adventist7announcer[munged].info
and this next technique has become popular, and the messages are so similar
it has to be the s
Sandy, that's a nifty idea. It looks like it got lost in a blizzard of SA
talk, though.
I did a very similar thing the last time we talked about using shells as
external tests. I did much as you're suggesting here, but I used a .cmd
batch file and the GNU utils egrep. After verifying that it wo
Thank you for the "heads up" Barry, your communications are very much appreciated
on this list.
Andrew Colbeck
Bentall Capital LP
-Original Message-
From: Barry Simpson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 7:11 AM
To: [EMAIL PROTECT
One "new" obfuscation behaviour I'm seeing in a non-Declude-protected
account is that the bad guys are typing the URL as h t t p : \ \ instead
of http:// (I've added spaces to evade anybody else's filter) and a
second one where they omit the http:// entirely and just tell the
recipient to paste the
It's also been noted that every time there's a hurricane in Florida, spam drops
considerably.
-Original Message-
From: Michael Jaworski [mailto:[EMAIL PROTECTED]
Sent: Friday, November 26, 2004 10:06 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Vacati
Another consideration in the "distributed dictionary attack" is that it
may simply be viral behaviour from infectees who have multiple
addressees in your domain in their address book or elsewhere on their
hard drive.
There are several viruses that fake the left hand side of the mailfrom
address, w
Yeah, what Pete said!
This is especially true with monster log files being moved around on the same
spindle(s).
And it's a great tip when you want to delete or update a file that is in use,
even if it's running. Rename it, and you're done. I've had to use this tip
many times when patching a
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
The "free" Windows Server 2003 Resource Kit. I use these things all the
time.
It seems weird to shell out of a .vbs script to run a command line tool,
though.
Andrew 8)
-Original M
Yeah, what Matt said.
Chipping in another 2 cents, the "?stderr." in particular I find in bulk
mail as opposed to spam mail, and they are more likely to have a valid
opt-out routine that works like you expect it to work.
I believe that is a built-in feature with Postfix and SendMail.
Andrew 8)
192.0.1/cn=users,dc=bentall,dc=local
mydomain.com mydomain.com
Going for a test ride tomorrow.
Thanks for the aid,
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of Colbeck, Andrew
Sent: Sat 11/13/2004 11:04 PM
To: '[EMAIL PROTECTED]
Thank you for the help, Sandy. It's greatly appreciated, especially at this
late hour.
Andrew 8)
-Original Message-
From: Sanford Whiteman [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 8:53 PM
To: Colbeck, Andrew
Subject: Re: [Declude.JunkMail] [OT] exchange2aliase
ng. Also, I
introduced the alias loop because after failing to get it to work, I cribbed
the idea of the alias from the recent ldap2alias discussion.
Andrew 8(
-Original Message-
From: Colbeck, Andrew
Sent: Saturday, November 13, 2004 8:05 PM
To: '[EMAIL PROTECTED]'
Subject: [D
Sandy, I'm having problems in getting this working on a test machine. I'm
missing some obvious step...
Recap:
My production environment is such that I run IMail+Declude as my gateway, in
front of an Exchange 2000 environment, so I'm a good candidate for using
your exchange2aliases script. We ga
Or if this guy's email address is an indicator of spam
ALLRECIPS 480 CONTAINS [EMAIL PROTECTED]
so if the president of the company and [EMAIL PROTECTED] are in the To:, CC: or BCC:,
the message will still get held or deleted for everyone.
That might be handy for you, but
I give it a small negative weight, and then a big positive weight with the
HIL IP4R test.
I see very little of bad-guy spammers using the Habeas warrant. I also see
very little in the way of useful mailers taking advantage of the warrant.
So from my traffic, Habeas is a failure.
Andrew 8)
For what it's worth, I don't have the Declude Virus product. The Declude
Virus product may catch the IFRAME technique in HTML, but you won't see this
technique in HTML, which is why Dave probably thought it was a useful
heads-up in the antispam forum.
I can add to Dave's description:
Trend Micro
And if you *really* have horsepower to spare (and some of your own time),
implement Sandy's spamc to hook into a SpamAssassin daemon and run SURBL.
Me, I'm waiting for SURBL support in Declude, as the Outblaze and Phishing
URI tests in the multi.surbl.org cover a lot of fresh phishing domains.
An
Well, Glen, there's a LOT more that you could be doing. I see that you've
only put forward the names of built-in tests and IP4R tests. Do you have
Declude Junkmail Lite, Standard or Pro? And have you upgraded to the
current version of the declude.exe application?
The manual is here: http://www.
Yeah, what Matt said.
In my own words: Everybody has a custom configuration, so what works for
them WON'T work for you.
Since you've only just re-joined the list, I'll mention that Markus Gufler
and Pete McNeil have collaborated on the back-end for a nifty graph
indicating just how useful the tes
mber 05, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: expanding beyond one mailhost
Colbeck, Andrew wrote:
>Thanks, everyone.
>
>I was hoping for more war stories, or specific gotchas with more ornate
>configurations, so I'm surprised at the few responses.
Thanks, everyone.
I was hoping for more war stories, or specific gotchas with more ornate
configurations, so I'm surprised at the few responses. For example, I've
noted that IMail has a queuing problem with HotMail advertising MX servers
that don't actually accept mail, or that don't exist, which
An Off Topic thread ...
On various domains I administer, a single point of failure mailhost has been
good enough, but I'm shortly going to add a second host on a second network
for redundancy.
Now, I understand *how* to do that, but what I would like to hear from those
who've been there before me
Keith, I think you've caught a bug in Declude.
I've verified what you found, and I'm enclosing a sample GMail with complete
header (not mangled through a mail client).
What I think Declude is doing is finding the text "subject:" in the domain
keys header, instead of the subject: line that fol
Of course! It's a free country. Oh wait. I'm in Canada.
Andrew 8)
-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT: [EMAIL PROTECTED]
Th
tip: if you don't trust a requestor but need to supply a valid address and would
prefer to simply filter the mail, rather than clutter the requestor's database,
you can use SpamHole instead. SpamHole will give you a time-limited valid
address on their domain, so that you can
John, why are you worried about viruses being held in your spam folder? If
they're held, they're effectively quarantined and the user isn't bothered by
it, just as they're not bothered by the spam in that folder.
Please share,
Andrew 8)
-Original Message-
From: John Carter [mailto:[EMAI
The RelayWatcher RBL hosted by number13.com is dead. The domain expired two
weeks ago. The "business domain" at n13mbl.com is still valid, but the
website is dead, as it redirects to the dead domain.
I don't know where Richard Sloman has gone or why the second site hasn't
come back, but the list
2 GB is the danger zone for .pst files. They can be bigger, but if they do
get corrupted, the Inbox Repair Tool will truncate it just short of 2 GB. I
don't know if there is a fixed maximum of messages.
Andrew 8)
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Frid
According to their "lists" page, I don't see any other lists that are:
a) small enough to reasonably search with declude BODY filters
b) differentiated enough from the SpamCop-derived info to be worth the cost
For example, the Outblaze list is ten times the size of the SpamCop list.
This may cha
No, I haven't seen this.
But I have meant to ask if others on the list are seeing that their spam
volumes are up in the last week. I have, by a 10% increase. What I'm
seeing is not more spam getting to mailboxes, just more spam volume. Viral
activity has been constant.
Andrew 8)
-Original
They go in the body because ... that's where they go.
Take a look at a message in your spam folder. The header ends where you see a
blank line (two carriage returns, or two line feeds). The attachment type
line descriptions do not appear in the header.
I don't understan
Microsoft software is probably the "most guilty" for using the vague
application-octet-stream MIME type instead of something more explicit, like
application/msexcel. PDF is also very likely to come as a stream. I
place viruses and malware as a distant 3rd for using
stream.
No, you can't do this directly with Declude, but indirectly, heck yes.
I just wrote a piddling batch file that will let you do this. You can use
it for any external test, not just sniffer.
You should read it carefully, and then edit your global.cfg accordingly, in
particular to put in the correc
Yes. For that matter, a BODY filter could also catch text that is in an
attached document.
Andrew 8)
-Original Message-
From: Danny K [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 19, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] WordFilter BODY
Will a wordfilter B
Scott, you have far less ham on weekends. Hypothetically, a company like
yours might use the day of week test to add a little weight on the weekend,
on the basis that your false positives from doing so will be fewer.
I have a similar volume pattern.
And to answer Mark's initial question, another
I'm getting spam from the following netblock, but with zero ip4r tests
triggering.
I haven't seen any legitimate mail coming here, so I'm putting a
conservative weight on this, and you might find it useful too in a filter
file:
REMOTEIP 4 CIDR 69.200.64.0/19
Matt from MailPure.com has a DYNAMIC
... And she inflicts a lot of collateral damage while trying to kill them.
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=49900272
At least, that's my take on it.
Andrew ;)
END NOTENDSWITH .postcards.com
- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 07, 2004 3:20 PM
Subject: [Declude.JunkMail] Spyware alert - fake postcards.com invitation
> A dozen users in my domain h
A dozen users in my domain have received a fake invitation to pick up a
postcard from postcards.com since 8 PM PDT. It came from a clean ADSL IP,
so it didn't get caught.
It's actually an HTML page with a URL that says one thing and takes the user
somewhere different (another dynamic IP, and yet
... If you're going to go nuts on this, I'd also suggest the accented
characters, and case folding e.g.
Ò -> o
Á -> a
Andrew 8)
-Original Message-
From: Darin Cox [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Fi