TrendMicro also catches some phishing attempts:
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=citifraud&alt=citifraud
But I've no idea what exactly they're triggering on. If it's a body URL,
their release updates are probably too far apart, but their CPR (Controlled
Pattern
I heavily depend on:
http://openrbl.org
Which lists dnsstuff and moenstad as similar services. For the last year,
they've been subject to on-again off-again Denial of Service attacks, and
now have many regional mirrors, and they've recently introduced a timeout on
the first lookup submission, pr
Trend
calls it something else and claims that it is 13 hours old. We haven't
seen any copies yet.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AM
Andrew
8)
-Original Message-
From: Don Hickey [mailto:[EMAIL PROTECTED]
Sent: Tue
That should be 512 bytes in the UDP packet, and only in the reply. Another good
tip is to tell your firewall that DNS over TCP is fine.
Usually if this is turned off, it is to prevent bad actors from doing a
"zone transfer" to scoop up all of your DNS hosts so that they c
Whups,
yeah, what John said.
Andrew
8)
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Monday, September 27, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Stop one IP address
Andrew and Goran,
You can hide the problem by going into your IMail configuration under SMTP, then the
SMTP Security tab and adding the IP address to the IMail Kill File. When
IMail sees a connection from that IP, it drops it, without returning an
error to the sender, and without logging the a
http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
Friend Greetings is the classic "greeting card virus", back in 2002. There were
hoaxes previous to that.
Andrew
8)
-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]
Kevin, I suspect that you're right, and that 99.9% of the time, your rule
would hold true.
I would suggest that the IP address in the HELO would have to match the
reverse DNS exactly, though.
I also think that this observation would also hold true if the HELO is an
IP address and there is no r
Andy, Microsoft certainly is an important player.
I just wish that they would stick to the standards that everyone else does.
In order to get mail to them in an orderly fashion, I need to use a static
copy of their DNS record in the DNS server on my mailserver, that I've
cooked to know only about
Bill, I think the matter of the licensing and potential patent problems with
SPF are limiting factors only for the Open Source movement's software
development, as it affects developers, not implementors. As we see with the
Apache Software Foundation's letter to the MARID group, they won't put
supp
Putting my two cents in ...
I also would rather have both options. I would choose the keywords:
ABORT (same as END, and deprecate use of END as a keyword)
STOP (end processing with the accumulated weight, and the test status
status as having triggered, as requested by Matthew Bramble
Ok, so who's the list member which is infected by the NetSky virus??? From:
stmary-1-306.atm-cip.trvnet.net
[64.71.64.38]
AS: 64.71.64.0/19 AS14814 Twin
Rivers Valley Internet Serv Livermore/Iowa
The virus is being sent to the list and to the list members.
Andrew.
Script schmipt!!
Use the Explorer Find/Search tool, look at only *.eml files and search the
body for the name of the domain that you're interested in.
I don't have any applications that use the .eml format, but I'm sure that
each message is a single file, unlike the Q*.smd + D*.smd files that IMa
Yes, Brad, the correct thing for him to do is to change the HELO greeting.
Here are the instructions for Exchange Server 2000, which I think will be
close enough for you.
http://support.microsoft.com/default.aspx?scid=kb;en-us;266686
Scroll down to the section:
"How to Change the Fully Qualifie
The "[EMAIL PROTECTED]" has been around for a long time.
Legitimate mailers (and others) use the format to encode very specific
information about their target, presumably so that they can effectively
determine the email address when a complaint is made or the sender receives
a bounce.
I rarely get
Not a virus, spam combined with social engineering combined with a malware installation attempt.
We've received spam from this dynamic IP in Brazil:
200-153-121-39.customer.tdatabrasil.net.br
[200.153.121.39]
Which was HTML formatted with the message:
"Hey...haven't t
Dear PayPal User,
We regret to inform you but due to recent suspicious activity regarding
your
account we are forced to ask you to verify your identity for security
purposes.
In order to continue using your PayPal account normally and avoid any
account
restrictions please provide us with your f
I submitted a copy to both McAfee and TrendMicro; McAfee already detects it
as W32/Bagle.aq
http://isc.sans.org/
Each copy I received had no subject line, and one word in the visible body
text, "price".
The virus was in a zip file, called price_new.zip and contained an HTML file
called price.htm
http://www.ftc.gov/opa/2004/07/creaghan.htm
I like the part about freezing his assets, as he tried to move his finances to a
bank in Latvia.
Andrew 8)
p.s. http://groups.google.ca/groups?q=%22Creaghan+A.+Harry%22+group:news.admin.net-abuse.*&hl=en&lr=lang_en&ie=UTF-8&group=news.admi
Definitely SpamAssassin. If you want these tests and more, check out the
signature at the bottom of one of Sanford Whiteman's recent posts.
Andrew 8)
-Original Message-
From: Scott MacLean [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject:
Another week, another variant.
http://isc.sans.org/
Judging from possible strings in the message body and subject, this virus
uses a password protected zip (or pretends to), and pretends to be about
security, possibly faking your own domain name, just like last week.
I don't know what it's tryin
but I think the
subject line randomization is bad software, or more deliberate antispam
measures. Only the spammer knows...
Andrew
8)
-----Original Message-
From: Colbeck, Andrew
Sent: Tuesday, July 27, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] A bu
The actual URL in the href is:
http://www.secureusbank.com/internetBanking/RequestRouter/requestCmdId/DisplayLoginPage/login.htm
The sending IP is: 140.116.177.114 which apparently belongs to
an educational institute in Taiwan.
Andrew 8)
Body text is as follows:
D
>From http://isc.sans.org/
Handlers Diary July 26th 2004
Updated July 26th 2004 16:04 UTC (Handler: Johannes Ullrich)
* latest MyDOOM search engine use
Latest MyDoom search engine use
(initial analysis. more details, and eventual corrections, will be posted as
they become available)
The lates
Edit the Q.smd file so that your own addressee information is listed
instead of the regular addressee. If it is delivered, it goes to your own
mailbox instead of the original user.
Then copy the Q.smd and D.smd file into your C:\IMail\Spool
folder and wait for your IMail to notice
Brad, several of the ip4r tests list whole subnets, and I've seen hits from
IPs in that and similar subnets across the last week.
More likely is that your DNS didn't respond in time when Declude inspected
this particular message.
Andrew.
-Original Message-
From: Brad Morgan [mailto:[EMAI
Brute force works well for this particular virus, because it has so few
possibilities and doesn't use common enough attachment names for me to
consider it any risk for false positives:
#Jul-20-2004 AC broken BAGLE.AH and so forth
BODY 0 CONTAINS filename="cat.
BODY 0 CONTAINS filename="Cool_MP3.
B
It's perfectly legit, Dave. Go ahead and follow the instructions precisely.
You don't expect your OS to ship with a perfect database of second-level or
third level cert suppliers do you?
And no, clients making an SSL connection to your new server won't need to
jump through any special hoops at al
Hey, Bill. You've got your thinking cap on too tight!
> Find "@aol.com" \*\forward.ima >found.txt
>
> The idea is to search all subdirectories of the current director for
> forward.ima and look to see if @aol.com is in there.
fgrep -r -i -l "@aol.com" forward.ima *.
fgrep instead of egrep means
Serge, POP and IMAP are certainly available in Exchange, but if I read this
architecture correctly, what your client probably wants is the ETRN extension
to SMTP.
I used this once under Exchange 5.5 to fetch mail over dial up. Here's an
ancient article on the subject to get you started on some bas
Hey, Scott. If you'd like, send me a sample off-list. I could use a short
brain teaser this morning.
The general idea I think would be to do a grep and only look for lines with
well-formed IP addresses.
e.g. egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" sample.txt >result.txt
[0-9] me
The results would have been the same. Declude searches the whole message
"raw", so the inside of attachments get scanned too. Using:
ANYWHERE 1 CONTAINS spam
is the same as using:
HEADERS 1 CONTAINS spam
BODY 1 CONTAINS spam
So, the ANYWHERE filter can save you a line, but may open you to
No, the slashes have no special meaning. There is no regexp parsing in
Declude, every search expression is a literal, but is case-insensitive.
The most common item that arises as a result:
You can't search for a term with a leading space, e.g. BODY 1 CONTAINS "
spam" (remove the quotes).
On the
Dave, if you move your reporting level from MID to HIGH, you will see a log
line for every hit in your filter files.
Andrew 8)
-Original Message-
From: Dave Doherty [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Filter r
Thank you, Barry.
In addition to a community support channel, we've become accustomed to using this mailing list as
a communications channel to and from Computerized Horizons. You may
miss out on the pulse of your customer base if you are not a subscriber.
I'm sure we all
a
Meh. I think most angles on this incident have been covered. Stuff was
definitely done wrong, but with reasonable business goals behind Computing
Horizon's thinking. Some of those didn't mesh well with the active 10-20
power users on the mailing list. For example, I'm sure that a GUI featured
;t use the DUHL tests!
-Original Message-
From: Colbeck, Andrew
Sent: Thursday, July 08, 2004 6:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP
John, let's say that you have a Postfix gateway in front of your
IMail+Declude server.
If y
John, let's say that you have a Postfix gateway in front of your
IMail+Declude server.
If you whitelist the gateway, then all mail from that server or passed
through that server will be whitelisted. That would be *bad*. You would
instead use IPBYPASS, so that all the IP based tests are not again
Well, I'm late to the party!
I love Sandy's idea, it's a great way to "stem the tide".
Matt, absolutely, the problem with the "dir" based delete commands is
reading through the tree that NTFS creates, which on a busy disk will be
literally all over the hard drive. This would then be complicated
At the same volume level, I see thirty times more legitimate messages with a
leading space in the subject message. Most are from users, with one to
three leading spaces. Three different legitimate "news alerts" are using up
to 6 leading spaces, presumably to make their subject line stand out in t
Sorry, Matt!
http://www.theinquirer.net/?article=16960
... which seems to bear fruit. I've received exactly 4 zombie spams from
the ComCast network since June 17, 2004, and my usual rate is tens to
hundreds per day from them.
Unfortunately, there's no indication that ComCast will take any furth
Todd, in addition to checking for your own IP address in the inbound mail HELO, another handy
"anti-spoofing" test is to check for your own mailhost.
HEADERS 20 CONTAINS Received: from yourmailhost.yourdomain.com
because, hey, your mailserver is receiving this message, so
Me three.
I installed FireBird a long, long time ago at home. I had no problems,
ever. But then I got the upgrade itch, so I'm on the latest FireFox now,
with nifty extensions. And I cut the cord last weekend, by deleting all my
Favorites out of IE (years and years worth!). Now I use IE for a
Your webservers, sure. That's the easy part, the patch was available in
early April.
Your desktops, no, not if your users use Internet Explorer. There is no
patch yet, and it's been exploited for at least 2 months.
For a whitehat demonstration, use your fully patched IE to go to:
http://62.131
The executive summary: expect perfectly normal spam subject lines more often.
http://www.techweb.com/wire/story/TWB20040623S0007
Andrew
8)
ilto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 23, 2004 2:56 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Declude.JunkMail] OT: Find Command
>
> Bill, you caught me red-handed. I was hoping you'd do the heavy
lifting
Bill, you caught me red-handed. I was hoping you'd do the heavy lifting to
offer up an awk equivalent template for findstr.
Andrew 8)
p.s. Goran, grep is your friend. Use fgrep as a straight substitute for
find, but fgrep is a magnitude faster. Use egrep to do nifty things like
Bill's "or" exa
Goran, check out the FindStr.exe command in your %windir%\system32 folder,
it does exactly what you want. Specifically, you will keep appending your
search strings as new lines in one text file, and search each line to
include/exclude from your orig.txt
If your needs are going to grow to only a fe
e or distribution is prohibited. If you are not the
intended recipient, please
contact the sender by reply email and destroy all copies of the original
message.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Colbeck, Andrew
> Sent: Wednesday, Jun
The odds are 100%, Keith.
That's exactly how all the current viruses work. Recently, WORM_SOBER.* has
also generated usernames at the domains it harvests to increase their hit
rate, because they don't care about their failure rate or the massive number
of NDRs that they generate.
Andrew 8)
Declude.exe instances fire once for each email, they don't stay resident.
Instead of rebooting the server, stop your IMail SMTP and Queue services so
that no mail is being processed, which means declude.exe instances won't be
run. Then you can do whatever maintenance you require, and restart the
Scam.
You surmised correctly. The HTML snippet shows the reader one URL, but the
real "target" of the link is somewhere else entirely. China, actually.
Three great web resources to find out who a domain is or where it is:
http://openrbl.org
http://whois.sc
http://www.senderbase.org
Using "w
This is from the SANS Handler's diary at http://isc.sans.org
ARIN in-addr.arpa
A post on the NANOG list indicates that the American Registry for Internet Numbers
(ARIN, www.arin.net) is not providing reverse-lookup forwarding for any networks
in the range 206.46.0.0 - 255.255
That's a great idea, Sandy.
And I'll contribute a tiny hint and suggest that if anyone were to do so,
using a sniffer like Ethereal with a capture filter would minimize the size
of the actual data file collected, which would then make post-processing
much simpler.
Andrew 8)
-Original Message
ic
The LAN Shoppe
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Thursday, June 03, 2004 12:09 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Declude.JunkMail] OT what a con
fgrep "Total weight = " dec0531.log | fgrep -v "SNIFFER" | gawk "$NF >=20" >result.txt
sample contents of result.txt:
05/31/2004 00:01:44 Qd84b1ec600561d03 IPNOTINMX:2 HELOBOGUS:6 MAILFROM:9 REVDNS:4 CMDSPACE:5 COUNTRY:10 DSBL:6 SPAMCOP:3 SPAMCOP-DYNA:7 FIVETENSRC:2 FIVETE
Ah, the easy answer is that grep is not the way. You want something a little higher up
on the food chain, awk.
gawk "$4 == 2" netflow.txt
or the identical but clearer:
gawk "$4 == 2 {print $0}" netflow.txt
will parse the file called netflow.txt and only output the
Samantha, part of the answer that you're looking for is that when your
misd.net server is connecting to their server to deliver the mail, you're
not connecting to "Trend Micro, the company", you're connecting to their
mail server, which has a Trend Micro product in front of their other mail
host, w
I've definitely noticed in the last 2 weeks that pump and dump stock scams have been the lead
type of spam that leaks through. And also that pharmaceutical spam has far
eclipsed pornography. In my Hotmail account, it's about even.
And I suppose that this is news to someon
ew day ago - does acknowledge the
problem and said they are working on it. I had to tell my server to
retry for a day before I could start sending to hotmail again.
R
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 18,
>
> Yep hotmail is not accepting from us either, I am seeing
> connection resets from them
>
> Rick Davidson
> National Systems Manager
> North American Title Group
> -
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED
Goran, mail.lanshoppe.com is not listed in SPEWS; your provider, HopOne is.
Other than complain to HopOne, there is nothing you can do except switch
your inbound mail server somewhere else, like swapping with your outbound
mail service, for example.
You can read information about SPEWS, and HopOne
http://zdnet.com.com/2100-1104_2-5210796.html?tag=zdfd.newsfeed
Quote:
They were wrong, and they were annoying, so now they've been stopped.
With a new version of Symantec's SMTP (Simple Mail Transfer Protocol) e-mail
security product, the antivirus company is trying to
Don't poke the bear, Kami.
Andrew 8)
-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending?
"There is a new interim release 1.79i7 at"
:)
Scott... No
http://www.eeye.com/html/Research/Advisories/AD20040512A.html
and Symantec's patch:
http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html
which can be downloaded and installed via LiveUpdate.
Unlike the BlackIce worm, there is no report of malware "in the wild" but
th
Anybody else with this trouble? I've got 300+ messages queued to
hotmail.com addresses. Both my cached and a fresh DNS query look fine. I
have a ton of:
MX connect fail "65.54.190.50"
messages in my Imail log (lots of different IP addresses whose reverse DNS
ends with hotmail.com)
Andrew.
---
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanEE%2edb&command=viewone&id=15
Both in Germany, and in seemingly unrelated incidents. Whoever informed on
the Sasser author to Microsoft may see a payout of a quarter of a million
dollars.
Andrew 8)
---
[This E-ma
John, I'm thinking that you're not qualifying the right hand side of the message-id
variable as text.
Let me put that another way: why are you not putting quotes around the parts that are text, and
why are you only escaping the @ sign and not the hyphen or the GT and LT
sig
If you have JunkMail Pro, and thus text filtering, you could do what I do for a case that
sounds similar to yours.
We have a domain which has very few email addresses, and spammers regularly try a certain set of
addresses that simply never existed, along with CC'ing or BCC'i
I just saved some processing power..
One of my most important text filters is the BODY search for URL stuff. But it's quite big. To keep my loglevels in
check, I use LOGLEVEL MID, which doesn't log the individual lines
triggered. But whether I use MID or HIGH, the line nu
Good tip!
This is what the web page is using:
http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm
to download a file it creates called C:\Program Files\Internet
Explorer\Iesearch.exe
by downloading and renaming the file http://68.192.132.122:8067/mstasks.dat
which my latest Trend Micro
Yep, also 0x20, also #20
Andrew 8)
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: ASCII code
A space is %20, correct?
John Tolmachoff
Engineer/Consultant/Owner
eSer
Yep, a configuration of WEIGHT10 DELETE and a WEIGHT20 HOLD would indeed
delete a message with a weight of 21.
Something you mentioned earlier prompts me to point out another thing; the
veterans in the list generally regard HOLD messages not as something they
have to check out several times a day
They have weird numeric naming conventions, and use rogers.com for both
client and corporate mail. Try this instead:
#Sep-26-2003 AC Rogers Cable in Canada
REVDNS -10 ENDSWITH .is.net.cable.rogers.com
REVDNS -10 ENDSWITH .cpe.net.cable.rogers.com
REVDNS 10 CONTAINS .cable.
Andrew 8)
-Origi
ndrew 8)
-Original Message-
From: Colbeck, Andrew
Sent: Tuesday, April 20, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] OT: a cautionary note
This really belongs on the IMail support list, but I don't subscribe to
that...
On the weekend, I had a eurek
This really belongs on the IMail support list, but I don't subscribe to
that...
On the weekend, I had a eureka moment and figured out why we had 25 minute
delays on our inbound messages. It didn't happen often, or at least we
didn't notice it often. Mail would just be stuck in IMail, not flowing
Goran, yes, if you set a HOLD action, the weight is irrelevant in the
example you cited. In a more complicated example, you'd have to check the
precedence of actions listed in the manual.
Why?
Well, you might also have a WHITELIST action, or a WEIGHT action for a high
value that does a DELETE.
My humble opinion on terminology, Scott, is that:
"fixed in the next build"
would better reflect what you meant. Otherwise us folks out here in the
list start to wonder whether you mean "release" or "Release".
Just another tip for the Declude communications style book.
Andrew 8)
-Original
lPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ============
Colbeck, Andrew wrote:
Jeff, the main problem with figuring out spamdomains entries is that you
really have to receive valid mail from the domain to really know.
If they have an SPF recor
ded by MailPure.com
X-MailPure: ========
Colbeck, Andrew wrote:
>Jeff, the main problem with figuring out spamdomains entries is that you
>really have to receive valid mail from the domain to really know.
>
>If they have an SPF record, that's the easiest way to research them, but
you
>can
Jeff, the main problem with figuring out spamdomains entries is that you
really have to receive valid mail from the domain to really know.
If they have an SPF record, that's the easiest way to research them, but you
can also try the website at http://www.SenderBase.org to see what they've
noticed.
Anybody already using a handy way to record the HELO in the decMMDD.log
file?
I'd like to save the step of going to my sysMMDD.txt file if I could.
I've run Bud's test for a few hours and had quite a few hits. The only
false positive wasn't a false positive at all, but a correctly identified
cas
This works for me:
wamlog dec0416.log c:\imail\declude\global.cfg
Modify the parameters to suit your environment, of course.
Andrew 8)
-Original Message-
From: Dave Doherty [mailto:[EMAIL PROTECTED]
Sent: Friday, April 16, 2004 8:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkM
Not surprising that you missed this one, based on the subject line:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg17684.html
Sorry if this has already been answered here. My inbound messages on this
list have been highly out of sort order.
Andrew 8)
-Original Message-
From: Scott Fi
http://www.theregister.co.uk/2004/04/16/cosmic_419er/
A little levity for Friday.
Andrew 8)
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED],
Dave, allow me to butt in here with the late night reply and say yes, your
interpretation is exactly right for all 3 of your examples.
And let me also add that clarity certainly does help, for example I saw a
weird false positive and chuckled over it.
I had a sd.txt that listed:
mac.com apple.
For what it's worth, over the last 2 days, my SURBL success has been 20%
that of the text filter I use to block recent spam we've noticed (which
contains spamvertised domains).
And there has been little overlap between my "local" test and SURBL. Which
simply shows that my spam is different from
Definitely fake, Sharyn.
0) Like you said, it had at least one typo. And would they tell you what "segment" they've
put you in? And to an email address they've never been given?
1) The link goes through another provider with a 6 month old domain name, through
a Group Te
Smokin' Bill!
That's very fast. I certainly found a few surprises at 0 hits for a normal
day.
Some low priority suggestions:
- Change "fail" wording in the header to "trigger" or "hit" or something.
- Ignore Declude directives, e.g. LOOSENSPAMHEADERS, HOPHIGH, CONSOLE,
PREWHITELIST ...
Thanks
ated tests. Both tests can return a hit
for the same IP under this arrangement.
Note that the impact of this one change is fairly minor, but with a lot
of minor changes, I have managed to get another half cup of juice out of
my current server.
Matt
Colbeck, Andrew wrote:
Hey, Kevin.
te that the impact of this one change is fairly minor, but with a lot
of minor changes, I have managed to get another half cup of juice out of
my current server.
Matt
Colbeck, Andrew wrote:
>Hey, Kevin.
>
>I do get the usual web page when I go to the CBL homepage you listed. I
see
>t
Nifty!
I'm on the current interim without issue, and it's great to have that log
line at LOGLEVEL MED.
Thanks a bunch,
Andrew 8)
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMai
Rick, no, the BODY text filtering searches everywhere, including inside
binary attachments.
Your best bet is to assign those nasty words with very little weight, don't
use very short words, and/or try to match a phrase instead, or use trailing
punctuation.
For example, I've found that although th
Hey, Kevin.
I do get the usual web page when I go to the CBL homepage you listed. I see
that the last update was March-30-2004 when they stated that they had
harvested out a lot of their old records.
I stopped using CBL on Jan-05-2004, though, because the SpamHaus XBL is a
superset of CBL, e.g.:
Matt, try the more verbose:
EXTERNALTEST external 30 "C:\Windows\System32\cscript.exe C:\IMail\Declude\test.vbs //B //NoLogo //T:2" 0 0
I don't know how that will mangle the order of the parameter passing of the message filename, but
sniffer manag
Putting all of 60 seconds into this, Matt, I've the following I can help with:
Your link works great, so the method of calling it is probably suspect. I haven't tried to
check the return code in Declude, but in a mini-script it works fine.
Have you set the cscript host t
Rob, check your spelling of "ANYWHERE"; there is a typo in it.
Andrew 8)
-Original Message-
From: Robert Grosshandler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 9:07 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Invalid Whitelist Type: Anywhere
Getting this error mes
I have my doubts. As with any learning system, accurate training is
paramount. Wiser heads than me have commented here on when learning systems
are a good fit.
He doesn't state how many mailboxes that he is handling and whether it is
for a vanity site, ISP, or corporate mail host. He may be impr
The DNS and web server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS registration is a little more than a week old.
Googling the net-abuse groups turns up:
http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=30cd601n6r
That would be great! For what it's worth, the new verbose weight and test
results description line is very handy, too.
For example, if I want to count the messages held, I can:
egrep -c "Last action = HOLD." dec0316.log
whereas if I want to count the number of recipients for those messa
401 - 500 of 708 matches