1 hit of comments with the 10 parameter since
10/1/05... If it matters it was spam.
- Original Message -
From:
Goran Jovanovic
To: Declude.JunkMail@declude.com
Sent: Saturday, February 04, 2006 10:24
AM
Subject: [Declude.JunkMail] Comments
Test
Back in
Back in the beginning of last year there
was some talk about the COMMENTS test and its effectiveness. I would like to
know if others are using this test anymore and if so how well is it performing
for you. For me it is hitting a very small percentage of my e-mail 0.16% and I
am having FPs w
I am just looking through some of the built in declude tests that I have
been running unsuccessfully and the COMMENTS test is one of them. Have
any of you had great success with this test? How have you used this test
successfully? I am currently using it to look for 6,8 & 10 comments but
am
I am just looking through some of the built in declude tests
that I have been running unsuccessfully and the COMMENTS test is one of them.
Have any of you had great success with this test? How have you used this
test successfully? I am currently using it to look for 6,8 & 10
comments but
Can the "ipfile" filter list contain comments between lines.
Will this cause the filter to stop at the first comment?
Are comments ignored?
Example:
Xxx.xxx.xxx.xxx
#comment
Xxx.xxx.xxx.xxx
The comments are allowed, and processing will continue -- so in this case,
2 lines would be processed, and
Can the "ipfile" filter list contain comments between lines.
Will this cause the filter to stop at the first comment?
Are comments ignored?
Example:
Xxx.xxx.xxx.xxx
#comment
Xxx.xxx.xxx.xxx
Eddie Cornejo
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
-
Dan Geiser wrote:
will those "# Added: 05/17/2004"
comments mess up the functioning of the file?
I believe they will. Declude typically sees anything after the final
delimiter (space or tab) as one full string, even if it has another
space or tab in it.
Matt
--
AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail]
Comments in "SPAMDOMAINS" text file
Hello, All,
Is "spamdomains" one of the tests that permits
comments on the same line as it's entries or not?
For example, if I have a "spa
Hello, All,
Is "spamdomains" one of the tests that permits
comments on the same line as it's entries or not?
For example, if I have a "spamdomains" file that
looks like...
@adelphia.net .adelphia.net
# Added:
05/17/2004@att.net
# Added: 05/17/2004@
: Re: [Declude.JunkMail] Comments - revisited
>Here is an email I sent to myself from Hotmail. The filter is not
triggered.
It turns out that there is an issue with the interim releases after 1.77i2
that was causing this, that is fixed in 1.77i9.
Here is an email I sent to myself from Hotmail. The filter is not triggered.
It turns out that there is an issue with the interim releases after 1.77i2
that was causing this, that is fixed in 1.77i9.
-Scott
---
Declude JunkMail: The advanced an
"Did you turn off decoding ("DECODE OFF")?"
No.. I don't have any such line in the Global.cfg.
In that case (assuming you are running 1.75 or later), you should check the
HTML code to see *exactly* what is there (are there any extra spaces, for
example?). Another possibility is that the E-mail
IL PROTECTED]
Subject: Re: [Declude.JunkMail] Comments - revisited
>I just did a test..
>
>in our filter files we have:
>
>BODY 20 CONTAINS Banned CD
>
>Here is an email I sent to myself from Hotmail. The filter is not
triggered.
Did you turn off decoding ("DECODE OFF&qu
I just did a test..
in our filter files we have:
BODY 20 CONTAINS Banned CD
Here is an email I sent to myself from Hotmail. The filter is not triggered.
Did you turn off decoding ("DECODE OFF")? If so, E-mail with "Banned CD"
should get caught, but E-mail with "Banned
CD!" shoul
Kami,
Anything in <> these days is a legit HTML tag unfortunately. At the
same time, most of these patterns aren't used and can be filtered for.
If this one spammer wants to keep using that one pattern, nail him with
the following:
BODY 30 CONTAINS
I've been coding since
Hi
Scott:
I just did a
test..
in our filter
files we have:
BODY 20
CONTAINS Banned CD
Here is an email I
sent to myself from Hotmail. The filter is not
triggered.
==
X-OriginalArrivalTime: 26 Dec 2003 12:21:25.0569 (UTC)
FILE
Does Medication work as a filter?
Yes, but it isn't necessary, as:
If Declude takes off the <...> then we should just use Medication since
really Medicat can not be detected.
you can just use "Medication".
That's why I say that it really isn't an issue -- while it isn't possible
to detect the s
Hayer
Sent: Wednesday, December 24, 2003 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Comments test
Omar,
I get tons of this stuff too - but it is easy to filter on
for example in your bodyfilter
have lines like:
BODY2 CONTAINSMedicat
Kami,
The filters do work with the embeded html. I just sent myself a test
email with the
Medicat
To: <[EMAIL PROTECTED]>
Subject: RE: [Declude.JunkMail] Comments test
Date sent: Wed, 24 Dec 2003 15:55:50 -0500
Organi
Kami - Interesting - and very clever insight.
Scott - can I filter on "Medicat
To: <[EMAIL PROTECTED]>
Subject: RE: [Declude.JunkMail] Comments test
Date sent: Wed, 24 Dec 2003 15:55:50 -0500
Organization: ClickandPledge.com
Se
[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Wednesday, December 24, 2003 3:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Comments test
Omar,
I get tons of this stuff too - but it is easy to filter on for example in
your bodyfilter have lines like:
BODY2 CO
Omar,
I get tons of this stuff too - but it is easy to filter on
for example in your bodyfilter
have lines like:
BODY2 CONTAINSMedicatio
To: <[EMAIL PROTECTED]>
Subject: [Declude.JunkMail] Comments test
Date sent: Wed, 24 De
Maybe im not quite familiar with the workings of the COMMENTS test, but
shouldn't the included text trigger that test?
FAQ. :)
> Our
This is not an HTML comment -- you can search the archives for more details.
If not, what suggestions do you have? I see so much spam slip by that has
this chare
Maybe im not quite familiar with the workings of the COMMENTS test, but
shouldn't the included text trigger that test?
If not, what suggestions do you have? I see so much spam slip by that has
this charectristscs.
Thanks,
Our US Licensed Doctors
will
Prescribes Your Medication For
Free
R. Scott Perry wrote:
The problem is that it is nearly impossible to determine which are
valid HTML tags and which are not -- that would require a database of
known good HTML tags, which would need to be constantly updated.
This was the first filter that I tried writing actually :) I got a li
Just an observation.. It seems like the Comments test is not being
triggered as often as I see it used..
FAQ. :)
I thought you stated a while back that the comments test now picks up any
attempt to break words.. E.g.
No -- it just isn't possible.
The COMMENTS test detects anti-filter comments
Title: Comments test
Scott:
Just an observation.. It seems like the Comments test is not being triggered as often as I see it used..
I thought you stated a while back that the comments test now picks up any attempt to break words.. E.g.
=
Banned CD! Government don't
PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of IS - Systems Eng.
(Karl Drugge)
Sent: Friday, November 07, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comments on this ?
I have a client that is getting HAMMERED by mass SPAM emailings. In excess
of 500,000 emails a month are ge
L PROTECTED]>
Sent: Friday, November 07, 2003 8:41 AM
Subject: [Declude.JunkMail] Comments on this ?
I have a client that is getting HAMMERED by mass SPAM emailings. In
excess of 500,000 emails a month are getting deleted on an 80 user
network. His Internet connection is totally flooded. I'
ssage-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of IS - Systems Eng.
(Karl Drugge)
Sent: Friday, November 07, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Comments on this ?
I have a client that is getting HAMMERED by mass SPAM emailings. In excess
of 500,000 e
I have a client that is getting HAMMERED
by mass SPAM emailings. In excess of 500,000 emails a
month are getting deleted on an 80 user network. His Internet connection is
totally flooded. I’ve been
working with him over the past 9 months or so and have been trying to track things
down to
Hello, All,
I am using a flat text file full of individual IP addresses...
61.115.176.254
200.24.83.51
218.79.70.14
, etc., with the IPFILE test. Can I put a comment in this file, e.g.
61.115.176.254 # iexpect.com
without breaking the test?
Thanks In Advance,
Dan Geiser [EMAIL PROTECT
I am using a flat text file full of individual IP addresses...
61.115.176.254
200.24.83.51
218.79.70.14
, etc., with the IPFILE test. Can I put a comment in this file, e.g.
61.115.176.254 # iexpect.com
without breaking the test?
Yes. According to the "Whitelist/Blacklist Reference" se
t: RE: [Declude.JunkMail] COMMENTS
|
|
|> What might be nice would be a test that would count how many times
|> each HTML feature was used -- for example, if it saw that " "
|> appeared 50 times in an E-mail, it could trigger the test.
|
|That would be nice. Can SpamCheck, Alligate or
> What might be nice would be a test that would count how many times each
> HTML feature was used -- for example, if it saw that " " appeared 50
> times in an E-mail, it could trigger the test.
That would be nice. Can SpamCheck, Alligate or Sniffer do this?
John Tolmachoff MCSE CSSA
Engineer/Cons
Shouldn't this have been caught by the comments test?
The COMMENTS test *only* looks for HTML comments that are designed to
bypass filters. It does not look for made-up HTML tags, or legitimate HTML
tags that are used to bypass filters.
In this case:
opportunities+ACY-nbsp+ADsAJg-nbsp+ADsAJg-
Shouldn't this have been caught by the comments test?
If not, what is the best way?
+ADwAIQ-DOCTYPE HTML PUBLIC +ACI--//W3C//DTD HTML 3.2//EN+ACIAPg-
+ADw-HTML+AD4-
+ADw-HEAD+AD4-
+ADw-META HTTP-EQUIV+AD0AIg-Content-Type+ACI- CONTENT+AD0AIg-text/html+ADs-
charset+AD0-utf-7+ACIAPg-
+ADw-META NAME+
I added:
COMMENTS comments 10 x 5 0
to global.cfg file.
I added:
COMMENTSLOG
to my $default$.JunkMail
Do I need to do anything else to implement this filter?
That's all you need to do (just so long as you are running the latest beta).
I added:
COMMENTS comments 10 x 5 0
to global.cfg file.
I added:
COMMENTSLOG
to my $default$.JunkMail
Do I need to do anything else to implement this filter?
TIA
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Decl
Ok, I'll add a minimum number in to help in this case.
Cheers
Jools
On Wed, 25 Jun 2003 08:51:16 -0400, you wrote:
>
>>Here's another email with a problem, the comments test has been fired
>>but there is no html portion, there are >file that seems to be triggering it.
>>
>>Is it possible to mak
Here's another email with a problem, the comments test has been fired
but there is no html portion, there are
Is it possible to make this test just look inside Content-Type:
text/html sections or even open and close tags?
Not at this time. That's going to require full MIME decoding, which is
g
I think you need to skip attachments or at least make it an option in the
CFG file.
That's something that we are looking into. Note, however, that few
anti-spam programs have full MIME support in them (Ipswitch doesn't for
example). MIME decoding is very complex (it took Ipswitch years to get
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, June 04, 2003 5:12 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] COMMENTS test needs adjusting?
>This email caused 5 COMMENTS to be caught even though there is no HTML
>in the email
This email caused 5 COMMENTS to be caught even though there is no HTML
in the email as the attachment text has Very interesting -- that's the first time I've ever seen a .PDF file that
was encoded in a way that was still human readable.
We are getting close to the point where we may add full MIM
Hi,
This email caused 5 COMMENTS to be caught even though there is no HTML
in the email as the attachment text has
To: "Kate Priddle" <[EMAIL PROTECTED]>
Subject: FW: Orange Print
Date: Wed, 4 Jun 2003 10:53:41 +0100
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
Scott, does the COMMENTS test also catch bogus HTML tags?
No. It is only designed to catch HTML comments that are designed
specifically to bypass filters, such as "I am a spammer"
(which would appear in the mail client as "I am a spammer").
I've seen rather a lot of spam HTML messages where th
3 4:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Comments Test
Specifically, 1.67 would count a comment like
"...", where the comment was embedded between
HTML commands. 1.68 won't count those, so even 1 of the comments that the
test catches in 1.68 should ind
I've seen a newsletter with 27 comments (motely fool), but there seems to
be a sweet spot between 10 and 20. Just make sure you use it as a
weighted test.
FWIW, there was a problem with v1.67 where it could catch standard comments
(such as the ones found in the motley fool newsletter), but wit
I've seen a newsletter with 27 comments (motely fool), but there seems to be a sweet
spot between 10 and 20. Just make sure you use it as a weighted test.
I'm expecting the rationale & configuration that works with html counting to also work
with the new subject count tests, for similar reasons
For the comments test has anyone found an acceptable value that seems to
trap a lot of spam?
Thanks
Darrell
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EM
> I mean't to search for normal but uneccessary repeated html-tags like
>
> This can trigger a lot of false positives not only in Frontpage composed
> html.
> The target is to remove them completely before search for keywords.
OK, I guess I am still not sure then how this test works.
Of course,
> So, if I create say a flyer in Frontpage, then send that as
> the body of a message to all of our clients, the multiple
> matches will cause a problem, correct?
Hi John,
I mean't to search for normal but uneccessary repeated html-tags like
This can trigger a lot of false positives not only
> I can't imagine anyone who could take spews.org seriously.
We don't. We completely ignore them. We used to have a class C on a UUNet
T1 and SPEWS had us blacklisted as dial-up IPs.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from
Agree as well! SPEWS caused more trouble than it did good.
Duane
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 04, 2003 12:16 PM
Subject: RE: [Declude.JunkMail] Comments
> Scott,
>
> As well it should say that!
> Spews is a joke and should be taken offline
Agreed.
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude
upport requests to
[EMAIL PROTECTED] */
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, February 04, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Comments
>Anyone else out there ever
Anyone else out there ever have an issue with spews.org irresponsibly
reporting servers?
No.
But, they will intentionally blacklist IPs that are "near" a spammer.
They have blacklisted one of my boxes and for a domain we do not even
host. There is not a way to get off their list and their si
EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Keith Johnson
Sent: Tuesday, February 04, 2003 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Comments
John,
Speaking of lists, whose lists do you use.
Keith
> -Original Message-
> From: John Tolmach
> John, how would you know - since they were DELETED and you have no way to
> determine their content after the fact?
Manually reviewing the logs and looking at the subject line and sender.
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.relianc
Hi,
>> not one message deleted by Declude was a false positive <<
John, how would you know - since they were DELETED and you have no way to
determine their content after the fact?
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
---
[This E-mail was scan
> John,
> Speaking of lists, whose lists do you use.
>
> Keith
Currently, I am using mine. However, as time avails, I am going to be
working on incorporating Kami's and Tom's.
I truly feel and am seeing evidence that a balanced approach is the best.
Example, in the last week, not one mess
John,
Speaking of lists, whose lists do you use.
Keith
> -Original Message-
> From: John Tolmachoff [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 04, 2003 11:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Comments
>
>
> O
On the subject of the new comments test, I am looking forward to some one
coming up with a good list to share. ;)
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
---
[This E-mail was scanned for viruses by Declude Virus (http:
First, I know very little about html formatting, but here is my input;
When a message such as a flyer is created in Front Page, each line of text
gets its own formatting information:
###
New Page 1
This is a test
message!
No, the font command is embedded specifically to cause pattern-matching
junk mail scanners to miss the email. I am seeing messages like this:
Buy my wonderful product it will do
miracles and make you younger while enlarging your proboscis and eliminating
wrinkles, while you make a million doll
> What would you do with those mail that change the
> color, delete them, put them on hold?
Use it in a weighting system.
> Or.. do you think
> these color statments are used in the same way the comment
> tags are being used, with several tags after one another and
> the last having th
Hi Scott!
Yes you, no not him, the other one. ;-), If I understood you wrong at first
then please read the last line.
> Now that we have the Comments tag, I now find spam with tons of these
> peppered throughout:
>
>
Standard HTML stuff I think.
> Not really comments, as they are functional, b
; [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
> Sent: Tuesday, February 04, 2003 1:54 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Comments
>
>
>
>
> Now that we have the Comments tag, I now find spam with tons of these
> peppered throughout:
>
&
Now that we have the Comments tag, I now find spam with tons of these
peppered throughout:
Not really comments, as they are functional, but they're put randomly
throughout the email. Functional, but pointless. Any ideas?
___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
ht
> Attached is a zip screen shot.
> > If it can be made to look like this, would SpamReview still work?:
Here is a sample screenshot from our system.
Regards,
Tom
Image`fx
spamshot.zip
Description: Zip compressed data
Attached is a zip screen shot.
> If it can be made to look like this, would SpamReview still work?:
Not sure. As you can see in the screen shot, we can look at X-RBL-WARNING in
one box and the full headers in another box, so that is what I am looking
for, so we can see right away what filter it w
nce.
>
>
>-----Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
>Sent: Friday, 13 December 2002 5:19 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [Declude.JunkMail] Comments in filters
>
>
>Put your log level to HIGH and it shows
13, 2002 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Comments in filters
Here's my take on why I endorse John's request. I understand Dan's
suggestion and agree with its intent, I just don't want to raise my log
level yet. I'm a MID loglevel person, and ha
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
Sent: Friday, 13 December 2002 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Comments in filters
Put your log level to HIGH and it shows each phrase that caught something.
While its not intuitive to see which of mul
> Put your log level to HIGH and it shows each phrase that caught something.
True, but when reviewing with SpamReveiw, it would be nice to not have to
open and check the log also.
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Put your log level to HIGH and it shows each phrase that caught something. While its
not intuitive to see which of multiple tests a given phrase belongs to, because a
given email can fail multiple tests in the same package, you actually get more info.
Dan
On Friday, December 13, 2002 12:38, J
>>Or, can the headers or log show what the filter was instead of a test line
>>number? Say, add a comment after the line.
>>
>>Example:
>>SUBJECT 5 CONTAINS FREE "Subject contains free."
>
>No, that is not possible.
Feature request! :)) That could be useful to see in the logs why it was
caught ins
Can comment lines be included in a filter file?
Example:
# Test 10
Yes, that will work fine (just so long as the line begins with "#").
Or, can the headers or log show what the filter was instead of a test line
number? Say, add a comment after the line.
Example:
SUBJECT 5 CONTAINS FREE "Sub
Can comment lines be included in a filter file?
Example:
# Test 10
Or, can the headers or log show what the filter was instead of a test line
number? Say, add a comment after the line.
Example:
SUBJECT 5 CONTAINS FREE "Subject contains free."
John Tolmachoff MCSE, CSSA
IT Manager, Network Engin
That's what I need! Thanks Scott!
--Todd.
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 01, 2002 8:44 AM
Subject: Re: [Declude.JunkMail] comments in BLACKLIST fromfile?
>
> >Is it poss
>Is it possible to put comments in the fromfile used in a BLACKLIST line?
Yes, you can. If the first character of the line is a "#", Declude will
ignore the line.
It is not possible to add comments to an existing line.
-Scott
---
[This E-mail was scanned for v
[NOTE: Your mail server [131.123.20.12] is missing a reverse DNS entry. All Internet
hosts are required to have a reverse DNS entry. The missing reverse DNS entry will
cause your mail to be treated as spam on some servers, such as AOL.]
Scott,
Is it possible to put comments in the fromfile us
82 matches
Mail list logo