With Declude removing the data between the in HTML messages to get the
correct wording. Deasdsdasdadlude = Declude.
Would a test that counts and/or totals the number of characters between a
single asd or all the aaa's in a message be a viable new test?
That is a good idea (and one we're already
This was kind of suggested when the SURBL came out.
Do you use the SURBL code?
I don't know if anyone is interested but I've got a batch file that goes through last
month's logs (it works on log level high) and pulls out all matches for a Body URL
filter. It can help trim the deadwood.
I've
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 3:03 PM
Subject: Re: [Declude.JunkMail] New Test Idea
This was kind of suggested when the SURBL came out.
Do you use the SURBL code?
I don't know if anyone is interested but I've got a batch file that goes
through last month's logs
on 4/21/04 2:35 PM, ISPHuset Nordic wrote:
And how do you can the spam if it's a legitimate user?
We delete it. Spam is spam no matter who sends it.
Later,
Greg
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
on 4/20/04 3:16 PM, Matt wrote:
NOTCONTAINS would be incredibly helpful for lots of filters, though of course
all forms of NOT filters would be a good addition, but NOTCONTAINS is the most
flexible and therefore capable, especially to defeat a counterbalancing filter
so that it doesn't credit
Hello Sysadmin,
it would be nice, if you could use a real name.
We're an ISP and we believe we can't whitelist our addresses and we
definitely can't require authentication.
Why not?
We do the same job, and I thought the same.
But if all would think so, we will never get rid of the spammers.
So
We're an ISP and we believe we can't whitelist our addresses and we
definitely can't require authentication.
If you haven't your own network (ISP backbone) or users connecting from a
defined range of IP's you SHOULD switch to SMTP-AUTH and you CAN prepare
some useful how-to pages, then
on 4/21/04 11:17 AM, John Tolmachoff (Lists) wrote:
Why are you so much different than other ISPs that you cannot force
authentication?
Try to imagine having to contact thousands of subscribers and walk them
through changing their settings. Even if we only took a minute to help each
Why are you so much different than other ISPs that you cannot force
authentication?
Try to imagine having to contact thousands of subscribers and walk them
through changing their settings. Even if we only took a minute to help
each
subscriber (and I can guarantee you a minute isn't even
John,
Dial-up ISP's, especially smaller ones, are very unlikely to be
targeted by spammers due to the dynamic nature of the IP space. There
one minute, gone the next...and the bandwidth sucks. Almost all
viruses don't use mail servers to spread, so SMTP AUTH won't stop them
either, but
That means
that any one using one of those addresses can send out millions of spam
e-mails through your server and there is nothing you can do about it.
How is that statement correct? We scan all outgoing messages for spam and
viruses and delete them if a message contains one or both.
I
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
System Administrator
Sent: 21. april 2004 20:20
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test
on 4/21/04 1:40 PM, John Tolmachoff (Lists) wrote:
I assume you are relaying
System Administrator wrote:
on 4/19/04 5:30 PM, David Dresler wrote:
For the most part, it's a great new test and is working well.
However, I've noticed that Entourage seems to be getting caught.
Yes, I can confirm this (I'm using Entourage). I've also noticed that some
other e-mail
Greg,
NOTCONTAINS would be incredibly helpful for lots of filters, though of
course all forms of NOT filters would be a good addition, but NOTCONTAINS
is the most flexible and therefore capable, especially to defeat a
counterbalancing filter so that it doesn't credit too much. I've been
holding
... when
many of the tests could be wrapped by SpamAssassin custom
rules ...
The only thing I fear is that as soon as SA will have such a rule, spammers
will immediately rewrite their SW (or better said, email worms) and not use
IP-like HELO strings anymore.
Markus
Matt wrote:
I have a few suggestions that you might want to consider.
The first one would be to skip processing of the message and just have
Declude pass off the HELO as an argument to your script. This can be
done with %HELO%. This will speed processing and ensure that the HELO
comes in
These headers didn't trigger the HELOISIP test. It looks to me like
they should have. Any Ideas?
Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com
(SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
Received: from iowiekwaoakkwjehckckw.com
Jason wrote:
These headers didn't trigger the HELOISIP test. It looks to me like
they should have. Any Ideas?
Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
Because of the 'lsan03', the
You should be fine as long as you don't do matches on numbers below 20,
or at least that is my experience. I'm thinking that you created this
exception in order to head off that problem. Minimally it's worth a try.
Matt
Bud Durland wrote:
Jason wrote:
These headers didn't trigger the
Will Heloisp run on NT? I do not see any activity in Task Manager or in
the Declude logs (log level MID).
At 01:57 PM 4/19/2004 -0400, you wrote:
You should be fine as long as you don't do matches on numbers below 20, or
at least that is my experience. I'm thinking that you created this
, April 19, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test
Will Heloisp run on NT? I do not see any activity in Task Manager or
in the Declude logs (log level MID).
At 01:57 PM 4/19/2004 -0400, you wrote:
You should be fine as long as you don't do matches on numbers
Glenn Brooks wrote:
Will Heloisp run on NT? I do not see any activity in Task Manager or
in the Declude logs (log level MID).
It should run on NT just fine, although I couldn't test it on that
platform. No surprise that it's not in the Task Manager -- it does its
thing very quickly an
Below is an example of headers taken from a false positive using this new
test. For the most part, it's a great new test and is working well.
However, I've noticed that Entourage seems to be getting caught. This is
the second customer of mine that I've noticed getting caught by this and
both are
David (and Bud),
An exception could probably be made for proper usage of the IP being
used as the HELO (when enclosed in brackets). Also, a while back in an
effort to reduce the processing power required for my @LINKED and
IPLINKED filters, I removed all of the IP space that was reserved
Bud Durland wrote:
I am testing a small external test program. A message fails the test
if there is a discernible IP address in the HELO entry of the message.
The new test is available for download from http://bud.thedurlands.com.
--
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test
Bud Durland wrote:
I am testing a small external test program. A message fails the test
if there is a discernible IP address in the HELO entry of the message.
The new test is available for download from http://bud.thedurlands.com
Andy Schmidt wrote:
Hm - isn't that already covered in the HELOBOGUS test?
Not really:
Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]
morden-res-206-45-166-10.mts.net is a valid host name that will not
trip HELOBOGUS, but will trip HELOISIP.
--
:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test
Bud Durland wrote:
I am testing a small external test program. A message fails the test
if there is a discernible IP address in the HELO entry of the
message.
The new test is available for download from http
: Sunday, April 18, 2004 5:59 PM
Subject: RE: [Declude.JunkMail] New test
Bud,
Is this the proper format for the config file? :
HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0
Thanks!
Jason
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test
Andy Schmidt wrote:
Hm - isn't that already covered in the HELOBOGUS test?
Not really:
Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]
morden-res-206-45-166
any chance to get the source code ?
Thanks
- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test
Andy Schmidt wrote:
Hm - isn't that already covered in the HELOBOGUS test
Glenn Brooks wrote:
I get an unknown filter type in the log files...
HELOISP filter C:\imail\declude\heloisipx.exe 10 0
This path would point to the exe file.
Is this not correct?
It is not a filter; it is an external non-zero test. Your GLOBAL.CG
file entry would look like something like
Jason wrote:
Thanks Bill. All I can say is WOW. This test seems to be working very
very well. It is snagging tons of stuff.
The question is, is it generating false positives? I hope not; the FP
ratio here is very, very low, but I realize everyone's traffic pattern
is different. While
I'm trying to figure out WHY spammers would bother to include dial-up
reverse DNS as HELO string?
And if so, why not just check the reverse DNS? And, how much does this test
overlap with existing dynamic host/dial up blacklists?
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Andy,
This is almost completely a zombie spammer thing. Just like they need
to create a valid Mail From, they also need to create a HELO, and
hopefully one that is valid, though of course not many ISP's will enter
both A records and reverse DNS entries for this type of address. The
Here is one FP
Where's the IP ?
Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by
mail.cefib.com with ESMTP
- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 2:43 AM
Subject: Re: [Declude.JunkMail] New test
Jason
Bud,
I have a few suggestions that you might want to consider.
The first one would be to skip processing of the message and just have
Declude pass off the HELO as an argument to your script. This can be
done with %HELO%. This will speed processing and ensure that the HELO
comes in the
I am testing a small external test program. A message fails the test
if there is a discernible IP address in the HELO entry of the
message...
Just a little note here: while this test is surely valuable and its
development much appreciated, I think creating a slew of external
Anybody already using a handy way to record the HELO in the decMMDD.log
file?
I'd like to save the step of going to my sysMMDD.txt file if I could.
I've run Bud's test for a few hours and had quite a few hits. The only
false positive wasn't a false positive at all, but a correctly identified
, April 19, 2004 12:15 AM
Subject: Re: [Declude.JunkMail] New test
I am testing a small external test program. A message fails the test
if there is a discernible IP address in the HELO entry of the
message...
Just a little note here: while this test is surely valuable and its
Markus;
Thanks for the detailed feedback and kind words. I haven't had time to
the study our numbers (and I believe our statistical universe is much
smaller than yours), but generally speaking I'm pleased with the results
we're seeing here.
For those who are interested, I'll be posting this
I created this because I see quite a few messages that use an
IP for the HELO, (and often it is MY mail server's IP). I
have never, ever, not once seen such a message that wasn't
spam, so on my system that test will be weighted quite heavily.
No other MTA should connect to your MTA using
Markus Gufler wrote:
No other MTA should connect to your MTA using your MTA's IP as HELO string.
I don't know if there is any reason to connect with any other IP-address as
HELO-string.
My thinking exactly
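The HELOISIP idea discussed above (a message fails when an IP address is discernible inside the HELO name, even when that name is a perfectly valid hostname such as morden-res-206-45-166-10.mts.net that HELOBOGUS would accept), together with the two refinements raised in the thread (treating a bracketed address literal as legitimate usage, and treating a HELO that claims the receiving MTA's own address as a failure), can be sketched as follows. This is an added example written for this page, not Bud Durland's program or any Declude code; the four-octet regex heuristic, the `Received:` parsing and the `our_mta_ip` parameter are assumptions of the example, and the sample headers are the ones quoted in the thread.

```python
import re
from ipaddress import IPv4Address

# Four 1-3 digit groups joined by '.' or '-' and not abutting other digits.
# Constructed heuristic: the original program's exact rule is not on the page.
_EMBEDDED_IP = re.compile(
    r"(?<![0-9])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?![0-9])"
)
# "Received: from <helo> [<ip>] by ..." as written by the IMail SMTPD in the thread.
_RECEIVED = re.compile(r"^Received:\s+from\s+(\S+)\s+\[([0-9.]+)\]", re.M)


def parse_received(header: str):
    """Return (helo_name, connecting_ip) from a Received: header, or None."""
    m = _RECEIVED.search(header)
    return (m.group(1), m.group(2)) if m else None


def embedded_ip(helo: str):
    """Return the first IPv4 address discernible inside a HELO string, else None."""
    for m in _EMBEDDED_IP.finditer(helo):
        octets = [int(g) for g in m.groups()]
        if all(o <= 255 for o in octets):
            return ".".join(map(str, octets))
    return None


def address_literal(helo: str):
    """Return the address if HELO is a bracketed literal like [63.202.107.44], else None."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(IPv4Address(helo[1:-1]))
        except ValueError:
            return None
    return None


def heloisip(helo: str, our_mta_ip: str):
    """Return (fails, reason); fails is True when the message should fail the test.

    our_mta_ip is an assumed parameter: the address of the receiving server.
    """
    literal = address_literal(helo)
    if literal is not None:
        # A bracketed literal is proper HELO usage (the exception suggested in the
        # thread), unless the client claims to be our own server.
        if literal == our_mta_ip:
            return True, "HELO is our own MTA address"
        return False, "bracketed address literal"
    ip = embedded_ip(helo)
    if ip is None:
        return False, "no IP discernible"
    if ip == our_mta_ip:
        return True, "HELO embeds our own MTA address"
    return True, "HELO embeds " + ip


if __name__ == "__main__":
    # Headers quoted in the thread; 192.0.2.25 is a documentation address standing in
    # for the local MTA.
    samples = [
        "Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]",
        "Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]\n"
        "by areatech.com",
        "Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by mail.cefib.com",
    ]
    for header in samples:
        helo, ip = parse_received(header)
        print(helo, ip, heloisip(helo, "192.0.2.25"))
```

Run as a script it prints the verdict for each quoted header: the two dial-up names fail, the cnet.com relay (the "Where's the IP?" false positive) passes because its digits never form four octets.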
Several people have set up a filter file containing
HELO 0 CONTAINS
I would like to test. Looks like a good test.
Kevin
Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Wednesday, April 14, 2004 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test
I'd like
I'm interested.
Thanks.
Original Message
From: Bud Durland
Subject: [Declude.JunkMail] New test
Date: Wed, 14 Apr 2004 06:05:40 -0700
I am testing a small external test program. A message fails the test if
there is a discernible IP address in the HELO entry of the message.
These
interested
thanks, andy
- Original Message -
From: Bud Durland
To: Declude List
Sent: Wednesday, April 14, 2004 8:58 AM
Subject: [Declude.JunkMail] New test
I am testing a small external test program. A message
fails the test if there is a discernible IP
interested
At 09:17 AM 4/14/2004 -0400, you wrote:
interested
thanks, andy
- Original Message -
From: Bud Durland
To: Declude List
Sent: Wednesday, April 14, 2004 8:58 AM
Subject: [Declude.JunkMail] New test
I am testing a small external test program. A message fails the test
I'd like to test it also.
-Dave
- Original Message -
From: Bud Durland
To: Declude List
Sent: Wednesday, April 14, 2004 8:58 AM
Subject: [Declude.JunkMail] New test
I am testing a small external test program. A message
fails the test if there is an
How about a test like this:
NUMBERSINMAILFROM
It would be similar to SUBJECTSPACES but would count the number of
digits in the Mail From address. You could then configure
it for, say, if 10 or more, add 5 to the weight and so forth.
John,
We already look for sender addresses
with two dashes (--) in the domain.
We are getting more and more spam like hot--stuff.com
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, September 11, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail
Any thoughts, good or bad?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, September 09, 2003 10:32 PM
Any thoughts, good or bad?
It's one that we do hope to add. It's not foolproof (such as
[EMAIL PROTECTED]), but would be useful in helping catch spam.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude
That would work great at detecting old Compuserve accounts :)
I'm not convinced that this would be a very clear marker for spam
though (depends on what the automated real stuff does), but you could
probably set up a filter to test the theory
First create a filter file test and score it as a
Sorry, I've no great insight on the positive uses of this test, but I can
point out another exception. E-mail enabled pagers and RIM Blackberries
often have their phone number as the e-mail address @TheProviderDomain.com
instead of or in addition to the subscriber's name.
Andrew.
maybe
a bad idea -
We send out
e-mail that has a Variable Return Address, so that we can handle bounces
well. In our case, that address is a combo of letters and numbers (lots of
numbers sometimes). And, we work hard to make sure our mail is all
requested!
Other legit
] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, September 10, 2003 12:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] New test request
Sorry, I've no great insight on the positive uses of this test, but I can
point out another exception. E-mail enabled
Here are some examples of mailing lists that have lots of numbers (and
letters) in the MAILFROM. You may find that you'll have to put in a
counterweight every time a user reports that they're missing mail when they
sign up for a newsletter.
Andrew 8)
p.s. I've deliberately munged the addresses a
Dan Patnode wrote:
Good point,
The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience) tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides?
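The NUMBERSINMAILFROM proposal and the refinements in this thread (start the digit threshold above the 10 digits of a pager address, and count digits that have letters on both sides separately from a single contiguous code such as a bounce-tracking address) can be put together into a small scoring routine. This is an added example for this page, not Declude's implementation of any test; the thresholds, the weight values and the sample addresses are constructed for illustration.

```python
import re

_DIGIT_RUNS = re.compile(r"\d+")


def digit_stats(address: str):
    """Return (total_digits, longest_run, mixed_digits) for the local part of an address.

    mixed_digits counts digits belonging to runs that have a letter immediately on
    both sides, i.e. digits interleaved with letters rather than one contiguous code.
    """
    local = address.split("@", 1)[0]
    total = longest = mixed = 0
    for m in _DIGIT_RUNS.finditer(local):
        run = m.group()
        total += len(run)
        longest = max(longest, len(run))
        before = local[m.start() - 1] if m.start() > 0 else ""
        after = local[m.end()] if m.end() < len(local) else ""
        if before.isalpha() and after.isalpha():
            mixed += len(run)
    return total, longest, mixed


def numbersinmailfrom(address: str, threshold: int = 11, mixed_threshold: int = 4) -> int:
    """Return a weight to add for the Mail From address (constructed scheme).

    - Digits interleaved with letters (>= mixed_threshold of them) look like
      obfuscation and get the full weight of 5, as in the original proposal.
    - A single contiguous run of digits is treated as a code (pager, VERP-style
      bounce address) and is left alone regardless of length.
    - Otherwise digits spread over several runs above the threshold get a small
      weight of 2, so this test alone cannot push a message over the line.
    """
    total, longest, mixed = digit_stats(address)
    if mixed >= mixed_threshold:
        return 5
    if total < threshold:
        return 0
    if longest == total:
        return 0
    return 2


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real mail.
    for addr in [
        "5551234567@example.com",            # pager-style, 10 contiguous digits
        "bounce-20040419123456@example.com",  # variable return address, one code
        "a1b2c3d4e5@example.com",            # digits interleaved with letters
        "x12-345-6789-0@example.com",        # several separated digit runs
        "john123@example.com",               # few digits
    ]:
        print(addr, digit_stats(addr), numbersinmailfrom(addr))
```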
JT Pagers have 10 numbers, so I would actually start at either 11 or 15.
JT An old CompuServe address will most likely not be failing other tests to
JT where this one would put it over. How many numbers do those addresses have
JT in them?
Nine digits, e.g. [EMAIL PROTECTED] (that was mine for 5
I wouldn't consider that to be spam. Amazon? Travelocity? Yahoo
Groups?
Most of these are opt-in sources (by way of membership or purchase),
and doing the bounce test that they are doing is in fact responsible
use of commercial E-mail. If you are going to monitor for failed
receivers, that
MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT2CONTAINSqb
(snip)
This looks good, Matthew.
The weight is low enough to be cautious, and I suspect the only false
positives you will get are on subject lines with that raw
=?ISO-8859-1?B?UmU6U2lsZG stuff.
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, September 10, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] New test
Thanks Andrew...I like my apples :)
Some stuff could be put back in that I took out while testing the filter
for the body before I found out that it caught attachments. I was
careful to take out things like ql because of MSSQL, and I searched a
dictionary file for matches on the other strings
Wow, what a sweet idea Matthew! Applying rules of English (like Q is always followed
by U) to look for gibberish. :)
Yea, so long as BODY searches attachments, any small code will sooner or later show up
in an attachment. I've even had problems trying hard tests for complete words where
an
I was wondering if you could add a new test to Declude JunkMail? This test
could be called similar addresses.
If someone sends a message to multiple addresses and the to, cc or bcc
of all the addresses contain helpdesk@ then I'd think it's a pretty good
bet that it's a spam message.
It is
One problem: I receive very legitimate email to [EMAIL PROTECTED], that is
sent to abuse@ for all domains thought to be involved for spammers and other
issues. There are cases where someone is just trying to get ahold of
several parties using standard addresses like abuse, hostmaster,
on 4/25/02 11:40 AM, R. Scott Perry wrote:
Looking at our spamtraps, it looks like only a small
portion (perhaps 5% to 10%) of the spam is sent with the multiple addresses
in the To:/Cc: headers. Making it less useful is that often they are
similar-but-not-exact names -- such as john123@,
I think you shouldn't worry about the similar-but-not-exact names case, only
the exact names case. If all the addresses are the same name (and there are 3
or more) then I think it would have to be a spam message (unless someone can
think of a case where that wouldn't be true).
In a manual review