RE: [Declude.JunkMail] Strange Subject
I'm not familiar with this test?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
Sent: Wednesday, September 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject

> Add the following tests and it gets even better :)
>
> SUBSPACE-10 subjectspaces 10 x 10
> SUBSPACE-20 subjectspaces 20 x 20
> SUBSPACE-30 subjectspaces 30 x 30
>
> Matt
>
> Dan Patnode wrote:
>> I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list. All of these would have been seen by Matt's new config:
>>
>> Subject: Block those unwanted Popups yqvqk
>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>> Subject: FW: Block those unwanted Popups yqvqk
>> Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>> Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
>> Subject: FW: get that extra boost in the bed uvqtc qqyixu
>> Subject: FW: new mailREgnfqnKQT
>> Subject: Fw: :( would u mind if i .. jqvmoiqfkzkokdwns u
>> Subject: get that extra boost in the bed uvqtc qqyixu
>> Subject: get that extra boost in the bed uvqtc qqyixu
>> Subject: Re: new mailREgnfqnKQT
>> Subject: Re: new mail REgnfqnKQT
>> Subject: Stop messages SPAM po p vyoaejswayqo
>> Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=
>>
>> Dan
>>
>> On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:
>>> How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.
>>>
>>> I think I've mentioned enough times the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score). I could catch so much crap with those 40 or so two-character gibberish strings; in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).
>>>
>>> I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :)
>>>
>>> BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.
>>>
>>> Matt
>>>
>>> Dan Patnode wrote:
>>>> FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:
>>>>
>>>> Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=
>>>>
>>>> There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.
>>>>
>>>> Dan
>>>>
>>>> On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:
>>>>> Use a text filter and add something like:
>>>>>
>>>>> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>>>>>
>>>>> to it. I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit; this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):
>>>>>
>>>>> HEADERS 10 CONTAINS ISO-8859-1?B?
>>>>>
>>>>> Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does
RE: [Declude.JunkMail] New test request
> How about a test like this: NUMBERSINMAILFROM
>
> It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth.

John,

We already look for sender addresses containing more than 4 (SenderWithCodeMaybe) or more than 8 digits (SenderWithCode). So we count around 75% of spam senders and 25% of FPs. As Scott said, there are a lot of typical freemailer addresses like [EMAIL PROTECTED] creating FPs with such a test. But there are also auto-generated mailings having a sender address like [EMAIL PROTECTED]

On a typical day we can see around 10% of all incoming messages having between 4 and 7 digits. Another ~8% of incoming messages have more than 8 digits.

It's not the best, but definitely a useful test in a weighting system.

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New test request
Hi;

I have been following this discussion and it seems like for a weight test it would be good. Some observations that could complement this:

1: Mailing list email addresses are long. I have not seen autogenerated addresses that are less than 10 or so characters. E.g.:

[EMAIL PROTECTED] [64.241.105.8]
[EMAIL PROTECTED]

But on the other hand spam-like emails are typically about 10 or so characters. I think it is worth looking into John's suggestion with a consideration of the UserID length. E.g. from last night's logs:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I think we can use the length of the UserID to our advantage in implementing this test.

2: I wish we could run tests on UserID and domain separately. It seems like it would be much easier if the domain could be separated from the UserID since, for example, one could test for two dashes (--) in the domain. We are getting more and more spam like hot--stuff.com

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Thursday, September 11, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New test request

>> How about a test like this: NUMBERSINMAILFROM
>>
>> It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth.
>
> John,
>
> We already look for sender addresses containing more than 4 (SenderWithCodeMaybe) or more than 8 digits (SenderWithCode). So we count around 75% of spam senders and 25% of FPs. As Scott said, there are a lot of typical freemailer addresses like [EMAIL PROTECTED] creating FPs with such a test. But there are also auto-generated mailings having a sender address like [EMAIL PROTECTED]
>
> On a typical day we can see around 10% of all incoming messages having between 4 and 7 digits. Another ~8% of incoming messages have more than 8 digits.
>
> It's not the best, but definitely a useful test in a weighting system.
>
> Markus
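A worked version of the sender-address tests discussed in this thread, added here as an example (it is not Declude's code nor Markus's or Kami's configuration): digit counting at the "more than 4" / "more than 8" thresholds quoted above, the user-ID length consideration, and a separate check on the domain part for a double dash. The ShortCodedUser and DoubleDashDomain names, the weights and the sample addresses are assumptions.

```python
"""Sender-address weighting tests (digits in the MAIL FROM user part).

Added example, not Declude's own code. It models what the thread describes:
count the digits in the user part of the sender address (more than 4 ->
SenderWithCodeMaybe, more than 8 -> SenderWithCode), take the user-ID length
into account (auto-generated list senders are long, coded spam senders tend
to be about 10 characters), and test the domain separately, e.g. for "--".
Weights, the ShortCodedUser / DoubleDashDomain names and the sample
addresses are assumptions made for this example.
"""

CODE_MAYBE_DIGITS = 4   # more than this many digits -> SenderWithCodeMaybe (thread)
CODE_DIGITS = 8         # more than this many digits -> SenderWithCode (thread)
SHORT_USER_LEN = 10     # user IDs this short with a digit code look spam-like (thread)

# Assumed weights for a weighting system; tune against your own FP rate
# (the thread quotes ~25% FPs for the raw digit test, hence low weights).
WEIGHTS = {
    "SenderWithCodeMaybe": 2,
    "SenderWithCode": 5,
    "ShortCodedUser": 3,
    "DoubleDashDomain": 4,
}


def split_address(addr):
    """Split 'user@domain' into (user, domain) lower-cased; None if malformed."""
    addr = addr.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    user, domain = addr.split("@")
    if not user or not domain:
        return None
    return user.lower(), domain.lower()


def sender_tests(addr):
    """Names of the tests this sender address fails, in evaluation order."""
    parts = split_address(addr)
    if parts is None:
        return ["MalformedSender"]
    user, domain = parts
    digits = sum(ch.isdigit() for ch in user)
    failed = []
    if digits > CODE_DIGITS:
        failed.append("SenderWithCode")
    elif digits > CODE_MAYBE_DIGITS:
        failed.append("SenderWithCodeMaybe")
    # Kami's point: a digit code in a *short* user ID is the spam-like shape;
    # long auto-generated list addresses with digits are usually legitimate.
    if digits > CODE_MAYBE_DIGITS and len(user) <= SHORT_USER_LEN:
        failed.append("ShortCodedUser")
    # Testing the domain on its own lets a rule like "two dashes" apply only there.
    if "--" in domain:
        failed.append("DoubleDashDomain")
    return failed


def sender_weight(addr):
    """Total weight contributed by the sender-address tests."""
    return sum(WEIGHTS.get(name, 0) for name in sender_tests(addr))


if __name__ == "__main__":
    # Constructed sample senders (the archive redacts the real ones).
    for sample in ("joe1234@example.com", "user12345@example.com",
                   "bounce-987654321-list@example.org", "x1y2z3w4v5@hot--stuff.com"):
        print(f"{sample:40} {sender_tests(sample)} weight={sender_weight(sample)}")
```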
[Declude.JunkMail] longsubject
Just FYI, Dell Premier support has very long subject lines. One example I've seen is 182 characters.

Terry Fritts
RE: [Declude.JunkMail] OT: Slightly: Reason for HELO bogus
That's a standard "I don't know what I'm doing but I'm going to sound like an expert" response.

Why doesn't your Reverse DNS work? "for security reasons"
Why does your server respond as yourdomain.here? "for security reasons"
Why was your server offline for six hours yesterday? "for security reasons"

It's also a good CYA response if you work for a white-collar idiot.

> OK, I just got off the phone with another mail admin who claims his HELO bogus is by design. He claimed it is a security feature so the internal structure of his network cannot be figured out.
Re[2]: [Declude.JunkMail] SMTP Relay Limit
Hello Matthew,

Wednesday, September 10, 2003, 6:36:04 PM, you wrote:

MB> Dan Patnode wrote:
MB>> Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it.

Postfix on BSD. IMHO, most powerful/stable email platforms are OS. (I know that's a generalization and not the best solution for every environment, but for what Dan's looking for I think it's the best bet.)

MB> It's a crying shame that IMail has such a basic shortcoming. One might
MB> think that was purposeful.

No kidding. I personally think it's engineered that way. A limit of 100. If it were technical, wouldn't it be a limit of 99 or a limit of 128/256/etc? I asked Ipswitch why and got no real answer.

--
Best regards,
David   mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] Strange Subject
It's one of Declude's undocumented tests. I found a bunch of them in the release notes on his site (link at the bottom of the manual page) and then I searched the archives to find comments about them. I also found a few from just simply reading people's config files on this board.

This test, a.k.a. SUBJECTSPACES, just simply counts the number of spaces in a subject line. Spammers often will do something like show a subject, then a bunch of spaces, and then some gibberish. It will also score on some very long subjects which are not common in real E-mail. The scoring is additive as higher levels are hit, and you can customize those levels.

Matt

Marc Catuogno wrote:
> I'm not familiar with this test?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble
> Sent: Wednesday, September 10, 2003 10:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Strange Subject
>
>> Add the following tests and it gets even better :)
>>
>> SUBSPACE-10 subjectspaces 10 x 10
>> SUBSPACE-20 subjectspaces 20 x 20
>> SUBSPACE-30 subjectspaces 30 x 30
>>
>> Matt
>>
>> Dan Patnode wrote:
>>> I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list. All of these would have been seen by Matt's new config:
>>>
>>> Subject: Block those unwanted Popups yqvqk
>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: FW: Block those unwanted Popups yqvqk
>>> Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: FW: get that extra boost in the bed uvqtc qqyixu
>>> Subject: FW: new mailREgnfqnKQT
>>> Subject: Fw: :( would u mind if i .. jqvmoiqfkzkokdwns u
>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>> Subject: Re: new mailREgnfqnKQT
>>> Subject: Re: new mail REgnfqnKQT
>>> Subject: Stop messages SPAM po p vyoaejswayqo
>>> Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=
>>>
>>> Dan
>>>
>>> On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:
>>>> How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.
>>>>
>>>> I think I've mentioned enough times the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score). I could catch so much crap with those 40 or so two-character gibberish strings; in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).
>>>>
>>>> I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :)
>>>>
>>>> BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.
>>>>
>>>> Matt
>>>>
>>>> Dan Patnode wrote:
>>>>> FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:
>>>>>
>>>>> Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=
>>>>>
>>>>> There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.
>>>>>
>>>>> Dan
>>>>>
>>>>> On Monday, September 8, 2003
[Declude.JunkMail] Frequent bouncing of legitimate mail
I'm at my wits' end to solve a problem which has coincided with the release of IMail 8.02 and/or the Sobig.F virus, but it may just be a coincidence. Several of my users' messages and replies to an armful of recipients are bouncing with varying causes, usually this:

"Unknown host: email_address"

or this:

"undeliverable to: email_address"

or this:

"Unknown user: email_address"

And one or two with this:

"This address no longer accepts mail."

Whether by reply or a new message, from Outlook or from Webmail. A check with the companies and individuals involved reveals that the recipients are having no problems receiving messages from anyone else. Ipswitch support claims no responsibility or knowledge of the cause except to say that it is the other guy's server rejecting it.

INTERESTING NOTE: I've had some success sending messages to the problem addresses in this form: [EMAIL PROTECTED] whereas normally it would just be [EMAIL PROTECTED]. Sound like DNS? We don't have an in-house DNS server, but use our ISP's. This problem has just added a couple new hostnames, all of which are business hostnames.

Any help would be greatly appreciated.

-Mike
RE: [Declude.JunkMail] Strange header from REVDNS and REMOTEIP
Enclosed are several headers taken directly from a main.mbx file on the IMail server. (A few internal names have been changed/protected.) The affected line starts with "X-Note: SENT from" and should show REVDNS and REMOTEIP. This only happens about once every 30 messages.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

From [EMAIL PROTECTED] Thu Sep 11 10:27:28 2003
Received: from pimout4-ext.prodigy.net [207.115.63.103] by www.vantagemed.com with ESMTP (SMTPD32-8.02) id A44B8D01D0; Thu, 11 Sep 2003 10:27:07 -0500
Received: from vantagemed.com (adsl-65-69-197-121.dsl.hstntx.swbell.net [65.69.197.121]) by pimout4-ext.prodigy.net (8.12.9/8.12.3) with ESMTP id h8BFXnaA147638 for [EMAIL PROTECTED]; Thu, 11 Sep 2003 11:33:50 -0400
Received: {(helo=namehere) }}by vantagemed.com with smtp (Exim 3.35 #1) id 19xTej-0007SY-00 for [EMAIL PROTECTED]; Thu, 11 Sep 2003 10:46:49 -0500
From: namehere [EMAIL PROTECTED]
To: Keith Purtell [EMAIL PROTECTED]
Subject: RE: Three accounts for Houston, licenses
Date: Thu, 11 Sep 2003 10:35:42 -0500
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4910.0300
Importance: Normal
In-Reply-To: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [207.115.63.103]
X-Declude-Spoolname: D944b008d01d0c930.SMD
X-RBL-Warning: Total weight: 0
X-Tests-Failed: Whitelisted
X-Country-Chain:
X-Note: SENT from gemed.com; Thu, 11 Sep 200 ([207.115.63.103]).
X-Note: Sender address: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 350546558

From [EMAIL PROTECTED] Thu Sep 11 11:03:15 2003
Received: from smtp4.pacifier.net [64.255.237.174] by www.vantagemed.com (SMTPD32-8.02) id ACAC6E021A; Thu, 11 Sep 2003 11:02:52 -0500
Received: from station5 (unknown [207.202.152.65]) by smtp4.pacifier.net (Postfix) with SMTP id ADEB56B003 for [EMAIL PROTECTED]; Thu, 11 Sep 2003 09:05:51 -0700 (PDT)
From: Diane [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Today's Upgrade and Licensing
Date: Thu, 11 Sep 2003 09:10:13 -0700
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.255.237.174]
X-Declude-Spoolname: D9cac006e021a8214.SMD
X-RBL-Warning: Total weight: 0
X-Tests-Failed: Whitelisted
X-Country-Chain:
X-Note: SENT from d.com; Thu, 11 Sep 2003 09 ([64.255.237.174]).
X-Note: Sender address: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 350546568

From [EMAIL PROTECTED] Wed Sep 10 15:36:58 2003
Received: from cs.ipswitch.com [156.21.1.4] by www.vantagemed.com with ESMTP (SMTPD32-8.02) id AB51FF6019A; Wed, 10 Sep 2003 15:36:33 -0500
Received: from CAMPAIGN [156.21.1.4] by cs.ipswitch.com (SMTPD32-8.02) id ABD23277031C; Wed, 10 Sep 2003 16:38:42 -0400
From: Tamara Hart, Ipswitch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Subject: Your Ipswitch Newsletter - September Edition
Date: WED, 10 SEP 2003 16:38:42 -0400
MIME-Version: 1.0
Reply-To: [EMAIL PROTECTED]
Content-Type: multipart/alternative; boundary=Boundary..
X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.4]
X-Declude-Spoolname: D8b510ff6019a8fbf.SMD
X-RBL-Warning: Total weight: 0
X-Tests-Failed: Whitelisted
X-Country-Chain:
X-Note: SENT from :42 -0400 From: Tamara Ha ([156.21.1.4]).
X-Note: Sender address: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 350546459

From [EMAIL PROTECTED] Wed Sep 10 16:28:19 2003
Received: from outgoing3.securityfocus.com [205.206.231.27] by www.vantagemed.com with ESMTP (SMTPD32-8.02) id A75B97C01D0; Wed, 10 Sep 2003 16:27:55 -0500
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id DFD90A35FA; Wed, 10 Sep 2003 14:10:37 -0600 (MDT)
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Id: bugtraq.list-id.securityfocus.com
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] Frequent bouncing of legitimate mail
> I'm at my wits' end to solve a problem which has coincided with the release of IMail 8.02 and/or the Sobig.F virus, but it may just be a coincidence. Several of my users' messages and replies to an armful of recipients are bouncing with varying causes, usually this:
>
> Unknown host: email_address

Have you tried BounceFinder from http://www.declude.com/tools ? If you go to a command prompt, go to the spool directory, and type "BounceFinder sys0911.txt +email_address", it will show all bounces involving email_address.

> And one or two with this:
>
> This address no longer accepts mail.

This one means just that -- the recipient no longer accepts E-mail. This is a problem on the remote end.

> A check with the companies and individuals involved reveals that the recipients are having no problems receiving messages from anyone else. Ipswitch support claims no responsibility or knowledge of the cause except to say that it is the other guy's server rejecting it.

In this last case, it almost certainly is.

> INTERESTING NOTE: I've had some success sending messages to the problem addresses in this form: [EMAIL PROTECTED] whereas normally it would just be [EMAIL PROTECTED]
>
> Sound like DNS? We don't have an in-house DNS server, but use our ISP's. This problem has just added a couple new hostnames, all of which are business hostnames.

There have been a number of cases in previous versions of IMail where IMail would skip over a valid MX record and use the A record, which sounds like it *could* be what you are experiencing. Have you checked the IMail SMTP or SMTP- log file entries, to see if IMail is sending to an IP address that appears in the MX record?

Also, you should take some of the E-mail addresses that you can't send to, and use the Mail Test at http://www.DNSreport.com to see if there are problems with the domain.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] Strange header from REVDNS and REMOTEIP
> Enclosed are several headers taken directly from a main.mbx file on the IMail server. (A few internal names have been changed/protected.) The affected line starts with "X-Note: SENT from" and should show REVDNS and REMOTEIP. This only happens about once every 30 messages.

Hmmm. What are your HOP, HOPHIGH or IPBYPASS settings? It looks like one of them may not be set up correctly.

Also, what version of Declude are you running (you can type "\IMail\Declude -diag" from a command prompt to find out)?

-Scott
[Declude.JunkMail] Explanation of failed tests
Where can I find an explanation of the following tests that are being failed by one of our customers?

IPWHOIS, FIVETEN-FREE, NOABUSE

I'm trying to help them correct their MX settings but am not sure what these tests mean.

Thanks,
Greg

attachment: winmail.dat
RE: [Declude.JunkMail] Strange Subject
> SUBJECT 40 CONTAINS =?ISO-8859-1?b?

I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH, so that others can see what tests have been useful for me.

An interesting point that came out of my following this thread is that I found that when the ISO string appears anywhere in the subject EXCEPT for the beginning, it's a SURE indicator that the message is spam. A really long (and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)

09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on kr [weight-10; KR ].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on free bottle [weight-2; free bottle with your purchase].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on 3+ inches [weight-2; 3+ Inches!br100% Satísfactio].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on Lengthen And Enlarge [weight-4; Lengthen and Enlarge your Pení].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on VP-RX [weight-1; VP-RX Pillsbr/b/font
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on No embarrassing doctor or pharmacy visits [weight-3; No embarrassing doctor or phar].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on Remove me [weight-5; /Remove me/abr-=hqoGD].
09/11/2003 00:13:04 Q2074182b01428a33 Triggered CONTAINS filter on .biz/ [weight-1; .biz/mka/m2c.php?man=st4vpPr].
09/11/2003 00:13:05 Q2074182b01428a33 DSBL:6 BASE64:10 SPAMCOP:10 REVDNS:4 IPNOTINMX:2 NOLEGITCONTENT:2 COUNTRY:10 SNIFFER:7 FIVETENSRC:5 EASYNET-DNSBL:7 EASYNET-PROXIES:5 SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 BENTALLIPBL:7 BENTALLSPAMHINT:33 BENTALLSPAMURL:6 . Total weight = 138
09/11/2003 00:13:05 Q2074182b01428a33 Using [outgoing] CFG file global.cfg.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed DSBL (http://dsbl.org/listing?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 211.109.109.68 with no reverse DNS entry.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed WEIGHT20 (Weight of 163 reaches or exceeds the limit of 20.). Action=HOLD.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed IPNOTINMX (). Action=LOG.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed NOLEGITCONTENT (No content unique to legitimate E-mail detected.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed COUNTRY (Message failed COUNTRY test (41)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed FIVETENSRC (68.109.109.211.blackholes.five-ten-sg.com.). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed EASYNET-DNSBL (Blacklisted by easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed EASYNET-PROXIES (Open Proxy - http://proxies.blackholes.easynet.nl/errors.html). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SORBS-HTTP (Open Server [socks/35762] See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed SORBS-SOCKS (Open Server [http/35763] See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed PSBL (Your mailserver spammed me, see http://psbl.surriel.com/cgi-bin/listing.cgi?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed CBL (Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLIPBL ( matched 211.104.0.0/13). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLSPAMHINT (Message failed BENTALLSPAMHINT test (901)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed BENTALLSPAMURL (Message failed BENTALLSPAMURL test (412)). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Subject: First Ti=?ISO-8859-1?B?bWU=?=
09/11/2003 00:13:05 Q2074182b01428a33 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 211.109.109.68 ID: h8B78ZwD003879
09/11/2003 00:13:05 Q2074182b01428a33 Last action = HOLD.
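The subject-line checks from this thread worked through in code, as an added example (not Declude's code and not any poster's configuration): the SUBJECTSPACES levels Matt posted, one pattern that covers the 36 "character glued to =?ISO-8859-1?b?" rules Andrew lists, and a decoder for the encoded words so the decoded text can be filtered as well. The level weights, the GLUED-ENCWORD name and the sample subjects are assumptions; the two encoded subjects are the ones quoted in the thread.

```python
"""Subject-line weighting tests from the thread.

Added example, not Declude's own code. It models two things the thread
describes: the SUBJECTSPACES test (count the spaces in the subject and add
weight at each level reached, e.g. 10, 20, 30 spaces) and a single check for
the case Andrew needs 36 rules for: an RFC 2047 encoded word such as
=?ISO-8859-1?B?...?= glued onto preceding text instead of standing at the
start of the subject. Level weights and the sample subjects are constructed.
"""
import base64
import quopri
import re

# Constructed in the spirit of "SUBSPACE-10 subjectspaces 10 x 10" etc.:
# (space count reached, weight added). Additive: 28 spaces scores the first two.
SPACE_LEVELS = [(10, 10), (20, 10), (30, 10)]
GLUED_ENCWORD_WEIGHT = 10   # assumed weight for the glued encoded-word test

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# An encoded word directly preceded by a non-space character. A compliant MUA
# puts whitespace (or nothing) before an encoded word, so this one pattern is
# what Andrew's "a=?ISO-8859-1?b?", "b=?ISO-8859-1?b?", ... rules approximate.
GLUED_ENCODED_WORD = re.compile(r"\S=\?[^?]+\?[bBqQ]\?")


def subject_spaces_weight(subject):
    """Weight added by the space-count levels the subject reaches."""
    spaces = subject.count(" ")
    return sum(weight for level, weight in SPACE_LEVELS if spaces >= level)


def encoded_word_glued(subject):
    """True when an encoded word follows text with no separating whitespace."""
    return GLUED_ENCODED_WORD.search(subject) is not None


def decode_encoded_words(subject):
    """Decode =?charset?B|Q?payload?= words so the real text can be filtered
    (the thread notes the SUBJECT filter only sees the raw, encoded form)."""
    def repl(match):
        charset, enc, payload = match.group(1), match.group(2).upper(), match.group(3)
        if enc == "B":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' stands for a space
            raw = quopri.decodestring(payload.replace("_", " ").encode("ascii"))
        try:
            return raw.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: keep the bytes readable
            return raw.decode("latin-1")
    return ENCODED_WORD.sub(repl, subject)


def score_subject(subject):
    """Tests failed and total weight for one raw Subject: value."""
    failed, weight = [], 0
    spaces = subject_spaces_weight(subject)
    if spaces:
        failed.append("SUBJECTSPACES")
        weight += spaces
    if encoded_word_glued(subject):
        failed.append("GLUED-ENCWORD")
        weight += GLUED_ENCWORD_WEIGHT
    return {"decoded": decode_encoded_words(subject), "failed": failed, "weight": weight}


if __name__ == "__main__":
    samples = [
        # constructed: subject, run of spaces, gibberish tail (the shape Matt describes)
        "Block those unwanted Popups" + " " * 25 + "yqvqk",
        # quoted in the thread: legitimate French mail, encoded word at the start
        "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=",
        # quoted in Andrew's log: encoded word glued to preceding text
        "First Ti=?ISO-8859-1?B?bWU=?=",
    ]
    for s in samples:
        print(score_subject(s))
```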
RE: [Declude.JunkMail] Strange header from REVDNS and REMOTEIP
We're running version 1.70 professional. After you zeroed in on those settings, I reviewed some posts in the archive and made a change. Here is before and after...

HOP 0
HOPHIGH 1
IPBYPASS 64.105.145.252

HOP 0
# HOPHIGH 1
# IPBYPASS 64.105.145.252

That IP address was formerly a backup mail server, and we don't yet have a gateway. Am I on the right track now?

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, September 11, 2003 12:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Strange header from REVDNS and REMOTEIP

>> Enclosed are several headers taken directly from a main.mbx file on the IMail server. (A few internal names have been changed/protected.) The affected line starts with "X-Note: SENT from" and should show REVDNS and REMOTEIP. This only happens about once every 30 messages.
>
> Hmmm. What are your HOP, HOPHIGH or IPBYPASS settings? It looks like one of them may not be set up correctly.
>
> Also, what version of Declude are you running (you can type "\IMail\Declude -diag" from a command prompt to find out)?
>
> -Scott
[Declude.JunkMail] Yet another new test request
How about some thoughts on selectively running tests, based on the HOP count?

Specifically, one of my strong reasons to buy Declude+IMail (yes, that's the way I view it!) for my gateway was because of the HOPHIGH feature for running ip4r tests against more than just the IP of the host that sent the message.

The drawback is that some of those ip4r tests are only relevant for certain hops. Here's an example that leads to false positives in my setup, which in turn leads to me diluting the effectiveness of some tests by lowering their weight.

NJABLDUL and SORBS-DUL list blocks from lots of ISPs, and are great to use if you are only testing the IP of the host that sent the message, but they are a false positive when an innocent workstation on that netblock sends a message through their own ISP's mailhost.

I suppose one suggestion is that I could follow Kami's lead and put the ip4r tests that are direct-spam related in IMail, and have Declude test the header for those. Then have Declude set to HOP 1 instead of HOP 0 in my global.cfg ... Hmmm... that might close more doors than it opens. Some tests would have to be run in both places, like FIVETENMULTI and SORBS-ZOMBIE, to be effective.

So, any thoughts, comments, flames?

Andrew 8)
RE: [Declude.JunkMail] Strange header from REVDNS and REMOTEIP
> We're running version 1.70 professional.

I would recommend upgrading to 1.75 (1.70 was a beta version, with some known issues).

> After you zeroed in on those settings, I reviewed some posts in the archive and made a change. Here is before and after...
>
> HOP 0
> HOPHIGH 1
> IPBYPASS 64.105.145.252
>
> HOP 0
> # HOPHIGH 1
> # IPBYPASS 64.105.145.252
>
> That IP address was formerly a backup mail server, and we don't yet have a gateway. Am I on the right track now?

I'm guessing this will fix the problem. I would still recommend upgrading to 1.75, however.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] Yet another new test request
> NJABLDUL and SORBS-DUL list blocks from lots of ISPs, and are great to use if you are only testing the IP of the host that sent the message, but they are a false positive when an innocent workstation on that netblock sends a message through their own ISP's mailhost.

Actually, Declude JunkMail automatically skips over those two tests if it has passed the first hop. :)

-Scott
Re: [Declude.JunkMail] Yet another new test request
Scott,

Am I correct in assuming that EASYNET-DYNA isn't excluded? Should it be? Your server seems to be tagging me based on my PC, because my server isn't listed anywhere but XBL (waste of resources).

Matt

R. Scott Perry wrote:
>> NJABLDUL and SORBS-DUL list blocks from lots of ISPs, and are great to use if you are only testing the IP of the host that sent the message, but they are a false positive when an innocent workstation on that netblock sends a message through their own ISP's mailhost.
>
> Actually, Declude JunkMail automatically skips over those two tests if it has passed the first hop. :)
>
> -Scott
Re: [Declude.JunkMail] Yet another new test request
> Am I correct in assuming that EASYNET-DYNA isn't excluded?

Correct.

> Should it be?

You are correct, it should. That will be changed for the next release.

-Scott
Re: [Declude.JunkMail] Strange Subject
Looking at my spamples I don't see any prefix letter:

Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=
Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=
Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=
Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=
Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=
Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=

Who are these guys putting the code in the middle? Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan

On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:
> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>
> I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH so that others can see what tests have been useful for me.
>
> An interesting point that came out of my following this thread is that I found that when the ISO string appears anywhere in the subject EXCEPT for the beginning, it's a SURE indicator that the message is spam. A really long (and imperfect) way to test for that is to add:
>
> SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
> SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
> SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
> 999 CONTAINS 3=?ISO-8859-1?b?
>
> Anyone have a more concise way to test for that?
>
> Andrew 8)
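Andrew's question above (a more concise test than one CONTAINS line per character that can precede the encoded string) as an added Python example; this is not code from the thread or from Declude. It finds every RFC 2047 encoded-word in a raw Subject value, decodes B and Q encodings, and records two separate conditions: whether the first encoded-word opens the subject, and whether any encoded-word is glued to plain text on either side, which RFC 2047 forbids and which is what the mid-line samples in the thread have in common. The function names and the `suspicious` rule are this example's own; the sample subjects are copied from messages in this thread (including the legitimate Korean one Matt reports later), which also shows why "not at the start" alone is looser than "glued to text".

```python
"""Classify RFC 2047 encoded-words found in a raw Subject header value."""
import base64
import quopri
import re

# One RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_word(charset, encoding, text):
    """Decode a single encoded-word; undecodable input is returned as-is."""
    try:
        if encoding in "bB":
            raw = base64.b64decode(text)
        else:  # Q encoding is quoted-printable with "_" standing for a space
            raw = quopri.decodestring(text.replace("_", " ").encode("ascii"))
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):
        return text


def analyse_subject(subject):
    """Describe the encoded-words in a raw Subject value.

    count     number of encoded-words found
    at_start  True if the first encoded-word opens the subject
    glued     True if any encoded-word touches non-whitespace text on either
              side (RFC 2047 section 5 requires whitespace around it)
    charsets  lower-cased charset labels seen
    decoded   subject with every encoded-word replaced by its decoded text
    """
    words = list(ENCODED_WORD.finditer(subject))
    glued = False
    for m in words:
        before, after = subject[:m.start()], subject[m.end():]
        if (before and not before[-1].isspace()) or (after and not after[0].isspace()):
            glued = True
    leading_ws = len(subject) - len(subject.lstrip())
    return {
        "count": len(words),
        "at_start": bool(words) and words[0].start() == leading_ws,
        "glued": glued,
        "charsets": sorted({m.group(1).lower() for m in words}),
        "decoded": ENCODED_WORD.sub(lambda m: decode_word(*m.groups()), subject),
    }


def suspicious(subject):
    """Flag a subject whose encoded-word is spliced into plain text.

    Conforming mail clients encode whole words and keep whitespace around
    them, so "[22] =?euc-kr?B?...?=" (plain text first, then a separated
    encoded-word) is not flagged, while "...IM =?ISO-8859-1?B?bWUgYW55?=more" is.
    """
    info = analyse_subject(subject)
    return info["count"] > 0 and info["glued"]


# Sample subjects copied from this thread: spam samples plus one legitimate message.
SAMPLES = [
    "=?iso-8859-1?B?U2F2ZSBtb25leSE=?=",
    "=?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month",
    "You never IM =?ISO-8859-1?B?bWUgYW55?=more",
    "First Ti=?ISO-8859-1?B?bWU=?=",
    "[22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=",
]

if __name__ == "__main__":
    for s in SAMPLES:
        info = analyse_subject(s)
        tag = "SUSPECT" if suspicious(s) else "ok     "
        print(f"{tag} at_start={info['at_start']!s:5} glued={info['glued']!s:5} {info['decoded']!r}")
```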
[Declude.JunkMail] Cautionary note on BASE64
For those who are using the BASE64 test and finding that you have to counterweight for Exchange Servers that uselessly encode plain ASCII messages, note that there is a new patch level:

HEADERS -10 CONTAINS Microsoft Exchange V6.0.6375.0

in addition to John Tolmachoff's research:

HEADERS -10 CONTAINS Microsoft Exchange V6.0.5762.3
HEADERS -10 CONTAINS Microsoft Exchange V6.0.6249.0

Also note that a BASE64 encoded message will also trigger NOLEGITCONTENT if you use it to penalize such messages in addition to its intended effect of rewarding legitimate messages... so your counterweight (-10 in my example) should equal your BASE64 plus your positive NOLEGITCONTENT weight.

Andrew 8)

p.s. Of course, YMMV. Exchange doesn't always encode a plain message in BASE64...
RE: [Declude.JunkMail] Strange Subject
Here you go. Out of the 85 messages received in less than 3 days with this ISO encoded subject, 11 had the encoding in the middle of the line (see attachment). I think they were all caught due to the weights of other tests.

Andrew 8)

-----Original Message-----
From: Dan Patnode [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 11, 2003 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Strange Subject

> Looking at my spamples I don't see any prefix letter:
>
> Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
> Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
> Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
> Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
> Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=
> Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=
> Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=
> Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=
> Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=
> Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=
>
> Who are these guys putting the code in the middle? Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.
>
> Dan
>
> On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>>
>> I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH so that others can see what tests have been useful for me.
>>
>> An interesting point that came out of my following this thread is that I found that when the ISO string appears anywhere in the subject EXCEPT for the beginning, it's a SURE indicator that the message is spam. A really long (and imperfect) way to test for that is to add:
>>
>> SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
>> SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
>> SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
>> 999 CONTAINS 3=?ISO-8859-1?b?
>> Anyone have a more concise way to test for that?
>>
>> Andrew 8)

09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on CA [weight-0; CA BR ].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on br [weight-10; BR ].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on @snip [weight--9; @snip; Mon, 8 Sep].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on [EMAIL PROTECTED] [weight-30; [EMAIL PROTECTED]; Mon,].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on 100% guaranteed [weight-3; 100% Guaranteed to Work!/em
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Weight Loss Patch [weight-3; Weight Loss Patch
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on Norton [weight-1; Norton [EMAIL PROTECTED]
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on /bek/ [weight-30; /bek/Remove me/a
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on .biz/ [weight-1; .biz/mdp/m2c.php?man=andClic].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on getit4less.biz [weight-30; getit4less.biz/mdp/m2c.php?man].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on No More [weight-5; no morebrstarvation diets/].
09/08/2003 00:04:54 Q2a100762009c03a5 DSBL:4 DSBLALL:3 MONKEYPROXIES:7 SPAMCOP:10 IPNOTINMX:2 COUNTRY:10 SNIFFER:7 NJABLDUL:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BR-BR:7 SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 SPAMBAG:3 BENTALLSPAMHINT:28 BENTALLSPAMURL:61 BENTALLSPAMUNSUB:5 . Total weight = 194
09/08/2003 00:04:54 Q2a100762009c03a5 Using [outgoing] CFG file global.cfg.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBL (http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBLALL (http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed MONKEYPROXIES (BLOCKED: See http://www.monkeys.com/upl/listed-ip-0.cgi?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed WEIGHT20 (Weight of 194 reaches or exceeds the limit of 20.). Action=HOLD.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed IPNOTINMX (). Action=LOG.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed COUNTRY (Message failed COUNTRY test (34)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed SNIFFER (Message failed SNIFFER: 63.). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed NJABLDUL (This E-mail came from 200.168.125.76,
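Andrew posted the log above so others could see which tests were useful; the following added Python example (not code from the thread or from Declude) turns a Declude HIGH-level log excerpt into per-message records: it groups lines by queue ID, collects the tests that fired with their action, parses the "TEST:weight ... Total weight = N" summary line and checks that the listed weights really add up to the reported total. The function and field names are this example's own, and SAMPLE_LOG is copied from the two log excerpts in this thread, trimmed to a few entries (including one line that the excerpt cuts off, to show how the parser treats it).

```python
"""Parse Declude JunkMail log lines (log level HIGH) into per-message records."""
import re
from collections import defaultdict

LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q[0-9a-fA-F]+) (.*)$")
FAILED = re.compile(r"^Msg failed (\S+) \((.*)\)\. Action=(\w+)\.$")
SUMMARY = re.compile(r"^((?:\S+:-?\d+\s+)+)\.\s*Total weight = (-?\d+)$")
# The excerpt shows "[weight-30;" and "[weight--9;", so accept "-" or "=" as separator.
FILTER_HIT = re.compile(r"^Triggered CONTAINS filter on (.+?) \[weight[=-](-?\d+);")


def new_record():
    return {"failed": {}, "weights": {}, "total": None,
            "filter_hits": [], "last_action": None, "unparsed": []}


def parse_log(text):
    """Return {queue_id: record} for every message that appears in the log text."""
    msgs = defaultdict(new_record)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        _, qid, body = m.groups()
        rec = msgs[qid]
        if f := FAILED.match(body):
            rec["failed"][f.group(1)] = {"detail": f.group(2), "action": f.group(3)}
        elif s := SUMMARY.match(body):
            for item in s.group(1).split():
                name, weight = item.rsplit(":", 1)
                rec["weights"][name] = int(weight)
            rec["total"] = int(s.group(2))
        elif h := FILTER_HIT.match(body):
            rec["filter_hits"].append((h.group(1), int(h.group(2))))
        elif body.startswith("Last action = "):
            rec["last_action"] = body[len("Last action = "):].rstrip(".")
        else:
            rec["unparsed"].append(body)  # e.g. a line cut off in the excerpt
    return dict(msgs)


def weights_consistent(rec):
    """True when the per-test weights in the summary sum to the reported total."""
    return rec["total"] is not None and sum(rec["weights"].values()) == rec["total"]


def hold_reasons(rec):
    """Tests whose action was HOLD, i.e. what actually stopped the message."""
    return sorted(n for n, v in rec["failed"].items() if v["action"] == "HOLD")


# Constructed sample: lines copied from the two log excerpts in this thread.
SAMPLE_LOG = """
09/11/2003 00:13:05 Q2074182b01428a33 Msg failed PSBL (Your mailserver spammed me, see http://psbl.surriel.com/cgi-bin/listing.cgi?ip=211.109.109.68). Action=WARN.
09/11/2003 00:13:05 Q2074182b01428a33 Last action = HOLD.
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on @snip [weight--9; @snip; Mon, 8 Sep].
09/08/2003 00:04:54 Q2a100762009c03a5 Triggered CONTAINS filter on getit4less.biz [weight-30; getit4less.biz/mdp/m2c.php?man].
09/08/2003 00:04:54 Q2a100762009c03a5 DSBL:4 DSBLALL:3 MONKEYPROXIES:7 SPAMCOP:10 IPNOTINMX:2 COUNTRY:10 SNIFFER:7 NJABLDUL:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BR-BR:7 SORBS-HTTP:7 SORBS-SOCKS:7 PSBL:5 CBL:5 SPAMBAG:3 BENTALLSPAMHINT:28 BENTALLSPAMURL:61 BENTALLSPAMUNSUB:5 . Total weight = 194
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed DSBL (http://dsbl.org/listing?ip=200.168.125.76). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed WEIGHT20 (Weight of 194 reaches or exceeds the limit of 20.). Action=HOLD.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed IPNOTINMX (). Action=LOG.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed COUNTRY (Message failed COUNTRY test (34)). Action=WARN.
09/08/2003 00:04:54 Q2a100762009c03a5 Msg failed NJABLDUL (This E-mail came from 200.168.125.76,
"""

if __name__ == "__main__":
    for qid, rec in parse_log(SAMPLE_LOG).items():
        print(qid, "total", rec["total"], "consistent", weights_consistent(rec),
              "hold", hold_reasons(rec), "unparsed", len(rec["unparsed"]))
```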
Re: [Declude.JunkMail] Strange Subject
I've been capturing this stuff and I have found the code in the middle of native language text, but only occasionally. Some examples:

Subject: You never IM =?ISO-8859-1?B?bWUgYW55?=more
Subject: This is=?ISO-8859-1?b?IHRoZSA1dGgg?=email=?ISO-8859-1?b?IEkgc2Vu?=t you
Subject: =?ISO-8859-1?b?SG93IGRvIA==?=you use =?ISO-8859-1?b?aXQ/?=

I haven't seen a false positive yet. Has someone seen ISO 8859-1 (Latin-1) being used for any other purpose? This is the standard English and Western European character set. Is it possible that, say, a foreign E-mail client build would tag Latin-1? If not, is there a reason to be concerned about false positives???

Matt

Dan Patnode wrote:
> Looking at my "spamples" I don't see any prefix letter:
>
> Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
> Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
> Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
> Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=
> Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=
> Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=
> Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=
> Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=
> Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=
> Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=
>
> Who are these guys putting the code in the middle? Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.
>
> Dan
>
> On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote:
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>>
>> I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH so that others can see what tests have been useful for me.
>> An interesting point that came out of my following this thread is that I found that when the ISO string appears anywhere in the subject EXCEPT for the beginning, it's a SURE indicator that the message is spam. A really long (and imperfect) way to test for that is to add:
>>
>> SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
>> SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
>> SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
>> 999 CONTAINS 3=?ISO-8859-1?b?
>>
>> Anyone have a more concise way to test for that?
>>
>> Andrew 8)
Re: SPAM: Re: [Declude.JunkMail] Strange Subject
Not bad. Makes me wonder if the future test grouping feature would be even stronger with exclusive as well as inclusive grouping. Must have (1) and (2) but not (3). That would rock! :)

Dan

On Thursday, September 11, 2003 15:05, Matthew Bramble [EMAIL PROTECTED] wrote:
> Dan,
>
> There's a decent way around that. You can set the test in the Config file for a solid weight, not score each filter test incrementally, and then provide a list of negative tests that would offset the test. So if there is some sort of ISO tagging of this Japanese stuff, you can find that code and defeat the test from running. Same goes for other languages.
>
> I just got my first false positive out of 200 catches. This was from Korea but written in English (still encoded though). There are two clues in the headers as to how to defeat the test:
>
> Subject: [22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=
> Content-Type: text/html; charset=euc-kr
>
> You could probably do something like the following (suggested replacement for the original filter if you are using it):
>
> GIBBERISHSUB filter C:\IMail\Declude\Filters\GibberishSub.txt x 50
>
> # The following defeats the test if it finds the subject is not sent as ASCII
> SUBJECT -5 CONTAINS ?b?
> # Small list of letter combinations not found in a basic dictionary.
> SUBJECT 0 CONTAINS qb
> SUBJECT 0 CONTAINS qc
> SUBJECT 0 CONTAINS qd
> SUBJECT 0 CONTAINS qe
> SUBJECT 0 CONTAINS qf
> SUBJECT 0 CONTAINS qg
> SUBJECT 0 CONTAINS qh
> SUBJECT 0 CONTAINS qi
> SUBJECT 0 CONTAINS qj
> SUBJECT 0 CONTAINS qk
> SUBJECT 0 CONTAINS qm
> SUBJECT 0 CONTAINS qn
> SUBJECT 0 CONTAINS qo
> SUBJECT 0 CONTAINS qp
> SUBJECT 0 CONTAINS qr
> SUBJECT 0 CONTAINS qs
> SUBJECT 0 CONTAINS qt
> SUBJECT 0 CONTAINS qv
> SUBJECT 0 CONTAINS qx
> SUBJECT 0 CONTAINS qy
> SUBJECT 0 CONTAINS qz
> SUBJECT 0 CONTAINS vq
> SUBJECT 0 CONTAINS wq
> SUBJECT 0 CONTAINS tq
> SUBJECT 0 CONTAINS jq
> SUBJECT 0 CONTAINS xd
> SUBJECT 0 CONTAINS xj
> SUBJECT 0 CONTAINS xk
> SUBJECT 0 CONTAINS xr
> SUBJECT 0 CONTAINS xz
> SUBJECT 0 CONTAINS zb
> SUBJECT 0 CONTAINS zc
> SUBJECT 0 CONTAINS zf
> SUBJECT 0 CONTAINS zj
> SUBJECT 0 CONTAINS zk
> SUBJECT 0 CONTAINS zl
> SUBJECT 0 CONTAINS zm
> SUBJECT 0 CONTAINS zx
>
> Matt
>
> Dan Patnode wrote:
>> Follow-up,
>>
>> Used in a high weight soft test, 3 of Q subject tests FPd this morning. It seems that Japanese encoded messages like lots of mixed up letters. More testing...
>>
>> Dan
>>
>> On Wednesday, September 10, 2003 19:20, Dan Patnode [EMAIL PROTECTED] wrote:
>>> I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list.
>>> All of these would have been seen by Matt's new config:
>>>
>>> Subject: Block those unwanted Popups yqvqk
>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: FW: Block those unwanted Popups yqvqk
>>> Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>> Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>> Subject: FW: get that extra boost in the bed uvqtc qqyixu
>>> Subject: FW: new mailREgnfqnKQT
>>> Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>> Subject: Re: new mailREgnfqnKQT
>>> Subject: Re: new mail REgnfqnKQT
>>> Subject: Stop messages SPAM po p vyoaejswayqo
>>> Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=
>>>
>>> Dan
>>>
>>> On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:
>>>> How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.
>>>>
>>>> I think I've mentioned enough times the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse
Re: SPAM: Re: [Declude.JunkMail] Strange Subject
Either test grouping, or some way to limit the score of a filter that increments, or some way to negate the whole filter with a test inside of the filter. Something like:

SUBJECT EXEMPT CONTAINS ?b?

That would keep your negation techniques from having an effect outside of the test. In the fix I wrote below, there will be an unintentional effect of subtracting 5 points from any E-mail with an encoded subject, and that would be an issue if you get spam with encoded subjects besides Latin-1 encoding, since you are blocking that.

I'm thinking that negation test functionality would work nicely within the framework of Declude's filters, providing a way to escape the test. This could also potentially save processing on large filters if you listed them at the top of the file. Suggestion database candidate???

Matt

Dan Patnode wrote:
> Not bad. Makes me wonder if the future test grouping feature would be even stronger with exclusive as well as inclusive grouping. Must have (1) and (2) but not (3). That would rock! :)
>
> Dan
>
> On Thursday, September 11, 2003 15:05, Matthew Bramble [EMAIL PROTECTED] wrote:
>> Dan,
>>
>> There's a decent way around that. You can set the test in the Config file for a solid weight, not score each filter test incrementally, and then provide a list of negative tests that would offset the test. So if there is some sort of ISO tagging of this Japanese stuff, you can find that code and defeat the test from running. Same goes for other languages.
>>
>> I just got my first false positive out of 200 catches. This was from Korea but written in English (still encoded though).
>> There are two clues in the headers as to how to defeat the test:
>>
>> Subject: [22] =?euc-kr?B?R2VuZXJhbCBJbnF1aXJ5IGZvciBzbm93bW9iaWxl?=
>> Content-Type: text/html; charset=euc-kr
>>
>> You could probably do something like the following (suggested replacement for the original filter if you are using it):
>>
>> GIBBERISHSUB filter C:\IMail\Declude\Filters\GibberishSub.txt x 50
>>
>> # The following defeats the test if it finds the subject is not sent as ASCII
>> SUBJECT -5 CONTAINS ?b?
>> # Small list of letter combinations not found in a basic dictionary.
>> SUBJECT 0 CONTAINS qb
>> SUBJECT 0 CONTAINS qc
>> SUBJECT 0 CONTAINS qd
>> SUBJECT 0 CONTAINS qe
>> SUBJECT 0 CONTAINS qf
>> SUBJECT 0 CONTAINS qg
>> SUBJECT 0 CONTAINS qh
>> SUBJECT 0 CONTAINS qi
>> SUBJECT 0 CONTAINS qj
>> SUBJECT 0 CONTAINS qk
>> SUBJECT 0 CONTAINS qm
>> SUBJECT 0 CONTAINS qn
>> SUBJECT 0 CONTAINS qo
>> SUBJECT 0 CONTAINS qp
>> SUBJECT 0 CONTAINS qr
>> SUBJECT 0 CONTAINS qs
>> SUBJECT 0 CONTAINS qt
>> SUBJECT 0 CONTAINS qv
>> SUBJECT 0 CONTAINS qx
>> SUBJECT 0 CONTAINS qy
>> SUBJECT 0 CONTAINS qz
>> SUBJECT 0 CONTAINS vq
>> SUBJECT 0 CONTAINS wq
>> SUBJECT 0 CONTAINS tq
>> SUBJECT 0 CONTAINS jq
>> SUBJECT 0 CONTAINS xd
>> SUBJECT 0 CONTAINS xj
>> SUBJECT 0 CONTAINS xk
>> SUBJECT 0 CONTAINS xr
>> SUBJECT 0 CONTAINS xz
>> SUBJECT 0 CONTAINS zb
>> SUBJECT 0 CONTAINS zc
>> SUBJECT 0 CONTAINS zf
>> SUBJECT 0 CONTAINS zj
>> SUBJECT 0 CONTAINS zk
>> SUBJECT 0 CONTAINS zl
>> SUBJECT 0 CONTAINS zm
>> SUBJECT 0 CONTAINS zx
>>
>> Matt
>>
>> Dan Patnode wrote:
>>> Follow-up,
>>>
>>> Used in a high weight soft test, 3 of Q subject tests FPd this morning. It seems that Japanese encoded messages like lots of mixed up letters. More testing...
>>>
>>> Dan
>>>
>>> On Wednesday, September 10, 2003 19:20, Dan Patnode [EMAIL PROTECTED] wrote:
>>>> I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list.
>>>> All of these would have been seen by Matt's new config:
>>>>
>>>> Subject: Block those unwanted Popups yqvqk
>>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>>> Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>>> Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>>> Subject: FW: Block those unwanted Popups yqvqk
>>>> Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
>>>> Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
>>>> Subject: FW: get that extra boost in the bed uvqtc qqyixu
>>>> Subject: FW: new mailREgnfqnKQT
>>>> Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
>>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>>> Subject: get that extra boost in the bed uvqtc qqyixu
>>>> Subject: Re: new mailREgnfqnKQT
>>>> Subject: Re: new mail REgnfqnKQT
>>>> Subject: Stop messages SPAM po p
RE: [Declude.JunkMail] Cautionary note on BASE64
Thanks Andrew for the update. I wonder if this behavior has been changed in Exchange 2003?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew
Sent: Thursday, September 11, 2003 3:23 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] Cautionary note on BASE64
Importance: High

> For those who are using the BASE64 test and finding that you have to counterweight for Exchange Servers that uselessly encode plain ASCII messages, note that there is a new patch level:
>
> HEADERS -10 CONTAINS Microsoft Exchange V6.0.6375.0
>
> in addition to John Tolmachoff's research:
>
> HEADERS -10 CONTAINS Microsoft Exchange V6.0.5762.3
> HEADERS -10 CONTAINS Microsoft Exchange V6.0.6249.0
>
> Also note that a BASE64 encoded message will also trigger NOLEGITCONTENT if you use it to penalize such messages in addition to its intended effect of rewarding legitimate messages... so your counterweight (-10 in my example) should equal your BASE64 plus your positive NOLEGITCONTENT weight.
>
> Andrew 8)
>
> p.s. Of course, YMMV. Exchange doesn't always encode a plain message in BASE64...