Re: [Declude.JunkMail] OBFUSCATION filter
Matt,

It appears that your coding for a combination of http url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.

_M

At 07:46 PM 9/14/2003 -0400, you wrote:

> I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.
>
> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
>
> If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.
>
> Thanks,
>
> Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OBFUSCATION filter
At 05:58 AM 9/15/2003 -0400, you wrote:

> Matt,
>
> It appears that your coding for a combination of http url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.
>
> _M

ooops.. Sorry, I meant html.
RE: [Declude.JunkMail] OBFUSCATION filter
Hi Bill:

You are right... No disagreement here. We had negative MAILFROM but it was being abused like crazy. We were getting so much spam from faked addresses. We now have a negative list for mailing lists and at times we see email coming through.

REVDNS whitelist has worked well and we have not yet seen any abuses - but as a rule I agree with you it can be abused.

Since someone asked about our whitelist- here it is (these are the general items - we have in this list some of our clients with screwed up server setups but are taken out in this list). This goes in the Global.cfg file.

WHITELIST REVDNS .airborne.com
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .audible.com
WHITELIST REVDNS .bestfares.com
WHITELIST REVDNS .cnet.com
WHITELIST REVDNS .dell.com
WHITELIST REVDNS .dowjones.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .equifax.com
WHITELIST REVDNS .fedex.com
WHITELIST REVDNS .gartner.com
WHITELIST REVDNS .getactive.com
WHITELIST REVDNS .hertz.com
WHITELIST REVDNS .house.gov
WHITELIST REVDNS .ibm.com
WHITELIST REVDNS infoworld.wc09.net
WHITELIST REVDNS .ipswitch.com
WHITELIST REVDNS .j2.com
WHITELIST REVDNS .kintera.com
WHITELIST REVDNS .looksmart.com
WHITELIST REVDNS .luxurylink.com
WHITELIST REVDNS .macromedia.com
WHITELIST REVDNS .microsoft.com
WHITELIST REVDNS .microsoft.m0.net
WHITELIST REVDNS .moveon.org
WHITELIST REVDNS .msnbc.com
WHITELIST REVDNS .nytimes.com
WHITELIST REVDNS .officemax.com
WHITELIST REVDNS .openitx.com
WHITELIST REVDNS .oracle.com
WHITELIST REVDNS .paypal.com
WHITELIST REVDNS .philanthropy.com
WHITELIST REVDNS .schwab.com
WHITELIST REVDNS .sears.com
WHITELIST REVDNS .shockwave.com
WHITELIST REVDNS .thawte.com
WHITELIST REVDNS .travelzoo.com
WHITELIST REVDNS .truste.org
WHITELIST REVDNS .ups.com
WHITELIST REVDNS .usairways.com
WHITELIST REVDNS .veritas.com
WHITELIST REVDNS .zd-swx.com

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, September 14, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

Kami, the only reason I mentioned PayPal to Matt was because I figured he would be tracking FPs regarding his Obfuscation test. The PayPal message in question here did get delivered without user intervention, however, it was not due to PayPal being whitelisted.

I don't like to whitelist anything except TO addresses, since anything else that is whitelisted can be abused, including RDNS. Instead, we apply a high enough negative weight to three primary filter tests (HELO, RDNS, MAILFROM) to trusted mailers so that they will generally pass with an acceptable weight and get delivered without user intervention; however, anything sent by a spammer abusing these trusted mailer addresses will still likely get caught because they probably will not pass all three of these primary tests, and will most likely fail other JunkMail tests, as well.

When something is whitelisted, no other tests can be run against these messages and they simply get delivered, no matter what. However, if you instead apply a minimal negative weight to multiple tests, forged e-mail will still likely get caught and not delivered. Using PayPal as an example, if you whitelist RDNS, or MailFrom, or HELO, etc., if a spammer happens to forge their messages using any of these, their spam gets delivered, no matter what other tests it might have failed. However, if you instead apply minimal negative weights like:

MAILFROM  -5  ENDSWITH  .paypal.com
REVDNS    -5  ENDSWITH  .paypal.com
HELO      -5  ENDSWITH  .paypal.com

This gives legitimate PayPal e-mail a total negative of -15, which will most likely allow it to be delivered, even if it fails a couple of other tests. However, the likelihood of a spammer being able to successfully meet all three of these criteria is highly unlikely, and even if they did, there are still all of the other spam tests that JunkMail supports that we can run against these messages and still probably block its delivery.

It basically gives a fighting chance against forging spammers who attempt to abuse spam-test whitelists.

Just my 2 cents...

Bill

- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, September 14, 2003 6:04 PM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter

Bill:
Re: [Declude.JunkMail] SPAMDOMAINS
I would like to see an updated list also.

Todd

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 3:56 PM
Subject: [Declude.JunkMail] SPAMDOMAINS

> Any one have an updated list to share?
>
> John Tolmachoff MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
RE: [Declude.JunkMail] OBFUSCATION filter
That was me, and thank you for posting that!

> Since someone asked about our whitelist- here it is (these are the general items - we have in this list some of our clients with screwed up server setups but are taken out in this list). This goes in the Global.cfg file.
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
> Have you customized any registry settings for TCP/IP?

No. Haven't needed to.

> with your DNS lookups. First, you should be downloading TXT records from the RBL's instead of doing remote lookups. That should save you a ton of resources.

We have a caching DNS server in front of Declude that's getting about a 98% cache hit on the lookups right now, which says a lot about spammer demographics. We experimented with TXT records when we were still evaluating Declude (and many others) and it didn't change performance enough to be worth more than the benefit of real-time lookups. We get so much email here, five minutes sometimes makes a difference in how much spam is caught.

(Hey Scott "god of spam blocking" Perry, if you're reading this, a caching feature internal to Declude would be a nice feature... just keep the last 1500 or so lookups in memory with a configurable TTL... now that would be really cool.)

I do know that switching to "Bounce" on any of the tests causes the server to immediately bog down. :)

> If you insist on testing the outgoing stuff, why not try Declude Hijack instead of JunkMail? It's got to be a whole bunch easier on your

Is there a way to disable outbound testing in the "pro" version? I couldn't see that in the documentation (but I haven't really looked that hard, either). With the mess that Microsoft has created over the last couple of months, I haven't had time to look at the other Declude options, but will do. My biggest client published all of their employees' email addresses on their web page (a bright move, eh?), becoming one of the reasons why blocking the incoming hurricane of spam has been such a priority. Declude has been enormously successful!

> could turn off some tests like DUL lists to save on resources?

We don't run an open relay, so this doesn't matter. The biggest risk we have is from people finding our customers' wireless access points and using them to spam. We had someone in July park his car in front of a client's building and send over a million emails. Fortunately a sharp-eyed IT guy caught him and he is now Bubba's boyfriend. Our customers have been extremely resistant to SMTP authentication, and in some cases we've blocked SMTP from the WAPs.

> Paying Microsoft for a trouble ticket also isn't anywhere near as expensive as a new server either. It's pretty clear they broke your setup, and from reading the bulletin, it shouldn't be limiting your

My experience is this is just about as good at yelling at the sky for rain.

> I read, there is no danger if you are isolated behind a firewall that is blocking ports that you should be blocking by default.

Right-- the biggest risks are from the inside, not from the outside. You can't cure stupid, and someone in the organization will eventually cause a problem if we don't protect ourselves. So the server is now talking through firewalls on both ends until we get this figured out.

By the way, thanks for your help.
Re: [Declude.JunkMail] OBFUSCATION filter
Kami,

I hope there are no spammers monitoring this list since now they know how to easily spam your e-mail domains. It is never a good idea to share your whitelists in a public forum.

Bill

- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:42 AM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter

> Hi Bill:
>
> You are right... No disagreement here. We had negative MAILFROM but it was being abused like crazy. We were getting so much spam from faked addresses. We now have a negative list for mailing lists and at times we see email coming through.
>
> REVDNS whitelist has worked well and we have not yet seen any abuses - but as a rule I agree with you it can be abused.
>
> Since someone asked about our whitelist- here it is (these are the general items - we have in this list some of our clients with screwed up server setups but are taken out in this list). This goes in the Global.cfg file.
RE: [Declude.JunkMail] OBFUSCATION filter
Sorry, my fault for asking.

> Kami, I hope there are no spammers monitoring this list since now they know how to easily spam your e-mail domains. It is never a good idea to share your whitelists in a public forum.
Re: [Declude.JunkMail] OBFUSCATION filter
But, Kami just listed the revdns whitelists, wouldn't the spammer have to have a RDNS listing of something in her whitelist (not likely) to take advantage of the listing?

Jason

- Original Message -
From: Keith Anderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 10:05 AM
Subject: RE: [Declude.JunkMail] OBFUSCATION filter

> Sorry, my fault for asking.
>
> > Kami, I hope there are no spammers monitoring this list since now they know how to easily spam your e-mail domains. It is never a good idea to share your whitelists in a public forum.
RE: [Declude.JunkMail] OBFUSCATION filter
Bill is right.. As a general rule it is not a good idea to post whitelists on a list.

REVDNS faking is not as easy as faking return email.. But as was discussed a long time ago it is still possible. Scott had a lengthy posting regarding this indicating the difficulties but yet again it is possible.

It is a good practice to send those off list. My mistake.. It has to be Monday again! ... I have not used my Monday's quota for a long time so...

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Newland
Sent: Monday, September 15, 2003 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

> But, Kami just listed the revdns whitelists, wouldn't the spammer have to have a RDNS listing of something in her whitelist (not likely) to take advantage of the listing?
>
> Jason
>
> - Original Message -
> From: Keith Anderson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, September 15, 2003 10:05 AM
> Subject: RE: [Declude.JunkMail] OBFUSCATION filter
>
> > Sorry, my fault for asking.
> >
> > > Kami, I hope there are no spammers monitoring this list since now they know how to easily spam your e-mail domains. It is never a good idea to share your whitelists in a public forum.
[Declude.JunkMail] Whitelist question
I don't see WHITELIST REVDNS ... in the instructions anywhere. What is this doing exactly, and what are the other WHITELIST options?

Thanks
Re: [Declude.JunkMail] OBFUSCATION filter
Yes, but since I run my own name servers, I could easily setup the IP address of my mail server to respond to a reverse query with one of the domains listed in his whitelist. Granted, RDNS is more difficult to forge than say HELO or MAILFROM, but is still fairly trivial if you run your own name servers.

Bill

- Original Message -
From: Jason Newland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 8:21 AM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

> But, Kami just listed the revdns whitelists, wouldn't the spammer have to have a RDNS listing of something in her whitelist (not likely) to take advantage of the listing?
>
> Jason
>
> - Original Message -
> From: Keith Anderson [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, September 15, 2003 10:05 AM
> Subject: RE: [Declude.JunkMail] OBFUSCATION filter
>
> > Sorry, my fault for asking.
> >
> > > Kami, I hope there are no spammers monitoring this list since now they know how to easily spam your e-mail domains. It is never a good idea to share your whitelists in a public forum.
Re: [Declude.JunkMail] Whitelist question
Keith,

Monday, September 15, 2003 you wrote:

KA> I don't see WHITELIST REVDNS ... in the instructions anywhere. What is
KA> this doing exactly, and what are the other WHITELIST options?

see http://www.declude.com/relnotes.htm 1.66 [Beta, 17 Jan 2003]

Terry Fritts
Re: [Declude.JunkMail] OBFUSCATION filter
> Yes, but since I run my own name servers, I could easily setup the IP address of my mail server to respond to a reverse query with one of the domains listed in his whitelist. Granted, RDNS is more difficult to forge then say HELO or MAILFROM, but is still fairly trivial if you run your own name servers.

Not only do you need your own nameservers, but you also need your upstream to delegate authority for the reverse DNS entries to you. So any open relays or open proxies will not have forged reverse DNS.

Then, there are the potential legal consequences of a spammer using a reverse DNS entry like mail.paypal.com -- they could very likely get sued for trademark infringement, false advertising, etc. And a spammer with the ability to change their own reverse DNS entries would be much easier to track down than a typical spammer.

So it definitely is possible, but unlikely. I'm sure that if a spammer *does* change their reverse DNS entry to something that may commonly be whitelisted, it would be detected quite quickly (Gee, why did this spam get through -- ah, it was whitelisted, I wonder why? -- oh, the reverse DNS entry is mail.paypal.com).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] OBFUSCATION filter
Pete,

It's not redundant because the two by themselves only check for strings of two, while the combination checks for strings with one of each in succession. This way, if they go back and forth between the two, it will get caught as long as there is a . or @ between them, or as long as it is URL encoding followed by HTML encoding. I left out the other way around because it was only a two character string, ;% and wanted to protect from FP's.

I do appreciate the feedback though...I do of course make mistakes.

Matt

Pete McNeil wrote:

> Matt,
>
> It appears that your coding for a combination of http url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.
>
> _M
>
> At 07:46 PM 9/14/2003 -0400, you wrote:
>
> > I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.
> >
> > http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
> >
> > If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.
> >
> > Thanks,
> >
> > Matt
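Matt's three checks (two URL-encoded characters in a row, two HTML-encoded characters in a row, and URL encoding followed by HTML encoding with an optional . or @ between them) can be written as regular expressions and run over sample strings. The Python below is an added example written for this page; it is not Matt's OBFUSCATION filter and not Declude code. The check names, the regexes and the sample hostnames are my own construction, and normalize shows what such an obfuscated string decodes to by applying both decodings until the text stops changing.

```python
import re
from html import unescape
from urllib.parse import unquote

# Added example (not Matt's filter, not Declude code). Three checks in the
# spirit of the OBFUSCATION filter as Matt describes it:
#   URL_PAIR   two URL-encoded characters in a row        e.g. %77%77
#   HTML_PAIR  two HTML-encoded characters in a row       e.g. &#119;&#119;
#   MIXED      URL encoding followed by HTML encoding, with an optional
#              '.' or '@' between them                    e.g. %77.&#112;
# The reverse order (HTML then URL, the ";%" case) is deliberately not a
# check, matching Matt's choice to avoid false positives on a two-character string.
_ENTITY = r"&#(?:x[0-9A-Fa-f]{1,4}|\d{1,5});"
_PCT = r"%[0-9A-Fa-f]{2}"
CHECKS = {
    "URL_PAIR": re.compile(_PCT + _PCT),
    "HTML_PAIR": re.compile(_ENTITY + _ENTITY),
    "MIXED": re.compile(_PCT + r"[.@]?" + _ENTITY),
}


def encoding_flags(text):
    """Names of the checks that fire on the raw (undecoded) text."""
    return {name for name, rx in CHECKS.items() if rx.search(text)}


def normalize(text, max_rounds=5):
    """Decode HTML entities and percent-escapes repeatedly until nothing changes.

    Bounded so that nested or pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(unescape(text))
        if decoded == text:
            return text
        text = decoded
    return text


# Constructed samples: the same host written plainly and in the encodings the
# filter is meant to catch. All of them decode to www.paypal.com.
SAMPLES = {
    "plain": "www.paypal.com",
    "url": "%77%77%77.paypal.com",
    "html": "&#119;&#119;&#119;.paypal.com",
    "mixed": "%77&#119;w.paypal.com",        # URL encoding directly followed by HTML
    "mixed_dot": "ww%77.&#112;aypal.com",    # the two encodings either side of a '.'
    "reverse": "&#119;%77w.paypal.com",      # the ";%" case Matt left out
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:9} flags={sorted(encoding_flags(raw))} decoded={normalize(raw)}")
```

Running it shows "url", "html", "mixed" and "mixed_dot" each trip exactly one check, while "plain" and "reverse" trip none, which is the false-positive trade-off Matt describes.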
[Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer
I have this line in my sender.eml file:

SKIPIFVIRUSNAMEHAS Fizzer

However, the sender notice is still being sent and starts off like this:

The Declude Virus software on our mail server detected the the W32/[EMAIL PROTECTED] virus !!!

I know, because one particular address always bounces the notice with this error:

This Message was undeliverable due to the following reason: The user(s) account is temporarily over quota. [EMAIL PROTECTED]

Suggestions, please.

-Mike

---
[This E-mail scanned for viruses by Declude Virus]
Re: [Declude.JunkMail] OBFUSCATION filter
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]

> Not only do you need your own nameservers, but you also need your upstream to delegate authority for the reverse DNS entries to you. So any open relays or open proxies will not have forged reverse DNS.
>
> Then, there are the potential legal consequences of a spammer using a reverse DNS entry like mail.paypal.com -- they could very likely get sued for trademark infringement, false advertising, etc. And a spammer with the ability to change their own reverse DNS entries would be much easier to track down than a typical spammer.

Yep, all of this is true, however, as a spammer I would only use the PTR for that single spam run and then change it. Spammers abuse trademarked names in their HELO and MAILFROM addresses, why would you think they would be opposed to using them in RDNS, if they have the ability to? Again, my only point was that it is not a good idea to share your whitelists on a public forum, not the how-to's of spamming.

> So it definitely is possible, but unlikely. I'm sure that if a spammer *does* change their reverse DNS entry to something that may commonly be whitelisted, it would be detected quite quickly (Gee, why did this spam get through -- ah, it was whitelisted, I wonder why? -- oh, the reverse DNS entry is mail.paypal.com).

Still does not make it wise to share whitelists on a public forum. However, if you are promoting a whitelist exchange on this list, so be it; however, it's not a practice I plan to participate in.

Bill
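The exchange above turns on one fact: whoever controls a reverse zone can put any name in a PTR record, but only the owner of the forward zone can make that name resolve back to the same address. A REVDNS whitelist that also requires the forward lookup to agree (forward-confirmed reverse DNS) rejects a copied PTR. The Python below is an added example written for this page, not Declude code, and the page does not say whether Declude's REVDNS test performs this confirmation; the resolver stubs, the TEST-NET-3 addresses and the .example names are constructed so it runs offline.

```python
# Added example (not Declude code): a forward-confirmed reverse DNS check for a
# REVDNS-style whitelist. The resolver data is constructed (203.0.113.0/24 is a
# documentation range; .example names are reserved for examples).

CONSTRUCTED_PTR = {
    "203.0.113.10": "mx1.trusted.example",   # the genuine mail host
    "203.0.113.99": "mx1.trusted.example",   # another host whose PTR copies the name
}
CONSTRUCTED_A = {
    "mx1.trusted.example": {"203.0.113.10"},  # the forward zone only knows .10
}


def lookup_ptr(ip, ptr_zone=CONSTRUCTED_PTR):
    """Reverse lookup stub; a real check would query DNS for the PTR record."""
    return ptr_zone.get(ip)


def lookup_a(name, forward_zone=CONSTRUCTED_A):
    """Forward lookup stub; returns the set of addresses the name resolves to."""
    return forward_zone.get(name, set())


def suffix_matches(name, suffixes):
    """ENDSWITH-style match, as used by the WHITELIST REVDNS entries in the thread."""
    name = name.lower().rstrip(".")
    for s in suffixes:
        s = s.lower()
        if name == s.lstrip(".") or name.endswith(s):
            return True
    return False


def revdns_whitelist_match(ip, suffixes, require_forward_confirmation=True):
    """True if the IP's reverse name is on the whitelist.

    With require_forward_confirmation the reverse name must also resolve back to
    the connecting IP, which a copied PTR cannot do without control of the
    forward zone as well."""
    name = lookup_ptr(ip)
    if name is None or not suffix_matches(name, suffixes):
        return False
    if require_forward_confirmation and ip not in lookup_a(name):
        return False
    return True


WHITELIST = [".trusted.example"]  # constructed stand-in for the entries Kami posted

if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        print(ip, "ptr-only:", revdns_whitelist_match(ip, WHITELIST, False),
              "forward-confirmed:", revdns_whitelist_match(ip, WHITELIST))
```

With PTR-only matching both addresses are whitelisted; with forward confirmation only 203.0.113.10 is, because mx1.trusted.example does not resolve to 203.0.113.99.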
RE: [Declude.JunkMail] OBFUSCATION filter
Ahh. Understood. I got confused by our rules where we code for a single instance restricted to the URL. (Can't do that without wildcards). All good then. Great work!

_M

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Matthew Bramble
|Sent: Monday, September 15, 2003 12:40 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OBFUSCATION filter
|
|
|Pete,
|
|It's not redundant because the two by themselves only check for strings of two, while the combination checks for strings with one of each in succession. This way, if they go back and forth between the two, it will get caught as long as there is a . or @ between them, or as long as it is URL encoding followed by HTML encoding. I left out the other way around because it was only a two character string, ;% and wanted to protect from FP's.
|
|I do appreciate the feedback though...I do of course make mistakes.
|
|Matt
|
|Pete McNeil wrote:
|
| Matt,
|
| It appears that your coding for a combination of http url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.
|
| _M
|
| At 07:46 PM 9/14/2003 -0400, you wrote:
|
| I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.
|
| http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
|
| If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.
|
| Thanks,
|
| Matt
Re: [Declude.JunkMail] Timing out with latest Microsoft patch
Keith,

I still haven't applied the patch, but will report back when I do.

Regarding that one problem customer posting their entire directory on the Web; you might want to suggest that they either URL encode or HTTP encode their entire address in the MAILTO tags and displayable text on their site. I'm not aware of address harvesters bothering to decode such things, so it should keep their addresses from getting on more lists, and the traffic should fall. This works fine with everything I have tested it with. They could even be extra tricky and mix the two. It's a good suggestion for everyone to follow, and something that I didn't think of before writing a recent filter.

http://www.redkernel-softwares.com/?url_encode,tool

Since your question about outgoing E-mail hasn't been answered yet, I'll try. Anything in your Global.cfg that says WARN, IGNORE, HOLD, or other actions seen in your $default$.junkmail files is an outgoing test and can be commented out. It's probably a small list and often cached on your server because of similar IP's. I think the concept of Declude Hijack is better for the outgoing stuff personally, but I haven't had a need yet to try it being as small as I am. That would definitely take care of your WAP issue, and the page on it says that SMTP AUTH or IP tracking isn't required for it to work.

Regarding DNS caching, I know that IMail 8 will now allow a cache of up to 5,000 lookups. I don't know though if Declude hands off to IMail for this functionality. That might be something to look in to. Also, when you say that you have a caching server in front of Declude, is that on the same box? I can't imagine that running a caching DNS server on the same box for its exclusive use would do anything but speed things up. Just guessing though, and not quite sure of what your answer was. No data leaves your machine for a local lookup. That could be potentially huge for you, and easy to test out some night.

Consider my suggestion in the last note also for automated ping testing the various RBL's and updates to your config file. That could make a huge difference for your server when one or several of these servers becomes unreachable or overly slow.

Someone else mentioned to me the problem of WAP recently. Hopefully there will evolve a blocklist for these things, and considering that the problem should be for the time being, isolated to certain areas, i.e. not in Nebraska because you would have to move quite a distance after they figure you out the first time. I also just found another customer being blocked by their DSL provider from outbound port 25, so this seems to be becoming more common from the ISP's that don't want to lose bandwidth or get blocked themselves. Thankfully these guys, heaven.net (marketed under a different name) are allowing it on request and they monitored for exclusions before shutting it off for most of their customers. It may be necessary for community WAPs to have some sort of port 25 constriction, in order to stop this behavior. Then again, who would have thunk that 3 years ago, there would be open relays in every office?

Keep us posted.

Matt

Keith Anderson wrote:

> > Have you customized any registry settings for TCP/IP?
>
> No. Haven't needed to.
>
> > with your DNS lookups. First, you should be downloading TXT records from the RBL's instead of doing remote lookups. That should save you a ton of resources.
>
> We have a caching DNS server in front of Declude that's getting about a 98% cache hit on the lookups right now, which says a lot about spammer demographics. We experimented with TXT records when we were still evaluating Declude (and many others) and it didn't change performance enough to be worth more than the benefit of real-time lookups. We get so much email here, five minutes sometimes makes a difference in how much spam is caught.
>
> (Hey Scott "god of spam blocking" Perry, if you're reading this, a caching feature internal to Declude would be a nice feature... just keep the last 1500 or so lookups in memory with a configurable TTL... now that would be really cool.)
>
> I do know that switching to "Bounce" on any of the tests causes the server to immediately bog down. :)
>
> > If you insist on testing the outgoing stuff, why not try Declude Hijack instead of JunkMail? It's got to be a whole bunch easier on your
>
> Is there a way to disable outbound testing in the "pro" version? I couldn't see that in the documentation (but I haven't really looked that hard, either). With the mess that Microsoft has created over the last couple of months, I haven't had time to look at the other Declude options, but will do. My biggest client published all of their employees' email addresses on their web page (a bright move, eh?), becoming one of the reasons why blocking the incoming hurricane of spam has been such a priority. Declude has been enormously successful!
>
> > could turn off some tests like DUL lists to
Re: [Declude.JunkMail] OBFUSCATION filter
Bill Landry wrote:

> Still does not make it wise to share whitelists on a public forum. However, if you are promoting a whitelist exchange on this list, so be it; however, it's not a practice I plan to participate in.

I have less than 500 addresses being used on my server and only about 250 accounts. If spammers want to customize their attack for my vulnerabilities...I would consider that to be an honor and a waste of their resources, and therefore a net good. Of course they won't though...not for me at least. On the other hand, if I was working for AOL and posting their whitelist...that would be a whole 'nother matter.

Matt
[Declude.JunkMail] postmaster junk
Someone typed in a message about deleting email that is to postmaster, which are basically junk messages sitting in the spool directory, and now I can't find it. Anyone remember the subject so I can find it?

TIA
Re: [Declude.JunkMail] OBFUSCATION filter
----- Original Message -----
From: Matthew Bramble [EMAIL PROTECTED]

>> Still does not make it wise to share whitelists on a public forum. However, if you are promoting a whitelist exchange on this list, so be it; however, it's not a practice I plan to participate in.
>
> I have less than 500 addresses being used on my server and only about 250 accounts. If spammers want to customize their attack for my vulnerabilities...I would consider that to be an honor and a waste of their resources, and therefore a net good. Of course they won't though...not for me at least. On the other hand, if I was working for AOL and posting their whitelist...that would be a whole 'nother matter.

Hmmm, you seem to be missing the point. Spammers monitor these spam lists in order to learn how to subvert spam filters, so why make their jobs any easier and your users any more vulnerable?

Bill
Re: [Declude.JunkMail] OBFUSCATION filter
Bill Landry wrote:

> Hmmm, you seem to be missing the point. Spammers monitor these spam lists in order to learn how to subvert spam filters, so why make their jobs any easier and your users any more vulnerable?

None of this stuff is a big secret, and besides, pretending to come from a domain like AOL or Amazon has resulted in spammers being sued successfully. Clearly they already know the tactics and have used them.

On the other hand, if I wanted to become a spammer, I assure you that I could get past your spam filters with near perfect success. Most of these guys don't even know how to fake a header properly and that would take someone moderately intelligent about 5 seconds to figure out. It's the fact that these guys are so dumb that makes it so that we can block them as effectively as we do.

In the future, the only way around this will be a distributed network of truly real-time, reliable blocklists where trusted people are promoting spam instead of spamtraps. Spamcop is doing this to some extent, but they lack in quality control because of the automation and lack of attention to whitelisting. They blocked PayPal the other day for at least several hours for instance...that got them demoted on my server. Same goes for MailPolice, who somehow tagged Ebay as porn.

Matt
Re: [Declude.JunkMail] postmaster junk
"Delete based on specified content"

Danny Klopfer wrote:

> Someone typed in a message about deleting email that is to postmaster, which are basically junk messages sitting in the spool directory, and now I can't find it. Anyone remember the subject so I can find it?
>
> TIA

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===
[Declude.JunkMail] Email addresses on a company webpage?
I've been reading the recent threads and someone mentioned it was a bad idea to post employee email addresses on their company webpage because of spammers or bots harvesting them. Isn't this a little bit paranoid or am I just naive? Isn't it a pretty common practice for a company to list email addresses on their webpage, at least for sales and service individuals? I see many smaller companies doing this. Maybe they just take the risk and manage the spam when it comes in, or change specific addresses if the spam gets too bad.

Any alternatives to doing this? How do they get the info to their customers if it isn't listed on the webpage?

Dan Spangenberg
Re: [Declude.JunkMail] Email addresses on a company webpage?
Dan,

The best practice is to advertise generic addresses, and don't subscribe such addresses to anything. Then you know that harvested addresses will likely be those on your site, and you can weight them higher, or fail on a lower score, whichever. At least that's what I do. I also recommend the same practice for domain name registrations...generics only.

So a car dealership might have sales@, service@, bodyshop@, financing@, etc., but those would just be aliases pointing back to named accounts like [EMAIL PROTECTED]. jsmith should also be the account that is subscribed to newsletters or used for ecommerce, not service@, etc. I see my customers doing stupid things like signing up for contests as their generic addresses. That floodgate will never close.

When you list addresses on Web sites, generic or not, obfuscate them using HTML and/or URL encoding. Address harvesters don't take the time to unencode such things. Mix techniques if you want to be really safe. I doubt they would waste the time to modify their code seeing as how many addresses aren't obfuscated. This is something that I'm going to start practicing myself from now on.

Using forms is also a good idea in many cases, especially for non-sales related things, like support for instance. You don't have to advertise an address in that event.

Matt
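As an added example (my code, not Matt's and not part of Declude), this generates the HTML-entity plus URL-encoded mailto link described above and then checks what a harvester recovers from the raw page source versus from the decoded text; the address and both harvester models are constructed assumptions.

```python
"""Obfuscate a mailto: link with HTML character references and URL
percent-encoding, then compare what a raw-source scan and a decoding
scan of the page would recover.

Added example for this thread, not Declude code. The address below is a
constructed sample; the two harvester models (regex over raw source,
regex over decoded text) are assumptions used to show where the
technique does and does not help.
"""
import html
import re
from urllib.parse import unquote

ADDRESS = "sales@example.com"  # constructed sample

# A typical address pattern: anything shaped like user@host.tld.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def html_entities(text: str, mix: bool = True) -> str:
    """Encode every character as a numeric character reference.

    With mix=True, alternate decimal (&#NN;) and hex (&#xNN;) references,
    the "mix techniques" suggestion from the thread. Browsers render both
    forms identically.
    """
    refs = []
    for i, ch in enumerate(text):
        refs.append(f"&#x{ord(ch):x};" if mix and i % 2 else f"&#{ord(ch)};")
    return "".join(refs)


def url_encode_all(text: str) -> str:
    """Percent-encode every byte, including letters that normally stay as-is."""
    return "".join(f"%{b:02X}" for b in text.encode("utf-8"))


def obfuscated_mailto(address: str) -> str:
    """Build a mailto link with a URL-encoded href and an entity-encoded
    visible label. Neither the source nor the href contains a literal '@'."""
    return f'<a href="mailto:{url_encode_all(address)}">{html_entities(address)}</a>'


def harvest_raw(markup: str) -> list[str]:
    """Model of a harvester that regex-scans the raw HTML source."""
    return ADDRESS_RE.findall(markup)


def harvest_decoded(markup: str) -> list[str]:
    """Model of a harvester that decodes character references and percent
    escapes first. This is the caveat: encoding hides nothing from it."""
    return sorted(set(ADDRESS_RE.findall(unquote(html.unescape(markup)))))


if __name__ == "__main__":
    link = obfuscated_mailto(ADDRESS)
    print(link)
    print("raw source scan:", harvest_raw(link))      # []
    print("decoded scan   :", harvest_decoded(link))  # ['sales@example.com']
```

The raw-source scan comes back empty while the decoding scan recovers the address, which is the whole value and the whole limit of this technique.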
RE: [Declude.JunkMail] Email addresses on a company webpage?
I manage both our public sites and our mail server, so I have consistent direct evidence of this harvesting. The quick workaround is to use JavaScript to display the addresses. Most bots won't bother to figure it out.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Spangenberg
Sent: Monday, September 15, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Email addresses on a company webpage?
[Declude.JunkMail] endswith REVDNS
Hi,

Is it ok to do this:

REVDNS -35 ENDSWITH .ebay.

and it'll pick up ebay.com, ebay.ca and etc? What happens if someone has this as reverse: spammy.ebay.spam.com? Will this be valid too?
RE: [Declude.JunkMail] Email addresses on a company webpage?
We're not a very big company - about 35 employees. I created an account for a new employee who wasn't due to start for 5 days and added his e-mail address to the company directory on our web site. In keeping with the (insert expletive here) corporate policy, the directory listings are not obfuscated (please don't ask why, it's lame). By the time the employee started and was in orientation with me to go over company applications the following week, he had already recv'd 9 spam messages (with many more blocked by Declude). So, conveniently it was a good time to go over Outlook's filter capabilities too. Spams for Viagra and its ilk have become the most annoying, most frequent complaint - even over the porn, bestiality, and Nigerian money scams.

Anyway, enough of that tangent - the point is, bot traffic to our dinky lil ol' site is constant and we are harvested frequently. If you post your contacts, consider if they really have to be hot mailto tags, or could they at least be obfuscated.

Just my 2 cents.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Spangenberg
Sent: Monday, September 15, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Email addresses on a company webpage?
Re: [Declude.JunkMail] OBFUSCATION filter
----- Original Message -----
From: Matthew Bramble [EMAIL PROTECTED]

> None of this stuff is a big secret, and besides, pretending to come from a domain like AOL or Amazon has resulted in spammers being sued successfully. Clearly they already know the tactics and have used them.

And these successful lawsuits have obviously not stopped the practice.

> On the other hand, if I wanted to become a spammer, I assure you that I could get past your spam filters with near perfect success.

Although I highly doubt it, your point is...?

> Most of these guys don't even know how to fake a header properly and that would take someone moderately intelligent about 5 seconds to figure out. It's the fact that these guys are so dumb that makes it so that we can block them as effectively as we do.

So let's make it easier for them by posting our whitelists. This is straying all over the place. If you think it is fine and good to post your whitelists on a public forum, then by all means do so. It was just my personal recommendation that it is not a wise thing to do, but to each his own...

Bill
Re: [Declude.JunkMail] endswith REVDNS
----- Original Message -----
From: Kevin [EMAIL PROTECTED]

> Hi,
>
> Is it ok to do this:
>
> REVDNS -35 ENDSWITH .ebay.
>
> and it'll pick up ebay.com, ebay.ca and etc?

No, in this case it will only match if the end of the line is a period (.). I think what you want to do is:

REVDNS -35 CONTAINS .ebay.

That will allow you to match ebay.com, ebay.ca and etc.

> What happens if someone has this as reverse: spammy.ebay.spam.com? Will this be valid too?

No, not with the ENDSWITH flag. However, using CONTAINS would match spammy.ebay.spam.com. So maybe what you want to do is add multiple entries for EBay like:

REVDNS -35 ENDSWITH .ebay.com
REVDNS -35 ENDSWITH .ebay.ca
REVDNS -35 ENDSWITH .ebay.net

etc., which would prevent matches for things like spammy.ebay.spam.com, but also provide the weight reductions you want for legit EBay messages.

Bill
Re: [Declude.JunkMail] endswith REVDNS
> Is it ok to do this:
>
> REVDNS -35 ENDSWITH .ebay.
>
> and it'll pick up ebay.com, ebay.ca and etc?

No -- because ebay.ca doesn't end with ".ebay.". You want:

REVDNS -35 CONTAINS .ebay.

> What happens if someone has this as reverse: spammy.ebay.spam.com? Will this be valid too?

Yes. The only way to get around that would be to use ENDSWITH .ebay.com, ENDSWITH .ebay.ca, etc.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
RE: [Declude.JunkMail] Email addresses on a company webpage?
With all this talk of email addresses on web pages... What is the best way to obfuscate them? HTML (how is this done?)? Java (how is this done?)?

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Sean Fahey
Sent: Monday, September 15, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Email addresses on a company webpage?
[Declude.JunkMail] Missing text with a filter BADHEADERS error
Scott,

Is there a limit to how far down a file the text filters will search? I've come across a few examples where a text filter of:

BODY 0 CONTAINS base64

...didn't hit when it was actually in the message as text. In the most recent example, this was 72,486 characters into the E-mail (including the headers). If recollection serves me right, the other messages were also very long, though I could be mistaken. If length isn't the issue, do you have any other suggestions as to why this happened?

Also, is there a fix available for the BADHEADERS 840a error? I get a decent number of these every day, and they're often false positives (as was discussed before). The message that I'm referencing failed because of both the text filter not hitting and that BADHEADERS issue (not RFC compliant, but supported functionality from popular mail clients).

Thanks,

Matt
Re: [Declude.JunkMail] Missing text with a filter BADHEADERS error
> Is there a limit to how far down a file the text filters will search?

Yes -- it will only check the first 32K of the E-mail.

> Also, is there a fix available for the BADHEADERS 840a error? I get a decent number of these every day, and they're often false positives (as was discussed before). The message that I'm referencing failed because of both the text filter not hitting and that BADHEADERS issue (not RFC compliant, but supported functionality from popular mail clients).

That's something that we are currently investigating.

-Scott
RE: [Declude.JunkMail] Email addresses on a company webpage?
Generally speaking, what are the bots looking for? Only mailto:'s? Or are they smart enough to use a regex search and find any text of the form [EMAIL PROTECTED]?

Jason Wolfe
Lead Developer
Netcomm, Inc.
http://www.netcomm.com
(859) 224-4124
RE: [Declude.JunkMail] Email addresses on a company webpage?
> Generally speaking, what are the bots looking for? Only mailto:'s? Or are they smart enough to use a regex search and find any text of the form [EMAIL PROTECTED]?

Sobig.F uses regexp to find addresses on cached web pages, so I would not be surprised if tools spammers use to harvest addresses would do the same.

-Scott
RE: [Declude.JunkMail] Email addresses on a company webpage?
Example...

<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
// The address is kept in two pieces and assembled when the page renders,
// so the literal "username@domain.com" never appears in the page source.
var grabthis = "username";
var andthis = "domain.com";
document.write("<A HREF=" + "mail" + "to:" + grabthis + "@" + andthis + ">" + grabthis + "@" + andthis + "</A>");
// -->
</SCRIPT>

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]
Voice: (816) 801-5200
Fax: (816) 880-4776
Toll-free: (800) 525-1101

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Holt
Sent: Monday, September 15, 2003 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Email addresses on a company webpage?
[Declude.JunkMail] Dopey question
Ok, here's an easy one from a Declude newbie. Are the config files whitespace agnostic? Are tab and space the same thing? Can I have more than one separating the various columns of parameters?

--
--- illigitimi non carborundum ---
Bud Durland, CNE
Mold-Rite Plastics
Network Administrator
http://www.mrpcap.com
---
RE: [Declude.JunkMail] OBFUSCATION filter
I know this is a little late to the party. But I do think Spammers monitor this list. A few weeks back I posted some IP addresses that I was receiving spam from. I have not recieved a single spam from thoes servers since but other users/domains on my server have. I have them spamtraped so I can monitor the volume. Not a good Idea to post whitelists to and spamfiltering user list. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan Sent: Monday, September 15, 2003 4:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] OBFUSCATION filter Hi Bill: You are right... No disagreement here. We had negative MAILFROM but it was being abused like crazy. We were getting so much spam from faked addresses. We now have a negative list for mailing lists and at times we see email coming through. REVDNS whitelist has worked well and we have not yet seen any abuses - but as a rule I agree with you it can be abused. Since someone asked about our whitelist- here it is (these are the general items - we have in this list some of our clients with screwed up server setups but are taken out in this list). This goes in the Global.cfg file. 
WHITELIST REVDNS .airborne.com
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .audible.com
WHITELIST REVDNS .bestfares.com
WHITELIST REVDNS .cnet.com
WHITELIST REVDNS .dell.com
WHITELIST REVDNS .dowjones.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .equifax.com
WHITELIST REVDNS .fedex.com
WHITELIST REVDNS .gartner.com
WHITELIST REVDNS .getactive.com
WHITELIST REVDNS .hertz.com
WHITELIST REVDNS .house.gov
WHITELIST REVDNS .ibm.com
WHITELIST REVDNS infoworld.wc09.net
WHITELIST REVDNS .ipswitch.com
WHITELIST REVDNS .j2.com
WHITELIST REVDNS .kintera.com
WHITELIST REVDNS .looksmart.com
WHITELIST REVDNS .luxurylink.com
WHITELIST REVDNS .macromedia.com
WHITELIST REVDNS .microsoft.com
WHITELIST REVDNS .microsoft.m0.net
WHITELIST REVDNS .moveon.org
WHITELIST REVDNS .msnbc.com
WHITELIST REVDNS .nytimes.com
WHITELIST REVDNS .officemax.com
WHITELIST REVDNS .openitx.com
WHITELIST REVDNS .oracle.com
WHITELIST REVDNS .paypal.com
WHITELIST REVDNS .philanthropy.com
WHITELIST REVDNS .schwab.com
WHITELIST REVDNS .sears.com
WHITELIST REVDNS .shockwave.com
WHITELIST REVDNS .thawte.com
WHITELIST REVDNS .travelzoo.com
WHITELIST REVDNS .truste.org
WHITELIST REVDNS .ups.com
WHITELIST REVDNS .usairways.com
WHITELIST REVDNS .veritas.com
WHITELIST REVDNS .zd-swx.com

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, September 14, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

Kami, the only reason I mentioned PayPal to Matt was because I figured he would be tracking FPs regarding his Obfuscation test. The PayPal message in question here did get delivered without user intervention; however, it was not due to PayPal being whitelisted. I don't like to whitelist anything except TO addresses, since anything else that is whitelisted can be abused, including RDNS.

Instead, we apply a high enough negative weight to three primary filter tests (HELO, RDNS, MAILFROM) to trusted mailers so that they will generally pass with an acceptable weight and get delivered without user intervention; however, anything sent by a spammer abusing these trusted mailer addresses will still likely get caught, because they probably will not pass all three of these primary tests and will most likely fail other JunkMail tests as well.

When something is whitelisted, no other tests can be run against these messages and they simply get delivered, no matter what. However, if you instead apply a minimal negative weight to multiple tests, forged e-mail will still likely get caught and not delivered. Using PayPal as an example, if you whitelist RDNS, or MailFrom, or HELO, etc., and a spammer happens to forge their messages using any of these, their spam gets delivered, no matter what other tests it might have failed. However, if you instead apply minimal negative weights like:

MAILFROM -5 ENDSWITH .paypal.com
REVDNS -5 ENDSWITH .paypal.com
HELO -5 ENDSWITH .paypal.com

This gives legitimate PayPal e-mail a total negative of -15, which will most likely allow it to be delivered, even if it fail a
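The trade-off Bill describes (a whitelist match skips every other test, while a negative weight only offsets the sum of the tests a message fails) can be checked with a small scoring simulation. The Python below is an added example written for this archive; it is not Declude code and not something Bill or Kami posted. The Message record, the hold threshold of 10, the names and weights of the "other" tests, and the rule that an ENDSWITH value with a leading dot also matches the bare MAILFROM domain are all assumptions made for the demo.

```python
"""Whitelist vs. negative weights, modelled on the three Global.cfg lines above.

Constructed simulation, not Declude code. It reproduces only the scoring rule
the post describes: a whitelisted message skips every other test and is
delivered; a negative weight is simply added to the sum of the failed tests.
"""
from dataclasses import dataclass, field

HOLD_WEIGHT = 10  # assumed hold threshold for this demo


@dataclass
class Message:
    helo: str
    revdns: str
    mailfrom: str
    # Constructed results of the other JunkMail tests: test name -> weight
    failed_tests: dict = field(default_factory=dict)


# One rule per line in the post: (test, weight, operator, value)
NEGATIVE_RULES = [
    ("MAILFROM", -5, "ENDSWITH", ".paypal.com"),
    ("REVDNS", -5, "ENDSWITH", ".paypal.com"),
    ("HELO", -5, "ENDSWITH", ".paypal.com"),
]


def subject_for(msg: Message, test: str) -> str:
    """The string each test is matched against (MAILFROM uses the domain part)."""
    if test == "HELO":
        return msg.helo.lower()
    if test == "REVDNS":
        return msg.revdns.lower()
    if test == "MAILFROM":
        return msg.mailfrom.rpartition("@")[2].lower()
    raise ValueError(f"unknown test {test}")


def rule_matches(msg: Message, test: str, op: str, value: str) -> bool:
    if op != "ENDSWITH":
        raise ValueError(f"unsupported operator {op}")
    subject, value = subject_for(msg, test), value.lower()
    # Assumption: a leading-dot value also matches the bare domain itself
    return subject.endswith(value) or subject == value.lstrip(".")


def score_with_negative_weights(msg: Message, rules=NEGATIVE_RULES):
    """Sum of failed-test weights plus every negative rule the message earns."""
    positive = sum(msg.failed_tests.values())
    credit = sum(w for test, w, op, val in rules if rule_matches(msg, test, op, val))
    total = positive + credit
    return total, ("HOLD" if total >= HOLD_WEIGHT else "DELIVER")


def score_with_whitelist(msg: Message, whitelist):
    """WHITELIST semantics from the post: a match skips all other tests."""
    for test, value in whitelist:
        if rule_matches(msg, test, "ENDSWITH", value):
            return 0, "DELIVER"
    return score_with_negative_weights(msg, rules=[])


# Constructed: genuine mail passes all three identity tests, trips one minor test
LEGIT = Message(helo="mail1.paypal.com", revdns="mail1.paypal.com",
                mailfrom="service@paypal.com", failed_tests={"BADHEADERS": 5})

# Constructed: a forgery copies only the envelope sender; HELO and rDNS
# belong to a dial-up host and the other tests fire on it
FORGED = Message(helo="dsl-203-0-113-7.example.net",
                 revdns="dsl-203-0-113-7.example.net",
                 mailfrom="service@paypal.com",
                 failed_tests={"SPAMCOP": 8, "HELOBOGUS": 5, "DYNAMIC": 4})

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "negative weights:", score_with_negative_weights(msg))
        print(name, "WHITELIST MAILFROM:", score_with_whitelist(msg, [("MAILFROM", ".paypal.com")]))
```

Running the two sample messages through both configurations reproduces the point of the post: with a MAILFROM whitelist the forgery is delivered untested, while under the three -5 rules it earns only -5 and is still held on the tests it fails; the genuine message is delivered either way.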
Re: [Declude.JunkMail] Dopey question
> Are the config files whitespace agnostic? Are tab and space the same thing? Can I have more than one separating the various columns of parameters?

In most cases, they are treated the same. The two exceptions that come to mind are in filters (where BODY 0 CONTAINS wordtab would only match when wordtab was found), and the .eml files where lines such as SKIPIFVIRUSNAMEHAS are used (which are normally only used by Declude Virus, and require just one space/tab on the line).

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
Re: [Declude.JunkMail] Missing text with a filter BADHEADERS error
Thanks for the answers. I would imagine that it makes a lot of sense to limit it at 32 K. The root of my issue then becomes Microsoft Word's unbelievably bloated code. If they can't construct a simple E-mail without 500% overhead in their tagging, I can see why Linux people laugh about Windows' performance. That message had 13,058 displayable characters with spaces without attachments, but it contained 83,023 characters with spaces counting the formatting code (the previous quoted number didn't have spaces included). That made a 13 K message 84 K. Geeze!

Matt

R. Scott Perry wrote:
> > Is there a limit to how far down a file the text filters will search?
>
> Yes -- it will only check the first 32K of the E-mail.
>
> > Also, is there a fix available for the BADHEADERS 840a error? I get a decent number of these every day, and they're often false positives (as was discussed before). The message that I'm referencing failed because of both the text filter not hitting and that BADHEADERS issue (not RFC compliant, but supported functionality from popular mail clients).
>
> That's something that we are currently investigating.
>
> -Scott
[Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated
They're still a work in progress of course, but most of the major sources of FP's seem to have been fixed. The major changes are that the tests have both been split into two files, one for positives, and one for counterbalancing false positives. This reduces the possibility of crediting too much back to any E-mail. It also makes testing a lot easier, as any test that fails the main filter and doesn't fail the anti filter gets scored; those that fail both don't.

The GIBBERISHSUB filter is pretty much there, with the only things that I expect to add being exceptions in the ANTIGIBBERISHSUB filter. Those exemptions should be for words, acronyms and stock market symbols, and they should match the same exemptions in the ANTIGIBBERISH filter. The GIBBERISH filter similarly has ANTIGIBBERISH as a counterbalance. Some things are listed in both files if they only occasionally don't tend to throw positives, which makes monitoring easier.

The test will no longer interfere with BASE64 except that it will add extra score to any base64 encoded content that isn't tagged anywhere in the headers or message body as being such. This is not a bad thing because that would be very highly indicative of spam.

I have also found that many spams are caught because they contain gibberish in the message boundary only. Normal mail clients use time stamps, either in decimal or hexadecimal form, so they won't trip the test. Spammers also tend to create fake directories in their links that are made from gibberish, and this will detect that as well, though unfortunately, some legitimate mailers are random enough to get caught and they are being kept track of in the anti file.

I haven't had time to massage the comments, but wanted to put this out for testing because it resolves many of the false positives. Please let me know if you have a nomination for counterbalancing measures, such as words, mail clients, bulk mailers, etc. Offending code is helpful because a literal exception might not be the best way around it. For instance, I just took care of a MS Word mail issue by exempting XML tags instead of one particular string of characters.

You can download those filters plus the OBFUSCATION filter at the following locations:

GIBBERISH and ANTIGIBBERISH
http://www.mailpure.com/decludefilters/gibberish/Gibberish_09-15-2003.txt
http://www.mailpure.com/decludefilters/gibberish/AntiGibberish_09-15-2003.txt

GIBBERISHSUB and ANTIGIBBERISHSUB
http://www.mailpure.com/decludefilters/gibberishsub/GibberishSub_09-15-2003.txt
http://www.mailpure.com/decludefilters/gibberishsub/AntiGibberishSub_09-15-2003.txt

OBFUSCATION
http://www.mailpure.com/decludefilters/obfuscation/Obfuscation_09-14-2003c.txt

Recommendations on how to best obscure the files long-term would be appreciated. It shouldn't be anything too convoluted, like maybe a secret handshake or something :)

Matt
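To make the boundary and link-directory heuristic concrete, here is an added Python sketch of the idea, written for this archive rather than taken from Matt's GIBBERISH filter (which is a Declude text filter, not code). A token is exempt when it is short or entirely decimal/hexadecimal, as the timestamp-style boundaries of normal mail clients are; an alphabetic token is flagged on a low vowel ratio or a long consonant run, and a token that mixes digits with letters outside a-f is flagged outright. The thresholds, the sample boundaries and the sample URLs are our own choices and not from the post.

```python
"""Gibberish heuristic for MIME boundaries and URL path segments.

Added illustration of the post's idea; thresholds are assumptions, not the
filter's. Real clients build boundaries from decimal or hex timestamps, so
those tokens are never flagged; random strings are.
"""
import re
from urllib.parse import urlsplit

HEX_TOKEN = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
VOWELS = set("aeiouy")
MIN_LEN = 6              # assumed: shorter tokens are too noisy to judge
MAX_CONSONANT_RUN = 5    # assumed
MIN_VOWEL_RATIO = 0.2    # assumed


def is_gibberish_token(token: str) -> bool:
    """Judge one run of letters/digits cut out of a boundary or path."""
    if len(token) < MIN_LEN or HEX_TOKEN.match(token):
        return False  # short, decimal or hexadecimal (timestamp-like): exempt
    low = token.lower()
    if not low.isalpha():
        return True   # digits mixed with non-hex letters, e.g. "ak3jf9skdj"
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]+", low))
    return vowel_ratio < MIN_VOWEL_RATIO or longest_run > MAX_CONSONANT_RUN


def gibberish_tokens(text: str) -> list:
    """All tokens in the text that the heuristic flags, in order."""
    return [t for t in re.split(r"[^0-9A-Za-z]+", text) if t and is_gibberish_token(t)]


def boundary_is_gibberish(boundary: str) -> bool:
    return bool(gibberish_tokens(boundary))


def url_path_has_gibberish(url: str) -> bool:
    """Only the path is judged; the host name is left to other tests."""
    return bool(gibberish_tokens(urlsplit(url).path))


# Constructed samples: two client-style boundaries, one random one, two links
SAMPLE_BOUNDARIES = [
    "----=_NextPart_000_0005_01C37B9E.6F3C1A20",   # Outlook-style hex stamps
    "------------070401030806080406060100",         # Mozilla-style decimal stamp
    "----=_zqvxkwbtrpqmnl",                          # random letters
]
SAMPLE_URLS = [
    "http://example.invalid/ak3jf9skdj/offer.html",
    "http://www.example.com/products/index.html",
]

if __name__ == "__main__":
    for b in SAMPLE_BOUNDARIES:
        print(b, "->", boundary_is_gibberish(b))
    for u in SAMPLE_URLS:
        print(u, "->", url_path_has_gibberish(u))
```

The same tokeniser serves both cases, which mirrors the post: the boundary check and the fake-directory check are one heuristic applied to two places in the message, and the exemptions (short tokens, decimal, hex) are exactly what keeps timestamp-built boundaries out of the score.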
RE: [Declude.JunkMail] postmaster junk
Matthew,

Thanks, that is what I was looking for. So is this basically what you did:

Change the postmaster alias to [EMAIL PROTECTED]

In the rule.ima have:
[EMAIL PROTECTED]:NUL

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Monday, September 15, 2003 11:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] postmaster junk

Delete based on specified content

Danny Klopfer wrote:
> Someone typed in a message about deleting email that is to postmaster email which are basically junk messages sitting in the spool directory and now I can't find it. Anyone remember the subject so I can find it?
>
> TIA

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===
RE: [Declude.JunkMail] Email addresses on a company webpage?
If you're a small company with 5 to 15 people, then it's not as bad as a company with hundreds of employees, or in the case of my client, thousands. Against our advice, they placed their entire directory online for convenience of their customers and it turned into a harvest festival for spammers. 90 days later their email system was nearly useless because of the volume of spam. Some employees were receiving over 1000 emails between the time they left work and the time they arrived in the morning. Then they tell us it's our problem to fix because it's our mail server. (We charge per-mailbox, so we really don't mind if we have to fix their problems.)

Whatever email address you put on a web page should be generic, such as sales@ info@ support@ and so forth, and point those to the persons responsible. That way the employee-to-employee email stays clean. Besides, it's easier to rotate a generic email address through a department. And instruct employees to not use their company email addresses to send e-greetings or subscribe to newsletters.

> I've been reading the recent threads and someone mentioned it a bad idea to post employee email addresses on their company webpage because of spammers or bots harvesting them. Isn't this a little bit paranoid or am I just naive? Isn't it a pretty
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
As far as the Microsoft update status, I've been granted a Microsoft engineer who is paying us a visit this week to witness all of this for himself.

> Regarding that one problem customer posting their entire directory on the Web; you might want to suggest that they

It's not on their web page anymore, but the damage is done. You can't pull them back off the spam lists once they get out there. And to make sure someone took the blame, they fired their web designer who put the names online, even though I'm pretty sure they asked him to do what he did. Welcome to Corporate CYA America.

> Since your question about outgoing E-mail hasn't been answered yet, I'll try. Anything in your Global.cfg that says WARN, IGNORE, HOLD, or other actions seen in your

Yes, but aren't the tests done anyway, just not triggering an action? Doesn't matter, since I don't want to disable it anyway, but I was curious.

As soon as I dig myself out, I'm going to check out Hijack. something to look in to.

> Also, when you say that you have a caching server in front of Declude, is that on the same box?

Separate box running Linux on a separate LAN. Mail send, receive and DNS lookups are all done on different NICs. I can't be sure, but I don't think there's another Imail installation that looks anything like this one. Frankly if I had been able to predict that it would grow this big, I wouldn't have used Windows or Imail, but migrating it at this point would be a negative experience.

> Someone else mentioned to me the problem of WAP recently. Hopefully there will evolve a blocklist for these things, and considering that they problem should be for the time being,

What we really need is stronger encryption and authentication standards on wireless systems, and for corporate IT guys to realize that you can actually get on their LAN from the parking lot. It's amazing how many IT people are completely ignorant of that fact. I've been on many business trips where the hotel Internet access is limited to dialup, but a good antenna hanging out the hotel window will pick up someone's WAP and give you the use of someone's T1 line to the Internet. I've never tried, but I betcha on most of these you could get into their corporate servers in a matter of minutes. In fact, I helped a client move his business once, and we moved his WAP system, only to discover several weeks later that their DSL line hadn't been working the whole time, and they had been going out to the Internet on the neighboring company's T1 through their WAP. When we discovered this (by accident), the owner actually considered continuing as it was. They were always curious why too many systems showed up in Network Neighborhood...
[Declude.JunkMail] Declude List in Digest Mode fails BADHEADERS
I just recently installed Declude JunkMail and while tweaking the weights discovered the Digest version of this List fails the BADHEADERS test. Kinda ironic, no?

Received: from declude.com [24.107.232.14] by mail.roycemedical.com with ESMTP (SMTPD32-6.06) id AAFF3A0002D6; Sun, 14 Sep 2003 16:34:23 -0700
Subject: [Declude.JunkMail Digest]
Precedence: bulk
Sender: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (List Server)
Date: Sun, 14 Sep 2003 19:31:33 -0400
Message-Id: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
X-Declude-Sender: [EMAIL PROTECTED] [24.107.232.14]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: BADHEADERS [5]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 337759383
Status: U

Alan Walters
Director of I.T.
Royce Medical
RE: [Declude.JunkMail] Declude List in Digest Mode fails BADHEADERS
The non-digest version fails BADHEADERS also. We whitelisted it here.

-----Original Message-----
From: Alan Walters [mailto:[EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:02 PM
To: Declude. JunkMail
Subject: [Declude.JunkMail] Declude List in Digest Mode fails BADHEADERS

> I just recently installed Declude JunkMail and while tweaking the weights discovered the Digest version of this List fails the BADHEADERS test. Kinda ironic, no?
Re: [Declude.JunkMail] Timing out with latest Microsoft patch
Keith, you have good stories. BTW, I was one of those folks working in Corporate CYA America as a webmaster. I didn't last long. Couldn't stand the way things worked. Our firewall administrator didn't even know the basics of TCP/IP, and it took several weeks and meetings to get him to stop routing private IP space out to the Internet. He's probably still working there. Lucky him. He probably thinks that I'm an a** h***. I have very low tolerance for that type of thing in the quantity that existed. The lead network guy for a worldwide company once blamed me for a problem of his because he didn't know you could bind more than one IP to a NIC... I've got more too :)

Anyway, I'm not sure if you were acknowledging my suggestion about DNS or exploring it further. For the sake of this reply, I'll assume the latter. If you start up the MS DNS service on your box and enable forwarders to look at your Linux box, it will cache locally without needing to open all of those connections. Even though your local DNS server is on fast Ethernet, there's still lots of local overhead there. If most of what you have is cached already, that would save a bunch of resources, I would think. Stress on the "think." It's easy to try and back out of though.

It's interesting that Microsoft is sending an engineer.

Matt

Keith Anderson wrote:
> As far as the Microsoft update status, I've been granted a Microsoft engineer who is paying us a visit this week to witness all of this for himself.
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
> Keith, you have good stories.

I'm a novice in a group like this.

> Anyway, I'm not sure if you were acknowledging my suggestion about DNS or exploring it further. For the sake of this

Exploring further. I think network resources are used whether they exit the machine or are passed internally. I'll play with it during a future 4am maintenance session and see what happens. I really detest Microsoft's DNS server, so it's likely to be a biased test.
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
> > Keith, you have good stories.
>
> I'm a novice in a group like this.

You must be doing something right to get MS to send an Engineer out to you.

John Tolmachoff
MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Monday, September 15, 2003 3:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Timing out with latest Microsoft patch

> > Anyway, I'm not sure if you were acknowledging my suggestion about DNS or exploring it further. For the sake of this
>
> Exploring further. I think network resources are used whether they exit the machine or are passed internally. I'll play with it during a future 4am maintenance session and see what happens. I really detest Microsoft's DNS server, so it's likely to be a biased test.
[Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail).

Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
> You must be doing something right to get MS to send an Engineer out to you.

I doubt it has anything to do with us. It's more the fact that our one client (who is only our client because of extremely good luck) has thousands of Windows clients and a long-term Microsoft support contract that makes Bill's house payment every month. I think Microsoft is aware that it's not a very big jump these days to replace Windows with Linux, Lindows, OpenOffice, Openexchange, etc. These big customers say JUMP and Microsoft throws an engineer or two onto an airplane. I'm sure they won't do that for any of our other clients. What we do right is work hard, blees, beg and butt kiss. :)
RE: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Seems like the easiest solution is to block all email from domains that resolve to 64.94.110.x

The question is, how do we do this? (I'm still learning... sorry if this is a stupid question.)

NS is going to make a lot of enemies doing this.

> Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail
RE: [Declude.JunkMail] Timing out with latest Microsoft patch
That should have been bleed and now I'm going to stop this off-topic thread. Thank you.

> won't do that for any of our other clients. What we do right is work hard, blees, beg and butt kiss. :)
[Declude.JunkMail] Disposable Domains
Spammers put links in the body of messages and more recently are creating them by the pound, changing to new ones multiple times/days. Is it possible to have a test that checks the age of domain names in the body? This information is available from a number of places:

http://www-whois.internic.net/cgi/whois?whois_nic=uzbeki98.biztype=domain

But is it possible to make an automated test that can collect and use it? Simplest would be just specifying the location and age, in days, fewer than which it would trip, under one month in this example:

DomainAge domainage body30 1 0

Dan
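Dan's proposed test can be prototyped outside Declude to see what it would involve. The Python below is an added example for this archive, not a Declude test and not anything from the post: it pulls the host names out of http links in a body, reads a creation date from whois output handed in as text (so it runs offline), and reports the domains younger than a threshold. The sample whois records, the whois_lookup callback, the set of date formats and the 30-day default are assumptions; mapping a host such as www.example.com to its registrable domain is left to the lookup callback, which in production would also need caching and rate limiting, since whois servers throttle bulk queries.

```python
"""Domain-age check for link domains, as sketched in the post.

Added example, not a Declude test. Whois output is passed in as text so the
code runs offline; the records, formats and threshold are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Keys seen in various registrars' whois output (assumed list)
CREATION_KEYS = ("creation date", "created on", "created", "registration date")
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ", "%Y/%m/%d")


def link_domains(body: str) -> set:
    """Host names from every http(s) link in the message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host:
            hosts.add(host)
    return hosts


def parse_creation_date(whois_text: str):
    """First creation-date line that parses, as an aware UTC datetime, else None."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in CREATION_KEYS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def domain_age_days(whois_text: str, now: datetime):
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def young_domains(body: str, whois_lookup, now: datetime, max_age_days: int = 30) -> set:
    """Domains linked in the body whose creation date is under max_age_days old."""
    young = set()
    for host in link_domains(body):
        age = domain_age_days(whois_lookup(host), now)
        if age is not None and age < max_age_days:
            young.add(host)
    return young


# Constructed whois records keyed by host (uzbeki98.biz is the domain in Dan's URL)
SAMPLE_WHOIS = {
    "uzbeki98.biz": "Domain Name: UZBEKI98.BIZ\nCreated On: 10-Sep-2003\nExpiration Date: 10-Sep-2004\n",
    "www.example.com": "Domain Name: EXAMPLE.COM\nCreation Date: 1995-08-14\n",
}
NOW = datetime(2003, 9, 15, tzinfo=timezone.utc)  # constructed "today"
BODY = "Click http://uzbeki98.biz/go.html or see http://www.example.com/about"


def sample_whois_lookup(host: str) -> str:
    """Stand-in for a whois query; unknown hosts yield an empty record."""
    return SAMPLE_WHOIS.get(host, "")


if __name__ == "__main__":
    print("young domains:", young_domains(BODY, sample_whois_lookup, NOW))
```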
RE: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Any more than they already have?? It's not a stupid move at all (if you're NetSol). They make all of their money on the ignorance of newbies that just don't know any better. Once people realize what lyin', cheatin', stealin' scum they are...you get the idea.

Do all of the unregistered domains resolve to this range: 64.94.110.x???

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Monday, September 15, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

> Seems like the easiest solution is to block all email from domains that resolve to 64.94.110.x
>
> The question is, how do we do this? (I'm still learning... sorry if this is a stupid question.)
>
> NS is going to make a lot of enemies doing this.
>
> > Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Good call Keith. I don't know what the proper address would be, but the following article says that it can be blocked:

http://biz.yahoo.com/ap/030915/internet_typos_1.html

If you were correct, you would probably have to do this in your DNS server. Maybe set up reverse DNS for that block. I'm not sure though. Scott could probably also filter it out with Declude. It's not active yet from where I'm sitting (resolving off my own DNS server).

I'll bet $100 that this move does not last. Network Solutions is one of the shadiest companies that I have ever dealt with (MCI has top honors). I resell Tucows now just so I don't have to deal with them...not for the money. They held up the whole transition to de-monopolize the popular domains, and I have no clue as to how they got away with that, but it was held up for 1 or 2 years. Now they are hurting bad for business, losing customers left and right to bargain registrars...and then they pull this scam. They ought to charge them a fee for each possible letter and number combination if you ask me. It's like taking over the airwaves and stealing every available frequency range that isn't licensed. That's real freaky stuff. Same goes for Microsoft's default settings by way of their de facto monopoly in the browser market, but that's another story.

Matt

Keith Anderson wrote:
> Seems like the easiest solution is to block all email from domains that resolve to 64.94.110.x
>
> The question is, how do we do this? (I'm still learning... sorry if this is a stupid question.)
>
> NS is going to make a lot of enemies doing this.
>
> > Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer
I know those rules, but I don't perceive it to be the case. I've enclosed the sender.eml, if you would please take a look at it. Thanks.

-Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, September 15, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer

> I have this line in my sender.eml file:
>
> SKIPIFVIRUSNAMEHAS Fizzer
>
> However, the sender notice is still being sent and starts off like this:

This would be more appropriate in the Declude Virus list. In this case, the problem is most likely that either [1] There is more than one space or tab on the line, or [2] There is a blank line between that line and the body of the E-mail.

-Scott

---BeginMessage---
The Declude Virus software on %LOCALHOST% has reported that you sent an E-mail to %ALLRECIPS%, containing the %VIRUSNAME% virus in the %VIRUSFILE% attachment. The subject of the E-mail was %SUBJECT%.

The E-mail containing the virus has been quarantined to prevent further damage.

NOTE: Sender information is easily forged, so while the email containing the virus purportedly was sent by you, it may not actually have come from you, in which case we apologize for this notification.

Headers Follow:
%HEADERS%
---End Message---
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Ignore my earlier reverse DNS thoughts, that doesn't make any sense :) I certainly have my moments.

I think the article is also wrong by saying that DNS could be used to defeat this. I'm betting that providers like AOL are just simply configuring that block of addresses to point to their own servers through routing and there's nothing that you can do with DNS.

This does potentially make the MAILFROM test somewhat simple to fix if Declude is already doing the lookups though. I would imagine that you could just test the sender's IP for that block and fail on that. There are no documented filter capabilities though at present for the IP address in the From, probably because only the mail file itself is filtered, so this would probably have to come by way of the program itself.

BTW, this only affects .net and .com.

Matt

Keith Anderson wrote:

As near as I can figure, they all go to that class. I hope that makes it easier. I'm going to keep an eye on that one, though, in case it changes. It's not hard... just set up a script to resolve www._somethingrandomhere_.com and record the resolved IP address.

-Original Message-
From: Todd Holt [mailto:[EMAIL PROTECTED]
Sent: Monday, September 15, 2003 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Any more than they already have?? It's not a stupid move at all (if you're NetSol). They make all of their money on the ignorance of newbies that just don't know any better. Once people realize what lyin', cheatin', stealin' scum they are...you get the idea.

Do all of the unregistered domains resolve to this range: 64.94.110.x???
Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Monday, September 15, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Seems like the easiest solution is to block all email from domains that resolve to 64.94.110.x

The question is, how do we do this? (I'm still learning... sorry if this is a stupid question.)

NS is going to make a lot of enemies doing this.

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer
Open your sender.eml with notepad, then copy and paste into a new text document. Outlook treats this as an attached e-mail and messes with it.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Mike Gable
Sent: Monday, September 15, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer

I know those rules, but I don't perceive it to be the case. I've enclosed the sender.eml, if you would please take a look at it. Thanks.

-Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, September 15, 2003 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer

I have this line in my sender.eml file:

SKIPIFVIRUSNAMEHAS Fizzer

However, the sender notice is still being sent and starts off like this:

This would be more appropriate in the Declude Virus list. In this case, the problem is most likely that either [1] There is more than one space or tab on the line, or [2] There is a blank line between that line and the body of the E-mail.

-Scott
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
For now I've added:

REVDNS 10 ENDSWITH sitefinder-idn.verisign.com

to at least be able to add some weight to e-mail messages that use bogus domain names and resolve RDNS for 64.94.110.11 to sitefinder-idn.verisign.com.

Bill

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:32 PM
Subject: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail). Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Oops, never mind, that's not going to work. Hmmm, back to the drawing board on this one...

Bill

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:18 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

For now I've added:

REVDNS 10 ENDSWITH sitefinder-idn.verisign.com

to at least be able to add some weight to e-mail messages that use bogus domain names and resolve RDNS for 64.94.110.11 to sitefinder-idn.verisign.com.

Bill

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:32 PM
Subject: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail). Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
I think a better filter might be:

BODY 100 CONTAINS verisign
HEADERS 100 CONTAINS verisign
HELO 100 CONTAINS verisign
MAILFROM 100 CONTAINS verisign
REMOTEIP 100 CONTAINS verisign
REVDNS 100 CONTAINS verisign
ALLRECIPS 100 CONTAINS verisign
SUBJECT 100 CONTAINS verisign

and don't forget obfuscation...

BODY 100 CONTAINS v-e-r-i-s-i-g-n
BODY 100 CONTAINS v.e.r.i.s.i.g.n
BODY 100 CONTAINS vérisign
BODY 100 CONTAINS verlslgn

Matt :)

Bill Landry wrote:

Oops, never mind, that's not going to work. Hmmm, back to the drawing board on this one...

Bill

- Original Message -
From: "Bill Landry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:18 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

For now I've added:

REVDNS 10 ENDSWITH sitefinder-idn.verisign.com

to at least be able to add some weight to e-mail messages that use bogus domain names and resolve RDNS for 64.94.110.11 to sitefinder-idn.verisign.com.

Bill

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:32 PM
Subject: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail). Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Yep, that should certainly cover all of the bases! ;-)

Actually, what we need is a hostname lookup filter:

HOSTNAME-ADDR 25 IS 64.94.110.11

If the hostname resolves to 64.94.110.11, then add lots of weight to the message.

Bill

- Original Message -
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:41 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

I think a better filter might be:

BODY 100 CONTAINS verisign
HEADERS 100 CONTAINS verisign
HELO 100 CONTAINS verisign
MAILFROM 100 CONTAINS verisign
REMOTEIP 100 CONTAINS verisign
REVDNS 100 CONTAINS verisign
ALLRECIPS 100 CONTAINS verisign
SUBJECT 100 CONTAINS verisign

and don't forget obfuscation...

BODY 100 CONTAINS v-e-r-i-s-i-g-n
BODY 100 CONTAINS v.e.r.i.s.i.g.n
BODY 100 CONTAINS vérisign
BODY 100 CONTAINS verlslgn

Matt :)

Bill Landry wrote:

Oops, never mind, that's not going to work. Hmmm, back to the drawing board on this one...

Bill

- Original Message -
From: "Bill Landry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:18 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

For now I've added:

REVDNS 10 ENDSWITH sitefinder-idn.verisign.com

to at least be able to add some weight to e-mail messages that use bogus domain names and resolve RDNS for 64.94.110.11 to sitefinder-idn.verisign.com.

Bill

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:32 PM
Subject: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail). Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
Re: [Declude.JunkMail] Change to .com/.net behavior
On Sep 15, 2003, at 11:11 PM, wayne wrote:

In [EMAIL PROTECTED] Matt Larson [EMAIL PROTECTED] writes:

Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now.

Well, I hope you have the world's most secure server running on this IP address as it is going to be a prime target for crackers. And, just to give you some idea how carefully VeriSlim considered this aspect, I saw this link on /.

http://sitefinder.verisign.com/lpc?url='%3E%3Ch1%3Ehi%20mom%3C/h1%3E

;; ANSWER SECTION:
11.110.94.64.in-addr.arpa. 900 IN PTR sitefinder-idn.verisign.com.

I was thinking that if email came from a bogus domain that when I look up the PTR on my email server, if it is sitefinder-idn.verisign.com then could I block that mail and never be blocking legitimate mail?

-Josh
Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions
Another good test for this would be a mail domain "A" record lookup filter:

MAILDOMAIN 25 IS 64.94.110.11

That, combined with the hostname "A" record lookup filter below, would take care of this stupid VeriSpam issue.

Bill

- Original Message -
From: Bill Landry
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 8:32 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Yep, that should certainly cover all of the bases! ;-)

Actually, what we need is a hostname lookup filter:

HOSTNAME-ADDR 25 IS 64.94.110.11

If the hostname resolves to 64.94.110.11, then add lots of weight to the message.

Bill

- Original Message -
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:41 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

I think a better filter might be:

BODY 100 CONTAINS verisign
HEADERS 100 CONTAINS verisign
HELO 100 CONTAINS verisign
MAILFROM 100 CONTAINS verisign
REMOTEIP 100 CONTAINS verisign
REVDNS 100 CONTAINS verisign
ALLRECIPS 100 CONTAINS verisign
SUBJECT 100 CONTAINS verisign

and don't forget obfuscation...

BODY 100 CONTAINS v-e-r-i-s-i-g-n
BODY 100 CONTAINS v.e.r.i.s.i.g.n
BODY 100 CONTAINS vérisign
BODY 100 CONTAINS verlslgn

Matt :)

Bill Landry wrote:

Oops, never mind, that's not going to work. Hmmm, back to the drawing board on this one...

Bill

- Original Message -
From: "Bill Landry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 7:18 PM
Subject: Re: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

For now I've added:

REVDNS 10 ENDSWITH sitefinder-idn.verisign.com

to at least be able to add some weight to e-mail messages that use bogus domain names and resolve RDNS for 64.94.110.11 to sitefinder-idn.verisign.com.

Bill

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 4:32 PM
Subject: [Declude.JunkMail] A slight increase in spam not getting caught thanks to Network Solutions

Just so people are aware, Network Solutions just hours ago made the dumb move of making all unregistered domains point to their web site. As a result, very little E-mail will fail the MAILFROM test in Declude JunkMail (only E-mail from addresses on recently expired domains, and domains not handled by Network Solutions will still fail). Fortunately, the MAILFROM test only caught about 2% of all spam, but it was an extremely reliable test.

-Scott
Re: [Declude.JunkMail] Change to .com/.net behavior
That's what I mistakenly thought, at first. However, nothing will ever connect to your server with the IP address of 64.94.110.11, so you should never have the opportunity to resolve the IP to a name. Rather, they will connect with a bogus hostname or mail domain, and the forward lookup (A record) will resolve to 64.94.110.11. At least bogus domain MX records are not resolving to this VeriSlime address.

Bill

- Original Message -
From: Joshua Levitsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 15, 2003 8:36 PM
Subject: Re: [Declude.JunkMail] Change to .com/.net behavior

On Sep 15, 2003, at 11:11 PM, wayne wrote:

In [EMAIL PROTECTED] Matt Larson [EMAIL PROTECTED] writes:

Today VeriSign is adding a wildcard A record to the .com and .net zones. The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now.

Well, I hope you have the world's most secure server running on this IP address as it is going to be a prime target for crackers. And, just to give you some idea how carefully VeriSlim considered this aspect, I saw this link on /.

http://sitefinder.verisign.com/lpc?url='%3E%3Ch1%3Ehi%20mom%3C/h1%3E

;; ANSWER SECTION:
11.110.94.64.in-addr.arpa. 900 IN PTR sitefinder-idn.verisign.com.

I was thinking that if email came from a bogus domain that when I look up the PTR on my email server, if it is sitefinder-idn.verisign.com then could I block that mail and never be blocking legitimate mail?

-Josh
[Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
Interesting side effect of Verislime's move. Just set up an ip4r test that goes to a bogus domain and then all the bad addresses result in an answer of 64.94.110.11. Maybe this is how we can take advantage of this? If I made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then I'd probably be good no?

-Josh

Begin forwarded message:

From: Patrick Muldoon [EMAIL PROTECTED]
Date: September 16, 2003 12:39:14 AM EDT
To: [EMAIL PROTECTED]
Subject: Verisign's New Change and Outdate RBL's

Was playing with a test box here at home. Installed SpamAssassin from a newly cvsup'd ports tree on a FreeBSD box, and was surprised to see messages getting marked as received in blacklists that no longer exist. Most notably ORBS. Since this was a fresh install I hadn't gone through and removed the dead RBL's from 20_head_tests.cf yet. Since dorkslayers doesn't exist, any queries for it are returning that infamous sitefinder address.

[EMAIL PROTECTED] doon]$ host 34.131.246.64.orbs.dorkslayers.com
34.131.246.64.orbs.dorkslayers.com has address 64.94.110.11

So anybody that hasn't updated their SpamAssassin config now has the added benefit of all IP's being tagged as an open relay.

Just an FYI

-Patrick
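Two points from these threads lend themselves to a worked check: Bill Landry's, that the test has to be a forward (A) lookup of the HELO name or MAIL FROM domain rather than a PTR lookup of the connecting IP, since nothing ever connects from 64.94.110.11; and Patrick Muldoon's, that a DNSBL zone whose domain has lapsed now answers 64.94.110.11 for every query and so tags every client as listed. The following is an added Python example, not code from the list, from Declude or from SpamAssassin. It takes the sink address 64.94.110.11 and the dead zone orbs.dorkslayers.com from the thread; the resolver is injected and backed by a constructed answer table so it runs offline, the weight of 25 per sink hit mirrors the HOSTNAME-ADDR / MAILDOMAIN values proposed above (those test names are the thread's wish list, not real Declude tests), and the DNSBL weight of 10, the zone dnsbl.example.net and the hosts under example.com are assumptions.

```python
"""Forward-lookup and DNSBL sanity checks for a registry wildcard address.

Added example, not code from the Declude list, Declude or SpamAssassin.
The sink address 64.94.110.11 and the dead zone orbs.dorkslayers.com are
the values quoted in the thread; everything else here is constructed.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a name to its A-record answers; an empty list means the
# name did not resolve (NXDOMAIN), which is what an unregistered domain
# returned before the wildcard was added.
Resolver = Callable[[str], List[str]]

# Wildcard "sink" addresses that answer for every unregistered name.
# Only the address quoted in the thread is listed; keeping this table
# current is assumed to be an operator task.
WILDCARD_SINKS = frozenset({ipaddress.ip_address("64.94.110.11")})

# DNSBL convention: a listing is reported as an address inside 127.0.0.0/8.
DNSBL_VALID = ipaddress.ip_network("127.0.0.0/8")


def resolves_to_sink(name: str, resolve: Resolver) -> bool:
    """True when the forward (A) lookup of a HELO name or MAIL FROM domain
    lands on a wildcard sink.  The connecting IP is never the sink, so a
    PTR lookup of the client finds nothing; it is the forward lookup of the
    name the client claimed that the wildcard changed."""
    return any(ipaddress.ip_address(a) in WILDCARD_SINKS for a in resolve(name))


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the reversed-octet query name used by DNSBL lookups."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip: str, zone: str, resolve: Resolver) -> Optional[bool]:
    """True if listed, False if not, None if the zone answered outside
    127.0.0.0/8.  A dead zone swallowed by the wildcard returns the sink
    address for every query, which would otherwise tag every client."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_query_name(client_ip, zone))]
    if not answers:
        return False
    if all(a in DNSBL_VALID for a in answers):
        return True
    return None  # nonsense answer: treat the zone as broken, not as a listing


def score_message(helo: str, mailfrom_domain: str, client_ip: str,
                  zones: Iterable[str], resolve: Resolver) -> Dict[str, object]:
    """Combine the checks into a spam weight.  25 per sink hit mirrors the
    HOSTNAME-ADDR / MAILDOMAIN values proposed in the thread (those test
    names are the thread's wish list, not real Declude tests); the DNSBL
    weight of 10 is an assumption."""
    weight = 0
    reasons: List[str] = []
    if resolves_to_sink(helo, resolve):
        weight += 25
        reasons.append("HELO name resolves to a wildcard sink")
    if resolves_to_sink(mailfrom_domain, resolve):
        weight += 25
        reasons.append("MAIL FROM domain resolves to a wildcard sink")
    for zone in zones:
        verdict = dnsbl_listed(client_ip, zone, resolve)
        if verdict is True:
            weight += 10
            reasons.append(f"listed in {zone}")
        elif verdict is None:
            reasons.append(f"ignored {zone}: answer outside 127.0.0.0/8, zone looks dead")
    return {"weight": weight, "reasons": reasons}


# Constructed answer table standing in for live DNS so the module runs offline.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.25"],                              # constructed real host
    "aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com": ["64.94.110.11"],  # unregistered, caught by wildcard
    "34.131.246.64.orbs.dorkslayers.com": ["64.94.110.11"],           # dead RBL, as in the forwarded message
    "34.131.246.64.dnsbl.example.net": ["127.0.0.2"],                 # constructed live listing
}


def table_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS A lookup."""
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(score_message(
        helo="aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com",
        mailfrom_domain="aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com",
        client_ip="64.246.131.34",
        zones=["orbs.dorkslayers.com", "dnsbl.example.net"],
        resolve=table_resolver,
    ))
```

Swapping `table_resolver` for a function that performs real A lookups turns this into a live check; the `None` verdict from `dnsbl_listed` is the part worth keeping in any DNSBL client, since it is what stops a lapsed zone from listing the whole Internet.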