Let's keep in mind that Spammers likely are behind costly and vicious
virus/worm attacks to create zombie machines for their benefit.
They are also clearly coordinating their efforts in DOS attacks against
anti-spam web-sites.
In my book they have crossed the line from "nuisance" to organized cri
Wow, certainly not a very stable server:
=
How I am searching:
Searching for A record for 2.0.0.127.cabal.web-o-trust.org at
d.root-servers.net: Got referral to TLD2.ULTRADNS.NET. [took 45 ms]
Searching for A record for 2.0.0.127.cabal.web-o-trust.org at
TLD2.ULTRADNS.NET.: Got referral to a
Yep, it does appear to be back up now. However, for about an hour after I
implemented the test, my bind logs showed that the server was not
responding.
Bill
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 11, 2003 5:59 PM
S
Obviously we all hate spam, but in a country where Enron's executives
still haven't been charged with a crime, it seems that maybe we're
making a bit too much out of an individual spammer. I consider these
guys to be merely a nuisance on an individual basis and the only damage
they are capable
Well - I tested it yesterday and it worked - but I admit that initially I
had trouble connecting. You may be right.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Andy, do they seem to be responding to your IP4R queries. The site appears
to be down from my perspective.
http://www.dnsstuff.com/tools/lookup.ch?name=2.0.0.127.cabal.web-o-trust.org&type=A
shows that it is working.
-Scott
---
Declude JunkMail
I am still having issues with this. I have the REDIRECT
[EMAIL PROTECTED] c:\dir\dir\filename in both the global.cfg and the
$junkmail file. I also have the renamed copy of the $junkmail file with
the custom actions in the Imail directory. It is not processing the
users settings...
Can you look at
This message was labelled in the subject as SPAM: but the only test I
see it failing is the IPNOTINMX, which in the user's .junkmail file is
set to WARN. The IPNOTINMX is also set to WARN in the
$default$.junkmail file as well.
The best thing to do here would be to look at the Declude JunkMail lo
<.02>
The courts will see this as a "victimless" crime and give him a 2 month
sentence, under house arrest, blah, blah, blah, ginger.
Then companies can sue him in civil court for losses they can
document...
Can you document your monetary losses from SPAM from a specific
source?? I know t
It's the "five years" that makes it a deterrent. Nobody cares about the
amount of the arbitrary fines for committing murder, either.
> -Original Message-
> From: Todd Holt [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 11, 2003 4:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declud
I applaud their efforts, but...
$2500 a piece will deter no one!!!
Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
702.319.4349
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Frederick Samarelli
> Sent: Thursd
Andy, do they seem to be responding to your IP4R queries. The site appears
to be down from my perspective.
Bill
- Original Message -
From: "Andy Schmidt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 11, 2003 2:11 PM
Subject: RE: [Declude.JunkMail] Web-o-Trust
Ma
Thanks a bunch Markus. What I will likely do is reduce this to only
about 70% of my fail weight, figuring that most messages which use one
obfuscation technique use others which will also produce a score, such
as Declude's BASE64 test (30% on my system), and on my system, the two
alone will pr
http://www.washingtonpost.com/wp-dyn/articles/A56209-2003Dec11.html
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Dec
Do you mark the subject of messages with Declude? If not, this was
marked by another mail server before it reached yours.
Matt
Technical Support wrote:
This message was labelled in the subject as SPAM: but the only test I
see it failing is the IPNOTINMX, which in the user's .junkmail file is
Scott,
I am still having issues with this. I have the REDIRECT
[EMAIL PROTECTED] c:\dir\dir\filename in both the global.cfg and the
$junkmail file. I also have the renamed copy of the $junkmail file with
the custom actions in the Imail directory. It is not processing the
users settings...
Can you
This message was labelled in the subject as SPAM: but the only test I
see it failing is the IPNOTINMX, which in the user's .junkmail file is
set to WARN. The IPNOTINMX is also set to WARN in the
$default$.junkmail file as well.
Here are the headers (slightly modified to remove email addresses).
And another one not funny:
PEOPLE KEEP SENDING ME THIS STUPID VIRUS HOAX! IF YOU GET THIS E MAIL JUST
DELETE IT PLEASE AND IF YOU ALREADY HAVE IT AND YOU DID WHAT IT SAID. DON'T
WORRY ABOUT DELETING THE BUG YOU DID TAKE SOMETHING OUT OF YOUR COMPUTER
WHICH WAS THERE WHEN YOU BOUGHT IT BUT YOU D
I guess some one got fed up with virus warnings that are hoaxes:
If you receive an email entitled "Bedtimes," delete it IMMEDIATELY.. Do
not
> open it. Apparently this one is pretty nasty. It will not only erase
> everything on your hard drive, but it will also delete anything on floppy
> disks w
> Are you talking about the ?B? or the ?Q?
?B?
Some examples from today's logfile:
Subject: Freiberufliche Mitarbeit. Brauchen Sie
=?ISO-8859-1?B?3GJlcnNldHp1bmdlbj8g?=
Subject: Re: Mutige =?iso-8859-1?b?TeRkY2hlbi1TdGFya2U=?= Frauen
=?iso-8859-1?b?SuRubmVy?= Termin
In these cases only the words
That's intended. Base64 encoding will almost always trip GIBBERISH and
GIBBERISHSUB so we counterbalance for that in the ANTI files. In the
ANTI-GIBBERISHSUB filter it looks for ?b? and credits back the points,
and this string is also in the GIBBERISHSUB filter just to make sure
that too muc
Markus:
The following line will give everyone with a web-o-trust a little negative
weight.
WEB-O-TRUST ip4r cabal.web-o-trust.org * -2 0
At present - it truly means everyone. They have already stated that
eventually they'll become selective on which IPs they add to
Markus Gufler wrote:
But I've found also several legit cases where the e-mail client has base64
encoded the entire subject line or also only the word that contains a
special character. (Some of them were sent from a hotmail account).
Are you talking about the ?B? or the ?Q?
I don't check for ?Q?,
Our email service comes with Declude AV/AS + Sniffer.
We bill $2/box + bandwidth & storage and get it happily (happy
customers, no churn).
Our customers are primarily business clients.
_M
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of ITG Lists
|Se
Samantha,
If you have the Pro version of JunkMail, try the FOREIGN/TLD filter set
from my site at http://www.mailpure.com/software/decludefilters/
I wouldn't recommend blocking based on just the country, but the FOREIGN
filter allows you to define countries according to several different
marke
> >How do the names get added to the list (or web-o-trust)?
>
> By getting someone to trust them.
>
> For example, we're asking that our customers let us know that
> they have set up a WOT file, and we add them to our WOT file,
> which a lot of people already trust.
Hi Scott,
As an ISP we ho
Actually, upon further reading, it appears that this affects all
non-printing characters that are URL encoded. Here's a list of
everything that I could find which is non-printing. Also note that I
don't believe that OBFUSCATION will catch this, and @LINKED will catch
it only if the @ is follo
> Most of the spam that I get is coming from Netherlands,
> Germany, France, Italy and so on and so on.
Why do you know from where the message is coming from?
Note that a message having a sender address like [EMAIL PROTECTED] can
come from everywhere around the world.
> Is there any way to blo
> ISO-8859 is Latin-1, which is the standard character set and
> there is no need to be encoding Latin-1 except to get around
> content filters.
You're right.
Testing with Outlook 2003 and some messages containing legit special
characters I can confirm that all legit messages are "Quoted printa
> This is a perfect example of how an obfuscation method can be more
> indicative than the content itself.
These are failing GIBBERISHSUB and ANTIGIBBERISHSUB.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
$0.00 for spam control
$3.00/month for Virus Protection. At this price we have had a lot of takers.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of ITG Lists
Sent: Thursday, December 11, 2003 4:05 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] [OT] Anyb
Hello,
Kind of Off-Topic, but was wondering if anybody is charging their customers
a fee for providing Declude Spam/Virus filtering?
We have been providing as a free service for about 18 months and would like
to charge if we can to help offset some of the costs of managing. Problem is
how to app
Hello All.
Most of the spam that I get is coming from Netherlands, Germany, France,
Italy and so on and so on.
Is there any way to block these based on the country?
http://netscape.com.com/2100-1105_2-5119440.html?part=netscape&subj=technews&tag=mynetscape
Follow the link to the following address for an example (only works as
designed in Internet Explorer):
http://www.zapthedingbat.com/security/ex01/vun1.htm
I would assume that you should probably t
Gufler Markus wrote:
It's not a good idea to filter anything (or to assign a high weight) that is ISO/Base64 encoded. Many international formatted legit messages can have such subject lines.
This is true except for ISO-8859 which is Latin-1, which doesn't need to
be encoded in E-mail.
Whenever you see ISO-8859 encoding for a subject, you should just simply
assume it is spam, or at least I have never seen a false positive on this.
SUBJECT15CONTAINS=?ISO-8859-1?b?
ISO-8859 is Latin-1, which is the standard character set and there is no
need to be encoding Lat
>
> =?ISO-8859-1?b?RUVOVCBjaGVjayBzdG9jayBjaGFydA==?=
> =?ISO-8859-1?b?RUVOVCBQcm9kdWN0aW9uIFByb2dyZXNz?=
> =?ISO-8859-1?B?SGk=?=
The "b?" in the encoded string means "base64-encoded"
To decode the string just use all after the "b?"
It's not a good idea to filter anything (or to assign a high we
> How can you decode the encoded subject lines so as to see
> what it is and then create a filter?
http://david.carter-tod.com/base64/
Markus
For what it's worth this is the info of a spam host that harvested one of my
emails from the whois database and will spam using different domain names to
get around unsubscribe requests.
Here's the current one:
Received: from Mailer3.gd-aol.com (52.gd-aol.com [66.63.163.52])
Here's one from a mont
John Tolmachoff (Lists) wrote:
How can you decode the encoded subject lines so as to see what it is and
then create a filter?
Things like:
=?ISO-8859-1?b?RUVOVCBjaGVjayBzdG9jayBjaGFydA==?=
=?ISO-8859-1?b?RUVOVCBQcm9kdWN0aW9uIFByb2dyZXNz?=
=?ISO-8859-1?B?SGk=?=
I've only been able to see the a
> 1. E-mail address used must be a part of the company represented.
> 2. Runs checks against the domain and MX records.
> 3. Not known to send out bounces or notifications to forged senders.
> 4. Must have current support agreement with Declude. (With Scott's
> permission.)
> 5. Must be a Declude J
How can you decode the encoded subject lines so as to see what it is and
then create a filter?
Things like:
=?ISO-8859-1?b?RUVOVCBjaGVjayBzdG9jayBjaGFydA==?=
=?ISO-8859-1?b?RUVOVCBQcm9kdWN0aW9uIFByb2dyZXNz?=
=?ISO-8859-1?B?SGk=?=
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
--
> I hear ya... Just consider this. You will become a "trusted authority"
> on the members - essentially saying that since the members were allowed
> to sign up they can be trusted. Can you be fooled? I know I can.
Yes, I can be fooled. That is why I am going to create a signup form that
will requi
|What I am proposing is to set up a website that would require
|a username and password. Each user would have their own
|directory to place files they wish to allow others to view and
|use. They would be the only one that could modify those files.
|Everyone who was a member could view all the d
> In the current version, it will go through all entries. However, as you
> pointed out, there is no benefit in continuing processing with a fromfile
> after the first match is reached -- so the logic will be changed for the
> next release (and therefore giving the fromfile a slight performance
>
A while back, I had asked about the comparison in performance of a fromfile
and a filter using MAILFROM ENDSWITH.
Scott, you stated that would not be much difference.
But wouldn't Declude stop processing a fromfile as soon as a match is found,
where in a filter it goes through the whole file?
Tha
Greg,
20% of our hold weight on our primary mx
30% of our hold weight on our backup mx
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
System Administrator writes:
I'm curious
A while back, I had asked about the comparison in performance of a fromfile
and a filter using MAILFROM ENDSWITH.
Scott, you stated that would not be much difference.
But wouldn't Declude stop processing a fromfile as soon as a match is found,
where in a filter it goes through the whole file?
Jo
And a big source of spam from those dialup and dsl IPs
Mike
- Original Message -
From: "serge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 10:19 PM
Subject: Re: [Declude.JunkMail] wanadoo.fr
> this this france telecom (french at&t) internet services
>
Thanks Scott, as long as it's being considered, I will hold off - especially
since I think you could do a much better job of implementing it than I could
through an external app, anyway.
Bill
- Original Message -
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thu
Scott, I didn't see any response from you about this test suggestion. I was
wondering what your thoughts were on a test like this and if you might
consider implementing.
We definitely are considering it. The first step is going to be how to
implement it, which may be a difficult decision. Alth
Is there any way to skip a filter if the starting weight is less than a
certain amount?
No, but we will be looking into adding that.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known
> A great example. Keywords for white listing are a fragile solution, and
> an example of something best sent directly rather than on a list IMO.
> (very tight security required)
>
> On the other hand, a list of IP sources that are whitelisted and the
> protocols for using/generating that list rep
Possibly, however, I was trying to bring it down to the most basic
components of an e-mail: HELO, rDNS, MX, & MAILFROM. All other tests are
really extraneous to these basic components. I simply felt that if all of
these basic components matched, that it would be a pretty good indicator of
a legi
Bill:
Would it not be a more general test if one could AND various test names?
So then it would be a grand logic case..
Test1 & test2 & test3 match -10
That way it can help with a broader set of conditions.
Just a thought..
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EM
Scott, I didn't see any response from you about this test suggestion. I was
wondering what your thoughts were on a test like this and if you might
consider implementing. If not, I will consider writing an external app to
run this kind of test, however, it would be much better if supported by
Decl
|> Any solution that requires secrecy will be some combination
|of: little
|> benefit, difficult to impossible to deploy, and/or easy to
|compromise
|> once discovered.
|
|Well, Williams post of his file is a good example. Any (not if
|I am sure) spammer that may read this list now sees that f
Thanks Andrew, seemed pretty straight forward but I thought I would ask the
experts.
Todd Hunter
Progressive Systems
"Better Networks by Design"
281-821-8111
- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 3:4
This program will log one line for each e-mail received - currently there is
no option to log any other way but I will consider options for future
versions (like an option to log only whitelisted or blacklisted messages).
If a message is whitelisted (i.e. the program return
Hi;
Is there any way to skip a filter if the starting weight is less than a
certain amount?
For example:
We are running all of our negative weights at the beginning and do not want
to whitelist them since who knows when that email may be used by spammers as
a fake return address.
BU
Is there any way to have the gateway server "dump" the email to my server
without having to set in the spool for so long? Also what do most of you
have your Maxqueproc set to?
Thanks,
Kris McElroy
[EMAIL PROTECTED]
Chief Technology Officer
Duracom, INC.
www.duracom.net
"I am always doing th
negative rDNS scores 5. No hold or delete. Subject line maker SPAM-VHIGH @
30+.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of System
Administrator
Sent: 11 December 2003 13:01
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] revdns weight question
I'm
I'm curious as to what others are doing concerning the weight assigned to
the revdns test. How much weight do you assign to your revdns test, as a
percentage of your hold or delete limit? Our percentage is currently at 25%
(10/40).
Thanks,
Greg
http://news.bbc.co.uk/1/hi/technology/3308989.stm
> >FYI, we need to have a serious discussion not on a public forum about
> >sharing/posting of filters and such. I am really concerned that spammers
> can
> >easily get a hold of the information we talk about and use that to get
> >around the very things we are trying to do.
>
> I have mixed feeli