[Declude.JunkMail] Befuddled: Test not logged!
Hi Scott:

I know you are busy with viruses - but I can't figure THIS one out. I have thousands of emails in the log file, where SORBS-DUHL is discovered, logged and treated properly. But at least this ONE got through and I have no explanation.

First let's look at a mail 10 minutes later, to the SAME person, that was handled properly. It detected SORBS-DUHL (in addition to SORBS), added it to the log, and then this test name was filtered in "DYNAMIC-IP" and added 6 to the weight:

03/19/2004 08:33:59 Qf6be2b780148067f WEIGHTFILTER:2 DYNAMIC-IP:6 OPEN-RELAY:5 . Total weight = 13.
03/19/2004 08:34:00 Qf6be2b780148067f Deleting spam from [EMAIL PROTECTED] to [EMAIL PROTECTED]
03/19/2004 08:34:00 Qf6be2b780148067f Subject: Hotel and Meal expenses for breakdowns far from home
03/19/2004 08:34:00 Qf6be2b780148067f From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 200.164.142.10 ID:
03/19/2004 08:34:00 Qf6be2b780148067f Tests failed [weight=13]: DSBLSINGLE=WARN NJABL=WARN NJABLDYNA=LOG NJABLPROXIES=DELETE SORBS=WARN SORBS-DUHL=LOG IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE WEIGHTFILTER=WARN DYNAMIC-IP=IGNORE OPEN-RELAY=IGNORE WEIGHT10=BOUNCEONLYIFYOUMUST

The CONFIG files involved define:

[global.cfg]
SORBS ip4r dnsbl.sorbs.net *
...
SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 0 0
...
SPAMDOMAINS spamdomains D:\IMail\Declude\SpamDomains.txt x 4 0
WEIGHTFILTER filter D:\IMail\Declude\WeightFilter.txt x 0 0
DYNAMIC-IP filter D:\IMail\Declude\DUHLfilter.txt x 6 0
OPEN-RELAY filter D:\IMail\Declude\RELAYSfilter.txt x 6 0
MULTI-RELAY filter D:\IMail\Declude\MULTIRELAYSfilter.txt x 6 0
FORMMAIL filter D:\IMail\Declude\WEBfilter.txt x 8 0

[$default$.junkmail] (global)
SORBS WARN X-RBL-Warning: Suspected SPAM. %WARNING%
...
SORBS-DUHL LOG

[DUHLfilter.txt]
SKIPIFWEIGHT 20
TESTSFAILED 0 CONTAINS NJABLDUL
TESTSFAILED 0 CONTAINS NJABLDYNA
TESTSFAILED 0 CONTAINS AHBLDYNA
TESTSFAILED 0 CONTAINS SORBS-DUHL

Now I try to understand THIS email, only a few minutes earlier.

a) It came from an IP that returns 127.0.0.10 (for DUHL):

nslookup result:
Query: 104.96.47.69.dnsbl.sorbs.net
Address: 127.0.0.10

b) the header clearly shows, that Declude did get the proper return code from SORBS (Dynamic IP) text

Received: from COMPAC [69.47.96.104] by hm-software.com (SMTPD32-7.07) id A50B5B900020; Fri, 19 Mar 2004 08:26:35 -0500
Received: from COMPAC [192.168.1.101] by maranello.cc with SMTP; Fri, 19 Mar 2004 08:26:32 -0500
Message-ID: [EMAIL PROTECTED]
From: "Elizabeth Letterman" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Lower your m ortgage today!
Date: Fri, 19 Mar 2004 08:26:32 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: yPHP
Return-Path: [EMAIL PROTECTED]
XML-Context: aGFyYWxkQG1hcmFuZWxsby5jYw==
X-RBL-Warning: Suspected SPAM. "Blocked - see http://www.spamcop.net/bl.shtml?69.47.96.104"
X-RBL-Warning: Suspected SPAM. "Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=69.47.96.104"
X-Declude: Version 1.78i27; Df50b5b900020628c.SMD from d47-69-104-96.try.wideopenwest.com [69.47.96.104]
X-Declude: Triggered SPAMCOP [4]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 378205927

c) Yet - Declude never logs SORBS-DUHL!?

03/19/2004 08:26:38 Qf50b5b900020628c SPAMCOP:7 nNOLEGITCONTENT:-3 . Total weight = 4.
03/19/2004 08:26:38 Qf50b5b900020628c Subject: Loweryour mortgage today!
03/19/2004 08:26:38 Qf50b5b900020628c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 69.47.96.104 ID:
03/19/2004 08:26:38 Qf50b5b900020628c Tests failed [weight=4]: SPAMCOP=WARN SORBS=WARN IPNOTINMX=IGNORE

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
Re: [Declude.JunkMail] Befuddled: Test not logged!
> I know you are busy with viruses - but I can't figure THIS one out. I have thousands of emails in the log file, where SORBS-DUHL is discovered, logged and treated properly. But at least this ONE got through and I have no explanation.

The issue here isn't that the test wasn't logged -- Declude JunkMail doesn't think that the E-mail failed the test at all.

> SORBS ip4r dnsbl.sorbs.net *
> SORBS-DUHL ip4r dnsbl.sorbs.net 127.0.0.10 0 0

> c) Yet - Declude never logs SORBS-DUHL!?
>
> 03/19/2004 08:26:38 Qf50b5b900020628c SPAMCOP:7 nNOLEGITCONTENT:-3 . Total weight = 4.
> 03/19/2004 08:26:38 Qf50b5b900020628c Subject: Lower your m ortgage today!
> 03/19/2004 08:26:38 Qf50b5b900020628c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 69.47.96.104 ID:
> 03/19/2004 08:26:38 Qf50b5b900020628c Tests failed [weight=4]: SPAMCOP=WARN SORBS=WARN IPNOTINMX=IGNORE

In this case, the E-mail failed the SORBS test, but not the SORBS-DUHL test. It does indeed appear that it should have failed the SORBS-DUHL test, given the current information, but it is possible that it wasn't listed correctly yesterday (which would explain what happened). dnsbl.sorbs.net definitely did return *something* -- but what it returned is a mystery.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
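The situation in the two messages above, as an added example that is not part of either post and is not Declude code: it builds the ip4r query name the way the nslookup in the question does, then evaluates the two test lines from the quoted global.cfg against a set of returned A records and reports "near misses" where the zone answered but the expected code was absent. The matching rule (`*` fails on any answer, a specific code fails only if that code is among the answers), the function names, and the answer sets (including `127.0.0.99`) are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Test definitions shaped like the global.cfg lines quoted in the thread:
# (test name, DNSBL zone, expected answer; "*" means any answer).
TESTS = [
    ("SORBS", "dnsbl.sorbs.net", "*"),
    ("SORBS-DUHL", "dnsbl.sorbs.net", "127.0.0.10"),
]


def ip4r_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (the ip4r convention)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolver(name):
    """Live lookup: all A records for name, or [] when the name is unlisted."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def evaluate(ip, tests, resolver):
    """Return (failed, near_misses) for one connecting IP.

    failed      -- names of the tests the IP failed
    near_misses -- {test name: answers} where the zone answered, but not with
                   the code that test expects; logging these answers shows
                   exactly what the zone returned at scan time.
    """
    cache = {}
    failed, near_misses = [], {}
    for name, zone, expected in tests:
        qname = ip4r_query_name(ip, zone)
        if qname not in cache:          # one DNS query per zone, shared by tests
            cache[qname] = sorted(resolver(qname))
        answers = cache[qname]
        if not answers:
            continue                    # not listed in this zone at all
        if expected == "*" or expected in answers:
            failed.append(name)
        else:
            near_misses[name] = answers
    return failed, near_misses


# Constructed answers (not real SORBS data). 127.0.0.99 is a placeholder for
# "some other code"; the thread never establishes what was really returned.
CONSTRUCTED_ANSWERS = {
    "10.142.164.200.dnsbl.sorbs.net": ["127.0.0.10", "127.0.0.99"],
    "104.96.47.69.dnsbl.sorbs.net": ["127.0.0.99"],
}


def fake_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("200.164.142.10", "69.47.96.104"):
        failed, near = evaluate(ip, TESTS, fake_resolver)
        print(ip, "failed:", failed, "near misses:", near)
```

Passing `dns_resolver` instead of `fake_resolver` performs the real lookups; the result then reflects the listing at the moment of the query, which may differ from what the mail server saw when it scanned the message.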
[Declude.JunkMail] SPFPASS (Junk)
What do we do when we find Junkmail passing the SPF Test. Is there a place to report it. Fred
[Declude.JunkMail] Detecting disguised url's in headers
IE this url: //205.159.%372.%32%30/mort/ obviously gets translated and I could do so also. It would take a lot of extra time. I copy the url out of headers of spam that gets through and put it into my filter file. These are bothersome however. Is there a way that we could just mark these kind of mails as spam? I think it would be just spammers that do this. thanks Harry Vanderzand inTown Internet Computer Services
RE: [Declude.JunkMail] Detecting disguised url's in headers
Where is this set in imail? Is it antispam of imail as we do not use it.

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W. Kitchener, ON N2M 1L2
519-741-1222
Did you know we offer:
- Province wide dial-up and high speed internet access
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Friday, March 19, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers

We created an Imail rule to block these. Here is what we use:

(http\://\d\d\.|http\://\d\d\d\.):spambox

This seems to work very well.

Jason

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] Detecting disguised url's in headers
It is a rule. They are located in a rules.ima (inbound rules file). The rules.ima file gets placed in the top directory of the domain that you want to use it on. There is lots of data about this in the knowledge base on Imail's web site.

Regards,
Jason
RE: [Declude.JunkMail] Detecting disguised url's in headers
I am not sure if my request here is being understood. I would not want to mark all messages with an IP in the url as spam. Only those messages that use %nnn%nnn%nnn etc. When you view source of an html message you can see this kind of coding. As in this case: //205.159.%372.%32%30/mort/ We always do a view source and take the url out of the source and then blacklist that, for those messages that were not caught by anti-spam at the time. I do not know what that process is called and have only ever seen it in source code of certain spam e-mail

Harry Vanderzand
inTown Internet Computer Services
RE: [Declude.JunkMail] Detecting disguised url's in headers
Well, let us ask the entire list if there are valid reasons that people would send an IP in a URL. I tested this for 2 months and didn't have a single legitimate e-mail like this. We did have people sending IP addresses, but not as a url. For example: My server IP is 156.23.140.10. Not one case had someone say my website is http://[insert ip here]

Jason
Re: [Declude.JunkMail] SPFPASS (Junk)
This is the offending header.

Received: from mail13.americanfamilydeals.com ([69.56.11.46]) by DNS2.tcbinc.net (SAVSMTP 3.1.3.37) with SMTP id M2004031909522726515 for [EMAIL PROTECTED]; Fri, 19 Mar 2004 09:52:29 -0500
Message-ID: [EMAIL PROTECTED]
Date: Fri, 19 Mar 2004 08:52:30 -0600 (CST)
From: Point.com [EMAIL PROTECTED]
Reply-To: American Family Deals [EMAIL PROTECTED]
To: Nancy Gladwell [EMAIL PROTECTED]
Subject: [~23]Cell Phone, Accessories Shipping at NO Cost
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_1277094_8887513.1079707950959
X-nb: zspttavsabivfviftpfnfnnn maifvvbmwpmfifmpa pmfwstssn
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. [2-3-1800]
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 63. [2-6-3000]
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. [2-17-8800]
X-RBL-Warning: MAILPOLICE-BULK: This E-mail came from mxllvniqnx.americanfamilydeals.com, a potential spam source listed in MAILPOLICE-BULK. [2-26-d000]
X-RBL-Warning: SBL-XBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9613; [2-33-10800]
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 426, weight 3) [2-57-1c800]
X-Declude-Sender: [EMAIL PROTECTED] [69.56.11.46]
X-Declude-Spoolname: D09300e8a005e2c5b.SMD
X-RBL-Warning: Total weight: 23
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: mail13.americanfamilydeals.com ([69.56.11.46]).
X-Note: This E-mail was scanned by TCB [1.78i21] for virus.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

This message contains an HTML formatted message but your email client does =
not support the display of HTML. Please view this message in a different ma=
il client or forward this email to a web-based mail system.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 11:46 AM
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

> What do we do when we find Junkmail passing the SPF Test. Is there a place to report it.

It should be treated the same way as regular spam that you would report, but there is a big exception here: you can almost certainly find someone responsible that allowed the spam through. If you have the headers, feel free to post them here.

-Scott
Re: [Declude.JunkMail] SPFPASS (Junk)
So zombie spammers forge Habeas, and ROKSO spammers give themselves SPF records. Not a surprise. You can't stop them from doing this, so I might suggest not crediting any points to those that pass.

Matt

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
RE: [Declude.JunkMail] SPFPASS (Junk)
Makes perfect sense to me. Everyone, including ROKSO spammers, can benefit from implementing SPF defensively, resulting in a valid SPFPASS. And *their* doing so dilutes the incentive for antispammers to reward those who implement SPF defensively, which in turn dilutes SPF. As noted in the last 2 weeks, current wisdom is to add points to those senders that trigger a SPFFAIL, and that rewarding a SPFPASS or SPFUNKNOWN will reveal no joy.

Andrew 8)
RE: inSPAM:RE: [Declude.JunkMail] Detecting disguised url's in headers
Well, assuming that you have Declude JunkMail Pro and thus text filtering features available, yes. See: http://www.mailpure.com/software/decludefilters/ for the IPFilter tests which would give you a very good example to get you started.

However, I think that:

a) You don't need to, because Declude is quietly de-obfuscating the %-escaped text, so you could simply search for dotted-quad text.

b) If you want to add weight to emails that use the technique, because it's the technique usage you find significant, then be conservative. I'm not able to name names, but I know that I've received email flyers and mailing lists that used the %-escaped text correctly when the source server for their images did not have a fully qualified domain name.

Andrew 8)

-----Original Message-----
From: Harry Vanderzand [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 12:39 PM
To: [EMAIL PROTECTED]
Subject: RE: inSPAM:RE: [Declude.JunkMail] Detecting disguised url's in headers

Let me re-iterate again

I would like to treat any mail where the source code of the mail is disguising either text or the URL. It is the act of disguising it in code that I think we can use to trap. Just because a URL is in the form of an IP is not a valid reason to mark it as spam.

What I REALLY WOULD LIKE TO ASK IS ABOUT THE CODING OF THE SOURCE CODE IN E-MAILS

Can it be trapped?

My apologies if I cannot explain it better

Well, let us ask the entire list if there are valid reasons that people would send an IP in a URL. I tested this for 2 months and didn't have a single legitimate e-mail like this. We did have people sending IP addresses, but not as a url. For example: My server IP is 156.23.140.10. Not one case had someone say my website is http://[insert ip here]

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, March 19, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers

I am not sure if my request here is being understood.

I would not want to mark all messages with an IP in the url as spam. Only those messages that use %nnn%nnn%nnn etc. When you view source of an html message you can see this kind of coding.

As in this case: //205.159.%372.%32%30/mort/

We always do a view source and take the url out of the source and then blacklist that, for those messages that were not caught by anti-spam at the time.

I do not know what that process is called and have only ever seen it in source code of certain spam e-mail

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W.
Kitchener, ON N2M 1L2
519-741-1222

Did you know we offer:
- Province wide dial-up and high speed internet access
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Friday, March 19, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers

We created an Imail rule to block these. Here is what we use:

(http\://\d\d\.|http\://\d\d\d\.):spambox

This seems to work very well.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, March 19, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Detecting disguised url's in headers

IE this url: //205.159.%372.%32%30/mort/

obviously gets translated and I could do so also. It would take a lot of extra time.

I copy the url out of headers of spam that gets through and put it into my filter file.

These are bothersome however.

Is there a way that we could just mark these kind of mails as spam? I think it would be just spammers that do this.

thanks

Harry Vanderzand
inTown Internet Computer Services

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
Re: [Declude.JunkMail] SPFPASS (Junk)
I have to agree with Matt. I am starting to see quite a few spam messages from the same spammer that has now implemented SPF for the following three domains:

yfdvdsmail.com
freefamilydeals.com
americanfamilydeals.com

I primarily now use SPF for adding negative weight for SPF fails.

Bill

----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 12:25 PM
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

So zombie spammers forge Habeas, and ROKSO spammers give themselves SPF records. Not a surprise. You can't stop them from doing this, so I might suggest not crediting any points to those that pass.

Matt

Frederick Samarelli wrote:

This is the offending header.

Received: from mail13.americanfamilydeals.com ([69.56.11.46]) by DNS2.tcbinc.net (SAVSMTP 3.1.3.37) with SMTP id M2004031909522726515 for mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]; Fri, 19 Mar 2004 09:52:29 -0500
Message-ID: mailto:[EMAIL PROTECTED] als.com [EMAIL PROTECTED]
Date: Fri, 19 Mar 2004 08:52:30 -0600 (CST)
From: Point.com mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
Reply-To: American Family Deals mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
To: Nancy Gladwell mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: [~23]Cell Phone, Accessories Shipping at NO Cost
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_1277094_8887513.1079707950959
X-nb: zspttavsabivfviftpfnfnnn maifvvbmwpmfifmpa pmfwstssn
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. [2-3-1800]
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 63. [2-6-3000]
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. [2-17-8800]
X-RBL-Warning: MAILPOLICE-BULK: This E-mail came from mxllvniqnx.americanfamilydeals.com, a potential spam source listed in MAILPOLICE-BULK. [2-26-d000]
X-RBL-Warning: SBL-XBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9613; http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9613 [2-33-10800]
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 426, weight 3) [2-57-1c800]
X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [69.56.11.46]
X-Declude-Spoolname: D09300e8a005e2c5b.SMD
X-RBL-Warning: Total weight: 23
X-Note: Sent from: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: mail13.americanfamilydeals.com ([69.56.11.46]).
X-Note: This E-mail was scanned by TCB [1.78i21] for virus.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

This message contains an HTML formatted message but your email client does = not support the display of HTML. Please view this message in a different ma= il client or forward this email to a web-based mail system.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

----- Original Message -----
From: R. Scott Perry mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
To: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 11:46 AM
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

What do we do when we find Junkmail passing the SPF Test. Is there a place to report it.

It should be treated the same way as regular spam that you would report, but there is a big exception here: you can almost certainly find someone responsible that allowed the spam through.

If you have the headers, feel free to post them here.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] SPFPASS (Junk)
I am against subtracting points from an email based on an external test. We only add weight unless we are counterweighting a known issue with valid email.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
Sent: Friday, March 19, 2004 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

I have to agree with Matt. I am starting to see quite a few spam messages from the same spammer that has now implemented SPF for the following three domains:

yfdvdsmail.com
freefamilydeals.com
americanfamilydeals.com

I primarily now use SPF for adding negative weight for SPF fails.

Bill
Re[2]: [Declude.JunkMail] SPFPASS (Junk)
As noted in the last 2 weeks, current wisdom is to add points to those senders that trigger a SPFFAIL, and that rewarding a SPFPASS or SPFUNKNOWN will reveal no joy.

I've never done anything but penalize SPF FAIL. It's pretty common knowledge, as you say.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
RE: [Declude.JunkMail] Detecting disguised url's in headers
Watch out for this rule. There will be false positives. We've tried it long ago in sniffer. It turns out that there are quite a few legit messages sent with numbered links in them... so now we only code rules for specific numbered links (or stubs of them anyway).

You might try rules for partially encrypted numbered links (we've been adding these for a while). That is... look for a numbered link where a % is contained in any one of the octets. There's no good reason to encode part of a numbered link except to obfuscate it... our corpus shows this is pretty safe too.

hope this helps,
_M

At 01:40 PM 3/19/2004, you wrote:

We created an Imail rule to block these. Here is what we use:

(http\://\d\d\.|http\://\d\d\d\.):spambox

This seems to work very well.

Jason
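The narrower check suggested in the reply above (a numbered link with a % escape in its host), run next to the broad IMail rule quoted in the thread, as an added Python example that is not code from any poster or from Declude, IMail or Sniffer. The function names, the Python transcription of the rule and the sample lines are assumptions constructed here, and the check is generalized to any %-escape in the host of a numbered link.

```python
import re
from urllib.parse import unquote

# Host part of an http(s) or scheme-relative link, up to the first delimiter.
LINK_RE = re.compile(r'(?:https?:)?//([^/\s"\'<>]+)', re.IGNORECASE)
PCT_RE = re.compile(r'%[0-9A-Fa-f]{2}')
QUAD_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
# Python transcription (an assumption) of the broad IMail rule in the thread.
BROAD_RULE = re.compile(r'http://\d\d\.|http://\d\d\d\.')


def classify_host(raw_host):
    """Return (verdict, decoded_host) for the host part of a link."""
    host = raw_host.rsplit('@', 1)[-1].split(':', 1)[0]  # drop userinfo, port
    decoded = unquote(host)
    is_quad = (QUAD_RE.fullmatch(decoded) is not None
               and all(int(o) <= 255 for o in decoded.split('.')))
    if not is_quad:
        return 'other', decoded
    if PCT_RE.search(host):
        return 'obfuscated-ip', decoded  # %-escape hidden in a numbered link
    return 'plain-ip', decoded           # numbered link, nothing hidden


def scan(text):
    """Classify every link host found in a message body."""
    return [(m.group(1),) + classify_host(m.group(1))
            for m in LINK_RE.finditer(text)]


# Constructed sample lines. The first URL is the one quoted in the thread
# (http: scheme assumed); 192.0.2.10 is a documentation-range address.
SAMPLES = [
    '<a href="http://205.159.%372.%32%30/mort/">click</a>',
    'My server IP is 156.23.140.10.',
    '<img src="http://192.0.2.10/logo.gif">',
    '<img src="http://www.example.com/a%20b.gif">',
]

if __name__ == '__main__':
    for line in SAMPLES:
        broad = bool(BROAD_RULE.search(line))
        print(f'broad_rule={broad!s:5} {scan(line)}  <- {line}')
```

The broad rule fires on both numbered links, including the unobfuscated one, while only the partially encoded host is classed as obfuscated; a percent escape in the path of an ordinary hostname link is ignored.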