RE: [Declude.JunkMail] Verizon
Checking that IP at http://openrbl.org shows that SORBS-HTTP is listing that last hop, which looks like Verizon Wireless. It's been all too common for ip4r lists to nominate smtp and webmail based servers due to spam or worse, viruses being sent through them by infected clients. CBL has also chimed in, presumably because SORBS has listed that IP. DSBL no longer lists that IP.

As for the SPAMHEADERS test, you can check the returned code at http://www.declude.com/tools/ which says that the message is missing the MESSAGE-ID: header, which from this list I understand to be a failing of MS Outlook, which does appear listed in the headers.

As for what to do about it, you could give SPAMHEADERS and SORBS-HTTP lower weights, or you could put in a counterweight for any mail coming from 66.174.6.205 if you generally trust mail from that service.

Andrew 8)

-----Original Message-----
From: Mike Barnett [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 3:46 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Verizon

Is anyone having problems with Verizon? Here is the header from one of my messages...

Received: from D6SR0641 [66.174.6.205] by mail.internetcrusade.net with ESMTP (SMTPD32-8.02) id AA79ECC006A; Sat, 20 Mar 2004 03:26:49 -0800
Received: from (166.155.59.200) by (66.174.6.205); 20 Mar 2004 10:48:08+
From: Mike Barnett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SPAM Warning: High] Let me know
Date: Sat, 20 Mar 2004 03:20:24 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcQObIrN4vUe8amvRFmLBn/hbzDPwg==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: DSBL: http://dsbl.org/listing?ip=66.174.6.205
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-RBL-Warning: WEIGHT10: Weight of 20 reaches or exceeds the limit of 10.
X-RBL-Warning: WEIGHT20: Weight of 20 reaches or exceeds the limit of 20.
X-Declude-Sender: [EMAIL PROTECTED] [66.174.6.205]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: CBL, DSBL, SORBS-HTTP, IPNOTINMX, SPAMHEADERS, WEIGHT10, WEIGHT20 [20]
X-RCPT-TO: [EMAIL PROTECTED]

Thx
MB

Mike Barnett CRS, e-PRO, GRI
VP Technology, InternetCrusade
http://InternetCrusade.com
MailTo:[EMAIL PROTECTED]
619-283-7302 Press 0 and ask Operator to find me ;-)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
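The checks Andrew did by hand (which IP is the last hop, whether Message-ID: is present, which tests Declude recorded) can be pulled out of the headers mechanically. The script below is an added example written for this thread, not Declude's code; the sample message is constructed from the header lines quoted above, with placeholder addresses and Message-ID: deliberately omitted so it reproduces the SPAMHEADERS finding.

```python
"""Extract from a Declude-stamped message: the last-hop IP (the host that
handed the mail to our server, which is what ip4r lists such as SORBS-HTTP
and CBL are keyed on), whether Message-ID: is present, and which tests
Declude recorded as failed. Example code for this thread, not Declude's own."""
import email
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample built from the header lines quoted in the post above.
# Addresses are placeholders; Message-ID: is left out on purpose to match
# what the SPAMHEADERS code [420e] was decoded as.
SAMPLE = """\
Received: from D6SR0641 [66.174.6.205] by mail.internetcrusade.net with ESMTP (SMTPD32-8.02) id AA79ECC006A; Sat, 20 Mar 2004 03:26:49 -0800
Received: from (166.155.59.200) by (66.174.6.205); 20 Mar 2004 10:48:08+
From: Mike Barnett <sender@example.com>
To: recipient@example.com
Subject: [SPAM Warning: High] Let me know
Date: Sat, 20 Mar 2004 03:20:24 -0800
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-Spam-Tests-Failed: CBL, DSBL, SORBS-HTTP, IPNOTINMX, SPAMHEADERS, WEIGHT10, WEIGHT20 [20]

(body omitted)
"""


def parse(raw):
    return email.message_from_string(raw)


def received_hops(msg):
    """IP named in the 'from' part of each Received: header, newest first.
    Every MTA prepends its own Received:, so index 0 is the hop our server saw."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr.replace("\n", " "))
        if m:
            hops.append(m.group(1))
    return hops


def last_hop_ip(msg):
    hops = received_hops(msg)
    return hops[0] if hops else None


def missing_message_id(msg):
    # Header lookup is case-insensitive, so Message-Id: and Message-ID: both count.
    return msg.get("Message-ID") is None


def failed_tests(msg):
    """Split X-Spam-Tests-Failed into (test names, total weight):
    'CBL, DSBL [20]' -> (['CBL', 'DSBL'], 20). WEIGHTnn entries are Declude's
    own threshold results rather than lookups, so they are dropped."""
    value = msg.get("X-Spam-Tests-Failed", "")
    m = re.search(r"\[(\d+)\]\s*$", value)
    total = int(m.group(1)) if m else 0
    names_part = value[:m.start()] if m else value
    names = [t.strip() for t in names_part.split(",") if t.strip()]
    return [n for n in names if not n.startswith("WEIGHT")], total


def triage(raw):
    msg = parse(raw)
    tests, total = failed_tests(msg)
    return {
        "last_hop": last_hop_ip(msg),
        "hops": received_hops(msg),
        "missing_message_id": missing_message_id(msg),
        "x_mailer": msg.get("X-Mailer"),
        "tests": tests,
        "total_weight": total,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key:>20}: {val}")
```

The last-hop IP is the one to look up on openrbl.org or to give a counterweight; the earlier hop (166.155.59.200) is only what the relay claims and should not be trusted for list lookups.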
RE: [Declude.JunkMail] SPFPASS (Junk)
SPF does not prevent SPAM, only spoofing - which in turn can reduce spam. I don't even run the SPFPASS test because I think it's quite pointless. If I receive an SPFFAIL on the other hand I block the email straight away - don't even bother weighting it.

If a spammer adds SPF to their own domain, when you know it's a spammer's domain you can blacklist it. That makes them easier to blacklist before they go buy another domain. And you would only be blacklisting the domain, not an ISP with many other innocent users.

-----Original Message-----
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]
Sent: 19 March 2004 20:49
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] SPFPASS (Junk)

Makes perfect sense to me. Everyone, including ROKSO spammers, can benefit from implementing SPF defensively, resulting in a valid SPFPASS. And *their* doing so dilutes the incentive for antispammers to reward those who implement SPF defensively, which in turn dilutes SPF.

As noted in the last 2 weeks, current wisdom is to add points to those senders that trigger a SPFFAIL, and that rewarding a SPFPASS or SPFUNKNOWN will reveal no joy.

Andrew 8)

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

So zombie spammers forge Habeas, and ROKSO spammers give themselves SPF records. Not a surprise. You can't stop them from doing this, so I might suggest not crediting any points to those that pass.

Matt

Frederick Samarelli wrote:

This is the offending header.

Received: from mail13.americanfamilydeals.com ([69.56.11.46]) by DNS2.tcbinc.net (SAVSMTP 3.1.3.37) with SMTP id M2004031909522726515 for [EMAIL PROTECTED]; Fri, 19 Mar 2004 09:52:29 -0500
Message-ID: [EMAIL PROTECTED]
Date: Fri, 19 Mar 2004 08:52:30 -0600 (CST)
From: Point.com [EMAIL PROTECTED]
Reply-To: American Family Deals [EMAIL PROTECTED]
To: Nancy Gladwell [EMAIL PROTECTED]
Subject: [~23]Cell Phone, Accessories Shipping at NO Cost
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_1277094_8887513.1079707950959
X-nb: zspttavsabivfviftpfnfnnn maifvvbmwpmfifmpa pmfwstssn
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected. [2-3-1800]
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 63. [2-6-3000]
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. [2-17-8800]
X-RBL-Warning: MAILPOLICE-BULK: This E-mail came from mxllvniqnx.americanfamilydeals.com, a potential spam source listed in MAILPOLICE-BULK. [2-26-d000]
X-RBL-Warning: SBL-XBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9613; [2-33-10800]
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 426, weight 3) [2-57-1c800]
X-Declude-Sender: [EMAIL PROTECTED] [69.56.11.46]
X-Declude-Spoolname: D09300e8a005e2c5b.SMD
X-RBL-Warning: Total weight: 23
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: mail13.americanfamilydeals.com ([69.56.11.46]).
X-Note: This E-mail was scanned by TCB [1.78i21] for virus.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

This message contains an HTML formatted message but your email client does =
not support the display of HTML. Please view this message in a different ma=
il client or forward this email to a web-based mail system.

--=_Part_1277094_8887513.1079707950959
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 11:46 AM
Subject: Re: [Declude.JunkMail] SPFPASS (Junk)

> What do we do when we find Junkmail passing the SPF Test? Is there a place to report it?

It should be treated the same way as regular spam that you would report, but there is a big exception here: you can almost certainly find someone responsible that allowed the spam through. If you have the headers, feel free to post them here.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
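Both this thread and the Verizon thread above come down to weighting policy: SPFFAIL is blocked outright, SPFPASS and SPFUNKNOWN earn no credit, and a relay you trust can carry a counterweight. The script below is an added example written for this archive, not Declude's code or configuration: the per-test weights and the -10 counterweight are constructed, the two failed-test lists are taken from the headers posted in these two threads, and the last call shows what happens to the americanfamilydeals.com message if SPFPASS were rewarded with negative points.

```python
"""Weighting policy for Declude-style test results as this thread settles
on it: SPFFAIL blocks with no weighting, SPFPASS/SPFUNKNOWN earn nothing,
every other failed test adds weight, and a trusted relay can carry a
negative counterweight. Example code for this thread; weights are constructed."""

WEIGHTS = {
    # blocklist / header tests seen in the two messages posted in this archive
    "CBL": 5, "DSBL": 5, "SORBS-HTTP": 3, "IPNOTINMX": 2, "SPAMHEADERS": 3,
    "NOLEGITCONTENT": 3, "SNIFFER": 6, "MAILPOLICE-BULK": 4, "SBL-XBL": 7,
    "GIBBERISH": 3,
    # SPF: a pass only proves the sending host is authorised for the domain;
    # a ROKSO spammer can publish a record for its own domain just as well.
    "SPFPASS": 0,
    "SPFUNKNOWN": 0,
}
HOLD_LIMIT = 10     # WEIGHT10 threshold: hold / tag
DELETE_LIMIT = 20   # WEIGHT20 threshold: delete
# Constructed: a counterweight for the relay the Verizon thread suggests trusting.
COUNTERWEIGHTS = {"66.174.6.205": -10}

# Failed-test lists from the X-Spam-Tests-Failed / X-RBL-Warning lines quoted
# in this archive (WEIGHTnn results removed: they are outputs, not inputs).
VERIZON_TESTS = ["CBL", "DSBL", "SORBS-HTTP", "IPNOTINMX", "SPAMHEADERS"]
SPF_SPAM_TESTS = ["NOLEGITCONTENT", "SNIFFER", "SPFPASS",
                  "MAILPOLICE-BULK", "SBL-XBL", "GIBBERISH"]


def score(tests, sender_ip=None, weights=WEIGHTS, counterweights=COUNTERWEIGHTS):
    """Return (total weight, action). SPFFAIL short-circuits to 'block'
    with total None, as the first poster does (no weighting at all)."""
    if "SPFFAIL" in tests:
        return None, "block"
    total = sum(weights.get(t, 0) for t in tests if not t.startswith("WEIGHT"))
    total += counterweights.get(sender_ip, 0)
    if total >= DELETE_LIMIT:
        return total, "delete"
    if total >= HOLD_LIMIT:
        return total, "hold"
    return total, "deliver"


if __name__ == "__main__":
    print("Verizon relay, no counterweight:", score(VERIZON_TESTS, "198.51.100.7"))
    print("Verizon relay, counterweighted: ", score(VERIZON_TESTS, "66.174.6.205"))
    print("SPF-passing spam:               ", score(SPF_SPAM_TESTS, "69.56.11.46"))
    print("same, SPFPASS rewarded with -15:",
          score(SPF_SPAM_TESTS, "69.56.11.46", weights={**WEIGHTS, "SPFPASS": -15}))
    print("SPFFAIL:                        ", score(["SPFFAIL", "CBL"], "198.51.100.7"))
```

With SPFPASS at zero the spam still scores 23 and is deleted on the other tests alone; rewarding SPFPASS with -15 drops it to 8 and delivers it, which is the dilution Andrew and Matt describe.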
[Declude.JunkMail] BlackIce
Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
RE: [Declude.JunkMail] BlackIce
Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred

[AUTOMATED NOTE: Your mail server [209.184.248.29] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] BlackIce
We had a single Colo'd server fall ill to this vulnerability on Friday night. It wasn't a pretty sight to say the least.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Wiegers
Sent: Sunday, March 21, 2004 6:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] BlackIce

Thanks for the heads up on this. Unless you have updated your BlackICE in the last week you are at risk.

http://xforce.iss.net/xforce/alerts/id/166
http://www.eeye.com/html/Research/Advisories/AD20040318.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Sunday, March 21, 2004 5:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] BlackIce

Warning for anyone using BlackIce. We were hit by a destructive worm.

http://www.washingtonpost.com/wp-dyn/articles/A11310-2004Mar20.html

Destroyed most of our servers. We are in the process of recovering from backups.

Fred
Re[2]: [Declude.JunkMail] Block on HELO
> The HELO is often passed intact from the client to the destination.

That is not true. The only reason that checks like HELOBOGUS (and equivalent checks in other anti-spam packages) can be conducted against unauthenticated sessions is that malware and crooked MTAs often do not obey SMTP and DNS best practices when connecting to your server. If ANY software, including commercial MUAs on far-remote machines, might result in a useless HELO all the way through to the destination, these checks (long-standing and long-understood to have validity) would have long fallen by the wayside. An end user's HELO, which is usually not a valid public FQDN, would only be passed intact by joke MTAs which I'd be delighted to block.

Invalid HELOs from your own end users are another situation, one best dealt with using WHITELIST AUTH, or with WHITELIST IP if necessary, as noted by others.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
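What a HELOBOGUS-style test actually looks at is whether the HELO/EHLO argument of an unauthenticated session is a syntactically valid public FQDN or an address literal, with authenticated sessions and whitelisted IPs exempted (the WHITELIST AUTH / WHITELIST IP arrangement for your own end users). The script below is an added example written for this thread, not Declude's implementation: the whitelist entry is constructed, the session samples are constructed (the bare machine name D6SR0641 and the other hostnames are taken from headers seen earlier in this archive), and the DNS lookup a full check would do next is deliberately left out so it runs offline.

```python
"""HELOBOGUS-style syntax check of the HELO/EHLO argument for unauthenticated
sessions. Valid forms (RFC 5321 sections 4.1.1.1 and 4.1.3): a fully
qualified domain name, or an address literal such as [192.0.2.1] or
[IPv6:2001:db8::1]. Authenticated and IP-whitelisted sessions skip the test.
Example code for this thread, not Declude's own; whitelist is constructed."""
import ipaddress
import re

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
WHITELIST_IP = {"192.0.2.10"}   # constructed: e.g. a webmail box on our LAN


def is_fqdn(name):
    """Two or more dotted labels, each a valid label, alphabetic TLD, at most
    253 characters overall. A bare Windows machine name or a dotted-quad IP
    without brackets both fail here."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def is_address_literal(arg):
    """'[192.0.2.1]' or '[IPv6:2001:db8::1]'; the brackets are mandatory."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    inner = arg[1:-1]
    try:
        if inner.lower().startswith("ipv6:"):
            ipaddress.IPv6Address(inner[5:])
        else:
            ipaddress.IPv4Address(inner)
        return True
    except ValueError:
        return False


def helo_verdict(helo, client_ip, authenticated=False, whitelist_ip=WHITELIST_IP):
    """'skip:auth' / 'skip:ip' when the session is exempt from the test,
    otherwise 'ok' for a well-formed HELO and 'bogus' for anything else."""
    if authenticated:
        return "skip:auth"
    if client_ip in whitelist_ip:
        return "skip:ip"
    if is_address_literal(helo) or is_fqdn(helo):
        return "ok"
    return "bogus"


if __name__ == "__main__":
    # constructed session samples
    sessions = [
        ("mail13.americanfamilydeals.com", "69.56.11.46", False),
        ("D6SR0641", "66.174.6.205", False),
        ("D6SR0641", "66.174.6.205", True),
        ("[66.174.6.205]", "66.174.6.205", False),
        ("66.174.6.205", "66.174.6.205", False),
    ]
    for helo, ip, auth in sessions:
        print(f"{helo:32} from {ip:15} auth={auth!s:5} -> {helo_verdict(helo, ip, auth)}")
```

The exemptions come first on purpose: a roaming user's Outlook submitting over an authenticated session will present its machine name as HELO, and that session is whitelisted before the syntax test ever runs, which is exactly the split Sandy describes between end users and unauthenticated MTAs.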