RE: [Declude.JunkMail] ALERT BOUNCE

2004-04-18 Thread R. Scott Perry

 http://www.declude.com/relnotes.htm

Is this the permanent link for the release notes?
Yes.

Currently it is pointing at the 1.78 notes. Are there notes for 1.79?
They will be back up soon.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] SURBL filter script 1.2

2004-04-18 Thread Roger Eriksson
The SURBL filter script has been updated again and now includes:
- a maxweight variable that sets both MAXWEIGHT and the weight of 
individual entries (so that filter processing stops at the first 
match)
- an exclusion file where domains and ip addresses that should be 
excluded from the filter can be added

The updated script can be downloaded at 
http://www.botany.gu.se/download/decludescript/SURBL_filter.zip.

/Roger


Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Bud Durland wrote:

I am testing a small external test program.  A message fails the test 
if there is a discernable IP address in the HELO entry of the message.


The new test is available for download from http://bud.thedurlands.com.

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



RE: [Declude.JunkMail] New test

2004-04-18 Thread Andy Schmidt
Hm - isn't that already covered in the HELOBOGUS test?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 07:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test
 if there is a discernable IP address in the HELO entry of the message.


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.




Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Andy Schmidt wrote:

Hm - isn't that already covered in the HELOBOGUS test?
 

Not really:

 Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

morden-res-206-45-166-10.mts.net is a valid host name that will not 
trip HELOBOGUS, but will trip HELOISIP.

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Bud,

Is this the proper format for the config file? :

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test
 if there is a discernable IP address in the HELO entry of the
message.  


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]



RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Thanks Bill.  All I can say is WOW.  This test seems to be working very
very well.  It is snagging tons of stuff.

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, April 18, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud's documentation says it should be set up as a nonzero test, for
example:

HELOISIP external nonzero C:\imail\declude\heloisip\heloisip.exe 10 0

rather than a weight test.

Bill
- Original Message - 
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 5:59 PM
Subject: RE: [Declude.JunkMail] New test


Bud,

Is this the proper format for the config file? :

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test 
 if there is a discernable IP address in the HELO entry of the
message.


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.




Re: [Declude.JunkMail] New test

2004-04-18 Thread Glenn Brooks
I get an unknown filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this path would point to the exe file

is this not correct?

At 02:00 AM 4/19/2004 +, you wrote:
any chance to get the source code ?
Thanks
- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test
 Andy Schmidt wrote:

 Hm - isn't that already covered in the HELOBOGUS test?
 
 

 Not really:

   Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

 morden-res-206-45-166-10.mts.net is a valid host name that will not
 trip HELOBOGUS, but will trip HELOISIP.


 --
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 



Re: [Declude.JunkMail] New test

2004-04-18 Thread serge
any chance to get the source code ?
Thanks

- Original Message - 
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test


 Andy Schmidt wrote:

 Hm - isn't that already covered in the HELOBOGUS test?
 
 

 Not really:

   Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

 morden-res-206-45-166-10.mts.net is a valid host name that will not
 trip HELOBOGUS, but will trip HELOISIP.


 -- 
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 



Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Glenn Brooks wrote:

I get an unknown filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this path would point to the exe file

is this not correct?


It is not a filter; it is an external non-zero test.  Your GLOBAL.CFG 
file entry would look something like this:

HELOISIPX external nonzero C:\IMail\Declude\HELOISIP\HELOISIPX.EXE 5 0

This line adds 5 points to the overall weight of the message if it fails.

Hope that helps

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Jason wrote:

Thanks Bill.  All I can say is WOW.  This test seems to be working very
very well.  It is snagging tons of stuff.
 

The question is, is it generating false positives?  I hope not; the FP 
ratio here is very, very low, but I realize everyone's traffic pattern 
is different.  While testing, I had it set to 0 weight, and a HOLD 
action.  That let me review what it caught and determine the appropriate 
weight value. YMMV

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



[Declude.JunkMail] SpamDomain question

2004-04-18 Thread serge
Scott, where did spamdomain test get the Address of [EMAIL PROTECTED] ?
Also, for matt, how can we make your dynamic test detect this type of
dynamicIP in the helo and/or revdns ?


Received: from Dynamic-IP-cr20011850137.cable.net.co [200.118.50.137] by
mail.cefib.com
  (SMTPD32-8.05) id ADD4CF200D4; Mon, 19 Apr 2004 01:39:32 +
Received: from rwsuvw (c10-386-593.ftw.prodigy.net [207.24.184.179])
 by pop-2.qdw.att.net (8.12.8/8.12.8) with ESMTP id x3N5J5NM542104
 for [EMAIL PROTECTED]; Sun, 18 Apr 2004 21:39:31 -0500
Message-ID: [EMAIL PROTECTED]
Reply-To: Hattie Forrest [EMAIL PROTECTED]
From: Hattie Forrest [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SpamIndex=33]Re: Card Declined, dasm app
Date: Sun, 18 Apr 2004 21:39:31 -0500
Organization: barbiturate
MIME-Version: 1.0
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-RBL-Warning: CBL: Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=200.118.50.137;
X-RBL-Warning: SPAMCOP: Blocked - see
http://www.spamcop.net/bl.shtml?200.118.50.137;
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent
with spam [210f].
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'att.' found: Address of
[EMAIL PROTECTED] sent from invalid dynamic-ip-cr20011850137.cable.net.co.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: Failed Foreign Filter
X-RBL-Warning: FIVETEN-SPAM: 137.50.118.200.blackholes.five-ten-sg.com.




RE: [Declude.JunkMail] New test

2004-04-18 Thread Andy Schmidt
I'm trying to figure out WHY spammers would bother to include dial-up
reverse DNS as HELO string?

And if so, why not just check the reverse DNS?  And, how much does this test
overlap with existing dynamic host/dial up blacklists?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



Re: [Declude.JunkMail] New test

2004-04-18 Thread Matt
Andy,

This is almost completely a zombie spammer thing.  Just like they need 
to create a valid Mail From, they also need to create a HELO, and 
hopefully one that is valid, though of course not many ISP's will enter 
both A records and reverse DNS entries for this type of address.  The 
predominance with zombie spammers is to use one of three things:

   - The reverse DNS entry of the hijacked computer
   - The domain name of the recipient
   - The IP address

There are unfortunately some pieces of software that will generate the 
HELO dynamically, and a fair number of Windows computers with similar 
computer naming conventions which might be relaying E-mail from Web 
sites and other software.  These same computers are also highly likely 
to also fail HELOBOGUS when they false positive.

Matt



Andy Schmidt wrote:

I'm trying to figure out WHY spammers would bother to include dial-up
reverse DNS as HELO string?
And if so, why not just check the reverse DNS?  And, how much does this test
overlap with existing dynamic host/dial up blacklists?
Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-18 Thread serge
Here is one FP
Where's the IP ?

Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by
mail.cefib.com with ESMTP

- Original Message - 
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 2:43 AM
Subject: Re: [Declude.JunkMail] New test


 Jason wrote:

 Thanks Bill.  All I can say is WOW.  This test seems to be working very
 very well.  It is snagging tons of stuff.
 
 
 

 The question is, is it generating false positives?  I hope not; the FP
 ratio here is very, very low, but I realize everyone's traffic pattern
 is different.  While testing, I had it set to 0 weight, and a HOLD
 action.  That let me review what it caught and determine the appropriate
 weight value. YMMV

 -- 
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 



Re: [Declude.JunkMail] SpamDomain question

2004-04-18 Thread Matt
Serge,

I'll answer both questions.

The From: address listed in the headers is only cosmetic.  Declude tests 
these things based on the MAILFROM address.  You can insert a line in 
your headers by placing the following code in your Global.CFG

   XSENDER ON

As far as the DYNAMIC test detecting the REVDNS of this type, you can 
insert a line in the REVDNS Markers for Dynamic Ranges of ISP's 
section that says:

   REVDNS 2 STARTSWITH dynamic

As far as the HELO goes, Bob's new test can take care of this, but if 
you wanted to do it in Declude using a filter, you could take my DYNAMIC 
filter, delete all of the counterbalances, and then change all of the 
lines remaining from REVDNS to HELO.

Matt



serge wrote:

Scott, where did spamdomain test get the Address of [EMAIL PROTECTED] ?
Also, for matt, how can we make your dynamic test detect this type of
dynamicIP in the helo and/or revdns ?
Received: from Dynamic-IP-cr20011850137.cable.net.co [200.118.50.137] by
mail.cefib.com
 (SMTPD32-8.05) id ADD4CF200D4; Mon, 19 Apr 2004 01:39:32 +
Received: from rwsuvw (c10-386-593.ftw.prodigy.net [207.24.184.179])
by pop-2.qdw.att.net (8.12.8/8.12.8) with ESMTP id x3N5J5NM542104
for [EMAIL PROTECTED]; Sun, 18 Apr 2004 21:39:31 -0500
Message-ID: [EMAIL PROTECTED]
Reply-To: Hattie Forrest [EMAIL PROTECTED]
From: Hattie Forrest [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SpamIndex=33]Re: Card Declined, dasm app
Date: Sun, 18 Apr 2004 21:39:31 -0500
Organization: barbiturate
MIME-Version: 1.0
Content-Type: text/html;
   charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-RBL-Warning: CBL: Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=200.118.50.137;
X-RBL-Warning: SPAMCOP: Blocked - see
http://www.spamcop.net/bl.shtml?200.118.50.137;
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent
with spam [210f].
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'att.' found: Address of
[EMAIL PROTECTED] sent from invalid dynamic-ip-cr20011850137.cable.net.co.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: Failed Foreign Filter
X-RBL-Warning: FIVETEN-SPAM: 137.50.118.200.blackholes.five-ten-sg.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-18 Thread Matt
Bud,

I have a few suggestions that you might want to consider.

The first one would be to skip processing of the message and just have 
Declude pass off the HELO as an argument to your script.  This can be 
done with %HELO%.  This will speed processing and ensure that the HELO 
comes in the proper context.  Declude can be configured for IPBYPASS 
settings which are used to skip over gateway mail servers and forwarding 
servers so that you have the HELO of the computer that is actually 
sending the E-mail.

Combining both of your tests into one program instead of two would also 
be useful.  You can use any code over 10 for this.  Declude also will 
only call the script once if the command is the same, and it will 
determine which test would be failed based on the result code that is 
returned.

The last thing that I'm not very clear about is the logic of the 
detection.  I have a custom filter called DYNAMIC listed in the beta 
section of my site 
(http://www.mailpure.com/software/decludefilters/beta/) that does 
something similar for reverse DNS entries.  I found from testing and 
according to the capabilities of the environment that using values below 
20, i.e. -20- or .20., would produce false positives similar to the one 
that Serge just pointed out.  It's extremely unlikely that you would 
miss detecting a zombie using the reverse DNS entry as the HELO if you 
ignored hits below 20 because there aren't many ISP class A's in use 
below that level (I think just IBM), and you have 4 chances to hit a 
number above 20.

The pattern that you identified is of course a very nice addition to 
spam fighting.  Thanks!

Matt



Bud Durland wrote:

Bud Durland wrote:

I am testing a small external test program.  A message fails the test 
if there is a discernable IP address in the HELO entry of the message.


The new test is available for download from http://bud.thedurlands.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
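
The HELO check discussed in this thread, as an added example (not Bud's HELOISIP program, whose logic is not shown on this page). It assumes the connecting IP is available next to the HELO, as in the IMail Received lines quoted above, and applies Matt's floor of 20 to lone-octet matches; the function names and the "full"/"partial" labels are hypothetical.

```python
import re

# Received lines quoted in this thread (IMail format: HELO name, [connecting IP]).
SAMPLES = [
    "Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]",
    "Received: from Dynamic-IP-cr20011850137.cable.net.co [200.118.50.137] by mail.cefib.com",
    "Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by mail.cefib.com with ESMTP",
]

RECEIVED_RE = re.compile(r"^Received: from (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return (helo, ip) from an IMail-style Received line, or None."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, ip = m.group(1), m.group(2)
    if any(int(o) > 255 for o in ip.split(".")):
        return None  # not a valid IPv4 address
    return helo.lower(), ip


def helo_embeds_ip(helo, ip, floor=20):
    """Classify how the connecting IP shows up inside the HELO name.

    "full"    - all four octets are present, delimited or run together,
                forward or reversed
    "partial" - at least one octet >= floor appears as a separate number
    None      - no trace of the IP in the HELO
    """
    octets = [str(int(o)) for o in ip.split(".")]
    runs = re.findall(r"\d+", helo)           # every run of digits in the name
    values = [str(int(r)) for r in runs]      # strip zero padding: "045" -> "45"

    for order in (octets, octets[::-1]):
        # Delimited form (206-45-166-10 or a bare IP): four consecutive runs.
        for i in range(len(values) - 3):
            if values[i:i + 4] == order:
                return "full"
        # Run-together form. The zero-padded variant is always 12 digits;
        # the plain variant is only trusted when it is at least 8 digits
        # long (an assumed cut-off to avoid chance hits such as "host1234").
        joined = ["".join(o.zfill(3) for o in order)]
        if len("".join(order)) >= 8:
            joined.append("".join(order))
        if any(j in r for j in joined for r in runs):
            return "full"

    # Loose match on a single octet. Small numbers collide with ordinary
    # host numbering (mta1, c10), which is what the floor is for.
    if any(int(o) >= floor and o in values for o in octets):
        return "partial"
    return None


if __name__ == "__main__":
    for line in SAMPLES:
        helo, ip = parse_received(line)
        print(f"{helo:45} {ip:16} floor=20: {helo_embeds_ip(helo, ip)!s:8}"
              f" floor=0: {helo_embeds_ip(helo, ip, floor=0)}")
```

With the floor at 0 the cnet.com HELO that Serge reported matches on the lone octet 1; with the floor at 20 it does not, while both dynamic-range HELOs still match in full.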


Re[2]: [Declude.JunkMail] Mark vs Hold vs Delete

2004-04-18 Thread Sanford Whiteman
 A  domain  with  a  lot  of 40+ year old women that love deal sites,
 newsletters,  greeting  cards  and  ecommerce  though  can be a huge
 headache...

Is it necessary to use such a sexist and ageist profile?

And  is  this  _really_  the  only  notable  demographic  giving you a
disproportionate support headache?

And, finally, let's not forget what a wonderful job some young bucks
did blowing hot air into the bubble--with ideas that only the Internet
Generation could understand.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



Re: [Declude.JunkMail] New test

2004-04-18 Thread Sanford Whiteman
 I am testing a small external test program. A message fails the test
 if  there  is  a  discernable  IP  address in the HELO entry of the
 message...

Just  a  little  note here: while this test is surely valuable and its
development  much  appreciated,  I  think  creating a slew of external
Declude helpers is suboptimal--for desktop heap overhead, if nothing
else--when  many  of the tests could be wrapped by SpamAssassin custom
rules  and  run  all at once using SPAMC32. Remember that SpamAssassin
has  full  Perl  regular  expression  support and allows for auxiliary
rules  to  be  contributed via any number of external files (each rule
with its own weight, at that).

If  the  community  concentrated  on  contributing  SA  rulesets, test
development time could be sliced down to nearly zero. Now, I know that
for  some  of you, this might seem vaguely treasonous--if you think of
Declude  and SA as rivals. We don't run SA without Declude, though, so
I see it as more of a parent-child relationship.

Anyway, it's just an idea.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



RE: [Declude.JunkMail] New test

2004-04-18 Thread Colbeck, Andrew
Anybody already using a handy way to record the HELO in the decMMDD.log
file?

I'd like to save the step of going to my sysMMDD.txt file if I could.

I've run Bud's test for a few hours and had quite a few hits.  The only
false positive wasn't a false positive at all, but a correctly identified
case of the mailhost with a revdns that reflected the host IP, with a
matching HELO.  And it did not hit on HELOISIPX.

Andrew 8)


Re: [Declude.JunkMail] Mark vs Hold vs Delete

2004-04-18 Thread Matt
Sanford Whiteman wrote:

Is it necessary to use such a sexist and ageist profile?
 

Statistically speaking it's a very accurate generalization and I see 
little reason to ignore such things based on what might be more 
politically correct.  Zombie spam is less gender-biased because of how 
the addresses are collected, i.e. domain name registrations, Web sites, 
newsgroups, message boards and some from static spammers methods, static 
spammers on the other hand gather addresses from things like free offers 
and contests which are definitely gender-biased.  As a result of this 
women, and especially women over the age of 30 represent a 
disproportionally large number of the accounts that receive over 100 
spams a day.

If this was a discussion of spyware instead of spam, I would be talking 
about the 13-30 year old male as being the primary demographic.

And  is  this  _really_  the  only  notable  demographic  giving you a
disproportionate support headache?
 

You can classify this in many different ways and get many different 
answers.  One domain for instance receives 40 times the average number 
of viruses/user and accounts for about half of our total virus traffic 
which is a problem as far as performance goes (about 60 viruses per 
address per day).  The demographic in question is mostly on my mind 
because this domain operates a large listserv targeted at 50+ year old 
women, and the fact that they operate a large listserv and their 
demographic contribute to the huge imbalance here.  I also have several 
smaller domains that only have 2 or 3 spammed addresses, and apart from 
the addresses listed on their site or that their domain is registered 
with, it is regularly women that made the mistake of getting on one or 
several ROKSO spammer's lists.

I do have other issues also, such as a single user domain where the guy 
does a ton of Ebay business selling stamps, and he gets probably half of 
our total number of Nigerian scams, and probably 2-3 times a week, these 
messages get through to his account.  So another demographic that might 
be of use is that it appears Ebayers might tend to attract Nigerian scam 
E-mails, but that's only a theory at the moment.

Companies that do business with foreign countries are another issue 
because I punish many foreign senders and I need to exempt such domains 
from these filters.  Something of note here is that I learned several 
years ago while working for a large multi-national corporation is that 
it is more politically correct to refer to this as international 
traffic.  Hopefully I haven't offended anyone :)

And, finally, let's not forget what a wonderful job some young bucks
did blowing hot air into the bubble--with ideas that only the Internet
Generation could understand.
Let me get this straight, you didn't like my association of a particular 
demographic with spam, but you feel that it is appropriate to then 
classify young men as what created the Internet bubble?

Two things...first, that's incorrect, it was the "old bucks" that 
created the bubble, the young Internet entrepreneurs were just patsies 
in the game that created billions of dollars in underwriting profits and 
trading fees for brokerage firms.  The same companies were then selling 
their holdings while raising price targets for the less educated retail 
investors to chase.  This game isn't unique in any way to the Internet 
stocks either, that's just the biggest example, and it still continues 
today in markets like nanotechnology where revenue-less story-stock 
companies are making 30% gains per day at some points on nothing but 
speculation.

I, being an informed observer and careful study, made money on the 
bubble going both up and down...lots of money :)

To sum this all up, hopefully people can learn to be a little less 
sensitive in regards to such discussions, and the only reason why I 
mentioned this is because I found the trend to be quite remarkable and 
unexpected.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-18 Thread Darin Cox
Sandy,

Good points.  However, some may prefer just to add a test or two rather than
add SA.  Plus specialized tests may run more quickly via specific parsing
than a general regexp engine.  Or some may just prefer not to implement
cygwin on their machines (I seem to remember it being necessary to
implement SA).

In any case, I think this is a situation where there are many ways to
implement, and for each different environment different solutions may be
preferred.

Darin.


- Original Message - 
From: Sanford Whiteman [EMAIL PROTECTED]
To: Bud Durland [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:15 AM
Subject: Re: [Declude.JunkMail] New test


 I am testing a small external test program. A message fails the test
 if  there  is  a  discernable  IP  address in the HELO entry of the
 message...

Just  a  little  note here: while this test is surely valuable and its
development  much  appreciated,  I  think  creating a slew of external
Declude helpers is suboptimal--for desktop heap overhead, if nothing
else--when  many  of the tests could be wrapped by SpamAssassin custom
rules  and  run  all at once using SPAMC32. Remember that SpamAssassin
has  full  Perl  regular  expression  support and allows for auxiliary
rules  to  be  contributed via any number of external files (each rule
with its own weight, at that).

If  the  community  concentrated  on  contributing  SA  rulesets, test
development time could be sliced down to nearly zero. Now, I know that
for  some  of you, this might seem vaguely treasonous--if you think of
Declude  and SA as rivals. We don't run SA without Declude, though, so
I see it as more of a parent-child relationship.

Anyway, it's just an idea.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
