RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Nick Hayer
Dunno - I just grepped my logs to find the FP.  You will have to get some 
complete examples to test on. Maybe do a COPYTO on any emails that fail your 
regex and then fine tune out the false positives.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support 
US/Canada 877-873-6482 or International +1-802-229-6574 
Emergency Support 24/7: supp...@skywaves.net 
General and Non-Emergency support ticket: 
https://www.skywaves.com/content/secure/support_ticket.htm






From: "David Barker" 
Sent: Monday, October 18, 2010 12:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Does the source have a space or different character after the end of the
string? We could look for a space, or a > or "

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Hi David,

I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though

We have been whacking the guy w/sniffer General and dnsbl tests.  I cannot
tell you which ones of the latter as they are not shown in my logs.

-Nick

From: "David Barker"
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger
on these

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about
the same guy..

Thanks

-Nick

From: "Dave Beckstrom"
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?

---
[This E-mail was scanned by Declude] 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
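
The testing Nick suggests, as an added example that is not from any poster in this thread: a Python harness that runs the two regexes David posted over the URIs quoted on this page and lists false positives and misses. The surrounding markup, the http:// prefix on the gseo35 URI, and the lookahead variant VARIANT_V3 are assumptions made for this example; whether Declude's regex engine accepts a lookahead is not stated in the thread.

```python
import re

# Filters exactly as posted in the thread.
POSTED_V1 = r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})'
POSTED_V2 = r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))'
# Constructed variant (assumption, not from the thread): instead of requiring
# one of three trailing characters, reject a hex run that continues as a
# longer path or a file name.
VARIANT_V3 = r'(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(?![a-z0-9./_-]))'

PATTERNS = {"v1": POSTED_V1, "v2": POSTED_V2, "v3": VARIANT_V3}

# (name, is_spam, text). The URIs come from the thread; the markup and text
# around them are constructed for this test.
SAMPLES = [
    ("spam_href", True,
     '<a href="http://cja244.larickcoppas.com/'
     '6878d778dcffdc763118115082cc190a3c0343">click</a>'),
    ("spam_plain_crlf", True,
     'Visit http://cja244.larickcoppas.com/'
     '6878d778dcffdc763118115082cc190a3c0343\r\n'),
    # As posted, without the www or http:// prefix the filters rely on.
    ("spam_no_prefix", True,
     'ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1 '),
    # Prefix and single-quoted attribute are constructed.
    ("spam_single_quoted", True,
     "<a href='http://gseo35.pennyonello.info/"
     "132694139742636427312a49fad18963925fb'>"),
    # The legitimate image URL Nick found in his logs.
    ("ham_ratepoint_img", False,
     '<img src="http://eimages.ratepoint.com/'
     '7cb5f36dd6464c05d417963e3efc4386/2010-06/'
     '02b120ed17cc24cd3567fd4396424914.gif">'),
]


def matches(pattern, text):
    """True if the filter fires on any line of the text."""
    rx = re.compile(pattern)
    # Keep line endings so a trailing CR/LF can satisfy \s in POSTED_V2.
    return any(rx.search(line) for line in text.splitlines(keepends=True))


def score(pattern, samples=SAMPLES):
    """Return (false_positives, false_negatives) as lists of sample names."""
    fps, fns = [], []
    for name, is_spam, text in samples:
        hit = matches(pattern, text)
        if hit and not is_spam:
            fps.append(name)
        elif is_spam and not hit:
            fns.append(name)
    return fps, fns


def report():
    """Score every pattern; keys are the labels in PATTERNS."""
    return {label: score(pattern) for label, pattern in PATTERNS.items()}


if __name__ == "__main__":
    for label, (fps, fns) in report().items():
        print(f"{label}: false positives={fps} misses={fns}")
```

Adding real messages saved with COPYTO to SAMPLES turns this into a regression check for each later tweak of the filter.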

RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
Would checking for the DOT, followed by one or more characters, at the end
of the long string serve to eliminate the false positives?  


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread David Barker
Does the source have a space or different character after the end of the
string? We could look for a space, or a > or "

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[>"]))

David


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Nick Hayer
Hi David,

I think it will FP though -
Here is an example:
http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif
with some tweaking I think it could be very effective though

We have been whacking the guy w/sniffer General and dnsbl tests.  I cannot
tell you which ones of the latter as they are not shown in my logs.

-Nick


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread David Barker
Provided the prefix to these is either www or http:// the regex will trigger
on these

 


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343
 


RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
Here is another one:
 
gseo35.pennyonello.info/132694139742636427312a49fad18963925fb
 
I've deleted all the previous and hopefully won't get any more after
implementing the filter David sent.

I would still like to be able to block URIs by the DNS server or Registrar
used.  There may be some legitimate domains registered through
domainsite.com but I've not seen any.
 


re: [Declude.JunkMail] Good filter?

2010-10-18 Thread Nick Hayer
Post a few of his/her base domains - just to be sure we will be talking
about the same guy..

Thanks

-Nick


[Declude.JunkMail] Spam Routing and IP 6?

2010-10-18 Thread Andy Schmidt
Hi,

 

I may be barking up the wrong tree. But since the following email only had a
single IP v4 hop to our Imail, I can't see how this could possibly be caught
by "spamrouting" - unless there is some confusion on how to treat the IP v6
address:

 

Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com with ESMTP
  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400
Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk ([::1])
 with mapi; Fri, 8 Oct 2010 09:43:21 +0100
.
X-RBL-Warning: This E-mail was routed in a poor manner consistent with spam [211f]. See: http://tools.declude.com/headercode.php?code=211f
X-Declude: Version 4.10.51; Code 0x211f from host81-143-158-102.in-addr.btopenworld.com [81.143.158.102]

 

The only other server uses the standard IP v6 loopback address
(0:0:0:0:0:0:0:1), equivalent to the 127.0.0.1 in IP v4 - which clearly is
internal and thus should not be evaluated for the Spamrouting test.

 

If Spamrouting (or Declude?) does not handle IP v6, then it probably should
at least SKIP those headers entirely? 

 

Best Regards,

Andy
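
One way to express the check Andy describes, as an added example rather than Declude's or Spamrouting's actual logic (which this page does not describe): parse the quoted Received headers and keep only hops that carry a non-internal address, so the [::1] hop is skipped. The function names are made up for this example.

```python
import ipaddress
import re
from email import message_from_string

# Received headers as quoted in the post above, embedded for an offline run.
RAW_HEADERS = (
    "Received: from SDKENG01.dkeng.co.uk [81.143.158.102] by hm-software.com"
    " with ESMTP\r\n"
    "  (SMTPD-11.02) id 3f5e0001d39c4dd5; Fri, 8 Oct 2010 04:44:53 -0400\r\n"
    "Received: from SDKENG01.dkeng.co.uk ([::1]) by SDKENG01.dkeng.co.uk"
    " ([::1])\r\n"
    " with mapi; Fri, 8 Oct 2010 09:43:21 +0100\r\n"
    "\r\n"
)

# Bracketed token made of hex digits, dots and colons: a candidate IPv4 or
# IPv6 address literal. Validation happens in hop_addresses().
ADDR_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def hop_addresses(received_value):
    """Return the valid IP addresses found in brackets in one header value."""
    found = []
    for token in ADDR_RE.findall(received_value):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # bracketed but not an address, e.g. a code like [211f]
    return found


def is_internal(addr):
    """Loopback, private, link-local or unspecified, for IPv4 and IPv6 alike."""
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def routable_hops(raw_headers):
    """List, per Received header, the addresses a routing test could judge.

    Headers whose addresses are all internal (such as the IPv6 loopback ::1)
    contribute nothing and are left out of the result.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        external = [str(a) for a in hop_addresses(value) if not is_internal(a)]
        if external:
            hops.append(external)
    return hops


if __name__ == "__main__":
    print(routable_hops(RAW_HEADERS))
```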





RE: [Declude.JunkMail] Good filter?

2010-10-18 Thread David Barker
This problem was posted to the list a few weeks back. This regex seems to
work well for that. It is in the latest FILTER-SPAM.

 

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})


[Declude.JunkMail] Good filter?

2010-10-18 Thread Dave Beckstrom
There is a pervasive spammer whose URI pattern for the linked spam site is
pretty consistent.  They all have a "/" followed by some kind of home-grown
obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their
spamvertized domains.  Has anyone worked on a solution where the URI can be
checked against the registrar and if it's registered with domainsite.com then
weight can be added or it can be blocked?
 
 


