RE: [Declude.JunkMail] Spam now (should) fail tests, didn't when received.

2004-07-20 Thread Colbeck, Andrew
Brad, several of the ip4r tests list whole subnets, and I've seen hits from IPs in that and similar subnets across the last week. More likely is that your DNS didn't respond in time when Declude inspected this particular message. Andrew. -Original Message- From: Brad Morgan

RE: [Declude.JunkMail] OT: find command

2004-07-18 Thread Colbeck, Andrew
Hey, Bill. You've got your thinking cap on too tight! Find @aol.com \*\forward.ima found.txt The idea is to search all subdirectories of the current directory for forward.ima and look to see if @aol.com is in there. fgrep -r -i -l @aol.com forward.ima *. fgrep instead of egrep means treat

RE: [Declude.JunkMail] Way OT: Comodo SSL Certs?

2004-07-18 Thread Colbeck, Andrew
It's perfectly legit, Dave. Go ahead and follow the instructions precisely. You don't expect your OS to ship with a perfect database of second-level or third level cert suppliers do you? And no, clients making an SSL connection to your new server won't need to jump through any special hoops at

RE: [Declude.JunkMail] OT: Grep out letters

2004-07-16 Thread Colbeck, Andrew
Hey, Scott. If you'd like, send me a sample off-list. I could use a short brain teaser this morning. The general idea I think would be to do a grep and only look for lines with well-formed IP addresses. e.g. egrep [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} sample.txt result.txt [0-9]

RE: [Declude.JunkMail] SOT somewhat offtopic

2004-07-16 Thread Colbeck, Andrew
Serge, POP and IMAP are certainly available in Exchange, but if I read this architecture correctly, what your client probably wants is the ETRN extension to SMTP. I used this once under Exchange 5.5 to fetch mail over dial up. Here's an ancient article on the subject to get you started on some

RE: [Declude.JunkMail] Anywhere Body

2004-07-15 Thread Colbeck, Andrew
The results would have been the same. Declude searches the whole message raw, so the inside of attachments get scanned too. Using: ANYWHERE 1 CONTAINS spam is the same as using: HEADERS 1 CONTAINS spam BODY1 CONTAINS spam So, the ANYWHERE filter can save you a line, but may open you to

RE: [Declude.JunkMail] Filter reporting improvement idea

2004-07-14 Thread Colbeck, Andrew
Dave, if you move your reporting level from MID to HIGH, you will see a log line for every hit in your filter files. Andrew 8) -Original Message- From: Dave Doherty [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 14, 2004 7:53 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Filter

RE: [Declude.JunkMail] Anywhere Body

2004-07-14 Thread Colbeck, Andrew
No, the slashes have no special meaning. There is no regexp parsing in Declude, every search expression is a literal, but is case-insensitive. The most common item that arises as a result: You can't search for a term with a leading space, e.g. BODY 1 CONTAINS spam (remove the quotes). On the

RE: [Declude.JunkMail] Introduction Preliminary Survey Results

2004-07-12 Thread Colbeck, Andrew
Thank you, Barry. In addition to a community support channel, we've become accustomed to using this mailing list as a communications channel to and from Computerized Horizons. You may miss out on the pulse of your customer base if you are not a subscriber. I'm sure we all

[Declude.JunkMail] The glass is half full

2004-07-10 Thread Colbeck, Andrew
/lurk Meh. I think most angles on this incident have been covered. Stuff was definitely done wrong, but with reasonable business goals behind Computing Horizon's thinking. Some of those didn't mesh well with the active 10-20 power users on the mailing list. For example, I'm sure that a GUI

RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP

2004-07-08 Thread Colbeck, Andrew
John, let's say that you have a Postfix gateway in front of your IMail+Declude server. If you whitelist the gateway, then all mail from that server or passed through that server will be whitelisted. That would be *bad*. You would instead use IPBYPASS, so that all the IP based tests are not

RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP

2004-07-08 Thread Colbeck, Andrew
tests! -Original Message- From: Colbeck, Andrew Sent: Thursday, July 08, 2004 6:19 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP John, let's say that you have a Postfix gateway in front of your IMail+Declude server. If you whitelist the gateway

RE: [Declude.JunkMail] OT: How to delete a mass of files on a Windows drive

2004-07-07 Thread Colbeck, Andrew
Well, I'm late to the party! I love Sandy's idea, it's a great way to stem the tide. Matt, absolutely, the problem with the dir based delete commands is reading through the tree that NTFS creates, which on a busy disk will be literally all over the hard drive. This would then be complicated

RE: [Declude.JunkMail] SPACE character

2004-07-06 Thread Colbeck, Andrew
At the same volume level, I see thirty times more legitimate messages with a leading space in the subject message. Most are from users, with one to three leading spaces. Three different legitimate news alerts are using up to 6 leading spaces, presumably to make their subject line stand out in

RE: [Declude.JunkMail] Fake IP Test

2004-07-02 Thread Colbeck, Andrew
Todd, in addition to checking for your own IP address in the inbound mail HELO, another handy "anti-spoofing" test is to check for your own mailhost. HEADERS 20 CONTAINS Received: from yourmailhost.yourdomain.com because, hey, your mailserver is receiving this message, so

RE: [Declude.JunkMail] Comcast zombies contained

2004-07-02 Thread Colbeck, Andrew
Sorry, Matt! http://www.theinquirer.net/?article=16960 ... which seems to bear fruit. I've received exactly 4 zombie spams from the ComCast network since June 17, 2004, and my usual rate is tens to hundreds per day from them. Unfortunately, there's no indication that ComCast will take any

RE: [Declude.JunkMail] [Declude.Virus] OT- Anyone know about this latest attack reported by CNN?

2004-06-25 Thread Colbeck, Andrew
Me three. I installed FireBird a long, long time ago at home. I had no problems, ever. But then I got the upgrade itch, so I'm on the latest FireFox now, with nifty extensions. And I cut the cord last weekend, by deleting all my Favorites out of IE (years and years worth!). Now I use IE for a

RE: [Declude.JunkMail] OT: Find Command

2004-06-23 Thread Colbeck, Andrew
Goran, check out the FindStr.exe command in your %windir%\system32 folder, it does exactly what you want. Specifically, you will keep appending your search strings as new lines in one text file, and search each line to include/exclude from your orig.txt If your needs are going to grow to only a

RE: [Declude.JunkMail] OT: Find Command

2004-06-23 Thread Colbeck, Andrew
Bill, you caught me red-handed. I was hoping you'd do the heavy lifting to offer up an awk equivalent template for findstr. Andrew 8) p.s. Goran, grep is your friend. Use fgrep as a straight substitute for find, but fgrep is a magnitude faster. Use egrep to do nifty things like Bill's or

RE: [Declude.JunkMail] OT: Find Command

2004-06-23 Thread Colbeck, Andrew
- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, June 23, 2004 2:56 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] OT: Find Command Bill, you caught me red-handed. I was hoping you'd do the heavy lifting to offer up an awk equivalent template for findstr. Andrew

[Declude.JunkMail] Spammers Using Spyware To Fool Users

2004-06-23 Thread Colbeck, Andrew
The executive summary: expect perfectly normal spam subject lines more often. http://www.techweb.com/wire/story/TWB20040623S0007 Andrew 8)

RE: [Declude.JunkMail] Possible spammer trick with names

2004-06-16 Thread Colbeck, Andrew
The odds are 100%, Keith. That's exactly how all the current viruses work. Recently, WORM_SOBER.* has also generated usernames at the domains it harvests to increase their hit rate, because they don't care about their failure rate or the massive number of NDRs that they generate. Andrew 8)

RE: [Declude.JunkMail] Possible spammer trick with names

2004-06-16 Thread Colbeck, Andrew
or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew Sent: Wednesday, June 16, 2004 11:43 AM

RE: [Declude.JunkMail] Some declude.exe process do not end unless the server is rebooted

2004-06-15 Thread Colbeck, Andrew
Declude.exe instances fire once for each email, they don't stay resident. Instead of rebooting the server, stop your IMail SMTP and Queue services so that no mail is being processed, which means declude.exe instances won't be run. Then you can do whatever maintenance you require, and restart the

RE: [Declude.JunkMail] USBank Scam?

2004-06-14 Thread Colbeck, Andrew
Scam. You surmised correctly. The HTML snippet shows the reader one URL, but the real target of the link is somewhere else entirely. China, actually. Three great web resources to find out who a domain is or where it is: http://openrbl.org http://whois.sc http://www.senderbase.org Using

[Declude.JunkMail] A quick heads up

2004-06-08 Thread Colbeck, Andrew
This is from the SANS Handler's diary at http://isc.sans.org ARIN in-addr.arpa A post on the NANOG list indicates that the American Registry for Internet Numbers (ARIN, www.arin.net) is not providing reverse-lookup forwarding for any networks in the range 206.46.0.0 -

RE: [Declude.JunkMail] Way off topic

2004-06-04 Thread Colbeck, Andrew
That's a great idea, Sandy. And I'll contribute a tiny hint and suggest that if anyone were to do so, using a sniffer like Ethereal with a capture filter would minimize the size of the actual data file collected, which would then make post-processing much simpler. Andrew 8) -Original

RE: [Declude.JunkMail] OT what a con

2004-06-03 Thread Colbeck, Andrew
Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, June 03, 2004 12:09 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] OT what a con I've had them in my filters for a very long time

RE: [Declude.JunkMail] OT: GREP Help Needed

2004-05-31 Thread Colbeck, Andrew
Ah, the easy answer is that grep is not the way. You want something a little higher up on the food chain, awk. gawk "$4 == 2" netflow.txt or the identical but clearer: gawk "$4 == 2 {print $0}" netflow.txt will parse the file called netflow.txt and only output the

RE: [Declude.JunkMail] Detect Test NOT Failed

2004-05-31 Thread Colbeck, Andrew
fgrep "Total weight = " dec0531.log | fgrep -v "SNIFFER" | gawk "$NF =20" result.txt sample contents of result.txt: 05/31/2004 00:01:44 Qd84b1ec600561d03 IPNOTINMX:2 HELOBOGUS:6 MAILFROM:9 REVDNS:4 CMDSPACE:5 COUNTRY:10 DSBL:6 SPAMCOP:3 SPAMCOP-DYNA:7 FIVETENSRC:2

RE: [Declude.JunkMail] Help - Gateway Question

2004-05-27 Thread Colbeck, Andrew
Samantha, part of the answer that you're looking for is that when your misd.net server is connecting to their server to deliver the mail, you're not connecting to Trend Micro, the company, you're connecting to their mail server, which has a Trend Micro product in front of their other mail host,

RE: [Declude.JunkMail] Spammers Dumping Porn for Financial Services

2004-05-26 Thread Colbeck, Andrew
I've definitely noticed in the last 2 weeks that pump and dump stock scams have been the lead type of spam that leaks through. And also that pharmaceutical spam has far eclipsed pornography. In my Hotmail account, it's about even. And I suppose that this is news to someone,

RE: [Declude.JunkMail] Hotmail not accept inbound mail?

2004-05-21 Thread Colbeck, Andrew
on it. I had to tell my server to retry for a day before I could start sending to hotmail again. R -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Tuesday, May 18, 2004 12:40 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail

RE: [Declude.JunkMail] SPEWS problem

2004-05-18 Thread Colbeck, Andrew
Goran, mail.lanshoppe.com is not listed in SPEWS; your provider, HopOne is. Other than complain to HopOne, there is nothing you can do except switch your inbound mail server somewhere else, like swapping with your outbound mail service, for example. You can read information about SPEWS, and

RE: [Declude.JunkMail] Hotmail not accept inbound mail?

2004-05-18 Thread Colbeck, Andrew
either, I am seeing connection resets from them Rick Davidson National Systems Manager North American Title Group - - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 11, 2004 2:44 PM Subject: [Declude.JunkMail] Hotmail

[Declude.JunkMail] OT: critical vuln in Symantec firewalls

2004-05-13 Thread Colbeck, Andrew
http://www.eeye.com/html/Research/Advisories/AD20040512A.html and Symantec's patch: http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html which can be downloaded and installed via LiveUpdate. Unlike the BlackIce worm, there is no report of malware in the wild but the

RE: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending?

2004-05-13 Thread Colbeck, Andrew
Don't poke the bear, Kami. Andrew 8) -Original Message- From: Kami Razvan [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 10:36 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] ALLRECIPS CONTAINS END not ending? There is a new interim release 1.79i7 at :) Scott... Now

[Declude.JunkMail] OT: Antivirus companies muting false alarms

2004-05-13 Thread Colbeck, Andrew
http://zdnet.com.com/2100-1104_2-5210796.html?tag=zdfd.newsfeed Quote: They were wrong, and they were annoying, so now they've been stopped. With a new version of Symantec's SMTP (Simple Mail Transfer Protocol) e-mail security product, the antivirus company is trying to

[Declude.JunkMail] Hotmail not accept inbound mail?

2004-05-11 Thread Colbeck, Andrew
Anybody else with this trouble? I've got 300+ messages queued to hotmail.com addresses. Both my cached and a fresh DNS query look fine. I have a ton of: MX connect fail 65.54.190.50 messages in my Imail log (lots of different IP addresses whose reverse DNS ends with hotmail.com) Andrew. ---

[Declude.JunkMail] OT: Authors of Sasser and Phatbot arrested

2004-05-09 Thread Colbeck, Andrew
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanEE%2edbcommand=viewoneid=15 Both in Germany, and in seemingly unrelated incidents. Whoever informed on the Sasser author to Microsoft may see a payout of a quarter of a million dollars. Andrew 8) --- [This

RE: [Declude.JunkMail] Perl Script Spamheaders

2004-04-28 Thread Colbeck, Andrew
John, I'm thinking that you're not qualifying the right hand side of the message-id variable as text. Let me put that another way: why are you not putting quotes around the parts that are text, and why are you only escaping the @ sign and not the hyphen or the GT and LT

RE: [Declude.JunkMail] Validate Email address

2004-04-27 Thread Colbeck, Andrew
If you have JunkMail Pro, and thus text filtering, you could do what I do for a case that sounds similar to yours. We have a domain which has very few email addresses, and spammers regularly try a certain set of addresses that simply never existed, along with CC'ing or

RE: [Declude.JunkMail] Weight and Action Question

2004-04-21 Thread Colbeck, Andrew
Yep, a configuration of WEIGHT10 DELETE and a WEIGHT20 HOLD would indeed delete a message with a weight of 21. Something you mentioned earlier prompts me to point out another thing; the veterans in the list generally regard HOLD messages not as something they have to check out several times a day

RE: [Declude.JunkMail] OT: ASCII code

2004-04-21 Thread Colbeck, Andrew
Yep, also 0x20, also #20 Andrew 8) -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 10:47 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] OT: ASCII code A space is %20, correct? John Tolmachoff Engineer/Consultant/Owner

RE: [Declude.JunkMail] Dangerous img dynsrc tag in body

2004-04-21 Thread Colbeck, Andrew
Good tip! This is what the web page is using: http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm to download a file it creates called C:\Program Files\Internet Explorer\Iesearch.exe by downloading and rename the file http://68.192.132.122:8067/mstasks.dat which my latest Trend

[Declude.JunkMail] Obvious, but it was new for me

2004-04-21 Thread Colbeck, Andrew
I just saved some processing power.. One of my most important text filters is the BODY search for URL stuff. But it's quite big. To keep my loglevels in check, I use LOGLEVEL MID, which doesn't log the individual lines triggered. But whether I use MID or HIGH, the line

[Declude.JunkMail] OT: a cautionary note

2004-04-20 Thread Colbeck, Andrew
This really belongs on the IMail support list, but I don't subscribe to that... On the weekend, I had a eureka moment and figured out why we had 25 minute delays on our inbound messages. It didn't happen often, or at least we didn't notice it often. Mail would just be stuck in IMail, not

RE: [Declude.JunkMail] OT: a cautionary note

2004-04-20 Thread Colbeck, Andrew
8) -Original Message- From: Colbeck, Andrew Sent: Tuesday, April 20, 2004 8:25 AM To: '[EMAIL PROTECTED]' Subject: [Declude.JunkMail] OT: a cautionary note This really belongs on the IMail support list, but I don't subscribe to that... On the weekend, I had a eureka moment and figured

RE: [Declude.JunkMail] Matts DynDNS test FP

2004-04-20 Thread Colbeck, Andrew
They have weird numeric naming conventions, and use rogers.com for both client and corporate mail. Try this instead: #Sep-26-2003 AC Rogers Cable in Canada REVDNS -10 ENDSWITH .is.net.cable.rogers.com REVDNS -10 ENDSWITH .cpe.net.cable.rogers.com REVDNS 10 CONTAINS .cable. Andrew 8)

RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com

2004-04-19 Thread Colbeck, Andrew
: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try the website at http://www.SenderBase.org to see

RE: [Declude.JunkMail] SPAMDOMAINS - Netscape.com

2004-04-19 Thread Colbeck, Andrew
: Colbeck, Andrew wrote: Jeff, the main problem with figuring out spamdomains entries is that you really have to receive valid mail from the domain to really know. If they have an SPF record, that's the easiest way to research them, but you can also try

RE: [Declude.JunkMail] NOTENDSWITH problem

2004-04-19 Thread Colbeck, Andrew
My humble opinion on terminology, Scott, is that: fixed in the next build would better reflect what you meant. Otherwise us folks out here in the list start to wonder whether you mean release or Release. Just another tip for the Declude communications style book. Andrew 8) -Original

RE: [Declude.JunkMail] New test

2004-04-18 Thread Colbeck, Andrew
Anybody already using a handy way to record the HELO in the decMMDD.log file? I'd like to save the step of going to my sysMMDD.txt file if I could. I've run Bud's test for a few hours and had quite a few hits. The only false positive wasn't a false positive at all, but a correctly identified

RE: [Declude.JunkMail] why does this fail the spam domains test?

2004-04-16 Thread Colbeck, Andrew
Dave, allow me to butt in here with the late night reply and say yes, your interpretation is exactly right for all 3 of your examples. And let me also add that clarity certainly does help, for example I saw a weird false positive and chuckled over it. I had a sd.txt that listed: mac.com

[Declude.JunkMail] OT: Cosmic 419er lost in space

2004-04-16 Thread Colbeck, Andrew
http://www.theregister.co.uk/2004/04/16/cosmic_419er/ A little levity for Friday. Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED],

RE: [Declude.JunkMail] SBL-XBL Question

2004-04-16 Thread Colbeck, Andrew
Not surprising that you missed this one, based on the subject line: http://www.mail-archive.com/[EMAIL PROTECTED]/msg17684.html Sorry if this has already been answered here. My inbound messages on this list have been highly out of sort order. Andrew 8) -Original Message- From: Scott

RE: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-16 Thread Colbeck, Andrew
This works for me: wamlog dec0416.log c:\imail\declude\global.cfg Modify the parameters to suit your environment, of course. Andrew 8) -Original Message- From: Dave Doherty [mailto:[EMAIL PROTECTED] Sent: Friday, April 16, 2004 8:54 PM To: [EMAIL PROTECTED] Subject: Re:

RE: [Declude.JunkMail] FW: ATT Customer Satisfaction Survey

2004-04-15 Thread Colbeck, Andrew
Definitely fake, Sharyn. 0) Like you said, it had at least one typo. And would they tell you what "segment" they've put you in? And to an email address they've never been given? 1) The link goes through another provider with a 6 month old domain name, through a Group Telecom

[Declude.JunkMail] a SURBL snapshot observation

2004-04-15 Thread Colbeck, Andrew
For what it's worth, over the last 2 days, my SURBL success has been 20% that of the text filter I use to block recent spam we've noticed (which contains spamvertised domains). And there has been little overlap between my local test and SURBL. Which simply shows that my spam is different from

RE: [Declude.JunkMail] [Declude.Virus] Scott, what do you use to generate this report

2004-04-14 Thread Colbeck, Andrew
Smokin' Bill! That's very fast. I certainly found a few surprises at 0 hits for a normal day. Some low priority suggestions: - Change fail wording in the header to trigger or hit or something. - Ignore Declude directives, e.g. LOOSENSPAMHEADERS, HOPHIGH, CONSOLE, PREWHITELIST ... Thanks for

RE: [Declude.JunkMail] Combine BASE64 and REVDNS?

2004-04-13 Thread Colbeck, Andrew
ngement. Note that the impact of this one change is fairly minor, but with a lot of minor changes, I have managed to get another half cup of juice out of my current server. Matt Colbeck, Andrew wrote: Hey, Kevin. I do get the usual web page when I go to the CBL homepage you listed.

RE: [Declude.JunkMail] Combine BASE64 and REVDNS?

2004-04-12 Thread Colbeck, Andrew
Hey, Kevin. I do get the usual web page when I go to the CBL homepage you listed. I see that the last update was March-30-2004 when they stated that they had harvested out a lot of their old records. I stopped using CBL on Jan-05-2004, though, because the SpamHaus XBL is a superset of CBL,

RE: [Declude.JunkMail] Words found in encoded file atachments

2004-04-12 Thread Colbeck, Andrew
Rick, no, the BODY text filtering searches everywhere, including inside binary attachments. Your best bet is to assign those nasty words with very little weight, don't use very short words, and/or try to match a phrase instead, or use trailing punctuation. For example, I've found that although

RE: [Declude.JunkMail] Last Action = log line

2004-04-12 Thread Colbeck, Andrew
Nifty! I'm on the current interim without issue, and it's great to have that log line at LOGLEVEL MED. Thanks a bunch, Andrew 8) -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 07, 2004 2:15 PM To: [EMAIL PROTECTED] Subject: Re:

RE: [Declude.JunkMail] Invalid Whitelist Type: Anywhere

2004-04-06 Thread Colbeck, Andrew
Rob, check your spelling of ANYWHERE there is a typo in it. Andrew 8) -Original Message- From: Robert Grosshandler [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 06, 2004 9:07 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Invalid Whitelist Type: Anywhere Getting this error

RE: [Declude.JunkMail] Test for message size and return codes

2004-04-06 Thread Colbeck, Andrew
Matt, try the more verbose: EXTERNALTEST external 30 "C:\Windows\System32\cscript.exe C:\IMail\Declude\test.vbs //B //NoLogo //T:2" 0 0 I don't know how that will mangle the order of the parameter passing of the message filename, but sniffer manages to cope with a

RE: [Declude.JunkMail] Anyone heard about og used crm114

2004-04-05 Thread Colbeck, Andrew
I have my doubts. As with any learning system, accurate training is paramount. Wiser heads than me have commented here on when learning systems are a good fit. He doesn't state how many mailboxes that he is handling and whether it is for a vanity site, ISP, or corporate mail host. He may be

RE: [Declude.JunkMail] Phishing?

2004-04-03 Thread Colbeck, Andrew
The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS registration is a little more than a week old. Googling the net-abuse groups turns up:

[Declude.JunkMail] spam news in the courtroom

2004-04-02 Thread Colbeck, Andrew
US court skins 'Buffalo Spammer' http://www.theregister.co.uk/content/55/36732.html Two men charged with spam felonies http://www.mercurynews.com/mld/mercurynews/business/7474946.htm

[Declude.JunkMail] Last Action = log line

2004-04-02 Thread Colbeck, Andrew
Scott, I'd like to make the case for moving the: Last action = ""> log line from the LOGLEVEL HIGH setting down to the LOGLEVEL MED setting. My rationale being that at the MED level, log items are of a granularity appropriate to the entire message, whereas the verbose

RE: [Declude.JunkMail] Last Action = log line

2004-04-02 Thread Colbeck, Andrew
That would be great! For what it's worth, the new verbose weight and test results description line is very handy, too. For example, If I want to count the messages held, I can: egrep -c Last action = HOLD. dec0316.log whereas if I want to count the number of recipients for those

RE: [Declude.JunkMail] HOLD plus COPYTO

2004-03-29 Thread Colbeck, Andrew
Hey, John. How about a 3-fer test to archive messages, like so: HIDETESTS HOURCOPY #Mar-23-2004 AC Testing two new features with one go. Archive all # messages if sent in the hour of 11PM and give a # weight of none. HOURCOPY hour 23 23 0 0 HOURCOPY

[Declude.JunkMail] Fake routing headers confirmed

2004-03-25 Thread Colbeck, Andrew
Ever wonder if anything before the hop that delivered the message to your server was legit? Check out this text file attachment, where a spammer's search and replace didn't quite work. The first instance of the yahoo section worked, and an extra section leaves his replacement variables... not

RE: [Declude.JunkMail] Raid Controller

2004-03-25 Thread Colbeck, Andrew
(A little late to the party) No doubt, the initial rollout of SATA was a yawn, and SATA systems including RAID were regularly trounced by their ATA-133 equivalents. Like IDE, SATA had growing pains due to rival bodies pulling the standard in too many directions, but SATA and SATA2 are determined

RE: [Declude.JunkMail] Spammers bypassing gateways?

2004-03-23 Thread Colbeck, Andrew
For what it's worth, I haven't seen anything in the security literature about spammers operating that way. Any chance that the affected organizations had, at some time, addresses of the form: [EMAIL PROTECTED] which isn't uncommon? I've seen at least one private company that advertised

RE: [Declude.JunkMail] Strange MONKEYFORMMAIL problems

2004-03-22 Thread Colbeck, Andrew
Those lists were defunct as of Sep-23-2003. To convince you to stop beating on his DNS servers for no good reason, the guy who created the MONKEYS and PIGS list has chosen to serve you up a false positive for any IP you try to check. See:

RE: [Declude.JunkMail] Verizon

2004-03-21 Thread Colbeck, Andrew
Checking that IP at: http://openrbl.org Shows that SORBS-HTTP is listing that last hop, which looks like Verizon Wireless. It's been all too common for ip4r lists to nominate smtp and webmail based servers due to spam or worse, viruses being sent through them by infected clients. CBL has also

RE: [Declude.JunkMail] SPFPASS (Junk)

2004-03-19 Thread Colbeck, Andrew
Makes perfect sense to me. Everyone, including ROKSO spammers, can benefit from implementing SPF defensively, resulting in a valid SPFPASS. And *their* doing so dilutes the incentive for antispammers to reward those who implement SPF defensively, which in turn dilutes SPF.

RE: inSPAM:RE: [Declude.JunkMail] Detecting disguised url's in headers

2004-03-19 Thread Colbeck, Andrew
Well, assuming that you have Declude JunkMail Pro and thus text filtering features available, yes. See: http://www.mailpure.com/software/decludefilters/ for the IPFilter tests which would give you a very good example to get you started. However, I think that: a) You don't need to,

RE: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Colbeck, Andrew
Most people have stopped giving Habeas much negative weight, based on the massive abuse of their mark by a spam gang hosting their pharmacy websites in China. Habeas was very slow to populate their HIL database of known abusers to counteract the abuse. Some folks on this list have given up on

[Declude.JunkMail] COUNTRIES database

2004-02-27 Thread Colbeck, Andrew
Scott, does this error message in my log indicate a problem that you're interested in, or is declude.exe correctly reporting a problem in the source data? X-Country-Chain: 'EU' [corrupt RIPE data]-UNITED STATES-CANADA-destination Received: from speedy.lexi.net [198.161.91.18] by mail.bentall.com

RE: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Colbeck, Andrew
Today's related counts: My own Habeas filter: 17 HIL: 258 Number of my Habeas filters tripped that were in HIL: 1 Number of my Habeas filters tripped on my porn filter: 9 What that means on my server is that HIL is still not coming up to the bar to stop spammers using zombies to abuse their

RE: [Declude.JunkMail] COUNTRIES database

2004-02-27 Thread Colbeck, Andrew
Interesting... The ISP hosting the IP is in Norway, which is not in the EU, fwiw. Thanks, Andrew 8) -Original Message- From: Colbeck, Andrew Sent: Friday, February 27, 2004 1:23 PM To: '[EMAIL PROTECTED]' Subject: [Declude.JunkMail] COUNTRIES database Scott, does this error message

RE: [Declude.JunkMail] TCP/UDP ports

2004-02-25 Thread Colbeck, Andrew
(Another country heard from) Scott, that's an excellent description of how a firewall that does stateful inspection works, but is wrong if it's just a packet filter. I'll readily admit that anything called a firewall *should* do stateful inspection, but Jeff didn't specify the tool. As Kevin

RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Colbeck, Andrew
Sadly, View Headers is not ideal. Certainly, you can use View Headers to get the routing information etc, and a Save-As will get you the body text, but every version of Outlook, if not Outlook Express, decodes the original message. This would be wrong but tolerable if they also fixed the header

[Declude.JunkMail] Feature-itis

2004-02-23 Thread Colbeck, Andrew
Far be it for me to halt progress... Scott, I can't wait to put in the new TESTSFAILED logic. I've wanted exactly this to keep certain multi-answer ip4r tests in check, and Matt is off to a great start in combining tests... I also find that CMDSPACE is very handy and has low false positives.

RE: [Declude.JunkMail] New Phishing Scam

2004-02-13 Thread Colbeck, Andrew
Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker

RE: [Declude.JunkMail] Kill List not working.....

2004-02-10 Thread Colbeck, Andrew
Bennie, blocking spammers by their domain name only is a losing proposition. You're already using SBL... I'd suggest that you also implement the SORBS tests and the MAILPOLICE tests. Checking my own spam, we also received mail from this spammer, but we caught it without having to check for

RE: [Declude.JunkMail] Kill List not working.....

2004-02-10 Thread Colbeck, Andrew
is an envelope rejection. It saves many more resources this way. Jason -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, February 10, 2004 2:03 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Kill List not working

RE: [Declude.JunkMail] Kill List not working.....

2004-02-10 Thread Colbeck, Andrew
not fail those.. what is the line for mailpolice? Bennie - Original Message - From: Colbeck, Andrew [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, February 10, 2004 3:34 PM Subject: RE: [Declude.JunkMail] Kill List not working. Ah, perhaps you have more time to spend on your

RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?

2004-02-04 Thread Colbeck, Andrew
It is more precise to say that Bayesian filters are best suited to individual mailboxes, and on the opposite scale they are not effective when the message base is random. Bayesian filters need to be trained, and for that you need a corpus of messages that is spam and another that is ham. The

RE: [Declude.JunkMail] Blocking the attached message

2004-02-03 Thread Colbeck, Andrew
Sharyn and others, you can make a big dent in the pharmacy spammers' campaigns by picking the appropriate RBLs, particularly with a hold weight as low as 10. As the Chief SortMonster pointed out, these bad guys make heavy use of zombies, so a trip to

RE: [Declude.JunkMail] Word of Mouth connetion?

2004-02-01 Thread Colbeck, Andrew
Many people on the abuse newsgroups consider them spam, and none of them consider them to be legitimate. See: http://www.snopes.com/computer/internet/wordofmouth.asp and this link (if it survives the email): http://groups.google.ca/groups?q=group:news.admin.net-abuse.*+%22WordofMouth

RE: [Declude.JunkMail] OT- Getting a URL de-listed on AOL

2004-01-30 Thread Colbeck, Andrew
http://www.cbizsoft.com/PoweredBy.asp -Original Message- From: Matt [mailto:[EMAIL PROTECTED] Sent: Friday, January 30, 2004 10:28 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] OT- Getting a URL de-listed on AOL I love how you downstaters call

RE: [Declude.JunkMail] Declude JunkMail Evaluation

2004-01-26 Thread Colbeck, Andrew
Mark, that's a very interesting decision; would you care to expand on why you chose to roll-your-own instead of outsourcing your filtering to Brightmail? Without Declude, we probably would have gone the other way, choosing a known cost at the outsourcing company vs. an unknown cost for

RE: [Declude.JunkMail] Manual

2004-01-23 Thread Colbeck, Andrew
I'm all in favour of the manual being sync'ed with the releases. That's a no-brainer. Beta support handling is a bone of contention, and I'd rather that support maintenance of those features not interfere with the stellar support we already get from Declude. Therefore, I

RE: [Declude.JunkMail] New MS updates Bug Report emails making the rounds

2004-01-22 Thread Colbeck, Andrew
Doug, that looks very, very much like SWEN. TrendMicro records 3 variants: http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=qvirus=SWENalt=SWEN Andrew. -Original Message- From: Doug Anderson [mailto:[EMAIL PROTECTED] Sent: Thursday, January 22,

[Declude.JunkMail] Joy!

2004-01-22 Thread Colbeck, Andrew
As Jerry Pournelle has often said You may not get this level of service. http://www.theregister.com/content/55/35044.html I wonder if all the spammers have this guy on their 17 trillion addresses CD. I could only hope. Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus

RE: [Declude.JunkMail] iVillage...spam house???

2004-01-20 Thread Colbeck, Andrew
They're at least a self-inflicted nuisance, but I don't know if they're spammers. I lump e-mail advertising their websites in the same category and weighting as geocities.com and angelfire.com ... but I can do that because we're not an ISP. Andrew. -Original Message- From: Matt

RE: [Declude.JunkMail]

2004-01-20 Thread Colbeck, Andrew
I haven't found a good comparison on the web between SFU (was Interix) and CygWin, but there are lots of snippets. Here's one good one that is a thread responding to an announcement of SFU back at v3.0 : http://www.entmag.com/news/article.asp?EditorialsID=6047 If all you're wanting is to get
