ilto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, June 23, 2004 2:56 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Declude.JunkMail] OT: Find Command
>
> Bill, you caught me red-handed. I was hoping you'd do the heavy
lifting
The executive summary: expect perfectly normal spam subject lines more often.
http://www.techweb.com/wire/story/TWB20040623S0007
Andrew 8)
Your webservers, sure. That's the easy part, the patch was available in
early April.
Your desktops, no, not if your users use Internet Explorer. There is no
patch yet, and it's been exploited for at least 2 months.
For a whitehat demonstration, use your fully patched IE to go to:
http://62.131
Me three.
I installed FireBird a long, long time ago at home. I had no problems,
ever. But then I got the upgrade itch, so I'm on the latest FireFox now,
with nifty extensions. And I cut the cord last weekend, by deleting all my
Favorites out of IE (years and years worth!). Now I use IE for a
Todd, in addition to checking for your own IP address in the inbound mail HELO, another handy
"anti-spoofing" test is to check for your own mailhost.
HEADERS 20 CONTAINS Received: from yourmailhost.yourdomain.com
because, hey, your mailserver is receiving this message, so
Sorry, Matt!
http://www.theinquirer.net/?article=16960
... which seems to bear fruit. I've received exactly 4 zombie spams from
the ComCast network since June 17, 2004, and my usual rate is tens to
hundreds per day from them.
Unfortunately, there's no indication that ComCast will take any furth
At the same volume level, I see thirty times more legitimate messages with a
leading space in the subject message. Most are from users, with one to
three leading spaces. Three different legitimate "news alerts" are using up
to 6 leading spaces, presumably to make their subject line stand out in t
Well, I'm late to the party!
I love Sandy's idea, it's a great way to "stem the tide".
Matt, absolutely, the problem with the "dir" based delete commands is
reading through the tree that NTFS creates, which on a busy disk will be
literally all over the hard drive. This would then be complicated
John, let's say that you have a Postfix gateway in front of your
IMail+Declude server.
If you whitelist the gateway, then all mail from that server or passed
through that server will be whitelisted. That would be *bad*. You would
instead use IPBYPASS, so that all the IP based tests are not again
;t use the DUHL tests!
-Original Message-
From: Colbeck, Andrew
Sent: Thursday, July 08, 2004 6:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] IPBYPASS and WHITELIST IP
John, let's say that you have a Postfix gateway in front of your
IMail+Declude server.
If y
Meh. I think most angles on this incident have been covered. Stuff was
definitely done wrong, but with reasonable business goals behind Computing
Horizon's thinking. Some of those didn't mesh well with the active 10-20
power users on the mailing list. For example, I'm sure that a GUI featured
Thank you, Barry.
In addition to a community support channel, we've become accustomed to using this mailing list as
a communications channel to and from Computerized Horizons. You may
miss out on the pulse of your customer base if you are not a subscriber.
I'm sure we all
a
Dave, if you move your reporting level from MID to HIGH, you will see a log
line for every hit in your filter files.
Andrew 8)
-Original Message-
From: Dave Doherty [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Filter r
No, the slashes have no special meaning. There is no regexp parsing in
Declude, every search expression is a literal, but is case-insensitive.
The most common item that arises as a result:
You can't search for a term with a leading space, e.g. BODY 1 CONTAINS "
spam" (remove the quotes).
On the
The results would have been the same. Declude searches the whole message
"raw", so the inside of attachments get scanned too. Using:
ANYWHERE 1 CONTAINS spam
is the same as using:
HEADERS 1 CONTAINS spam
BODY 1 CONTAINS spam
So, the ANYWHERE filter can save you a line, but may open you to
Hey, Scott. If you'd like, send me a sample off-list. I could use a short
brain teaser this morning.
The general idea I think would be to do a grep and only look for lines with
well-formed IP addresses.
e.g. egrep "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" sample.txt >result.txt
[0-9] me
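As an added example (my own code, not from any post on this list), the same idea in Python, with the check the egrep pattern above does not make: `[0-9]{1,3}` happily accepts 999.1.1.1 or the tail of a longer digit run, so each candidate is validated as a real IPv4 address before the line is kept. The second function applies the extractor to `Received: from <helo> [<ip>]` lines of the kind quoted elsewhere on this page and flags a HELO that is itself an IP literal but not the connecting IP. The sample text is constructed; the function names and the example.com / example.net hosts are my assumptions.

```python
import ipaddress
import re

# Loose pattern like the egrep on the page; it also accepts 999.1.1.1, so every
# candidate is validated afterwards. Look-arounds stop it matching inside 1.2.3.4.5.
_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# "Received: from <helo> [<ip>]", the form the IMail (SMTPD32) header takes.
_RECEIVED = re.compile(
    r"^Received:\s*from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.M)


def find_ipv4(text: str) -> list:
    """Well-formed IPv4 literals in order of appearance (duplicates kept)."""
    found = []
    for cand in _CANDIDATE.findall(text):
        try:
            found.append(str(ipaddress.IPv4Address(cand)))  # rejects octets > 255
        except ipaddress.AddressValueError:
            pass
    return found


def lines_with_ip(text: str) -> list:
    """The lines egrep would keep, minus those whose only 'address' is malformed."""
    return [line for line in text.splitlines() if find_ipv4(line)]


def helo_ip_mismatches(headers: str) -> list:
    """(helo, connecting_ip) pairs where the HELO is an IP literal that is not the connecting IP."""
    out = []
    for helo, ip in _RECEIVED.findall(headers):
        literal = helo.strip("[]")
        if find_ipv4(literal) == [literal] and literal != ip:
            out.append((literal, ip))
    return out


# Constructed sample, modelled on headers of the kind quoted on this list.
SAMPLE = """\
Received: from 66.38.133.97 [200.252.69.131] by mail.example.com (SMTPD32-8.02)
Received: from [73.250.175.174] by 66.38.133.97 with SMTP
X-Note: build 8.02.1234 is not an address, nor is 999.1.1.1 or 1.2.3.4.5
Received: from relay.example.net [69.200.70.5] by mail.example.com
"""

if __name__ == "__main__":
    for ip in find_ipv4(SAMPLE):
        print(ip)
    print(helo_ip_mismatches(SAMPLE))  # [('66.38.133.97', '200.252.69.131')]
```

Feed it the uncaught-spam sample instead of `SAMPLE` and count the results (`collections.Counter`) to see which relays recur; the mismatch list is the raw material for a HELO-versus-connecting-IP test of the kind discussed later in this thread.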
Serge, POP and IMAP are certainly available in Exchange, but if I read this
architecture correctly, what your client probably wants is the ETRN extension
to SMTP.
I used this once under Exchange 5.5 to fetch mail over dial up. Here's an
ancient article on the subject to get you started on some bas
Hey, Bill. You've got your thinking cap on too tight!
> Find "@aol.com" \*\forward.ima >found.txt
>
> The idea is to search all subdirectories of the current director for
> forward.ima and look to see if @aol.com is in there.
fgrep -r -i -l --include=forward.ima "@aol.com" .
fgrep instead of egrep means
It's perfectly legit, Dave. Go ahead and follow the instructions precisely.
You don't expect your OS to ship with a perfect database of second-level or
third level cert suppliers do you?
And no, clients making an SSL connection to your new server won't need to
jump through any special hoops at al
Brute force works well for this particular virus, because it has so few
possibilities and doesn't use common enough attachment names for me to
consider it any risk for false positives:
#Jul-20-2004 AC broken BAGLE.AH and so forth
BODY 0 CONTAINS filename="cat.
BODY 0 CONTAINS filename="Cool_MP3.
B
Brad, several of the ip4r tests list whole subnets, and I've seen hits from
IPs in that and similar subnets across the last week.
More likely is that your DNS didn't respond in time when Declude inspected
this particular message.
Andrew.
-Original Message-
From: Brad Morgan [mailto:[EMAI
Edit the Q.smd file so that your own addressee information is listed
instead of the regular addressee. If it is delivered, it goes to your own
mailbox instead of the original user.
Then copy the Q.smd and D.smd file into your C:\IMail\Spool
folder and wait for your IMail to notice
From http://isc.sans.org/
Handlers Diary July 26th 2004
Updated July 26th 2004 16:04 UTC (Handler: Johannes Ullrich)
* latest MyDOOM search engine use
Latest MyDoom search engine use
(initial analysis. more details, and eventual corrections, will be posted as
they become available)
The lates
The actual URL in the href is:
http://www.secureusbank.com/internetBanking/RequestRouter/requestCmdId/DisplayLoginPage/login.htm
The sending IP is: 140.116.177.114 which apparently belongs to
an educational institute in Taiwan.
Andrew 8)
Body text is as follows:
D
but I think the
subject line randomization is bad software, or more deliberate antispam
measures. Only the spammer knows...
Andrew
8)
-Original Message-
From: Colbeck, Andrew
Sent: Tuesday, July 27, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] A bu
Another week, another variant.
http://isc.sans.org/
Judging from possible strings in the message body and subject, this virus
uses a password protected zip (or pretends to), and pretends to be about
security, possibly faking your own domain name, just like last week.
I don't know what it's tryin
Definitely SpamAssassin. If you want these tests and more, check out the
signature at the bottom of one of Sanford Whiteman's recent posts.
Andrew 8)
-Original Message-
From: Scott MacLean [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject:
http://www.ftc.gov/opa/2004/07/creaghan.htm
I like the part about freezing his assets, as he tried to move his finances to a
bank in Latvia.
Andrew 8)
p.s. http://groups.google.ca/groups?q=%22Creaghan+A.+Harry%22+group:news.admin.net-abuse.*&hl=en&lr=lang_en&ie=UTF-8&group=news.admi
I submitted a copy to both McAfee and TrendMicro; McAfee already detects it
as W32/Bagle.aq
http://isc.sans.org/
Each copy I received had no subject line, and one word in the visible body
text, "price".
The virus was in a zip file, called price_new.zip and contained an HTML file
called price.htm
Dear PayPal User,
We regret to inform you but due to recent suspicious activity regarding
your
account we are forced to ask you to verify your identity for security
purposes.
In order to continue using your PayPal account normally and avoid any
account
restrictions please provide us with your f
Not a virus, spam combined with social engineering combined with a malware installation attempt.
We've received spam from this dynamic IP in Brazil:
200-153-121-39.customer.tdatabrasil.net.br [200.153.121.39]
Which was HTML formatted with the message:
"Hey...haven't t
The "[EMAIL PROTECTED]" has been around for a long time.
Legitimate mailers (and others) use the format to encode very specific
information about their target, presumably so that they can effectively
determine the email address when a complaint is made or the sender receives
a bounce.
I rarely get
Yes, Brad, the correct thing for him to do is to change the HELO greeting.
Here are the instructions for Exchange Server 2000, which I think will be
close enough for you.
http://support.microsoft.com/default.aspx?scid=kb;en-us;266686
Scroll down to the section:
"How to Change the Fully Qualifie
Script schmipt!!
Use the Explorer Find/Search tool, look at only *.eml files and search the
body for the name of the domain that you're interested in.
I don't have any applications that use the .eml format, but I'm sure that
each message is a single file, unlike the Q*.smd + D*.smd files that IMa
Ok, so who's the list member who is infected by the NetSky virus??? From:
stmary-1-306.atm-cip.trvnet.net [64.71.64.38]
AS: 64.71.64.0/19 AS14814 Twin Rivers Valley Internet Serv Livermore/Iowa
The virus is being sent to the list and to the list members.
Andrew.
Putting my two cents in ...
I also would rather have both options. I would choose the keywords:
ABORT (same as END, and deprecate use of END as a keyword)
STOP (end processing with the accumulated weight, and the test status
status as having triggered, as requested by Matthew Bramble
Bill, I think the matter of the licensing and potential patent problems with
SPF are limiting factors only for the Open Source movement's software
development, as it affects developers, not implementors. As we see with the
Apache Software Foundation's letter to the MARID group, they won't put
supp
Andy, Microsoft certainly is an important player.
I just wish that they would stick to the standards that everyone else does.
In order to get mail to them in an orderly fashion, I need to use a static
copy of their DNS record in the DNS server on my mailserver, that I've
cooked to know only about
Kevin, I suspect that you're right, and that 99.9% of the time, your rule
would hold true.
I would suggest that the IP address in the HELO would have to match the
reverse DNS exactly, though.
I also think that this observation would also hold true if the HELO is an
IP address and there is no r
http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html
Friend Greetings is the classic "greeting card virus", back in 2002. There were
hoaxes previous to that.
Andrew 8)
-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]
You can hide the problem by going into your IMail configuration under SMTP, then the
SMTP Security tab and adding the IP address to the IMail Kill File. When
IMail sees a connection from that IP, it drops it, without returning an
error to the sender, and without logging the a
Whups, yeah, what John said.
Andrew 8)
-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Monday, September 27, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Stop one IP address
Andrew and Goran,
That should be 512 bytes in the UDP packet, and only in the reply. Another good
tip is to tell your firewall that DNS over TCP is fine.
Usually if this is turned off, it is to prevent bad actors from doing a
"zone transfer" to scoop up all of your DNS hosts so that they c
Trend calls it something else and claims that it is 13 hours old. We haven't
seen any copies yet.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AM
Andrew 8)
-Original Message-
From: Don Hickey [mailto:[EMAIL PROTECTED]
Sent: Tue
I heavily depend on:
http://openrbl.org
Which lists dnsstuff and moenstad as similar services. For the last year,
they've been subject to on-again off-again Denial of Service attacks, and
now have many regional mirrors, and they've recently introduced a timeout on
the first lookup submission, pr
TrendMicro also catches some phishing attempts:
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=citifraud&alt=citifraud
But I've no idea what exactly they're triggering on. If it's a body URL,
their release updates are probably too far apart, but their CPR (Controlled
Pattern
... If you're going to go nuts on this, I'd also suggest the accented
characters, and case folding e.g.
Ò -> o
Á -> a
Andrew 8)
-Original Message-
From: Darin Cox [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Fi
A dozen users in my domain have received a fake invitation to pick up a
postcard from postcards.com since 8 PM PDT. It came from a clean ADSL IP,
so it didn't get caught.
It's actually an HTML page with a URL that says one thing and takes the user
somewhere different (another dynamic IP, and yet
END NOTENDSWITH .postcards.com
- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 07, 2004 3:20 PM
Subject: [Declude.JunkMail] Spyware alert - fake postcards.com invitation
> A dozen users in my domain h
... And she inflicts a lot of collateral damage while trying to kill them.
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=49900272
At least, that's my take on it.
Andrew ;)
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail c
I'm getting spam from the following netblock, but with zero ip4r tests
triggering.
I haven't seen any legitimate mail coming here, so I'm putting a
conservative weight on this, and you might find it useful too in a filter
file:
REMOTEIP 4 CIDR 69.200.64.0/19
Matt from MailPure.com has a DYNAMIC
Scott, you have far less ham on weekends. Hypothetically, a company like
yours might use the day of week test to add a little weight on the weekend,
on the basis that your false positives from doing so will be fewer.
I have a similar volume pattern.
And to answer Mark's initial question, another
Yes. For that matter, a BODY filter could also catch text that is in an
attached document.
Andrew 8)
-Original Message-
From: Danny K [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 19, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] WordFilter BODY
Will a wordfilter B
No, you can't do this directly with Declude, but indirectly, heck yes.
I just wrote a piddling batch file that will let you do this. You can use
it for any external test, not just sniffer.
You should read it carefully, and then edit your global.cfg accordingly, in
particular to put in the correc
Microsoft software is probably the "most guilty" for using the vague
application/octet-stream MIME type instead of something more explicit, like
application/msexcel. PDF is also very likely to come as a stream. I
place viruses and malware as a distant 3rd for using stream.
They go in the body because ... that's where they go.
Take a look at a message in your spam folder. The header ends where you see a
blank line (two carriage returns, or two line feeds). The attachment type
line descriptions do not appear in the header.
I don't understan
No, I haven't seen this.
But I have meant to ask if others on the list are seeing that their spam
volumes are up in the last week. I have, by a 10% increase. What I'm
seeing is not more spam getting to mailboxes, just more spam volume. Viral
activity has been constant.
Andrew 8)
-Original
According to their "lists" page, I don't see any other lists that are:
a) small enough to reasonably search with declude BODY filters
b) differentiated enough from the SpamCop-derived info to be worth the cost
For example, the Outblaze list is ten times the size of the SpamCop list.
This may cha
2 GB is the danger zone for .pst files. They can be bigger, but if they do
get corrupted, the Inbox Repair Tool will truncate it just short of 2 GB. I
don't know if there is a fixed maximum of messages.
Andrew 8)
-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
Sent: Frid
The RelayWatcher RBL hosted by number13.com is dead. The domain expired two
weeks ago. The "business domain" at n13mbl.com is still valid, but the
website is dead, as it redirects to the dead domain.
I don't know where Richard Sloman has gone or why the second site hasn't
come back, but the list
John, why are you worried about viruses being held in your spam folder? If
they're held, they're effectively quarantined and the user isn't bothered by
it, just as they're not bothered by the spam in that folder.
Please share,
Andrew 8)
-Original Message-
From: John Carter [mailto:[EMAI
tip: if you don't trust a requestor but need to supply a valid address and would
prefer to simply filter the mail, rather than clutter the requestor's database,
you can use SpamHole instead. SpamHole will give you a time-limited valid
address on their domain, so that you can
Of course! It's a free country. Oh wait. I'm in Canada.
Andrew 8)
-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 1:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OT: [EMAIL PROTECTED]
Th
Keith, I think you've caught a bug in Declude.
I've verified what you found, and I'm enclosing a sample GMail with complete
header (not mangled through a mail client).
What I think Declude is doing is finding the text "subject:" in the domain
keys header, instead of the subject: line that fol
An Off Topic thread ...
On various domains I administer, a single point of failure mailhost has been
good enough, but I'm shortly going to add a second host on a second network
for redundancy.
Now, I understand *how* to do that, but what I would like to hear from those
who've been there before me
Thanks, everyone.
I was hoping for more war stories, or specific gotchas with more ornate
configurations, so I'm surprised at the few responses. For example, I've
noted that IMail has a queuing problem with HotMail advertising MX servers
that don't actually accept mail, or that don't exist, which
mber 05, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OT: expanding beyond one mailhost
Colbeck, Andrew wrote:
>Thanks, everyone.
>
>I was hoping for more war stories, or specific gotchas with more ornate
>configurations, so I'm surprised at the few responses.
Yeah, what Matt said.
In my own words: Everybody has a custom configuration, so what works for
them WON'T work for you.
Since you've only just re-joined the list, I'll mention that Markus Gufler
and Pete McNeil have collaborated on the back-end for a nifty graph
indicating just how useful the tes
Well, Glen, there's a LOT more that you could be doing. I see that you've
only put forward the names of built-in tests and IP4R tests. Do you have
Declude Junkmail Lite, Standard or Pro? And have you upgraded to the
current version of the declude.exe application?
The manual is here: http://www.
And if you *really* have horsepower to spare (and some of your own time),
implement Sandy's spamc to hook into a SpamAssassin daemon and run SURBL.
Me, I'm waiting for SURBL support in Declude, as the Outblaze and Phishing
URI tests in the multi.surbl.org cover a lot of fresh phishing domains.
An
For what it's worth, I don't have the Declude Virus product. The Declude
Virus product may catch the IFRAME technique in HTML, but you won't see this
technique in HTML, which is why Dave probably thought it was a useful
heads-up in the antispam forum.
I can add to Dave's description:
Trend Micro
I give it a small negative weight, and then a big positive weight with the
HIL IP4R test.
I see very little of bad-guy spammers using the Habeas warrant. I also see
very little in the way of useful mailers taking advantage of the warrant.
So from my traffic, Habeas is a failure.
Andrew 8)
Or if this guy's email address is an indicator of spam
ALLRECIPS 480 CONTAINS [EMAIL PROTECTED]
so if the president of the company and [EMAIL PROTECTED] are in the To:, CC: or BCC:,
the message will still get held or deleted for everyone.
That might be handy for you, but
Sandy, I'm having problems in getting this working on a test machine. I'm
missing some obvious step...
Recap:
My production environment is such that I run IMail+Declude as my gateway, in
front of an Exchange 2000 environment, so I'm a good candidate for using
your exchange2aliases script. We ga
ng. Also, I
introduced the alias loop because after failing to get it to work, I cribbed
the idea of the alias from the recent ldap2alias discussion.
Andrew 8(
-Original Message-
From: Colbeck, Andrew
Sent: Saturday, November 13, 2004 8:05 PM
To: '[EMAIL PROTECTED]'
Subject: [D
Thank you for the help, Sandy. It's greatly appreciated, especially at this
late hour.
Andrew 8)
-Original Message-
From: Sanford Whiteman [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 8:53 PM
To: Colbeck, Andrew
Subject: Re: [Declude.JunkMail] [OT] exchange2aliase
192.0.1/cn=users,dc=bentall,dc=local
mydomain.com mydomain.com
Going for a test ride tomorrow.
Thanks for the aid,
Keith
-Original Message-
From: [EMAIL PROTECTED] on behalf of Colbeck, Andrew
Sent: Sat 11/13/2004 11:04 PM
To: '[EMAIL PROTECTED]
Yeah, what Matt said.
Chipping in another 2 cents, the "?stderr." in particular I find in bulk
mail as opposed to spam mail, and they are more likely to have a valid
opt-out routine that works like you expect it to work.
I believe that is a built-in feature with Postfix and SendMail.
Andrew 8)
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
The "free" Windows Server 2003 Resource Kit. I use these things all the
time.
It seems weird to shell out of a .vbs script to run a command line tool,
though.
Andrew 8)
-Original M
Yeah, what Pete said!
This is especially true with monster log files being moved around on the same
spindle(s).
And it's a great tip when you want to delete or update a file that is in use,
even if it's running. Rename it, and you're done. I've had to use this tip
many times when patching a
Another consideration in the "distributed dictionary attack" is that it
may simply be viral behaviour from infectees who have multiple
addressees in your domain in their address book or elsewhere on their
hard drive.
There are several viruses that fake the left hand side of the mailfrom
address, w
Chuck, that suggestion could be useful for me, but I can two bits...
I've noticed that some legitimate bulk mailers, like spammers, are
completely brain dead when it comes to removing e-mail addresses that have
bounced. For example, I saw a spammer consistently using an address that
hadn't existe
Chipping in my two cents (Hi, I'm back from vacation!) I'm waiting for
something like BODYTEXT instead of BODY so that I can stop getting false
positives from short sequences showing up in attachment encoding.
I had to stop trying to filter:
grx
grx2
t1t
MLM
d0rm
/ad
/ads
because they came up an
Sorry, I've no great insight on the positive uses of this test, but I can
point out another exception. E-mail enabled pagers and RIM Blackberries
often have their phone number as the e-mail address @TheProviderDomain.com
instead of or in addition to the subscriber's name.
Andrew.
Here's some examples of mailing lists that have lots of numbers (and
letters) in the MAILFROM. You may find that you'll have to put in a
counterweight everytime a user reports that they're missing mail when they
sign up for a newsletter.
Andrew 8)
p.s. I've deliberately munged the addresses a li
JT> Pagers have 10 numbers, so I would actually start at either 11 or 15.
JT> An old CompuServe address will most likely not be failing other tests to
JT> where this one would put it over. How many numbers do those addresses have
JT> in them?
Nine digits, e.g [EMAIL PROTECTED] (that was mine for
MB> GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB> SUBJECT 2 CONTAINS qb
(snip)
This looks good, Matthew.
The weight is low enough to be cautious, and I suspect the only false
positives you will get are on subject lines with that raw
=?ISO-8859-1?B?UmU6U2lsZG stuff.
> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
I'm seeing quite a few of these coming in, but they are getting held.
I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.
An interesting point that came out of my following this thread is that I
How about some thoughts on selectively running tests, based on the HOP
count?
Specifically, one of my strong reasons to buy Declude+IMail (yes, that's the
way I view it!) for my gateway was because of the HOPHIGH feature for
running ip4r tests against more than just the IP of the host that sent th
For those who are using the BASE64 test and finding that you have to
counterweight for Exchange Servers that uselessly encode plain ASCII
messages, note that there is a new patch level:
HEADERS -10 CONTAINS Microsoft Exchange V6.0.6375.0
in addition to John Tolmachoff's research:
HEADERS -10 CON
'm only looking
at uncaught spam, perhaps these guys are getting nailed by other tests.
Dan
On Thursday, September 11, 2003 13:16, Colbeck, Andrew
<[EMAIL PROTECTED]> wrote:
>> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>
>I'm seeing quite a few of these coming in, but they a
For those who like to use http://openrbl.org but found it unavailable for
longer than any usual system maintenance, your guess that it was due to a DDOS
is right.
Meanwhile, Declude's own http://www.dnsstuff.com/ and http://moensted.dk/spam/ can get you
the lookup information.
Here's this morning's biggest loser: we HOLD on 20, and this spammer
achieved a whopping:
DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2
NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5
EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10 SORBS-HTTP
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
(SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174] by 66.38.133.97 with SMTP for ; Wed, 17 Sep 2003 06:00:29 +
Message-ID: <[EMAIL PROTECTED]>
From:
>> DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2
>> NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5
>> EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10 SORBS-HTTP:7
>> PSBL:5 CBL:5 GIBBERISHBODY:3 VERISCAM:7 BENTALLIPBL:7 BENTALLSPAMHINT:22
>>
I'm seeing some false positives for mail from .comcast.net hosts that are
falling into various ip4r lists. It's very sporadic. It seems like quite a
few are being "tested" as mail relay hosts, but aren't.
Other providers provide a sensible naming convention to make it
straightforward to identify
>>Who has had any luck in trapping spam written in a foreign language. I
>>seem to be getting what appears to be spam from what appear to be
>>written in Russian and I have no clue has to how to stop the messages.
>Could you send the full headers of one of the E-mails? The actual foreign
>langu
phone in Moscow: 1-0-5-5-1-8-6
-Original Message-
From: Colbeck, Andrew
Sent: Thursday, September 18, 2003 10:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] Foreign language Spam Mail
>>Who has had any luck in trapping spam written in a foreign language. I
According to external DNS, you only have one mail host.
For starters, you can whitelist your own IP. And if that server is the only machine of yours
that is going to identify itself as wcnet.net,
HELO 20 ENDSWITH wcnet.net
should do nicely until someone called mail.n
I should add:
If you want to go the extra mile and say:
MAILFROM 20 ENDSWITH wcnet.net
Then you'll find that works great against spammers who fake their mailfrom address so it looks
like your own name (or say, [EMAIL PROTECTED] while trying to send
to you!), but:
You'll a