Re: [Declude.JunkMail] New test request

2003-09-10 Thread Matthew Bramble
Thanks Andrew...I like my apples :) Some stuff could be put back in that I took out while testing the filter for the body before I found out that it caught attachments. I was careful to take out things like ql because of MSSQL, and I searched a dictionary file for matches on the other strings

Re: [Declude.JunkMail] SMTP Relay Limit

2003-09-10 Thread Matthew Bramble
Dan Patnode wrote: Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names? Thanks, Dan

Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble
?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?= There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test. Dan On Monday, September 8, 2003 19:05, Matthew

Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble
Doug McKee wrote: What is your test setup for the above string, please? SUBJECT 15 CONTAINS =?ISO-8859-1?b? From what I can tell, there's no valid reason to encode Latin-1 in the subject since that character set is supported by default in E-mail, so it's quite safe to fail on just

Re: [Declude.JunkMail] Strange Subject

2003-09-10 Thread Matthew Bramble
+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?= Dan On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote: How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what

Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Matthew Bramble
Add www.spamchk.com Base64 encoded subject lines will be decoded before the keyword-check. Markus It's on my list of things to do. That would be the best of both worlds since this stuff always seems keyword rich. Right now I'm writing custom filters, and loving the results... Thanks,

Re: [Declude.JunkMail] Strange Subject

2003-09-09 Thread Matthew Bramble
, but guaranteed to be spam (IMO) and 1/10th of the hits are things that would have otherwise gotten through on my machine. Matt Mike Leonard wrote: Matthew Bramble wrote: Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it. I tried this all the way down

[Declude.JunkMail] Detecting gibberish

2003-09-09 Thread Matthew Bramble
Scott, I've been trying out a custom gibberish filter made up of two character strings that are extremely uncommon in order to find a way to detect the spam that comes through with a linked image and a smattering of text. So far it's doing a great job of detecting this stuff, however it does

Re: [Declude.JunkMail] Foreign TLDs, was: Strange Subject

2003-09-09 Thread Matthew Bramble
Mike Leonard wrote: We got about 10 of these for V-pill over the weekend, that's why I set it up. I haven't seen any legitimate email get caught by this filter, but we don't normally get email from any non-English speaking countries (unless it's spam). Mike I've been meaning to share this

Re: [Declude.JunkMail] Detecting gibberish

2003-09-09 Thread Matthew Bramble
X-Mozilla-Status: 0001 X-Mozilla-Status2: Received: from igaia.com [24.195.119.188] by igaia.com with ESMTP (SMTPD32-7.13) id A6CC195016C; Tue, 09 Sep 2003 17:31:56 -0400 Message-ID: [EMAIL PROTECTED] Date: Tue, 09 Sep 2003 17:32:17 -0400 From: Matthew Bramble [EMAIL PROTECTED

Re: [Declude.JunkMail] Detecting gibberish

2003-09-09 Thread Matthew Bramble
Thanks Scott, that explains pretty much everything. I'm sure you are well aware of the problem with gibberish in spam, especially if you are moving towards Bayes filtering with Declude. Is it possible to come up with a filter like say BODYTEXT that processes just decoded text and ignores

Re: [Declude.JunkMail] Headers....

2003-09-09 Thread Matthew Bramble
Bernie, The DSN failure means that your server isn't set up to receive messages sent from senders (null senders). There's a checkbox for this in IMail's SMTP configuration menu. You also might want to go to rfc-ignorant.org and see what you need to do in order to get out of their list, but

Re: [Declude.JunkMail] SORBS test results, was Configuration Question - -

2003-09-08 Thread Matthew Bramble
e is doing the testing :) please let us know of the FP rate -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: Friday, September 05, 2003 7:00 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Configuration Question - I just insta

Re: [Declude.JunkMail] Whitelistfile problem

2003-09-08 Thread Matthew Bramble
Why not just whitelist @returns.groups.yahoo.com or even just groups.yahoo.com? You don't need to match the whole line, just a part of it. You might also be failing yahoo.com E-mail accounts, and if so, you might want to reduce the scoring of the blocklist that is catching this domain. Some

Re: [Declude.JunkMail] Strange Subject

2003-09-08 Thread Matthew Bramble
Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it. I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it

Re: [Declude.JunkMail] Feature request: no displayable text in body

2003-09-07 Thread Matthew Bramble
In an attempt to keep the original thread going, here's some anecdotal evidence of the problem and relevance of this test. In the last 60 hours, 15 separate pieces of spam have gotten through to my own account, out of those, 6 contained no displayable text, just comments (and other crap in

Re: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

2003-09-07 Thread Matthew Bramble
Please let me know if you are finding opt-in ads like Amazon.com, JCrew.com, etc, are passing the IMail tests confidently. Also, newsletters, especially of the graphical type. The two heuristics-types of tests that I have tried so far have been catching such things. This gray area stuff

Re: [Declude.JunkMail] Feature request: no displayable text in body

2003-09-06 Thread Matthew Bramble
znle io Only the graphic and the last line of text plus the equal sign above it displays in the message window. This type of thing probably accounts for around 10%-20% of my total spam volume currently, though some has more content. Matt Matthew Bramble wrote: Ah, I see now. This ca

Re: [Declude.JunkMail] Configuration Question -

2003-09-05 Thread Matthew Bramble
I just installed SORBS last night and am busy monitoring the results. I have found that they mostly tag what others are tagging thus far, but what will take more time to figure out is if they are finding stuff that has been slipping through the others. I monitor things that fail with a

Re: [Declude.JunkMail] Increased AOL, Hotmail, Yahoo, etc. false positives

2003-09-05 Thread Matthew Bramble
com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Thursday, September 04, 2003 1:36 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Increased AOL, Hotmail, Yahoo, etc. false positives positives It's just you :) The From ad

[Declude.JunkMail] Feature request: no displayable text in body

2003-09-05 Thread Matthew Bramble
This seems to be the wave of the future in spamming. There's a lot of spam coming in with no text, just other HTML, mainly to display an image and get by heuristics. Most of this stuff gets caught by the various lists, but I get a couple a day to addresses pointed at my own account that

Re: [Declude.JunkMail] Feature request: no displayable text in body

2003-09-05 Thread Matthew Bramble
All of the text is in the image, and the image is linked. If that IMG tag came through to you, follow it and you will see what I am talking about. A variation on this is to primarily use the image and link for the content, and include some bogus text, typically random characters below the

Re: [Declude.JunkMail] Feature request: no displayable text in body

2003-09-05 Thread Matthew Bramble
Ah, I see now. This can get tricky though -- looking for no visible text at all (just HTML tags) would be easy for spammers to bypass. Checking for the amount of visible text compared to the amount of HTML code seems like a good idea at first, except thanks to Microsoft Word E-mail, that

Re: [Declude.JunkMail] Declude v1.75 bogs down the server

2003-09-05 Thread Matthew Bramble
Keith, Assuming that it's a cascade effect from being near capacity, have you taken a look at saving processing and/or memory from other tasks. For instance, real-time anti-virus software can cause significant load on a busy machine. Even if you have it excluding log files and the like,

Re: [Declude.JunkMail] Black List Questions.

2003-09-04 Thread Matthew Bramble
SORBS and FIVETEN seem to be the most popular replacements. FIVETEN is overzealous though, so score low. Matt Chuck Schick wrote: Since Osirusoft has gone away I am looking at replacing it with other Blacklists. Here are some I am considering - BLARS Reynolds SORBS Anyone else using these

Re: [Declude.JunkMail] Using Declude to block Sobig Virus

2003-09-04 Thread Matthew Bramble
If I am using Declude as a gateway and block the offending IP, will I not also have to block the IP in the real mail server as well? Doug IMail actually hands off the mail to Declude after running its filters. The recommendation apparently will reject the messages based on IP during the

[Declude.JunkMail] Creating a country filter

2003-09-04 Thread Matthew Bramble
I've found a lot of foreign mail servers associated with spam and missing many of the lists, so I'm looking to create a filter for it. Since there are about 250 country codes that I would want to score on, it seems more prudent to do the test the other way around and only add points if an

Re: [Declude.JunkMail] Increased AOL, Hotmail, Yahoo, etc. false positives

2003-09-04 Thread Matthew Bramble
It's just you :) The From address is often forged. The address that matters the most is the server from which the E-mail came, which is listed in the top of the headers, i.e. Received: from declude.com [24.107.232.14] by igaia.com with ESMTP (SMTPD32-7.13) id A78F250118; Thu, 04 Sep 2003

Re: [Declude.JunkMail] Black List Questions.

2003-09-04 Thread Matthew Bramble
- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble Sent: Thursday, September 04, 2003 11:35 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Black List Questions. SORBS and FIVETEN seem to be the most popular replacements. FIVETEN is overzealous though, so score

Re: [Declude.JunkMail] Black List Questions.

2003-09-04 Thread Matthew Bramble
://www.dnsbl.sorbs.net/SpamDBFAQ.html Matt Matthew Bramble wrote: I haven't yet configured them because I have been testing other configurations, but when I do, I will add all of them except for SORBS-BLOCK (because it's not a test for spam IMO). SORBS-SPAM had a report earlier this week of blocking at least

Re: [Declude.JunkMail] Setting MAX Testing Weight

2003-09-03 Thread Matthew Bramble
I thought the essence of the argument against this is the fact that such testing doesn't happen one at a time, but instead in unison with one another. So if 20 queries are sent out and the first 10 that come back to put the score high enough to fail, there isn't really that much overhead in

Re: [Declude.JunkMail] SPAManager question

2003-09-03 Thread Matthew Bramble
Sandy, I was also looking forward to seeing what you had up there, thanks for the login info. Question...how did you process the configuration changes? Are you just using IMail rules as the filter (configuring that by way of IMail's tags) or did you actually get their Web server to execute

Re: [Declude.JunkMail] Test based on results of other tests

2003-09-03 Thread Matthew Bramble
I'm with you on how this would be accomplished, though it would probably be a somewhat laborious rewrite in how scoring was handled in comparison to how it is handled now. Just guessing of course. This was actually my first feature request to Scott after purchasing the application some time

Re: [Declude.JunkMail] SPAManager question

2003-09-03 Thread Matthew Bramble
Cute! I see how you did that now. I was really hoping though that you discovered some convoluted way to get IMail's Web server to run scripts...or maybe not depending on how convoluted it might have been. Thanks, Matt Sanford Whiteman wrote: Question...how did you process the

Re: [Declude.JunkMail] Test based on results of other tests

2003-09-03 Thread Matthew Bramble
crust." Matt Matthew Bramble wrote: I'm with you on how this would be accomplished, though it would probably be a somewhat laborious rewrite in how scoring was handled in comparison to how it is handled now. Just guessing of course. This was actually my first feature request to S

Re: [Declude.JunkMail] SORBS-SPAM

2003-09-02 Thread Matthew Bramble
.8 is one of those F-U blacklists that punishes every user on a system because a network administrator saw fit to complain. I would think that most of these organizations are bandwidth providers with some sort of firewall that got tripped by the testing. Spammers don't rely on open relays in

Re: [Declude.JunkMail] SORBS-SPAM

2003-09-02 Thread Matthew Bramble
://www.mediares.com [EMAIL PROTECTED] 1-888-395-4678 |Ext. 101 972-889-0201 |Ext. 101 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, September 01, 2003 6:44 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SORBS

Re: [Declude.JunkMail] REVDNS and HELOBOGUS

2003-09-02 Thread Matthew Bramble
I reduced the scores of those tests. Messages that fail BADHEADERS seem to often fail HELOBOGUS in my experience. It would be good to know the error code returned by the BADHEADERS test because this shouldn't be failed by most mailing applications (even automated ones). If you look in your

Re: [Declude.JunkMail] Dynamic Entry in [sp*m Testname]?

2003-09-01 Thread Matthew Bramble
You can name the tests anything you want. I'm not sure if that's exactly the question you were asking though. Watch out for scoring FIVETEN too high though, while they pick up a lot of things not listed elsewhere, they are definitely overzealous in their listing...last week, they even had

Re: [Declude.JunkMail] User Interface

2003-09-01 Thread Matthew Bramble
I'm very interested in this myself, the only thing that is stopping me is knowing what future plans that Scott might have for his configuration files and how that might impact the design. I can see that there have been a good deal of other folks designing interfaces from a search of the

Re: [Declude.JunkMail] Virus cfg setup for fprot as my virus tool

2003-09-01 Thread Matthew Bramble
Wrong list, but your answer appears in the Declude Virus manual with other important settings: http://www.declude.com/virus/manual.htm Matt Doris Dean wrote: What is the 'SCANFILE is the location of the command-line virus scanner' for fprot ... in the virus cfg file ???

Re: [Declude.JunkMail] User Interface

2003-09-01 Thread Matthew Bramble
be the best Benny -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: 1. september 2003 17:59 To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] User Interface I'm very interested in this myself, the only thing

Re: [Declude.JunkMail] User Interface

2003-09-01 Thread Matthew Bramble
] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: 1. september 2003 20:15 To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] User Interface Well, you can't always have it all :) Using IMail's Web server would seem like the most global choice, however I

Re: [Declude.JunkMail] AUTO Whitelist question

2003-08-29 Thread Matthew Bramble
A correction is in order I believe. According to John's site, his application counts how often you send messages to a particular address instead of how many messages are received from that address. Matt Markus Gufler wrote: John Tolmachoff [[EMAIL PROTECTED]] has written a nice addon for

Re: [Declude.JunkMail] [IMail Forum] Webshield failing bad headers

2003-08-29 Thread Matthew Bramble
Could someone help me with a little more detail on this. I'm wondering specifically about if this affects networks behind Webshield SMTP, or E-mail coming from a network protected by Webshield SMTP...or something else? The message below seems to be generated by Webshield SMTP in response to

Re: [Declude.JunkMail] [IMail Forum] Webshield failing bad headers

2003-08-29 Thread Matthew Bramble
orated's E-mail service (www.igaia.com) for spam. X-Note: This E-mail was sent from bay8-f106.bay8.hotmail.com ([64.4.27.106]). X-Spam-Tests-Failed: NOPOSTMASTER, BADHEADERS, IPNOTINMX, HEURISTICS-2 [4] X-RCPT-TO: [EMAIL PROTECTED] Status: R X-UIDL: 362044561 Matthew Bramble wrote: Could someone hel

Re: [Declude.JunkMail] [IMail Forum] Webshield failing bad headers

2003-08-29 Thread Matthew Bramble
Scott, first thanks for all the answers you provide here, I know that it takes you a ton of time to monitor this group and provide the assistance that you do! Secondly... :( I'm afraid that all the E-mail addresses are on the same line. Blocking Hotmail could be a bad thing, though I

Re: [Declude.JunkMail] FW: Attention mail server administrators

2003-08-28 Thread Matthew Bramble
My father was just blocked by Cox from reaching my SMTP server the other day. They did it without any warning/notice. Their resolution was to use their own mail server for SMTP, but he could still reach my server by way of POP3. It does introduce another potential point of failure into the

Re: [Declude.JunkMail] FW: Attention mail server administrators

2003-08-28 Thread Matthew Bramble
Scott, add to your list broadband cable providers that are also now starting to block port 25 outgoing. That was the issue with my father, and his IP doesn't change that often, though RR doesn't hardly ever change, maybe they know how to monitor appropriately? Matt R. Scott Perry wrote:

Re: [Declude.JunkMail] osirusoft

2003-08-28 Thread Matthew Bramble
With the news of Osirusoft's troubles, Do I need to disable them in Declude? Absolutely. What are the repercussions of having Osirusoft enabled right now? Legit E-mail failing their tests and slowdowns in processing E-mail. The word is that they are blacklisting the world...if you can

Re: [Declude.JunkMail] osirusoft

2003-08-28 Thread Matthew Bramble
I'm deep into monitoring false positives, passed spam, and valid near misses. I'll post some info tonight or tomorrow. One thing that is very clear thus far is that FIVETEN detects a lot of spam that other blacklists don't, however they also have a very high false positive rate which is why I

Re: [Declude.JunkMail] OSRELAY Replacement question.

2003-08-27 Thread Matthew Bramble
FYI Andy, Netscape 7's mail program can't see your information (winmail.dat problem). Regarding the discussion, I included several of the FIVETEN tests a few months back when I saw that Ipswitch was including them in their default configuration file (figured this would help that source's

Re: [Declude.JunkMail] OSRELAY Replacement question.

2003-08-27 Thread Matthew Bramble
And here's my newly edited file: DSBL ip4r list.dsbl.org * 50 MONKEYPROXIES ip4r proxies.relays.monkeys.com * 50 ORDB ip4r relays.ordb.org * 40 SPAMCOP ip4r bl.spamcop.net

Re: [Declude.JunkMail] OSRELAY Replacement question.

2003-08-27 Thread Matthew Bramble
Let me also correct one thing. I mentioned SPEWS as an alternative to Osirusoft, but that one also comes from their servers :) In other words, don't use that either (as noted in Hank's recent message). Matt Andy Schmidt wrote: Here are the replacements that I'm using (marked up red) with

Re: [Declude.JunkMail] Another automated e-mail fails BADHEADERS

2003-08-27 Thread Matthew Bramble
There's not even a date header in that message. What would an E-mail client even do with that? 1969? I probably switched from Scott's methodologies very early on, requiring a message to fail BADHEADERS, SPAMHEADERS (combined score of 8) plus at least one other test before it gets rejected

Re: [Declude.JunkMail] OSRELAY question.

2003-08-27 Thread Matthew Bramble
I've found that my scoring in Declude shouldn't be indicative of what is most commonly associated with spam only, but also what is most commonly associated with other tests and false positives. This speaks to the trouble with rating the individual blacklists, scoring them in isolation from one

Re: [Declude.JunkMail] [IMail Forum] Cannot receive messages from Comcast.net accounts

2003-08-26 Thread Matthew Bramble
I've found that automated mail including opt-in newsletters, E-commerce receipts, and product notifications, and renewal notices commonly fail the BADHEADERS, SPAMHEADERS and HELOBOGUS tests. For example, Network Solutions' own renewal notices were being caught by SPAMHEADERS back in March

Re: [Declude.JunkMail] Multi Server Configs

2003-08-25 Thread Matthew Bramble
Dan, It appears that E-mail is first scanned by the virus scanner (F-Prot or whatever), and then if it passes, the excluded extensions are tested. So as soon as your virus scanner became Sobig.F aware, the excluded extensions test doesn't get done because it is blocked by the scanner. Maybe

Re: [Declude.JunkMail] Multi Server Configs

2003-08-25 Thread Matthew Bramble
from being scanned by the spam system, including those tagged solely by attachment names like *.pif? Thanks, Dan 'Sobig Egg on Face' Patnode On Sunday, August 24, 2003 18:30, Matthew Bramble [EMAIL PROTECTED] wrote: Dan, It appears that E-mail is first scanned by the virus scanner (F

Re: [Declude.JunkMail] Multi Server Configs

2003-08-25 Thread Matthew Bramble
) wrote: Check what ftp server you are connecting to. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: Monday

Re: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Matthew Bramble
We have a little less volume than you do, but it's amazing how concentrated the messages can be. My personal account which has many domains pointed at it has not received a single copy of the virus, but one account on our server has been hit over 500 times in the last 48 hours. We run Declude

Re: [Declude.JunkMail] Delete based on specified content

2003-08-21 Thread Matthew Bramble
Here's what I do. I send outside notifications by way of [EMAIL PROTECTED], and then I use IMail rules to delete any replies. The text of the message says to reply to our postmaster address and that replies to bouncer will be automatically deleted. The rule.ima file takes care of it with

[Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
I've been a Declude Virus and JunkMail customer for about a year and a half now. At first the spam blocking was just something that only a few of my ~250 users (hosting) found beneficial, but in the last 6 months I have had to continually push the limits with the tests in order to keep it

Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
I'd also like to share my configuration. We have about 50 E-mail domains with about 250 users, with many addresses listed in who-is records and on Web sites, along with nobody alias redirection for all domains. This results in a lot of garbage coming our way. We are definitely capturing

Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-20 Thread Matthew Bramble
John, I just joined the list today, but I found your configuration file from back in June and it was very helpful in understanding how to fine tune Alligate. I'm going to study its logs more closely before I start that phase though, looking for false positives. I've turned that test down