Re: [Declude.JunkMail] Major SPF Kick!

2004-01-08 Thread Matthew Bramble
Consider this to be constructive as I'm still on the fence about the whole thing. I've been seeing more and more zombie spam that is coming from the client computer using an address on their ISP, and sent through the ISP's mail server. I'm not seeing a lot of it, but it is most definitely

Re: [Declude.JunkMail] IP4 Tests

2004-01-07 Thread Matthew Bramble
BONDEDSENDER doesn't catch much, maybe 0.5% at best on my system, probably more like 0.2% though. I'm not getting anything on XBL, and I just found that the test entry returned 127.0.0.4 instead of the 2 in my config. That's not what I read on their site originally, but it now says to use

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Scott, It took about 1 minute to figure out that this will be a very valuable test as I'm seeing similar hit rates. What matters most though is the type of thing that will FP, and what other tests will generally fail along with it. I'm guessing that an FP with CMDSPACE will probably also

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
BADHEADERS will FP a whole lot more, even on Outlook and other Microsoft mailers if they don't include a To address, and it only hits about 35% of the time. With it being over 99% accurate, I still only score it at 40% of my hold weight, and that's what I'm applying to this test...to start.

Re: [Declude.JunkMail] IP4 Tests

2004-01-07 Thread Matthew Bramble
Yes. XBL integrates CBL now, and maybe more. Matt Kami Razvan wrote: Matt: Is CBL this: CBL:*:cbl.abuseat.org Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, January 07, 2004 6:01 AM To: [EMAIL PROTECTED

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
a zombie. It's hitting about 62% of my total mail volume. Matt System Administrator wrote: on 1/7/04 6:35 AM, Matthew Bramble wrote: BADHEADERS will FP a whole lot more, Over 95% of the outgoing messages from our subscribers are failing the CMDSPACE test (75+ messages in about 50

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Also, please add the score in on the low setting, preferably at the beginning of the line. Note that this reduced my log file size by 80% :) Matt Andy Schmidt wrote: Hi Scott: With this latest build, the log file no longer has single line entries for each failed test? I don't have a big

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Second FP to report. Also, the last FP was from that company using software better associated with spamware than for legit server apps. This FP was automated from a server doing a small mail blast: Received: from nbc_cmg_srv1.xx [xx] by mx1.mailpure.com (SMTPD32-7.15) id AE7913B02A8;

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Markus, Something is happening because you're also failing SPAMHEADERS on Scott's server. I think that's Outlook 2003. Scott??? If those #*$(#@ ruin our tests...grrr. Matt Markus Gufler wrote: Do you have a firewall that interferes with SMTP transactions (such as Cisco)? No, not

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
System Administrator wrote: on 1/7/04 9:39 AM, Matthew Bramble wrote: FP to report. Here's what I'm seeing. The Outlook, Outlook Express and Eudora programs are all on the same XP computer. New message from Outlook to me. Failure. Reply message from Outlook to me. Failure. New message from

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Another FP. This one also has the X-EM headers which is related to something most often used in spamware, though it appears to be commonly used for mailer software on legit companies. Received: from progressive.com [67.39.105.65] by mx1.mailpure.com with ESMTP (SMTPD32-7.15) id A5E08FC01DA;

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
4th FP, they're starting to flow now. This is the first personal E-mail, though I think it came by way of Exchange's Web mail if I'm not mistaken??? Received: from recreation.bombardier.com [207.236.181.3] by igaia.com with ESMTP (SMTPD32-7.15) id A9F2D92023A; Wed, 07 Jan 2004 10:46:58

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Just a thought...if this is primarily a Microsoft thing, affecting several of their products, then maybe the pattern can be excluded. For the most part, WHITELIST AUTH should resolve issues with mail clients connecting directly to your server, but it's these Web scripts and Web mail programs

Re: [Declude.JunkMail] Existential crisis

2004-01-07 Thread Matthew Bramble
Kami, If you're asking for a fool proof way to add a lot of points for randomized TLD's, then I don't think it can be done reliably with a lot of weight. You have to hit this from every end possible, and this is where custom filters come in. I can't think of current functionality that would

Re: [Declude.JunkMail] Strange Looking Headers

2004-01-07 Thread Matthew Bramble
Not really garbled, though I'm not sure if it's compliant. =2E is the same thing as a period. I think they call this MIME encoding, though I'm not sure. I also see that they are marking the To, From and Subject as US-ASCII, which is totally useless, possibly non-compliant, and very, very

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Scott, Forgive me for being repetitive, I think that you might have missed this request. If you could add the total score in at the low setting, that would provide a critical piece that I think everyone would like to have without bloating the line excessively. If not, I can always use an

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Thanks again :) R. Scott Perry wrote: Forgive me for being repetitive, I think that you might have missed this request. If you could add the total score in at the low setting, that would provide a critical piece that I think everyone would like to have without bloating the line excessively.

Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless. Another trick for Green Horse is

Re: [Declude.JunkMail] IP4 Tests

2004-01-06 Thread Matthew Bramble
Matthew Bramble wrote: I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests): BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10-50 AHBL-RELAYS ip4r

[Declude.JunkMail] OBFUSCATION v2.0.1 for JunkMail Pro v1.77i7+

2004-01-06 Thread Matthew Bramble
I found that the OBFUSCATION filter can FP on UNICODE attachments (which are uncommon). The new version of this filter fixes this problem. Note that I'm only updating the version that uses functionality introduced and fully supported in JunkMail Pro v1.77i7 or higher. For users of the older

Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Tuesday, January 06, 2004 6:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Atriks - Pt.2 Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's

[Declude.JunkMail] Two small bugs

2004-01-06 Thread Matthew Bramble
Scott, Virus Bug == The first bug is more straightforward, however it is related to Declude Virus, so please forgive me for not joining that group. In an E-mail that was forwarded from monstor.com, it tripped on a banned extension of .com because a cookie reference was

Re: [Declude.JunkMail] IP4 Tests

2004-01-05 Thread Matthew Bramble
I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests): BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10-50 AHBL-RELAYS ip4r dnsbl.ahbl.org 127.0.0.2

Re: [Declude.JunkMail] Message Not Processed by Declude

2004-01-05 Thread Matthew Bramble
Burzin, My experience is that this happens while the services are shutting down and not while they are coming back up. I don't think there is anything that you can do except to contact IMail. I'm using IMail 7.15r3, but this also apparently (hearsay) happens with IMail 8.05 still, though

Re: [Declude.JunkMail] attachments

2004-01-05 Thread Matthew Bramble
Check out my GIBBERISH filter for a bunch of counterbalances that are used to detect base64 and UNICODE attachments or other things that use base64 encoding, and disable the filter when found. Alternatively, when you have short words, follow them by a space. Base64 encoding doesn't utilize

Re: [Declude.JunkMail] Mailer type

2004-01-03 Thread Matthew Bramble
I've seen legit stuff from MIME::Lite personally. The easiest way to verify this stuff is to search Google for the whole X-Mailer string and look for legit messages from it. MIME-tools is also used legitimately. I think that one of these can have problems with BADHEADERS also, though that

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
I think that Markus is mostly on the same page as I am on this issue. So far today, I have managed to catch 22 bounces from a Joe Job on one customer's account that started late last night, and this is only what my server caught due to the bounces containing the original content that tripped

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
not block NDRs (only during rush hours) and whitelist NDRs containing the original header with some declude specific X-Header lines? Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, January 03, 2004 6:49 PM

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
during rush hours) and whitelist NDRs containing the original header with some declude specific X-Header lines? Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, January 03, 2004 6:49 PM To: [EMAIL PROTECTED

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
Matthew Bramble wrote: I'm wondering if spam blocking works for this without me setting up a separate directory under Declude??? I'll have to test that out, seems strange that when he forwarded them back to me they were caught, but not caught when they were coming through my system. FYI

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
That ain't all of it by far actually. A very common one is also mailer-daemon@, however these are often customized, for instance [EMAIL PROTECTED], or bounce@, postmaster@, etc. To have a complete filter, you would need to figure out the body text that is unique to each of the mail servers

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, January 03, 2004 3:44 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Any thoughts on blocking

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
John, This would FP on messages that include ID's in the subject such as receipts, and also base64 encoded subjects, some of which are perfectly valid and Declude doesn't decode subjects at this time. I also tend to see receipts with more characters than I tend to see in spam that appends

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
The payload on this goes to a site that pops up a window using Zap The Ding Bat URL obfuscation to make the URL look like it is the real Citibank site. Very dangerous and because it's being redirected on that site, you can't catch the technique in the E-mail. I contacted the hosting provider

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
The site's down now. The hosting provider said it was probably signed up with a stolen credit card. He had it down within just a minute of me sending the message. Good deed done for the day :) Matt Matthew Bramble wrote: The payload on this goes to a site that pops up a window using Zap

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
a weight of say no more than 5 would help. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, January 02, 2004 9:14 AM To: [EMAIL PROTECTED] Subject: Re

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
) wrote: FYI, I did add this for it: HEADERS 15 CONTAINS citibanksecure John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, January 02, 2004 9:30 AM

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
and add a weight of say no more than 5 would help. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, January 02, 2004 9:14 AM To: [EMAIL PROTECTED

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
BADCOUNTRYNOREVDNS would have stopped this. http://www.mailpure.com/software/decludefilters/badcountrynorevdns/BadCountryNoREVDNS_v1-0-0.zip This was sent from an IP block where at least the entire class C belongs to spammers that host in China. Even before I added this filter, over 99%

[Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
Scott, I just noticed that one of my users has listed his own address in his Web address book, and I'm thinking this could become an occasional circumstance with unintended consequences. Since I turned AUTOWHITELIST ON, this means that anything with a MAILFROM that forges his personal

Re: [Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
R. Scott Perry wrote: I'll see if we can do this. It may get a bit tricky with the various combinations of user aliases, host aliases, and forwarding, but we could probably get it to work in most cases. I'll bet that you could fix 95% or more of the potential issue with just the real account

Re: [Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
Glenn \\ WCNet wrote: Yes, that happened to me. I had entered my address in the WebMail addy book for one of my accounts (don't recall why), and I started getting spam that showed as WHITELISTED. It wasn't obvious why at first because I wasn't the primary To recipient on the spam, but I finally

Re: [Declude.JunkMail] [BUMP] Files locked but not processed

2004-01-01 Thread Matthew Bramble
Andrew, Did you reboot SMTP or the server? There's an issue where it doesn't seem to call Declude while it is in the process of shutting down, but it's only a matter of a few seconds. I'm not sure if this has been reported to Ipswitch either, although Scott and Kami are aware of it. Matt

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2003-12-29 Thread Matthew Bramble
Sanford Whiteman wrote: Do I target all bounces for deletion? Not if you want to retain your customers. Well, that's what this is about. I'm starting to get calls about people wanting me to block this stuff. I'm not getting any calls asking about where one's message went. In

Re: [Declude.JunkMail] GoodAOL

2003-12-29 Thread Matthew Bramble
I think this is something that good use could be made of in general with your conditional statements, i.e. NOTCONTAINS, NOTIS, NOTENDSWITH, etc. I would have to really rethink filtering again though :) I've been trying not to ask you for too much, but since the topic came up and you agreed,

Re: [Declude.JunkMail] Filter for CIDR's

2003-12-29 Thread Matthew Bramble
Ahh, great! Thanks again. This will work nicely with the whitelisting capability that you discussed as well. Matt R. Scott Perry wrote: I'm sure this might have come up before, but it would be real nice, especially with the new functionality, to have the ability to match IP's to CIDR

Re: [Declude.JunkMail] GoodAOL

2003-12-29 Thread Matthew Bramble
statements.. He just agreed to one. I think you are making hidden subliminal suggestions :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 29, 2003 10:03 AM To: [EMAIL PROTECTED] Subject: Re

Re: [Declude.JunkMail] man, what the heck?

2003-12-29 Thread Matthew Bramble
Here's what I've done. A subject filter for three points, a body filter for 1 point, my FOREIGN/TLD filters (most of this comes from China), and some body filters for about 4 different domain names. I had the body and subject filters in the first day that I heard about the video :) This was

[Declude.JunkMail] Filter for CIDR's

2003-12-27 Thread Matthew Bramble
Scott, I'm sure this might have come up before, but it would be real nice, especially with the new functionality, to have the ability to match IP's to CIDR ranges in custom filters as opposed to blacklist files or ipfile types. Something like the following, though I understand that the

Re: [Declude.JunkMail] Comments - revisited

2003-12-26 Thread Matthew Bramble
Kami, Anything in these days is a legit HTML tag unfortunately. At the same time, most of these patterns aren't used and can be filtered for. If this one spammer wants to keep using that one pattern, nail him with the following: BODY 30 CONTAINS alt=3D I've been coding

Re: [Declude.JunkMail] Web-O-Trust or ?

2003-12-26 Thread Matthew Bramble
Kami, This guy also links to the following: http://users.adelphia.net/~equalizer/web-o-trust.txt Which includes what appears to be all of Adelphia. I'm not sure if people are paying attention, but I pointed both of these files out when the topic first came up. Now the mistakes have

Re: [Declude.JunkMail] OT - What works?

2003-12-26 Thread Matthew Bramble
Chuck, All of those products need to be trained by the user, and they work primarily on heuristics instead of the types of things we do with Declude, so they won't be nearly as effective, nor as reliable. I'm not aware of a plug-in for Eudora, but Netscape and new versions of Outlook have

Re: [Declude.JunkMail] Web-O-Trust or ?

2003-12-25 Thread Matthew Bramble
Merry Christmas everyone. Anyway...the problem was alluded to before, in fact the listings that caused this problem have always been there: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13918.html We shouldn't be trusting ISP mail servers. If isolated instances like this aren't enough,

Re: [Declude.JunkMail] Bonded Sender

2003-12-24 Thread Matthew Bramble
Cyan, Thanks for coming on board. If you don't mind, I would like to jump right into an early Christmas Eve discussion on the topic :) Recently I came across a service that was listed in both Bonded Sender as well as Spamhaus, out003.toptx.com - 38.113.200.23. The company, Topica (

Re: [Declude.JunkMail] SpamCop listing Webtv.net IP

2003-12-24 Thread Matthew Bramble
SpamCop and MailPolice both got demoted on my system by a point today, and I hope to bring them down another point soon (after measuring the effect on my system). When I see ISP mail servers listed, it is generally due to one of two things...they either have no controls on someone doing a bulk

Re: [Declude.JunkMail] Suggestions on whitelisting web servers

2003-12-24 Thread Matthew Bramble
Scot, The E-mail that comes in for accounts that are no longer hosted on that server can be safely refused after 2 days passes. I believe a lot of mail servers will try the A record when delivery fails to the MX, or the MX can't be resolved. The E-mail should be queued on the sending server

Re: [Declude.JunkMail] Suggestions on whitelisting web servers

2003-12-24 Thread Matthew Bramble
Scot, If you delete the domain from the old IMail server, and leave the HOSTS entry in there along with the relay settings, I believe that the old IMail server will forward the E-mail from the default domain's IP address. The trick is to delete the domain from IMail, then you can IPBYPASS

Re: [Declude.JunkMail] Bypassing User IP addresses

2003-12-24 Thread Matthew Bramble
If I recall correctly, when you IPBYPASS a single hop message, this can throw off some of the technical tests that are built into Declude since there will be no data element for the IP, REVDNS and HELO. If that's the case, it's because it wasn't designed for that use. This can be tested by

[Declude.JunkMail] Funny false positives :)

2003-12-24 Thread Matthew Bramble
This came to a customer that recently moved over to our service from Verizon because they were deluged with spam. I found it to be funny that we blocked it since most of it points to a very poorly configured mail server, and the topic of the announcement from Verizon was E-mail maintenance.

[Declude.JunkMail] Order of processing various filter types.

2003-12-23 Thread Matthew Bramble
Scott, I know this has been discussed at least in pieces in the past, but I was hoping that maybe you could put it all together for me (and maybe also add the order to the manual when the new functionality finds its way into a full release). Could you give me an idea about the order of

Re: [Declude.JunkMail] Overflow

2003-12-23 Thread Matthew Bramble
] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 9:47 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Overflow Nick, I think I might have been asking the question the other way around, though I'm not positive it was taken the wrong way. The theory

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread Matthew Bramble
as the filter contents are resequenced by my system. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 10:32 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter

[Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Scott, I was wondering about the progress of a couple of things. First, has the END functionality been fixed in a recent release, and second, has the weight listed in the WARN action been updated to include the sum of the Global.cfg and filter file weights? Thanks, Matt --- [This E-mail

[Declude.JunkMail] EASYNET-DYNA replacement, NJABL-DYNABLOCK

2003-12-22 Thread Matthew Bramble
I don't recall seeing this posted here, but while doing a little research on the NJABL blocklists, I came upon a page on their site saying that they were integrating the now defunct EASYNET-DYNA: http://njabl.org/dynablock.html The following line should work for integrating this test:

Re: [Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Very cool Scott, my test scores now add up :) I'll have to try the END functionality later on today though. Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for the WARN action? I can't say that I've tried these in the last month, but I couldn't get anything like this to

[Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
I've made some huge leaps forward recently in terms of the processing power required to run Declude with the custom filters that I have installed. This was done by way of the SKIPIFWEIGHT functionality introduced in the latest beta, but also by way of re-ordering my filters in the Global.cfg

Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
I would use the following: HEADERS 15 CONTAINS quill.com This message was sent through a third-party bulk mailer, and the MAILFROM address may change from server to server, but they are using a Reply-To address that will get picked up with that line. Matt Doug Anderson

Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
Just another follow-up. This might be dangerous to blacklist anything from quill.com since they are an ecommerce site and you may very well be blocking receipts and other order related information. It would then be safer to go after the MAILFROM, though this won't work if they change the

[Declude.JunkMail] Score not being added correctly, very serious...

2003-12-22 Thread Matthew Bramble
Scott, I have a feeling that one of the recent changes created a bug in the way that scores are added in combination from the Global.cfg and the custom filter file when combined. Here's an example: X-MailPure: == X-MailPure:

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Is this all being found on Windows 2003? I'm a couple of months away from adding a new server and this would definitely resolve any questions that I might have about Windows 2003 being an option. I know why John needs to play with the latest and greatest, but I have no such inclination or

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
on a continual rather than a fairly static filter such as these two. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 9:52 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] GIBBERISH 2.0.1, single file

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
I've been rethinking my strategy for dealing with dictionary attacks on my server. While the nobody alias has proved to be problematic, so does not having a nobody alias due to the possibility of being dictionary attacked. I'm thinking of setting up all the nobody aliases to redirect E-mail

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
on in the FILTER files Bill - Original Message - From: Matthew Bramble [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, December 22, 2003 12:17 PM Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality. George, That's good data to have. I

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
the validity of the statistical data which is now skewed by my filtering control. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 3:17 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] GIBBERISH

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Nick, I think I might have been asking the question the other way around, though I'm not positive it was taken the wrong way. The theory here is that domains which accept every E-mail address in the HELO won't be dictionary attacked past a few attempts because the attacker's software will

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
John Tolmachoff (Lists) wrote: This is a cache only setup, no domains. Cost is a concern at this time, unless I can prove that would be the answer. However, as I said earlier, the problem was first experienced using BIND DNS servers. I need to follow up on this. Keith had a problem after a

Re: [Declude.JunkMail] Comments test

2003-12-22 Thread Matthew Bramble
R. Scott Perry wrote: The problem is that it is nearly impossible to determine which are valid HTML tags and which are not -- that would require a database of known good HTML tags, which would need to be constantly updated. This was the first filter that I tried writing actually :) I got a

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread Matthew Bramble
Kami, I'm using a trick to show %ALLRECIPS% only when a message is held. I added an extra weight test as the hold weight and added the WARN action as follows: - Global.cfg - HIGH-RECIPSweightxx100 - $Default$.junkmail HIGH-RECIPSWARN

[Declude.JunkMail] Messages not scanned before shutdown...possible solution

2003-12-20 Thread Matthew Bramble
I was worried when I saw another message come through last night without Declude headers in it considering that the queue issue has only been fixed in IMail 8.05 and not 7.15H3 which is what I'm using (and I don't yet care to upgrade, though I'm starting to get tempted with that fix). What

Re: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Keith, I would imagine that this affects versions all the way back to 7.0 and quite possibly far before then. The issue is very rare on an IMail 7 server because the window of opportunity for swiping a message by a queue run is so much smaller due to the speed at which something is passed on

Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Bill, This can result in two copies of the file, one passed to Declude, and one stolen by the running of the queue. So it can still appear in the Declude logs, and chances are probably 80% that the Declude copy will at least be held on one of our systems and therefore we may not know about

Re: [Declude.JunkMail] Weight processing

2003-12-20 Thread Matthew Bramble
Kami Razvan wrote: I wish we could also skip the tests for negative weight.. Because right now the emails that we want to be delivered by negative weight actually will go through all tests since none can exit on a negative limit. I believe the idea here is to place the negative weight filters

Re: [Declude.JunkMail] SPF support to be added to next beta

2003-12-19 Thread Matthew Bramble
Scott, I've been looking over this trying to figure out how to best implement it for my domains. It seems that since they are all on one class C, I should do the following: v=spf1 +a/24 +mx/24 -all Now three very important questions... 1) If I implement this, will intra-server E-mail

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread Matthew Bramble
R. Scott Perry wrote: I'm not sure if this is in the RFC, but it would be a lot more accurate if you could compare the HELO to the SPF data. Some scripts do also falsify the HELO, but nowhere near the number of forged domains in MAILFROM. The original design for SPF allowed for that, but

Re: [Declude.JunkMail] Outbound Port 25, was - Virginia Indicts

2003-12-19 Thread Matthew Bramble
Pete McNeil wrote: A tip-off is that the counter to this argument is up-front in their proposal. Specifically that they will create and manage a mechanism that tracks the end-user's subscribe/unsubscribe requests... I think this is a lot like putting the foxes in charge of the hen house. I

Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Matthew Bramble
Darrell, It looks like your name server records were maybe munged for a period of time from a root update that is now fixed. Those munged records though are being cached and they should get a good copy once they expire. This might explain why all of us seem to be able to resolve your domain,

[Declude.JunkMail] They got the pill spammer

2003-12-19 Thread Matthew Bramble
...or at least one of them. There's no way this guy gets past Eliot Spitzer. I hope they take away his passport for obvious reasons. Target Spam: NY AG, Microsoft File $38M Suits http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2985 This sounds a lot like the guy (ring) with the

[Declude.JunkMail] ZAPTHEDINGBAT v1.0.0 and Y!DIRECTED v1.0.4

2003-12-18 Thread Matthew Bramble
The obfuscation exploit for IE that was reported a week ago is now being seen on my server (2 times yesterday). Both were PayPal scams, and in both instances, I would have passed the messages if I didn't have this filter in place because the only other test they failed was FRAUDDOMAINS (a

Re: [Declude.JunkMail] Active X filter

2003-12-18 Thread Matthew Bramble
The parm name entry is used outside of ActiveX, maybe not a good idea to include it here? Also, your scoring is going to be incremental with 4 for the filter in Global.cfg as well as 4 points for each line of the filter this hits. I'm not sure if that's what you intended. While this is

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
Andy, I'm with you on the idea being that this is much like SPAMDOMAINS, however, I don't think that I will be subtracting any points for E-mails that pass. I see spam coming through legit servers every day, and what's to stop a static spammer from adding these records to their own server?

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
R. Scott Perry wrote: I think whitelisting E-mail based on an SPF PASS probably isn't a wise idea, but I'm sure that spammers that do use SPF will be much easier to catch (they are providing a list of IPs that they may be spamming from G). If I was a spammer, I would use this to my advantage.

[Declude.JunkMail] Something to be blocking

2003-12-18 Thread Matthew Bramble
The most troublesome crud spammer of them all (the p-patch guy) is currently sending out E-mails with the following line in the headers: X-Ki: random characters I'm going to throw in a filter for this as follows: HEADERS 30 CONTAINS X-Ki: I suspect this pattern may be

Re: [Declude.JunkMail] Does anyone not have Reverse DNS?

2003-12-17 Thread Matthew Bramble
Why not just require everyone in the world to show the secret sign before having their E-mail accepted? Sarcasm obviously, but reverse DNS entries are not necessary for E-mail to function properly, and in many cases won't even match the domain given in HELO...so why require it? This also

Re: [Declude.JunkMail] Any suggestions on some tests ??

2003-12-16 Thread Matthew Bramble
If you have Declude JunkMail Pro, then the custom filters shared on my site are all generally good at detecting this sort of thing. This one in particular would have been hit by DYNAMIC, FOREIGN, TLD-WESTERNEUROPEAN, and TLD-MIDDLEEASTERN for a total of 9 points (or 90% of fail weight

Re: [Declude.JunkMail] recipient in the subject line

2003-12-16 Thread Matthew Bramble
Jeffrey Di Gregorio wrote: Hello, Does anyone know of a way to add a weight to a message that has the recipients name in the subject line? My experience was that almost all of such stuff that reaches my server is from one spammer. You can set up a filter as follows if you have

Re: [Declude.JunkMail] recipient in the subject line

2003-12-16 Thread Matthew Bramble
Kami, et al., I know it's a bit of a pain to maintain, and it doesn't take away from the benefits of having some variables for filtering, but there is an effective filter for something related that I haven't yet shared. The filter is called ADDRESSSUB, and it's quite simple and highly

Re: [Declude.JunkMail] RR.COM

2003-12-16 Thread Matthew Bramble
Scott, Your HELO (nerosoft.com) doesn't match your reverse DNS domain (mail.netbound.com). This could be the result of some idiot at AOL rejecting your E-mail based on those things not matching. The switch should be easy enough to test out this theory. Try changing your domain in IMail to

Re: [Declude.JunkMail] RR.COM

2003-12-16 Thread Matthew Bramble
Sheldon Koehler wrote: I would LOVE to see AOL start blocking on RDNS! If they do it, then we can start doing it. Then within a few months, all of the legitimate mail servers on the planet will have proper RDNS and the Spammers will have a much harder time with life. Spam will decline a LOT!!!

Re: [Declude.JunkMail] RR.COM

2003-12-16 Thread Matthew Bramble
Maybe not necessarily a reply to your comments, but the problem is that SMTP wasn't designed for security. Heck, how many years was it before they came up with SMTP AUTH? SMTP needs to be reworked, and then you need to give the Internet another 5 to 10 years to catch up with the new

Re: [Declude.JunkMail] RR.COM

2003-12-16 Thread Matthew Bramble
, Matthew Bramble wrote: Your HELO (nerosoft.com) doesn't match your reverse DNS domain (mail.netbound.com). This could be the result of some idiot at AOL rejecting your E-mail based on those things not matching. The HELO changes depending on the virtual domain sending the email. If [EMAIL
