Re: [Declude.JunkMail] Major SPF Kick!

2004-01-08 Thread Matthew Bramble
Consider this to be constructive as I'm still on the fence about the whole thing. I've been seeing more and more zombie spam that is coming from the client computer using an address on their ISP, and sent through the ISP's mail server. I'm not seeing a lot of it, but it is most definitely hap

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Thanks again :) R. Scott Perry wrote: Forgive me for being repetitive, I think that you might have missed this request. If you could add the total score in at the low setting, that would provide a critical piece that I think everyone would like to have without bloating the line excessively.

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Scott, Forgive me for being repetitive, I think that you might have missed this request. If you could add the total score in at the low setting, that would provide a critical piece that I think everyone would like to have without bloating the line excessively. If not, I can always use an dif

Re: [Declude.JunkMail] Strange Looking Headers

2004-01-07 Thread Matthew Bramble
Not really garbled, though I'm not sure if it's compliant. =2E is the same thing as a period. I think they call this MIME encoding, though I'm not sure. I also see that they are marking the To, From and Subject as US-ASCII, which is totally useless, possibly non-compliant, and very, very spam

Re: [Declude.JunkMail] Existential crisis

2004-01-07 Thread Matthew Bramble
Kami, If you're asking for a fool proof way to add a lot of points for randomized TLD's, then I don't think it can be done reliably with a lot of weight. You have to hit this from every end possible, and this is where custom filters come in. I can't think of current functionality that would

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Just a thought...if this is primarily a Microsoft thing, affecting several of their products, then maybe the pattern can be excluded. For the most part, WHITELIST AUTH should resolve issues with mail clients connecting directly to your server, but it's these Web scripts and Web mail programs th

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
4th FP, they're starting to flow now. This is the first personal E-mail, though I think it came by way of Exchange's Web mail if I'm not mistaken??? Received: from recreation.bombardier.com [207.236.181.3] by igaia.com with ESMTP (SMTPD32-7.15) id A9F2D92023A; Wed, 07 Jan 2004 10:46:58 -050

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Another FP. This one also has the X-EM headers which is related to something most often used in spamware, though it appears to be commonly used for mailer software on legit companies. Received: from progressive.com [67.39.105.65] by mx1.mailpure.com with ESMTP (SMTPD32-7.15) id A5E08FC01DA; We

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Matt System Administrator wrote: on 1/7/04 9:39 AM, Matthew Bramble wrote: FP to report. Here's what I'm seeing. The Outlook, Outlook Express and Eudora programs are all on the same XP computer. New message from Outlook to me. Failure. Reply message from Outlook to me. Failure. N

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Markus, Something is happening because you're also failing SPAMHEADERS on Scott's server. I think that's Outlook 2003. Scott??? If those #*$(#@ ruin our tests...grrr. Matt Markus Gufler wrote: Do you have a firewall that interferes with SMTP transactions (such as Cisco)? No, not und

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Second FP to report. Also, the last FP was from that company using software better associated with spamware than for legit server apps. This FP was automated from a server doing a small mail blast: Received: from nbc_cmg_srv1.xx [xx] by mx1.mailpure.com (SMTPD32-7.15) id AE7913B02A8;

Re: [Declude.JunkMail] Major Change in Declude Log File Format? Effects Reporting Applications?

2004-01-07 Thread Matthew Bramble
Also, please add the score in on the low setting, preferably at the beginning of the line. Note that this reduced my log file size by 80% :) Matt Andy Schmidt wrote: Hi Scott: With this latest build, the log file no longer has "single line" entries for each failed test? I don't have a big p

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
FP to report. So far I've managed to only hold one that didn't get deleted, but this one was legit, but didn't get held. It's from a company that sends out notifications by E-mail, and the headers look like they at least modified the mailer's source code if not written it themselves. Receive

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
a zombie. It's hitting about 62% of my total mail volume. Matt System Administrator wrote: on 1/7/04 6:35 AM, Matthew Bramble wrote: BADHEADERS will FP a whole lot more, Over 95% of the outgoing messages from our subscribers are failing the CMDSPACE test (75+ messages in abo

[Declude.JunkMail] PayPal fraud

2004-01-07 Thread Matthew Bramble
Block the following address in the body. I only caught this on FRAUDDOMAINS plus FOREIGN/TLD. Already notified Akami to pull the zone as it redirects to 8 IP's in China. BODY 28 CONTAINS paypal.neuxshells.com We'll see how quickly Akami responds (services provided by Yahoo to the cl

Re: [Declude.JunkMail] IP4 Tests

2004-01-07 Thread Matthew Bramble
hits this morning on CMDSPACE, and every last one reached my delete weight so far. Fixing the XBL problem also made a noticeable impact on what's getting held. I can't recall ever seeing an FP on XBL (CBL). Matt Matthew Bramble wrote: Yes. XBL integrates CBL now, and maybe more

Re: [Declude.JunkMail] IP4 Tests

2004-01-07 Thread Matthew Bramble
Yes. XBL integrates CBL now, and maybe more. Matt Kami Razvan wrote: Matt: Is CBL this: CBL:*:cbl.abuseat.org Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Wednesday, January 07, 2004 6:01 AM To: [EMAIL PROTECTED

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
BADHEADERS will FP a whole lot more, even on Outlook and other Microsoft mailers if they don't include a To address, and it only hits about 35% of the time. With it being over 99% accurate, I still only score it at 40% of my hold weight, and that's what I'm applying to this test...to start. T

Re: [Declude.JunkMail] New CMDSPACE test in latest interim release

2004-01-07 Thread Matthew Bramble
Scott, It took about 1 minute to figure out that this will be a very valuable test as I'm seeing similar hit rates. What matters most though is the type of thing that will FP, and what other tests will generally fail along with it. I'm guessing that an FP with CMDSPACE will probably also ten

Re: [Declude.JunkMail] IP4 Tests

2004-01-07 Thread Matthew Bramble
BONDEDSENDER doesn't catch much, maybe 0.5% at best on my system, probably more like 0.2% though. I'm not getting anything on XBL, and I just found that the test entry returned 127.0.0.4 instead of the 2 in my config. That's not what I read on their site originally, but it now says to use that

Re: [Declude.JunkMail] Two small bugs

2004-01-06 Thread Matthew Bramble
Thanks Scott, the fix appears to be working. Regarding that cookie "bug," I understood that Declude tagged the file appropriately based on the COM extension, but Outlook Express screwed up attaching it in the way that it did. This was actually a gif used for tracking, and it named the file acc

[Declude.JunkMail] Two small bugs

2004-01-06 Thread Matthew Bramble
Scott, Virus Bug == The first bug is more straightforward, however it is related to Declude Virus, so please forgive me for not joining that group. In an E-mail that was forwarded from monstor.com, it tripped on a banned extension of .com because a cookie reference was attached

Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
ploy the same tactics? Darrell -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Tuesday, January 06, 2004 6:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Atriks - Pt.2 Forgive me for repeating myself on this one, but I'm a

[Declude.JunkMail] OBFUSCATION v2.0.1 for JunkMail Pro v1.77i7+

2004-01-06 Thread Matthew Bramble
I found that the OBFUSCATION filter can FP on UNICODE attachments (which are uncommon). The new version of this filter fixes this problem. Note that I'm only updating the version that uses functionality introduced and fully supported in JunkMail Pro v1.77i7 or higher. For users of the older v

Re: [Declude.JunkMail] IP4 Tests

2004-01-06 Thread Matthew Bramble
Matthew Bramble wrote: I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests): BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10-50 AHBL-RELAYS ip4r

Re: [Declude.JunkMail] Atriks - Pt.2

2004-01-06 Thread Matthew Bramble
Forgive me for repeating myself on this one, but I'm a proponent of blocking outright on SBL. There's a good reason for spammers to be in their list, and it's not some community project where anyone and everyone makes nominations, so it's practically flawless. Another trick for Green Horse is

Re: [Declude.JunkMail] attachments

2004-01-05 Thread Matthew Bramble
Check out my GIBBERISH filter for a bunch of counterbalances that are used to detect base64 and UNICODE attachments or other things that use base64 encoding, and disable the filter when found. Alternatively, when you have short words, follow them by a space. Base64 encoding doesn't utilize spa

Re: [Declude.JunkMail] Message Not Processed by Declude

2004-01-05 Thread Matthew Bramble
Burzin, My experience is that this happens while the services are shutting down and not while they are coming back up. I don't think there is anything that you can do except to contact IMail. I'm using IMail 7.15r3, but this also apparently (hearsay) happens with IMail 8.05 still, though the

Re: [Declude.JunkMail] IP4 Tests

2004-01-05 Thread Matthew Bramble
I fail on a weight of 10, only score the last hop, and use the following (see notes below, config updated yesterday for new weights and tests): BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10-50 AHBL-RELAYS ip4r dnsbl.ahbl.org 127.0.0.2

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
none. :(( John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, January 03, 2004 3:44 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Any thoug

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
That ain't all of it by far actually. A very common one is also mailer-daemon@, however these are often customized, for instance [EMAIL PROTECTED], or bounce@, postmaster@, etc. To have a complete filter, you would need to figure out the body text that is unique to each of the mail servers an

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
Matthew Bramble wrote: I'm wondering if spam blocking works for this without me setting up a separate directory under Declude??? I'll have to test that out, seems strange that when he forwarded them back to me they were caught, but not caught when they were coming through my syste

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
, but why not block NDRs (only during rush hours) and whitelist NDRs containing the original header with some declude specific X-Header lines? Markus -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, January 03, 200

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
An idea: Unfortunately NDRs are somewhat of undefined that it's not a general solution, but why not block NDRs (only during rush hours) and whitelist NDRs containing the original header with some declude specific X-Header lines? Markus -----Original Message- From: [EMAIL PROTEC

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2004-01-03 Thread Matthew Bramble
I think that Markus is mostly on the same page as I am on this issue. So far today, I have managed to catch 22 bounces from a Joe Job on one customer's account that started late last night, and this is only what my server caught due to the bounces containing the original content that tripped my

Re: [Declude.JunkMail] Mailer type

2004-01-03 Thread Matthew Bramble
I've seen legit stuff from MIME::Lite personally. The easiest way to verify this stuff is to search Google for the whole X-Mailer string and look for legit messages from it. MIME-tools is also used legitimately. I think that one of these can have problems with BADHEADERS also, though that mig

Re: [Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
Glenn \\ WCNet wrote: Yes, that happened to me. I had entered my address in the WebMail addy book for one of my accounts (don't recall why), and I started getting spam that showed as WHITELISTED. It wasn't obvious why at first because I wasn't the primary "To" recipient on the spam, but I finall

Re: [Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
R. Scott Perry wrote: I'll see if we can do this. It may get a bit tricky with the various combinations of user aliases, host aliases, and forwarding, but we could probably get it to work in most cases. I'll bet that you could fix 95% or more of the potential issue with just the real account b

[Declude.JunkMail] AUTOWHITELIST issue

2004-01-02 Thread Matthew Bramble
Scott, I just noticed that one of my users has listed his own address in his Web address book, and I'm thinking this could become an occasional circumstance with unintended consequences. Since I turned AUTOWHITELIST ON, this means that anything with a MAILFROM that forges his personal address

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
BADCOUNTRYNOREVDNS would have stopped this. http://www.mailpure.com/software/decludefilters/badcountrynorevdns/BadCountryNoREVDNS_v1-0-0.zip This was sent from an IP block where at least the entire class C belongs to spammers that host in China. Even before I added this filter, over 99% of

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
ss filters. Being able to count consecutive characters and add a weight of say no more than 5 would help. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
Lists) wrote: FYI, I did add this for it: HEADERS 15 CONTAINS citibanksecure John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Friday, January 02, 2004 9:30

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
pass filters. Being able to count consecutive characters and add a weight of say no more than 5 would help. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sen

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
The site's down now. The hosting provider said it was probably signed up with a stolen credit card. He had it down within just a minute of me sending the message. Good deed done for the day :) Matt Matthew Bramble wrote: The payload on this goes to a site that pops up a window usin

Re: [Declude.JunkMail] Another scam

2004-01-02 Thread Matthew Bramble
The payload on this goes to a site that pops up a window using Zap The Ding Bat URL obfuscation to make the URL look like it is the real Citibank site. Very dangerous and because it's being redirected on that site, you can't catch the technique in the E-mail. I contacted the hosting provider a

Re: [Declude.JunkMail] CONSECUTIVECHAR test!

2004-01-02 Thread Matthew Bramble
John, This would FP on messages that include ID's in the subject such as receipts, and also base64 encoded subjects, some of which are perfectly valid and Declude doesn't decode subjects at this time. I also tend to see receipts with more characters than I tend to see in spam that appends gib

Re: [Declude.JunkMail] [BUMP] Files locked but not processed

2004-01-01 Thread Matthew Bramble
Andrew, Did you reboot SMTP or the server? There's an issue where it doesn't seem to call Declude while it is in the process of shutting down, but it's only a matter of a few seconds. I'm not sure if this has been reported to Ipswitch either, although Scott and Kami are aware of it. Matt

[Declude.JunkMail] New versions of 8 filters for 1.77i7+ beta

2003-12-30 Thread Matthew Bramble
Let me just clarify first that these filters must not be used on any version of Declude JunkMail Pro before version 1.77i7. Search the recent archives for information about the interim releases. I wouldn't recommend upgrading just for the filtering enhancements unless you have issues with cus

Re: [Declude.JunkMail] FROMFILE request

2003-12-29 Thread Matthew Bramble
John, Fromfiles are configured to warn comment blocks that trail the address. IPfiles do the same thing, i.e.: [EMAIL PROTECTED] Matt's E-mail --- X-RBL-Warning: GOODMAILFROM: Matt's E-mail. It would seem to be a bit of a kludge to have it both ways. It's probably better to constru

Re: [Declude.JunkMail] man, what the heck?

2003-12-29 Thread Matthew Bramble
Here's what I've done. A subject filter for three points, a body filter for 1 point, my FOREIGN/TLD filters (most of this comes from China), and some body filters for about 4 different domain names. I had the body and subject filters in the first day that I heard about the video :) This was

Re: [Declude.JunkMail] GoodAOL

2003-12-29 Thread Matthew Bramble
don't see Scott saying he is going for conditional statements.. He just agreed to one. I think you are making hidden subliminal suggestions :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 29, 200

Re: [Declude.JunkMail] Filter for CIDR's

2003-12-29 Thread Matthew Bramble
Ahh, great! Thanks again. This will work nicely with the whitelisting capability that you discussed as well. Matt R. Scott Perry wrote: I'm sure this might have come up before, but it would be real nice, especially with the new functionality, to have the ability to match IP's to CIDR ran

Re: [Declude.JunkMail] GoodAOL

2003-12-29 Thread Matthew Bramble
I think this is something that good use could be made of in general with your conditional statements, i.e. NOTCONTAINS, NOTIS, NOTENDSWITH, etc. I would have to really rethink filtering again though :) I've been trying not to ask you for too much, but since the topic came up and you agreed, I

Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2003-12-29 Thread Matthew Bramble
Sanford Whiteman wrote: Do I target all bounces for deletion? Not if you want to retain your customers. Well, that's what this is about. I'm starting to get calls about people wanting me to block this stuff. I'm not getting any calls asking about where one's message went. In anothe

[Declude.JunkMail] Any thoughts on blocking bounce messages from spam?

2003-12-28 Thread Matthew Bramble
I'm all of a sudden starting to get a lot of bounce messages on accounts that I'm filtering for. It's the trick where the spammer co-opts either a domain name or a full address, and proceeds to send out their spam with the co-opted address. I previously ran into issues with forging viruses se

[Declude.JunkMail] Filter for CIDR's

2003-12-27 Thread Matthew Bramble
Scott, I'm sure this might have come up before, but it would be real nice, especially with the new functionality, to have the ability to match IP's to CIDR ranges in custom filters as opposed to blacklist files or ipfile types. Something like the following, though I understand that the archit

Re: [Declude.JunkMail] OT - What works?

2003-12-26 Thread Matthew Bramble
Chuck, All of those products need to be trained by the user, and they work primarily on heuristics instead of the types of things we do with Declude, so they won't be nearly as effective, nor as reliable. I'm not aware of a plug-in for Eudora, but Netscape and new versions of Outlook have som

Re: [Declude.JunkMail] Web-O-Trust or ?

2003-12-26 Thread Matthew Bramble
Kami, This guy also links to the following: http://users.adelphia.net/~equalizer/web-o-trust.txt Which includes what appears to be all of Adelphia. I'm not sure if people are paying attention, but I pointed both of these files out when the topic first came up. Now the mistakes have managed

Re: [Declude.JunkMail] Comments - revisited

2003-12-26 Thread Matthew Bramble
Kami, Anything in <> these days is a legit HTML tag unfortunately. At the same time, most of these patterns aren't used and can be filtered for. If this one spammer wants to keep using that one pattern, nail him with the following: BODY 30 CONTAINS I've been coding since

Re: [Declude.JunkMail] Web-O-Trust or ?

2003-12-25 Thread Matthew Bramble
Merry Christmas everyone. Any way...the problem was alluded to before, in fact the listings that caused this problem have always been there: http://www.mail-archive.com/[EMAIL PROTECTED]/msg13918.html We shouldn't be trusting ISP mail servers. If isolated instances like this aren't enough,

[Declude.JunkMail] Funny false positives :)

2003-12-24 Thread Matthew Bramble
This came to a customer that recently moved over to our service from Verizon because they were deluged with spam. I found it to be funny that we blocked it since most of it points to a very poorly configured mail server, and the topic of the announcement from Verizon was E-mail maintenance. Th

Re: [Declude.JunkMail] Bypassing User IP addresses

2003-12-24 Thread Matthew Bramble
If I recall correctly, when you IPBYPASS a single hop message, this can throw off some of the technical tests that are built into Declude since there will be no data element for the IP, REVDNS and HELO. If that's the case, it's because "it wasn't designed for that use." This can be tested by

Re: [Declude.JunkMail] Suggestions on whitelisting web servers

2003-12-24 Thread Matthew Bramble
Scot, If you delete the domain from the old IMail server, and leave the HOSTS entry in there along with the relay settings, I believe that the old IMail server will forward the E-mail from the default domain's IP address. The trick is to delete the domain from IMail, then you can IPBYPASS the

Re: [Declude.JunkMail] Suggestions on whitelisting web servers

2003-12-24 Thread Matthew Bramble
Scot, The E-mail that comes in for accounts that are no longer hosted on that server can be safely refused after 2 days passes. I believe a lot of mail servers will try the A record when delivery fails to the MX, or the MX can't be resolved. The E-mail should be queued on the sending server

Re: [Declude.JunkMail] SpamCop listing Webtv.net IP

2003-12-24 Thread Matthew Bramble
SpamCop and MailPolice both got demoted on my system by a point today, and I hope to bring them down another point soon (after measuring the effect on my system). When I see ISP mail servers listed, it is generally due to one of two things...they either have no controls on someone doing a bulk

Re: [Declude.JunkMail] Bonded Sender

2003-12-24 Thread Matthew Bramble
Cyan, Thanks for coming on board. If you don't mind, I would like to jump right into an early Christmas Eve discussion on the topic :) Recently I came across a service that was listed in both Bonded Sender as well as Spamhaus, out003.toptx.com - 38.113.200.23. The company, Topica ( http://www

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread Matthew Bramble
ats). I do strip out comments since they become meaningless as the filter contents are resequenced by my system. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 10:32 PM To: [EMAIL PROTECTED]

Re: [Declude.JunkMail] Overflow

2003-12-23 Thread Matthew Bramble
-- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 9:47 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Overflow Nick, I think I might have been asking the question the other way around, though I'm not positive it was ta

[Declude.JunkMail] Order of processing various filter types.

2003-12-23 Thread Matthew Bramble
Scott, I know this has been discussed at least in pieces in the past, but I was hoping that maybe you could put it all together for me (and maybe also add the order to the manual when the new functionality finds its way into a full release). Could you give me an idea about the order of process

Re: [Declude.JunkMail] Comments test

2003-12-22 Thread Matthew Bramble
R. Scott Perry wrote: The problem is that it is nearly impossible to determine which are valid HTML tags and which are not -- that would require a database of known good HTML tags, which would need to be constantly updated. This was the first filter that I tried writing actually :) I got a li

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
John Tolmachoff (Lists) wrote: This is a cache only setup, no domains. Cost is a concern at this time, unless I can prove that would be the answer. However, as I said earlier, the problem was first experienced using BIND DNS servers. I need to follow up on this. Keith had a problem after a Micro

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Nick, I think I might have been asking the question the other way around, though I'm not positive it was taken the wrong way. The theory here is that domains which accept every E-mail address in the HELO won't be dictionary attacked past a few attempts because the attacker's software will quic

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
orkload but effectively destroy the validity of the statistical data which is now skewed by my filtering control. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2003 3:17 PM To: [EMAIL PROTECTED] Subjec

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
FILTER files Bill - Original Message - From: "Matthew Bramble" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 22, 2003 12:17 PM Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. George, Th

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
I've been rethinking my strategy for dealing with dictionary attacks on my server. While the nobody alias has proved to be problematic, so does not having a nobody alias due to the possibility of being dictionary attacked. I'm thinking of setting up all the nobody aliases to redirect E-mail to

Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
s hit count, although that's more important with filters that are being modified on a continual rather than a fairly static filter such as these two. George -----Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Monday, December 22, 2

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Is this all being found on Windows 2003? I'm a couple of months away from adding a new server and this would definitely resolve any questions that I might have about Windows 2003 being an option. I know why John needs to play with the latest and greatest, but I have no such inclination or nee

Wrong -> Re: [Declude.JunkMail] Score not being added correctly, very serious...

2003-12-22 Thread Matthew Bramble
with MAXWEIGHT. Sorry for the confusion that this might have caused. Matt Matthew Bramble wrote: Scott, I have a feeling that one of the recent changes created a bug in the way that scores are added in combination from the Global.cfg and the custom filter file when combined. Here'

[Declude.JunkMail] Score not being added correctly, very serious...

2003-12-22 Thread Matthew Bramble
Scott, I have a feeling that one of the recent changes created a bug in the way that scores are added in combination from the Global.cfg and the custom filter file when combined. Here's an example: X-MailPure: == X-MailPure: IPNOT

Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
Just another follow-up. This might be dangerous to blacklist anything from quill.com since they are an ecommerce site and you may very well be blocking receipts and other order related information. It would then be safer to go after the MAILFROM, though this won't work if they change the thir

Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
I would use the following: HEADERS 15 CONTAINS quill.com This message was sent through a third-party bulk mailer, and the MAILFROM address may change from server to server, but they are using a Reply-To address that will get picked up with that line. Matt Doug Anderson wro

[Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
I've made some huge leaps forward recently in terms of the processing power required to run Declude with the custom filters that I have installed. This was done by way of the SKIPIFWEIGHT functionality introduced in the latest beta, but also by way of re-ordering my filters in the Global.cfg f

Re: [Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Very cool Scott, my test scores now add up :) I'll have to try the END functionality later on today though. Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for the WARN action? I can't say that I've tried these in the last month, but I couldn't get anything like this to wor

[Declude.JunkMail] EASYNET-DYNA replacement, NJABL-DYNABLOCK

2003-12-22 Thread Matthew Bramble
I don't recall seeing this posted here, but while doing a little research on the NJABL blocklists, I came upon a page on their site saying that they were integrating the now defunct EASYNET-DYNA: http://njabl.org/dynablock.html The following line should work for integrating this test: NJ

[Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Scott, I was wondering about the progress of a couple of things. First, has the END functionality been fixed in a recent release, and second, has the weight listed in the WARN action been updated to include the sum of the Global.cfg and filter file weights? Thanks, Matt --- [This E-mail was

Re: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-21 Thread Matthew Bramble
Kami, I'm using a trick to show %ALLRECIPS% only when a message is held. I added an extra weight test as the hold weight and added the WARN action as follows: - Global.cfg - HIGH-RECIPS weight x x 100 - $Default$.junkmail HIGH-RECIPS WARN

Re: [Declude.JunkMail] Weight processing

2003-12-20 Thread Matthew Bramble
Kami Razvan wrote: I wish we could also skip the tests for negative weight.. Because right now the emails that we want to be delivered by negative weight actually will go through all tests since none can exit on a negative limit. I believe the idea here is to place the negative weight filters b

Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Bill, This can result in two copies of the file, one passed to Declude, and one stolen by the running of the queue. So it can still appear in the Declude logs, and chances are probably 80% that the Declude copy will at least be held on one of our systems and therefore we may not know about th

Re: [Declude.JunkMail] 8.05- Declude not seen..

2003-12-20 Thread Matthew Bramble
Keith, I would imagine that this affects versions all the way back to 7.0 and quite possibly far before then. The issue is very rare on an IMail 7 server because the window of opportunity for swiping a message by a queue run is so much smaller due to the speed at which something is passed on

[Declude.JunkMail] Messages not scanned before shutdown...possible solution

2003-12-20 Thread Matthew Bramble
I was worried when I saw another message come through last night without Declude headers in it considering that the queue issue has only been fixed in IMail 8.05 and not 7.15H3 which is what I'm using (and I don't yet care to upgrade, though I'm starting to get tempted with that fix). What happ

[Declude.JunkMail] They got the pill spammer

2003-12-19 Thread Matthew Bramble
...or at least one of them. There's no way this guy gets past Eliot Spitzer. I hope they take away his passport for obvious reasons. Target Spam: NY AG, Microsoft File $38M Suits http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK2985 This sounds a lot like the guy (ring) with the

Re: [Declude.JunkMail] OT: DNS Issue (HELP)

2003-12-19 Thread Matthew Bramble
Darrell, It looks like your name server records were maybe munged for a period of time from a root update that is now fixed. Those munged records though are being cached and they should get a good copy once they expire. This might explain why all of us seem to be able to resolve your domain,

Re: [Declude.JunkMail] Outbound Port 25, was -> Virginia Indicts Indicts

2003-12-19 Thread Matthew Bramble
Pete McNeil wrote: A tip-off is that the counter to this argument is up-front in their proposal. Specifically that they will create and manage a mechanism that tracks the end-user's subscribe/unsubscribe requests... I think this is a lot like putting the foxes in charge of the hen house. I thoug

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-19 Thread Matthew Bramble
R. Scott Perry wrote: I'm not sure if this is in the RFC, but it would be a lot more accurate if you could compare the HELO to the SPF data. Some scripts do also falsify the HELO, but nowhere near the number of forged domains in MAILFROM. The original design for SPF allowed for that, but th

Re: [Declude.JunkMail] SPF support to be added to next beta

2003-12-19 Thread Matthew Bramble
Scott, I've been looking over this trying to figure out how to best implement it for my domains. It seems that since they are all on one class C, I should do the following: v=spf1 +a/24 +mx/24 -all Now three very important questions... 1) If I implement this, will intra-server E-mail fail

[Declude.JunkMail] Something to be blocking

2003-12-18 Thread Matthew Bramble
The most troublesome crud spammer of them all (the p-patch guy) is currently sending out E-mails with the following line in the headers: X-Ki: I'm going to throw in a filter for this as follows: HEADERS 30 CONTAINS X-Ki: I suspect this pattern may be short-lived, but he

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
R. Scott Perry wrote: I think whitelisting E-mail based on an SPF PASS probably isn't a wise idea, but I'm sure that spammers that do use SPF will be much easier to catch (they are providing a list of IPs that they may be spamming from). If I was a spammer, I would use this to my advantage. T

Re: [Declude.JunkMail] SPF vs. Form Mail

2003-12-18 Thread Matthew Bramble
Andy, I'm with you on the idea being that this is much like SPAMDOMAINS, however, I don't think that I will be subtracting any points for E-mails that pass. I see spam coming through legit servers every day, and what's to stop a static spammer from adding these records to their own server? N

Re: [Declude.JunkMail] Active X filter

2003-12-18 Thread Matthew Bramble
The parm name entry is used outside of ActiveX, maybe not a good idea to include it here? Also, your scoring is going to be incremental with 4 for the filter in Global.cfg as well as 4 points for each line of the filter this hits. I'm not sure if that's what you intended. While this is probab

[Declude.JunkMail] ZAPTHEDINGBAT v1.0.0 and Y!DIRECTED v1.0.4

2003-12-18 Thread Matthew Bramble
The obfuscation exploit for IE that was reported a week ago is now being seen on my server (2 times yesterday). Both were PayPal scams, and in both instances, I would have passed the messages if I didn't have this filter in place because the only other test they failed was FRAUDDOMAINS (a vari
