RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Here are the headers...  How can this be caught with Declude?

12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alejandro
Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..


Declude MAILFROM test checks only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. [EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message passes the test

Is there a test like the Mailfrom of Imail that tests that the
user really exists on the remote server ??

[EMAIL PROTECTED]  (In Imail this will fail...)

Thanks..







RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread John Tolmachoff (Lists)
In a filter file:

HEADERS (weight) CONTAINS X-IMAIL-SPAM-INVALIDFROM

Imail is checking to see if the sender exists and places that into the
header. (If you have Imail configured to add headers.)

HOWEVER, this does not work for @yahoo.com addresses.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



Re: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread R. Scott Perry

Declude MAILFROM test checks only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. [EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message passes the test

Is there a test like the Mailfrom of Imail that tests that the
user really exists on the remote server ??

No.  The problem is that such a test is very resource intensive -- 
specifically, it will use about 10 times as much bandwidth as the MAILFROM 
test, and will often have false negatives (E-mail addresses that do not 
exist, but pass the test), and occasional false positives (E-mail addresses 
that do exist, but fail the test).  Also, it will delay the delivery of the 
E-mail by anywhere from several seconds to a minute or so (lots of 
mailservers take a long time to respond to commands), as there are about 8 
round trips that need to be made rather than just 1 -- and those round 
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
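
The false negatives and false positives Scott describes can be reproduced with an offline model of the callout dialogue. This is an added example, not part of the original messages and not Declude or IMail code; the step sequence, the sample reply codes and the `fail_on_unknown` policy are assumptions.

```python
# Offline model of a sender-address callout. Nothing here opens a network
# connection; every reply code below is a constructed sample.

def classify_callout(replies):
    """Map the remote server's replies to 'exists', 'missing' or 'unknown'.

    replies: ordered list of (step, reply_code), one command/reply exchange
    per entry; step is 'banner', 'HELO', 'MAIL FROM:<>' or 'RCPT TO'.
    (Assumed sequence; the MX lookup and TCP handshake cost further trips.)
    Returns (status, exchanges_used).
    """
    for used, (step, code) in enumerate(replies, start=1):
        if step == "RCPT TO":
            if 200 <= code <= 299:
                return "exists", used
            if 500 <= code <= 599:
                return "missing", used
            return "unknown", used      # 4xx: greylisting, load, rate limits
        if code >= 400:
            return "unknown", used      # refused before the address was tested
    return "unknown", len(replies)      # dialogue ended before RCPT TO


def judge(truly_exists, status, fail_on_unknown=True):
    """Compare the test outcome with ground truth, in the thread's terms."""
    passed = status == "exists" or (status == "unknown" and not fail_on_unknown)
    if passed and not truly_exists:
        return "false negative"   # address does not exist, but passes
    if not passed and truly_exists:
        return "false positive"   # address exists, but fails
    return "correct"


OK = [("banner", 220), ("HELO", 250), ("MAIL FROM:<>", 250)]
SAMPLES = {  # name: (truly_exists, replies), all constructed
    "unknown user rejected": (False, OK + [("RCPT TO", 550)]),
    "accept-all server":     (False, OK + [("RCPT TO", 250)]),
    "null sender refused":   (True,  OK[:2] + [("MAIL FROM:<>", 550)]),
    "temporary failure":     (True,  OK + [("RCPT TO", 451)]),
}


def run_samples(fail_on_unknown=True):
    """Classify every sample and label it against its ground truth."""
    out = {}
    for name, (truth, replies) in SAMPLES.items():
        status, used = classify_callout(replies)
        out[name] = (status, used, judge(truth, status, fail_on_unknown))
    return out


if __name__ == "__main__":
    for name, row in run_samples().items():
        print(f"{name:24} {row}")
```

Only the first sample gives a trustworthy answer; passing unknown results instead of failing them removes the false positives but turns every refused or deferred probe into a pass.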


RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Ok, I didn't notice how easily spam could pass this test.
Thanks Scott.




[Declude.JunkMail] MAILFROM like Imail Test..

2003-12-04 Thread Alejandro Valenzuela
Declude MAILFROM test checks only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. [EMAIL PROTECTED]
since hotmail.com is a valid Domain, then the message passes the test

Is there a test like the Mailfrom of Imail that tests that the
user really exists on the remote server ??

[EMAIL PROTECTED]  (In Imail this will fail...)

Thanks..






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


FYI, I believe the demo consolidates everything into two separate tests:
General & Malware.  However, it will still give you a very good idea of the
overall effectiveness of running Sniffer with Declude.

Bill
- Original Message - 
From: T. Bradley Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer


Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly inefficient at
first!

Thanks for the responses guys. I just installed the demo.

~Brad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


Brad,

That's right.
:-)

Heuristics for patterns are grouped by the spam that prompts us to generate
them, or by how we created them. Most of the time they are at least close
to classifying the type of spam. Each system that uses Message Sniffer is
encouraged to specify adjustable weights for each rule group so that the
results from the pattern matching tests can be tuned for the greatest
accuracy on that system and according to its unique mix of incoming spam
and the users being served.

Declude is optimized to run the external test only once and allow the
result code to be evaluated for all of the tests that define that external
test... so in the example shown below sniffer would be called once and its
result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam.
Currently the voting system that decides the winning pattern match uses the
following rule: Choose the first pattern match found with the lowest symbol.

Within the standard rulebase, rule groups are loosely grouped so that the
least specific patterns have the largest symbols. The combination of these
arrangements tends toward selecting the most specific pattern match
available for a given message.

If anyone has other questions that are specific to sniffer then please feel
free to contact us off list at our support@ sortmonster.com address.

Thanks,

_M

At 10:20 PM 12/3/2003, you wrote:
Brad, Sniffer does message based pattern matching (Pete, correct me if
I am wrong).  If you opt to separate the 20 or so tests that Sniffer
currently supports, then you can set whatever weight you want to each
individual test. Here is how I currently have the individual Sniffer
tests defined in my global.cfg (License ID and Authentication Code
obscured):

SNIFFER-WHITELIST   external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL      external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE   external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH     external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ       external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE    external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL    external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS       external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN        external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE     external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-ADVERTISING external 056 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCHEMES     external 057 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-CREDIT      external 058 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GAMBLING    external 059 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GREYMAIL    external 060 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-OBFUSCATION external 061 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-SPAM        external 062 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-GENERAL     external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0

You would need to adjust the weights to fit your own needs.  However,
this will at
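
The behaviour described in the quoted sniffer messages (one external call, one result code checked by every definition, lowest symbol wins) can be modelled against the global.cfg lines above. This is an added example, not part of the original messages and not Declude or Message Sniffer code; the meaning of the two trailing weights, the result code being the winning symbol, and the rule ids are assumptions.

```python
import re
from typing import NamedTuple

# Five of the definitions quoted in the thread, one per line. LicenseID.exe and
# AuthenticationCode are the poster's own placeholders for the obscured values.
GLOBAL_CFG = r"""
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL    external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-PORN      external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE   external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-GENERAL   external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
"""

class ExternalTest(NamedTuple):
    name: str
    code: int          # result code this definition reacts to
    command: str       # program plus arguments
    weight: int        # assumed: added when the result code equals `code`
    weight_else: int   # assumed: added otherwise

LINE = re.compile(r"^(\S+)\s+external\s+(\d+)\s+(.+?)\s+(-?\d+)\s+(-?\d+)$")

def parse_tests(cfg):
    """Parse 'NAME external CODE COMMAND WEIGHT WEIGHT' lines."""
    tests = []
    for line in filter(None, map(str.strip, cfg.splitlines())):
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable test definition: {line!r}")
        name, code, command, w, w_else = m.groups()
        tests.append(ExternalTest(name, int(code), command, int(w), int(w_else)))
    return tests

def winning_match(matches):
    """Thread's voting rule: first match found with the lowest symbol.

    matches: non-empty list of (rule_id, symbol) in the order found.
    min() returns the earliest of equal minima, which is the tie-break wanted.
    """
    return min(matches, key=lambda m: m[1])

def evaluate(tests, run_external):
    """Run each distinct command once; score every definition against it."""
    results, fired, total = {}, [], 0
    for t in tests:
        if t.command not in results:          # the "only once" optimisation
            results[t.command] = run_external(t.command)
        if results[t.command] == t.code:
            fired.append(t.name)
            total += t.weight
        else:
            total += t.weight_else
    return fired, total, len(results)

if __name__ == "__main__":
    # Constructed matches for one message; rule ids are made up.
    found = [("rule-a", 63), ("rule-b", 54), ("rule-c", 54)]
    winner = winning_match(found)
    print(winner, evaluate(parse_tests(GLOBAL_CFG), lambda cmd: winner[1]))
```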