RE: [Declude.JunkMail] Detecting disguised url's in headers
Where is this set in imail? Is it antispam of imail as we do not use it.

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W. Kitchener, ON N2M 1L2
519-741-1222

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
Sent: Friday, March 19, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Detecting disguised url's in headers

We created an Imail rule to block these. Here is what we use:

(http\://\d\d\.|http\://\d\d\d\.):spambox

This seems to work very well.

Jason

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
Sent: Friday, March 19, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Detecting disguised url's in headers

IE this url: //205.159.%372.%32%30/mort/ obviously gets translated and I could do so also. It would take a lot of extra time.

I copy the url out of headers of spam that gets through and put it into my filter file. These are bothersome however.

Is there a way that we could just mark these kind of mails as spam? I think it would be just spammers that do this.

thanks

Harry Vanderzand
inTown Internet Computer Services

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] Detecting disguised url's in headers
It is a rule. They are located in a rules.ima (inbound rules file). The rules.ima file gets placed in the top directory of the domain that you want to use it on. There is lots of data about this in the knowledge base on Imail's web site.

Regards,
Jason
RE: [Declude.JunkMail] Detecting disguised url's in headers
I am not sure if my request here is being understood.

I would not want to mark all messages with an IP in the url as spam. Only those messages that use %nnn%nnn%nnn etc.

When you view source of an html message you can see this kind of coding. As in this case: //205.159.%372.%32%30/mort/

We always do a view source and take the url out of the source and then blacklist that, for those messages that were not caught by anti-spam at the time.

I do not know what that process is called and have only ever seen it in source code of certain spam e-mail.

Harry Vanderzand
inTown Internet Computer Services
RE: [Declude.JunkMail] Detecting disguised url's in headers
Well, let us ask the entire list if there are valid reasons that people would send an IP in a URL. I tested this for 2 months and didn't have a single legitimate e-mail like this. We did have people sending IP addresses, but not as a url. For example:

My server IP is 156.23.140.10.

Not one case had someone say my website is http://[insert ip here]

Jason
RE: [Declude.JunkMail] Detecting disguised url's in headers
Watch out for this rule. There will be false positives. We've tried it long ago in sniffer. It turns out that there are quite a few legit messages sent with numbered links in them... so now we only code rules for specific numbered links (or stubs of them anyway).

You might try rules for partially encrypted numbered links (we've been adding these for a while). That is... look for a numbered link where a % is contained in any one of the octets. There's no good reason to encode part of a numbered link except to obfuscate it... our corpus shows this is pretty safe too.

hope this helps,
_M

At 01:40 PM 3/19/2004, you wrote:
> We created an Imail rule to block these. Here is what we use:
>
> (http\://\d\d\.|http\://\d\d\d\.):spambox
>
> This seems to work very well.
>
> Jason
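The check _M describes above (flag a numbered link only when a % appears inside an octet, and leave plain numbered links alone), sketched in Python as an added example; it is not code from the thread, from Sniffer or from Declude. The function name and the sample message source are constructed for illustration, and the sketch also treats a percent-encoded dot as obfuscation.

```python
import re
from urllib.parse import unquote

# Host directly after "//", made only of digits, dots and %XX escapes, and not
# followed by another hostname character (so "1.2.3.%34xyz" is not a match).
HOST = re.compile(r"//((?:[0-9.]|%[0-9A-Fa-f]{2})+)(?![\w.%-])")
DOTTED_QUAD = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}")

def find_obfuscated_numbered_links(source):
    """Return (raw_host, decoded_ip) for each numbered link that hides
    part of its IP address behind percent-encoding."""
    hits = []
    for match in HOST.finditer(source):
        raw = match.group(1)
        if "%" not in raw:
            continue  # plain numbered link: legit mail has these, do not flag
        decoded = unquote(raw)  # "%372" -> "72", "%32%30" -> "20"
        if DOTTED_QUAD.fullmatch(decoded) and all(
            int(octet) <= 255 for octet in decoded.split(".")
        ):
            hits.append((raw, decoded))
    return hits

# Constructed message source: the URL quoted in the thread (with an assumed
# http: scheme), the plain-text IP from Jason's example, a plain numbered
# link, and an ordinary hostname with an escaped space in the path.
SAMPLE = """<a href="http://205.159.%372.%32%30/mort/">rates</a>
My server IP is 156.23.140.10.
<a href="http://192.0.2.15/status">status page</a>
<img src="http://www.example.com/a%20b.png">"""

if __name__ == "__main__":
    for raw, ip in find_obfuscated_numbered_links(SAMPLE):
        print(f"obfuscated numbered link: {raw} -> {ip}")
```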