Re: [Declude.JunkMail] New Test possibility

2004-06-17 Thread R. Scott Perry

 With Declude removing the data between the <> in HTML messages to get the
 correct wording.   De<asdsdasdad>lude = Declude.
 Would a test that counts and/or totals the number of characters between a
 single <asd> or all the <aaa>'s in a message be a viable new test?

That is a good idea (and one we're already working on).  We already 
calculate the percentage of hidden characters (HTML code) to the total 
number of characters, but aren't doing anything with it yet (except logging 
it at the debug level).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
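The two quantities in this exchange, the percentage of hidden (HTML) characters that Scott says is already logged and the size of what sits between a single pair of angle brackets that the poster proposes, as an added Python example; this is not Declude's code, and both sample strings are constructed (the first is the De<asdsdasdad>lude case from the post).

```python
import re

# Anything between '<' and '>' counts as hidden HTML code; everything else is visible text.
TAG_RE = re.compile(r"<[^>]*>")
# A tag wedged between two letters, the De<x>lude pattern from the thread. The lookahead
# keeps consecutive wedged tags (a<x>b<y>c) from swallowing each other's boundary letter.
MID_WORD_TAG_RE = re.compile(r"[A-Za-z]<[^>]*>(?=[A-Za-z])")


def hidden_stats(body):
    """Per-message numbers a test could weight on: hidden vs. total characters,
    how many tags there are, how big the largest one is, and how many are
    wedged inside words."""
    tags = TAG_RE.findall(body)
    hidden = sum(len(tag) for tag in tags)
    total = len(body)
    return {
        "total": total,
        "hidden": hidden,
        "hidden_ratio": (hidden / total) if total else 0.0,
        "tag_count": len(tags),
        "largest_tag": max((len(tag) for tag in tags), default=0),
        "mid_word_tags": len(MID_WORD_TAG_RE.findall(body)),
        "visible_text": TAG_RE.sub("", body),
    }


# Constructed samples: the obfuscation quoted in the thread, and an ordinary short HTML note.
OBFUSCATED = "De<asdsdasdad>lude = Declude"
ORDINARY = "<html><body><p>Hello Bob,</p><p>see you Monday.</p></body></html>"

if __name__ == "__main__":
    for label, body in (("obfuscated", OBFUSCATED), ("ordinary", ORDINARY)):
        stats = hidden_stats(body)
        print(label, {k: v for k, v in stats.items() if k != "visible_text"})
```

On these two samples the ordinary note has the higher hidden ratio, which illustrates why a raw percentage is only being logged for now, while the mid-word tag count separates the obfuscated string cleanly.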


Re: [Declude.JunkMail] New Test Idea

2004-06-11 Thread Scott Fisher
This was kind of suggested when the SURBL came out.
Do you use the SURBL code?

I don't know if anyone is interested but I've got a batch file that goes through last 
month's logs (it works on log level high) and pulls out all matches for a Body URL 
filter. It can help trim the deadwood.
I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/11/04 01:12PM 
Would it be possible for Declude to do DNS lookups on the URLs in the body
of the email message and then run the IP address against an ipfile or a
filter file using remoteip? This would defeat the registering of tons of
domains that a lot of times point back to the same web server. It is easy to
find the netblocks that the large discount web hosting companies use, so
using the remoteip 0 cidr could be used better in the weighting system. For
example:

Servpath out of San Francisco has these netblocks; a lot of legit (I hate
using that term here) email marketing spam comes from these netblocks (so
much that I block them outright because my users aren't allowed to use their
email for non-business purposes), but for the sake of this example weight
could be added to a message if a URL in the body translated to an IP in
these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective; have it run with the DNS
tests and before the filters so it could be used in testsfailed end lines.

My list of URLs is getting huge and I am sure a lot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
-


@echo off
rem
rem Credit for portions of this code go to [EMAIL PROTECTED]
rem
rem These settings must be done (SETTINGS section below) before the script is used:
rem v_path: path to this folder
rem v_logpath: path to the logs
rem v_maxweight: filter max weight (blank or 0 if no max weight should be used)
rem  and filter entry weight (defaults to 0 if blank)
rem v_skipweight: filter skip weight (blank or 0 if filter never should be skipped)
rem v_filter: name of the Declude Filter as it appears in the log

set v_maxweight=80
set v_skipweight=240
set v_path=d:\imail\declude\fpfilters
set v_logpath=d:\logs\junkmail
set v_filter=BODYURL-KEYWORDS

rem --- Check settings and change current folder (or exit if path is incorrect): ---
set v_result=ok
if "%v_maxweight%"=="" set v_maxweight=0
if "%v_skipweight%"=="" set v_skipweight=0
if not exist %v_path%\nul (set v_result=path error) & (goto :s_end)
if not exist %v_logpath%\nul (set v_result=log path error) & (goto :s_end)
cd /d %v_path%

Rem --- Get the date for the Log
for /f "tokens=*" %%a in ('date /t') do set v_time=%%a
for /f "tokens=*" %%b in ('time /t') do set v_time=%v_time% %%b

Rem --- Get the previous month (assumes date /t prints the month as the second
Rem --- token, e.g. "Fri 06/11/2004", matching the decMM*.log file names)
for /f "tokens=1-2 delims=/ " %%a in ('date /t') do set v_Current_month=%%b
if %V_current_month%==01 set v_Previous_month=12
if %V_current_month%==02 set v_Previous_month=01
if %V_current_month%==03 set v_Previous_month=02
if %V_current_month%==04 set v_Previous_month=03
if %V_current_month%==05 set v_Previous_month=04
if %V_current_month%==06 set v_Previous_month=05
if %V_current_month%==07 set v_Previous_month=06
if %V_current_month%==08 set v_Previous_month=07
if %V_current_month%==09 set v_Previous_month=08
if %V_current_month%==10 set v_Previous_month=09
if %V_current_month%==11 set v_Previous_month=10
if %V_current_month%==12 set v_Previous_month=11

Rem --- Extract loglines containing Triggered Contains Filter (filter name)
if exist bodyurl.loglines.txt erase bodyurl.loglines.txt

Rem
Rem   Previous Month's logs in the folder code
Rem
findstr /i "Triggered.CONTAINS.Filter.%v_filter%" %v_logpath%\dec%v_Previous_month%*.log > bodyurl.loglines.txt

Rem
Rem   All logs in the folder code (use this line instead of the one above to scan every log)
Rem
Rem findstr /i "Triggered.CONTAINS.Filter.%v_filter%" %v_logpath%\dec*.log > bodyurl.loglines.txt

Rem --- Extract domain names (9th token of each log line, skipping FILTER-BYPASS lines)
if exist bodyurl.domains.txt erase bodyurl.domains.txt
for /f "tokens=9" %%i in ('findstr /i /r /V FILTER-BYPASS bodyurl.loglines.txt') do echo %%i>> bodyurl.domains.txt

rem --- Sort the domain file
if exist bodyurl.sorted.txt erase bodyurl.sorted.txt
sort bodyurl.domains.txt /o bodyurl.sorted.txt

rem --- Dedup sorted file (findstr /n numbers the lines so blank ones survive the for /f)
if exist bodyurl.dedup.txt erase bodyurl.dedup.txt
setlocal
set infile=bodyurl.sorted.txt
set outfile=bodyurl.dedup.txt
type nul > %outfile%
for /f "tokens=1* delims=:" %%a in (
  'type %infile%
  ^| sort
  ^| findstr /n /v /c:"CoLoRlEsS gReEn IdEaS"'
) do call :dedup %%a %%b
endlocal
goto :Makefilter

:dedup
set curr_rec=%2
if [%curr_rec%]==[] set curr_rec=$$$blankline$$$
set 

Re: [Declude.JunkMail] New Test Idea

2004-06-11 Thread Rick Davidson
I downloaded the SURBL code but have not implemented it yet because of all the
monkey business associated with it; I am working on getting it going.

thanks for that batch file!

Rick Davidson
National Systems Manager
North American Title Group
-
- Original Message - 
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 3:03 PM
Subject: Re: [Declude.JunkMail] New Test Idea


This was kind of suggested when the SURBL came out.
Do you use the SURBL code?

I don't know if anyone is interested but I've got a batch file that goes
through last month's logs (it works on log level high) and pulls out all
matches for a Body URL filter. It can help trim the deadwood.
I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 06/11/04 01:12PM 
Would it be possible for Declude to do DNS lookups on the URLs in the body
of the email message and then run the IP address against an ipfile or a
filter file using remoteip? This would defeat the registering of tons of
domains that a lot of times point back to the same web server. It is easy to
find the netblocks that the large discount web hosting companies use, so
using the remoteip 0 cidr could be used better in the weighting system. For
example:

Servpath out of San Francisco has these netblocks; a lot of legit (I hate
using that term here) email marketing spam comes from these netblocks (so
much that I block them outright because my users aren't allowed to use their
email for non-business purposes), but for the sake of this example weight
could be added to a message if a URL in the body translated to an IP in
these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective; have it run with the DNS
tests and before the filters so it could be used in testsfailed end lines.

My list of URLs is getting huge and I am sure a lot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
-

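Rick's proposal quoted above, worked through as an added Python example (not Declude's code): pull the host names out of body URLs, resolve each to its addresses, and add the weight of any netblock rule an address falls into, once per rule, so a dozen throwaway domains parked on one hosting server score no differently from one. The two netblocks are the ones from the post; the .test host names, their addresses and the table resolver are constructed so the example runs offline.

```python
import ipaddress
import re
import socket

# Netblock rules in the shape of the proposed "remoteip <weight> cidr <block>" lines.
NETBLOCK_RULES = [
    ("64.151.64.0/19", 10),
    ("69.59.128.0/18", 10),
]

HOST_RE = re.compile(r"https?://([a-z0-9][a-z0-9.-]*)", re.IGNORECASE)


def body_hosts(body):
    """Distinct host names from the URLs in a message body, lower-cased, in order seen."""
    hosts = []
    for host in HOST_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in hosts:
            hosts.append(host)
    return hosts


def dns_resolver(host):
    """Live resolver for real use: every A record, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.gaierror, socket.herror, UnicodeError):
        return []


def score_body_urls(body, resolve=dns_resolver, rules=NETBLOCK_RULES):
    """Resolve each body host and match its addresses against the netblocks.
    Each rule adds its weight at most once per message, like one filter line,
    so many domains pointing at the same server count the same as one.
    Returns (total_weight, hits) where hits lists (host, address, netblock)."""
    networks = [(ipaddress.ip_network(cidr), weight) for cidr, weight in rules]
    total = 0
    fired = set()
    hits = []
    for host in body_hosts(body):
        for address in resolve(host):
            try:
                addr = ipaddress.ip_address(address)
            except ValueError:
                continue  # resolver returned something that is not an address
            for net, weight in networks:
                if addr in net:
                    hits.append((host, address, str(net)))
                    if net not in fired:
                        fired.add(net)
                        total += weight
    return total, hits


# Constructed offline resolver table standing in for DNS. Addresses are chosen inside
# and outside the two blocks above; a name missing from the table behaves like NXDOMAIN.
FAKE_DNS = {
    "www.offer-one.test": ["64.151.70.5"],
    "offer-two.test": ["64.151.70.5"],     # second throwaway domain, same server
    "host-three.test": ["69.59.130.9"],
    "clean.test": ["198.51.100.7"],
}


def table_resolver(host):
    return FAKE_DNS.get(host, [])


# Constructed message body: three hosts inside the blocks, one outside, one that does not resolve.
SAMPLE_BODY = (
    "Click http://www.offer-one.test/buy or http://OFFER-TWO.test/go now!\n"
    "Mirror: http://host-three.test  Unsubscribe: http://clean.test/opt-out\n"
    "Old link: http://gone.test/\n"
)

if __name__ == "__main__":
    weight, matches = score_body_urls(SAMPLE_BODY, table_resolver)
    print("weight", weight)
    for host, address, net in matches:
        print(f"  {host} -> {address} in {net}")
```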


Re: [Declude.JunkMail] New test

2004-04-22 Thread System Administrator
on 4/21/04 2:35 PM, ISPHuset Nordic wrote:

 And how do you can the spam if it's a legitimate user?

We delete it. Spam is spam no matter who sends it.

Later,
Greg



Re: [Declude.JunkMail] New test

2004-04-21 Thread System Administrator
on 4/20/04 3:16 PM, Matt wrote:

 NOTCONTAINS would be incredibly helpful for lots of filters, though of course
 all forms of NOT filters would be a good addition, but NOTCONTAINS is the most
 flexible and therefore capable, especially to defeat a counterbalancing filter
 so that it doesn't credit too much.

I agree 100%! 

 I'm sure you probably have a reason for this, but you might consider
 whitelisting your own address space and using Hijack for spam prevention.  If
 you were on IMail 8, WHITELIST AUTH and PREWHITELIST ON wouldn't be bad ideas
 either if you required AUTH.

We're an ISP and we believe we can't whitelist our addresses and we
definitely can't require authentication.

 I believe that Entourage on a Mac will fail CMDSPACE,

No, you misread one of my original messages when CMDSPACE was released
and have continued to state that Entourage on a Mac will fail CMDSPACE when
that is not true.
 
 least sometimes fail this new HELOIP test,

Yes, Microsoft's Entourage (Mac) and Apple's Mail both fail the new HELOISIP
test. 

If I get some time I may install some other Mac OS X e-mail clients to see
if they fail the same test. That might let me know if the problem is an
e-mail client problem or a Unix (BSD under the Mac interface) problem.

By the way, have you fixed the problem with your external size program?

Later,
Greg



RE: [Declude.JunkMail] New test

2004-04-21 Thread Hirthe, Alexander
Hello Sysadmin,

It would be nice if you could use a real name.

 We're an ISP and we believe we can't whitelist our addresses and we
 definitely can't require authentication.
Why not?
We do the same job, and I thought the same.
But if all would think so, we will never get rid of the spammers.
So (about 1.5 years ago) I decided to _require_ Auth, and we informed our
customers about it.
Some of them asked, most did not.

Tell them they will get 10% less spam if you require Auth, and they
will love it :))

Alex 


RE: [Declude.JunkMail] New test

2004-04-21 Thread Markus Gufler

 We're an ISP and we believe we can't whitelist our addresses and we 
 definitely can't require authentication.


If you don't have your own network (ISP backbone) or users connecting from a
defined range of IPs, you SHOULD switch to SMTP-AUTH and you CAN prepare
some useful how-to pages, then inform your customers and give them some
weeks to adapt the settings.

With a little bit of log-parsing you can also identify users that haven't
enabled SMTP-AUTH yet and send them an additional alert.

Markus





Re: [Declude.JunkMail] New test

2004-04-21 Thread System Administrator
on 4/21/04 11:17 AM, John Tolmachoff (Lists) wrote:

 Why are you so much different than other ISPs that you can not force
 authentication?

Try to imagine having to contact thousands of subscribers and walk them
through changing their settings. Even if we only took a minute to help each
subscriber (and I can guarantee you a minute isn't even close to the time it
would take to help our subscribers) we're looking at 5+ 24-hour days doing
nothing but that.


 If you really think about it, if you are not forcing
 authentication, you are ripe to allowing spamming and run-away viruses.

Why? Could you please explain that logic to me as I don't understand it.

We don't seem to be listed on any spam databases, see
http://www.dnsstuff.com/tools/ip4r.ch?ip=12.4.184.4 .

Later,
Greg



RE: [Declude.JunkMail] New test

2004-04-21 Thread John Tolmachoff \(Lists\)
  Why are you so much different than other ISPs that you can not force
  authentication?
 
 Try to imagine having to contact thousands of subscribers and walk them
 through changing their settings. Even if we only took a minute to help each
 subscriber (and I can guarantee you a minute isn't even close to the time it
 would take to help our subscribers) we're looking at 5+ 24-hour days doing
 nothing but that.

I, as well as everyone else, understand that. What you need to do is
formulate a plan to implement over say a month. Start with broadcast
announcements and such. Then, start migrating your users in blocks. Yes, it
would be a lot of work. But the results are worth it.

  If you really think about it, if you are not forcing
  authentication, you are ripe to allowing spamming and run-away viruses.
 
 Why? Could you please explain that logic to me as I don't understand it.

I assume you are relaying for addresses in Imail SMTP. (If you are relaying
for users or domains, you have no idea about relay settings.) That means
that any one using one of those addresses can send out millions of spam
e-mails through your server and there is nothing you can do about it. This
includes users that may have viruses on their computers, and are now acting
as robots.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] New test

2004-04-21 Thread Matt

John,

Dial-up ISP's, especially smaller ones, are very unlikely to be
targeted by spammers due to the dynamic nature of the IP space. There
one minute, gone the next...and the bandwidth sucks. Almost all
viruses don't use mail servers to spread, so SMTP AUTH won't stop them
either, but blocking port 25 would along with a host of other
techniques which are less restrictive on legitimate use such as
monitoring/automatic shutoff of accounts.

I looked up Greg's IP space in SenderBase and there are absolutely no
signs of dial-up IP's leaking spam or viruses, and only his MX servers
have any SpamCop hits, and these might be primarily related to his
gateway accepting all locally addressed mail which then might get
bounced by his primary IMail server for being unaddressable (I'm
guessing here based on his lone abuse newsgroup listing). Even I have
this problem currently due to software limitations, and it's going to
cost me a good deal of money and time to create a work around so that I
can do envelope rejection on the gateways.

Overall I would say he's about as clean as they come and there's no
cause for alarm.

Matt



John Tolmachoff (Lists) wrote:

   Why are you so much different than other ISPs that you can not force
   authentication?
  
  Try to imagine having to contact thousands of subscribers and walk them
  through changing their settings. Even if we only took a minute to help each
  subscriber (and I can guarantee you a minute isn't even close to the time it
  would take to help our subscribers) we're looking at 5+ 24-hour days doing
  nothing but that.

 I, as well as everyone else, understand that. What you need to do is
 formulate a plan to implement over say a month. Start with broadcast
 announcements and such. Then, start migrating your users in blocks. Yes, it
 would be a lot of work. But the results are worth it.

   If you really think about it, if you are not forcing
   authentication, you are ripe to allowing spamming and run-away viruses.
  
  Why? Could you please explain that logic to me as I don't understand it.

 I assume you are relaying for addresses in Imail SMTP. (If you are relaying
 for users or domains, you have no idea about relay settings.) That means
 that any one using one of those addresses can send out millions of spam
 e-mails through your server and there is nothing you can do about it. This
 includes users that may have viruses on their computers, and are now acting
 as robots.

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] New test

2004-04-21 Thread John Tolmachoff \(Lists\)
  That means
  that any one using one of those addresses can send out millions of spam
  e-mails through your server and there is nothing you can do about it.
 
 How is that statement correct? We scan all outgoing messages for spam and
 viruses and delete them if a message contains one or both.

I made a general cautionary warning statement. From the research
that Matt did and the fact that you are actively scanning all outgoing
messages, you are taking the needed steps to minimize the possible problem.

If your IPs are all or mostly used by dialup users, that in itself, as Matt
pointed out, greatly reduces the possible problem.

Again, it was meant as a general warning.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] New test

2004-04-21 Thread ISPHuset Nordic
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 System Administrator
 Sent: 21. april 2004 20:20
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] New test
 
 on 4/21/04 1:40 PM, John Tolmachoff (Lists) wrote:
 
  I assume you are relaying for addresses in Imail SMTP.
 
 Correct.
 
  That means
  that any one using one of those addresses can send out millions of 
  spam e-mails through your server and there is nothing you 
 can do about it.
 
 How is that statement correct? We scan all outgoing messages 
 for spam and viruses and delete them if a message contains 
 one or both.
 
And how do you can the spam if it's a legitimate user?

As long as you don't require authentication with a user name and password, I can send
an email through your server as long as I have the correct address.

We had the same problem about 2 years ago.

Solved it by using the mailall function in IMail, giving them a mail saying that they had to
make such-and-such changes to use our mailserver to send through.

Out of 140 000 mail accounts we had around 150 contacting us by phone the first 2-3
days; after that it was going as usual.

Don't make the problem bigger than it is.

Benny



Re: [Declude.JunkMail] New test

2004-04-20 Thread Bud Durland
System Administrator wrote:

 on 4/19/04 5:30 PM, David Dresler wrote:

  For the most part, it's a great new test and is working well.
  However, I've noticed that Entourage seems to be getting caught.

 Yes, I can confirm this (I'm using Entourage). I've also noticed that some
 other e-mail clients are having the same problem (Apple's Mail for one).

I'm going to try to have a new release, with refined logic, ready later 
this week.  Other priorities make it impossible to promise anything, but 
I'll give it the old college try.

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


Re: [Declude.JunkMail] New test

2004-04-20 Thread Matt

Greg,

NOTCONTAINS would be incredibly helpful for lots of filters, though of
course all forms of NOT filters would be a good addition, but NOTCONTAINS
is the most flexible and therefore capable, especially to defeat a
counterbalancing filter so that it doesn't credit too much. I've been
holding back on asking about this again (along with other NOT's), but
since you mentioned it...

As far as your issue is concerned, I'm sure you probably have a reason
for this, but you might consider whitelisting your own address space
and using Hijack for spam prevention. If you were on IMail 8,
WHITELIST AUTH and PREWHITELIST ON wouldn't be bad ideas either if you
required AUTH. For anyone doing filtering on things like HELO, REVDNS,
CMDSPACE and SPAMHEADERS, it helps to exclude hosted/outgoing traffic
from such filters. I believe that Entourage on a Mac will fail
CMDSPACE, at least sometimes fail this new HELOIP test, and it's
possible that they will also fail SPAMHEADERS if you don't turn off
scoring hits on a missing Message-ID (Outlook 2003 fails this on a
direct connection at least, and it seems that Entourage has many of the
same behaviors). Just a general FYI since some around here might not
have happened upon these issues.

Matt



System Administrator wrote:

 on 4/19/04 5:30 PM, David Dresler wrote:

  For the most part, it's a great new test and is working well.
  However, I've noticed that Entourage seems to be getting caught.

 Yes, I can confirm this (I'm using Entourage). I've also noticed that some
 other e-mail clients are having the same problem (Apple's Mail for one).

 I sure wish (here I go again) that we could have a NOTCONTAINS filter
 action. If we had that command we (an ISP) could use this test and the
 CMDSPACE test with filters like

 LOCALHELOISIP -

 SKIPIFWEIGHT  100
 TESTSFAILED   END   NOTCONTAINSHELOISIP
 REMOTEIP  -10   CONTAINS   (an ACS subnet)
 REMOTEIP  -10   CONTAINS   (another ACS subnet)

 LOCALCMDSPACE -

 SKIPIFWEIGHT  100
 TESTSFAILED   END   NOTCONTAINSCMDSPACE
 REMOTEIP  -10   CONTAINS   (an ACS subnet)
 REMOTEIP  -10   CONTAINS   (another ACS subnet)

 to neutralize the failed HELOISIP and CMDSPACE tests for my local users (due
 to the e-mail client they are using).

 Later,
 Greg


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] New test

2004-04-19 Thread Markus Gufler

 ... when  
 many  of the tests could be wrapped by SpamAssassin custom 
 rules ...


The only thing I fear is that as soon as SA has such a rule, spammers
will immediately rewrite their SW (or better said, email worms) and stop using
IP-like HELO strings.

Markus




Re: [Declude.JunkMail] New test

2004-04-19 Thread Bud Durland
Matt wrote:

 I have a few suggestions that you might want to consider.

 The first one would be to skip processing of the message and just have
 Declude pass off the HELO as an argument to your script.  This can be
 done with %HELO%.  This will speed processing and ensure that the HELO
 comes in the proper context.  Declude can be configured for IPBYPASS
 settings which are used to skip over gateway mail servers and
 forwarding servers so that you have the HELO of the computer that is
 actually sending the E-mail.

That's a great idea!  Not sure why I didn't think of that in the initial
implementation.

 Combining both of your tests into one program instead of two would
 also be useful.  You can use any code over 10 for this.  Declude also
 will only call the script once if the command is the same, and it will
 determine which test would be failed based on the result code that is
 returned.

For a non-zero test, I thought any non-zero result evaluates the same.
I have considered configuring it to take a parameter to determine if the
X test should be used.

 The last thing that I'm not very clear about is the logic of the
 detection.

Fairly straightforward: for HELOISIP, convert dashes (-) to dots (.),
strip out anything that's not a number or a dot, and see if there are 4
octets of numbers <= 255. I'm not sure why Serge's example failed; I'll
test later today.  It is possible that there would be a FP from a host
name like host11.rack2.location3.bldg4.example.com.   His example
(alias-1.c10-ave-mta1.cnet.com) should have become 1.10.1, and not
failed the test -- only 3 numbers.

The HELOISIPX test only does the last step -- no tinkering with the
content first.

 I have a custom filter called DYNAMIC listed in the beta section of my
 site

Unfortunately, I don't have JM pro, so...

 It's extremely unlikely that you would miss detecting a zombie using
 the reverse DNS entry as the HELO if you ignored hits below 20 because
 there aren't many ISP class A's in use below that level (I think just
 IBM), and you have 4 chances to hit a number above 20.

You're right, although ATT is in there as well, and they have a few
internet customers, I think.

 The pattern that you identified is of course a very nice addition to
 spam fighting.  Thanks!

We all try to do our part; thanks for the kind words and good suggestions!



--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


RE: [Declude.JunkMail] New test

2004-04-19 Thread Jason
These headers didn't trigger the HELOISIP test.  It looks to me like
they should have.  Any Ideas?




Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com
  (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
Received: from iowiekwaoakkwjehckckw.com (iowiekwaoakkwjehckckw.com
[20.214.235.110])
by adsl-63-202-107-44.dsl.lsan03.pacbell.net (Postfix) with
ESMTP id 24CB5D66BE
for [EMAIL PROTECTED]; Mon, 19 Apr 2004 11:36:16 -0400
Date: Mon, 19 Apr 2004 11:36:16 -0400
From: Counsellors T. Dissenters [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.0) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: Newlandj [EMAIL PROTECTED]
Subject: A|D|V 1adies tthat wannt to encounter 5trangers
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
X-RBL-Warning: MAILFROM: Domain iowiekwaoakkwjehckckw.com has no MX or A
records [0301]. [2-26-d000]
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10. [2-37-12800]
X-RBL-Warning: WEIGHT10: Weight of 32 reaches or exceeds the limit of
10. [2-38-13000]
X-RBL-Warning: WEIGHT20: Weight of 32 reaches or exceeds the limit of
28. [2-41-14800]
X-Declude-Sender: [EMAIL PROTECTED] [63.202.107.44]
X-Spam-Tests-Failed: SORBS-DUHL, MAILFROM, SPAMCHK, WEIGHT10, WEIGHT20
[32]



Re: [Declude.JunkMail] New test

2004-04-19 Thread Bud Durland
Jason wrote:

These headers didn't trigger the HELOISIP test.  It looks to me like
they should have.  Any Ideas?
Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com  (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
 

Because of the 'lsan03', the numeric characters in the host name boil 
down to 63.202.107.44.03.  I'm thinking about how best to make this type 
of entry fail, without jacking up the risk of a false positive.

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---
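Bud's HELOISIP logic as he describes it earlier in the thread, run against the lsan03 case from this message, as an added Python example (not Bud's script): dashes become dots, everything that is not a digit or a dot is stripped, and the HELO fails only when exactly four numeric fields, each <= 255, remain; HELOISIPX applies just that last check to the raw string. The exit-code wrapper and the command-line shape (the HELO handed in via %HELO% as the first argument, an optional "x" as the second) are assumptions.

```python
import re
import sys


def numeric_fields(helo):
    """HELOISIP's rewriting step: dashes become dots, everything except digits and
    dots is dropped, and the digit groups that remain are returned in order."""
    rewritten = helo.replace("-", ".")
    digits_and_dots = re.sub(r"[^0-9.]", "", rewritten)
    return [field for field in digits_and_dots.split(".") if field]


def looks_like_ip(fields):
    """The final check: exactly four fields, all integers in 0..255."""
    return len(fields) == 4 and all(f.isdigit() and int(f) <= 255 for f in fields)


def heloisip(helo):
    """True when the HELO boils down to a dotted quad after rewriting."""
    return looks_like_ip(numeric_fields(helo))


def heloisipx(helo):
    """The X variant: no rewriting, the raw HELO must already be a dotted quad."""
    return looks_like_ip(helo.split("."))


def external_test_result(helo, use_x=False):
    """Result in the shape of a Declude external test: non-zero means the test failed."""
    failed = heloisipx(helo) if use_x else heloisip(helo)
    return 1 if failed else 0


if __name__ == "__main__":
    # Assumed invocation: heloisip.py <helo> [x]
    helo_arg = sys.argv[1] if len(sys.argv) > 1 else ""
    want_x = len(sys.argv) > 2 and sys.argv[2].lower() == "x"
    print(".".join(numeric_fields(helo_arg)) or "(no digits)")
    sys.exit(external_test_result(helo_arg, use_x=want_x))
```

Jason's HELO yields five fields ("63.202.107.44.03"), so it passes, while host11.rack2.location3.bldg4.example.com yields exactly four and would be the false positive Bud anticipates.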


Re: [Declude.JunkMail] New test

2004-04-19 Thread Matt
You should be fine as long as you don't do matches on numbers below 20, 
or at least that is my experience.  I'm thinking that you created this 
exception in order to head off that problem.  Minimally it's worth a try.

Matt

Bud Durland wrote:

Jason wrote:

These headers didn't trigger the HELOISIP test.  It looks to me like
they should have.  Any Ideas?
Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com  (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 
10:42:45 -0500
 

Because of the 'lsan03', the numeric characters in the host name boil 
down to 63.202.107.44.03.  I'm thinking about how best to make this 
type of entry fail, without jacking up the risk of a false positive.


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-19 Thread Glenn Brooks
Will Heloisip run on NT? I do not see any activity in task manager or in 
the declude logs (log level MID)



At 01:57 PM 4/19/2004 -0400, you wrote:
You should be fine as long as you don't do matches on numbers below 20, or 
at least that is my experience.  I'm thinking that you created this 
exception in order to head off that problem.  Minimally it's worth a try.

Matt

Bud Durland wrote:

Jason wrote:

These headers didn't trigger the HELOISIP test.  It looks to me like
they should have.  Any Ideas?
Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44]
by areatech.com  (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 
10:42:45 -0500

Because of the 'lsan03', the numeric characters in the host name boil 
down to 63.202.107.44.03.  I'm thinking about how best to make this type 
of entry fail, without jacking up the risk of a false positive.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 



RE: [Declude.JunkMail] New test

2004-04-19 Thread Jason
Don't know about NT4, but we are running it on Win2k using log level low
and it is working well.  I don't see it come up in the task manager
either, but it is running.


Jason



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Brooks
Sent: Monday, April 19, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Will Heloisip run on NT? I do not see any activity in task manager or
in the declude logs (log level MID)



At 01:57 PM 4/19/2004 -0400, you wrote:
You should be fine as long as you don't do matches on numbers below 20,

or
at least that is my experience.  I'm thinking that you created this 
exception in order to head off that problem.  Minimally it's worth a
try.

Matt


Bud Durland wrote:

Jason wrote:

These headers didn't trigger the HELOISIP test.  It looks to me like 
they should have.  Any Ideas?


Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net 
[63.202.107.44] by areatech.com  (SMTPD32-7.14) id A37557AB0118; Mon,

19 Apr 2004 10:42:45 -0500


Because of the 'lsan03', the numeric characters in the host name boil
down to 63.202.107.44.03.  I'm thinking about how best to make this
type 
of entry fail, without jacking up the risk of a false positive.


--
=
MailPure custom filters for Declude JunkMail Pro. 
http://www.mailpure.com/software/
=



Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 




Re: [Declude.JunkMail] New test

2004-04-19 Thread Bud Durland
Glenn Brooks wrote:

Will Heloisip run on NT? I do not see any activity in task manager or 
in the declude logs (log level MID)


It should run on NT just fine, although I couldn't test it on that 
platform.  No surprise that it's not on the task manager -- it does its 
thing very quickly and probably doesn't stick around long enough to show up.

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


RE: [Declude.JunkMail] New test

2004-04-19 Thread David Dresler
Below is an example of headers taken from a false positive using this new
test.  For the most part, it's a great new test and is working well.
However, I've noticed that Entourage seems to be getting caught.  This is
the second customer of mine that I've noticed getting caught by this and
both are using Entourage.  Is anyone else seeing this?

Thanks for any ideas

Received: from [10.0.0.11] [208.37.231.210] by ilfmedia.com with ESMTP
  (SMTPD32-7.07) id A0A0C7F0140; Mon, 19 Apr 2004 14:12:00 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Mon, 19 Apr 2004 14:16:46 -0700
Subject: Phone message
From: Rick Delker [EMAIL PROTECTED]
To: Richard Katz [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Mime-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-RBL-Warning: INTRUDERS: This E-mail came from 208.37.231.210, a potential
spam source listed in INTRUDERS. [2-14-7000]
X-Declude-Sender: [EMAIL PROTECTED] [208.37.231.210]
X-Declude-Spoolname: D40a00c7f0140a17c.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: INTRUDERS, HELOISIP [4]
X-Note: This E-mail was sent from w210.z208037231.nyc-ny.dsl.cnc.net
([208.37.231.210]).
X-Note:  Total Weight for this email is [4]

David Dresler
Choicenet Internet
Network Administrations
509.252.3939




--
Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.230 / Virus Database: 262.8.3 - Release Date: 4/15/2004



Re: [Declude.JunkMail] New test

2004-04-19 Thread Matt
David (and Bud),

An exception could probably be made for proper usage of the IP being 
used as the HELO (when enclosed in brackets).  Also, a while back in an 
effort to reduce the processing power required for my @LINKED and 
IPLINKED filters, I removed all of the IP space that was reserved which 
amounted to about half of the Class A's.  Both of these things might be 
good exclusions since the real-world use of this by zombie spammers 
won't be impacted by either change.

Matt



David Dresler wrote:

Below is an example of headers taken from a false positive using this new
test.  For the most part, its a great new test and is working well.
However, i've noticed that Entourage seems to be getting caught.  This is
the second customer of mine that i've noticed getting caught by this and
both are using Entourage.  Is anyone else seeing this?
Thanks for any ideas

Received: from [10.0.0.11] [208.37.231.210] by ilfmedia.com with ESMTP
 (SMTPD32-7.07) id A0A0C7F0140; Mon, 19 Apr 2004 14:12:00 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Mon, 19 Apr 2004 14:16:46 -0700
Subject: Phone message
From: Rick Delker [EMAIL PROTECTED]
To: Richard Katz [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Mime-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-RBL-Warning: INTRUDERS: This E-mail came from 208.37.231.210, a potential
spam source listed in INTRUDERS. [2-14-7000]
X-Declude-Sender: [EMAIL PROTECTED] [208.37.231.210]
X-Declude-Spoolname: D40a00c7f0140a17c.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: INTRUDERS, HELOISIP [4]
X-Note: This E-mail was sent from w210.z208037231.nyc-ny.dsl.cnc.net
([208.37.231.210]).
X-Note:  Total Weight for this email is [4]
David Dresler
Choicenet Internet
Network Administrations
509.252.3939


 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Bud Durland wrote:

I am testing a small external test program.  A message fails the test 
if there is a discernible IP address in the HELO entry of the message.  


The new test is available for download from http://bud.thedurlands.com.

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



RE: [Declude.JunkMail] New test

2004-04-18 Thread Andy Schmidt
Hm - isn't that already covered in the HELOBOGUS test?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 07:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test
 if there is an discernable IP address in the HELO entry of the message.  


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.




Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Andy Schmidt wrote:

Hm - isn't that already covered in the HELOBOGUS test?
 

Not really:

 Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

morden-res-206-45-166-10.mts.net is a valid host name that will not 
trip HELOBOGUS, but will trip HELOISIP.

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Bud,

Is this the proper format for the config file? :

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test
 if there is an discernable IP address in the HELO entry of the
message.  


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All 
Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry 
will cause your mail to be treated as spam on some servers, such as AOL.]



RE: [Declude.JunkMail] New test

2004-04-18 Thread Jason
Thanks Bill.  All I can say is WOW.  This test seems to be working very
very well.  It is snagging tons of stuff.

Jason


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, April 18, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud's documentation says it should be set up as a nonzero test, for
example:

HELOISIP external nonzero C:\imail\declude\heloisip\heloisip.exe 10 0

rather than a weight test.

Bill
- Original Message - 
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 5:59 PM
Subject: RE: [Declude.JunkMail] New test


Bud,

Is this the proper format for the config file? :

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!


Jason




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test


Bud Durland wrote:

 I am testing a small external test program.  A message fails the test 
 if there is an discernable IP address in the HELO entry of the
message.


The new test is available for download from http://bud.thedurlands.com.

-- 

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.




Re: [Declude.JunkMail] New test

2004-04-18 Thread Glenn Brooks
I get an unknown filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this path would point to the exe file

is this not correct?

At 02:00 AM 4/19/2004 +, you wrote:
any chance to get the source code ?
Thanks
- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test
 Andy Schmidt wrote:

 Hm - isn't that already covered in the HELOBOGUS test?
 
 

 Not really:

   Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

 morden-res-206-45-166-10.mts.net is a valid host name that will not
 trip HELOBOGUS, but will trip HELOISIP.


 --
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com 



Re: [Declude.JunkMail] New test

2004-04-18 Thread serge
any chance to get the source code ?
Thanks

- Original Message - 
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test


 Andy Schmidt wrote:

 Hm - isn't that already covered in the HELOBOGUS test?
 
 

 Not really:

   Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

 morden-res-206-45-166-10.mts.net is a valid host name that will not
 trip HELOBOGUS, but will trip HELOISIP.


 -- 
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 



Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Glenn Brooks wrote:

I get an unknow filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this apth would point to the exe file

is this not correct?


It is not a filter; it is an external non-zero test.  Your GLOBAL.CFG 
file entry would look something like this:

HELOISIPX external nonzero C:\IMail\Declude\HELOISIP\HELOISIPX.EXE 5 0

This line adds 5 points to the overall weight of the message if it fails.

Hope that helps

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



Re: [Declude.JunkMail] New test

2004-04-18 Thread Bud Durland
Jason wrote:

Thanks Bill.  All I can say is WOW.  This test seems to be working very
very well.  It is snagging tons of stuff.
 

The question is, is it generating false positives?  I hope not; the FP 
ratio here is very, very low, but I realize everyone's traffic pattern 
is different.  While testing, I had it set to 0 weight, and a HOLD 
action.  That let me review what it caught and determine the appropriate 
weight value. YMMV

--

Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017

For sale: Parachute.  Like new, used once.  Small stain.



RE: [Declude.JunkMail] New test

2004-04-18 Thread Andy Schmidt
I'm trying to figure out WHY spammers would bother to include dial-up
reverse DNS as HELO string?

And if so, why not just check the reverse DNS?  And, how much does this test
overlap with existing dynamic host/dial up blacklists?


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



Re: [Declude.JunkMail] New test

2004-04-18 Thread Matt
Andy,

This is almost completely a zombie spammer thing.  Just like they need 
to create a valid Mail From, they also need to create a HELO, and 
hopefully one that is valid, though of course not many ISP's will enter 
both A records and reverse DNS entries for this type of address.  The 
predominance with zombie spammers is to use one of three things:

   - The reverse DNS entry of the hijacked computer
   - The domain name of the recipient
   - the IP address
There are unfortunately some pieces of software that will generate the 
HELO dynamically, and a fair number of Windows computers with similar 
computer naming conventions which might be relaying E-mail from Web 
sites and other software.  These same computers are also highly likely 
to also fail HELOBOGUS when they false positive.

Matt



Andy Schmidt wrote:

I'm trying to figure out WHY spammers would bother to include dial-up
reverse DNS as HELO string?
And if so, why not just check the reverse DNS?  And, how much does this test
overlap with existing dynamic host/dial up blacklists?
Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 

 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] New test

2004-04-18 Thread serge
Here is one FP
Where's the IP ?

Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by
mail.cefib.com with ESMTP

- Original Message - 
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 2:43 AM
Subject: Re: [Declude.JunkMail] New test


 Jason wrote:

 Thanks Bill.  All I can say is WOW.  This test seems to be working very
 very well.  It is snagging tons of stuff.
 
 
 

 The question is, is it generating false positives?  I hope not; the FP
 ratio here is very, very low, but I realize everyone's traffic pattern
 is different.  While testing, I had it set of 0 weight, and a HOLD
 action.  That let me review what it caught and determine the appropriate
 weight value. YMMV

 -- 
 
 Bud Durland, CNE [EMAIL PROTECTED] fax: 518-561-0017
 
 For sale: Parachute.  Like new, used once.  Small stain.
 



Re: [Declude.JunkMail] New test

2004-04-18 Thread Matt
Bud,

I have a few suggestions that you might want to consider.

The first one would be to skip processing of the message and just have 
Declude pass off the HELO as an argument to your script.  This can be 
done with %HELO%.  This will speed processing and ensure that the HELO 
comes in the proper context.  Declude can be configured for IPBYPASS 
settings which are used to skip over gateway mail servers and forwarding 
servers so that you have the HELO of the computer that is actually 
sending the E-mail.

Combining both of your tests into one program instead of two would also 
be useful.  You can use any code over 10 for this.  Declude also will 
only call the script once if the command is the same, and it will 
determine which test would be failed based on the result code that is 
returned.

The last thing that I'm not very clear about is the logic of the 
detection.  I have a custom filter called DYNAMIC listed in the beta 
section of my site 
(http://www.mailpure.com/software/decludefilters/beta/) that does 
something similar for reverse DNS entries.  I found from testing and 
according to the capabilities of the environment that using values below 
20, i.e. -20- or .20., would produce false positives similar to the one 
that Serge just pointed out.  It's extremely unlikely that you would 
miss detecting a zombie using the reverse DNS entry as the HELO if you 
ignored hits below 20 because there aren't many ISP class A's in use 
below that level (I think just IBM), and you have 4 chances to hit a 
number above 20.

The pattern that you identified is of course a very nice addition to 
spam fighting.  Thanks!

Matt



Bud Durland wrote:

Bud Durland wrote:

I am testing a small external test program.  A message fails the test 
if there is an discernable IP address in the HELO entry of the message.  


The new test is available for download from http://bud.thedurlands.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
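A worked implementation of the matching logic this thread circles around (Bud's 'lsan03' miss, Serge's 'alias-1' false positive, and Matt's suggestions to ignore numbers below 20, exempt bracketed address literals like the Entourage HELO, and skip reserved IP space), as an added Python example that is neither Bud's program nor anything shipped with Declude. The argument wiring, the result-code values 11 and 12, and the use of the standard library's private/reserved classification in place of Matt's hand-built range list are assumptions.

```python
import ipaddress
import re
import sys

DIGIT_RUN = re.compile(r"\d+")


def numeric_tokens(helo):
    """Digit runs in the HELO name, in order, as integers.
    'adsl-63-202-107-44.dsl.lsan03.pacbell.net' -> [63, 202, 107, 44, 3]"""
    return [int(t) for t in DIGIT_RUN.findall(helo)]


def is_address_literal(helo):
    """True for a bracketed HELO such as '[10.0.0.11]' (the Entourage case).
    An address literal is proper usage, so the test should not fire on it."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    try:
        ipaddress.ip_address(helo[1:-1])
    except ValueError:
        return False
    return True


def in_excluded_space(ip):
    """Skip private/reserved/loopback sources, as Matt did for his filters.
    Assumption: the stdlib classification stands in for his removed ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_reserved or addr.is_loopback


def strict_match(helo, ip):
    """Strict form: the HELO's digit runs, taken together, are exactly the
    connecting IP.  An extra run such as the '03' of 'lsan03' defeats it,
    which is the miss Bud described."""
    return numeric_tokens(helo) == [int(o) for o in ip.split(".")]


def matching_octets(helo, ip, min_value=20):
    """Octets of the connecting IP that also occur as a digit run in the HELO.
    Octets below min_value are ignored (Matt's suggestion): small numbers such
    as the '1' in 'alias-1' or 'mta1' are ordinary host naming, and matching
    them is what produced Serge's false positive."""
    tokens = set(numeric_tokens(helo))
    octets = [int(o) for o in ip.split(".")]
    return sorted(o for o in octets if o >= min_value and o in tokens)


PASS, FAIL_STRICT, FAIL_EXTENDED = 0, 11, 12


def classify(helo, ip, min_value=20, min_hits=1):
    """Both tests in one run, as Matt proposed: 0 = pass, and a code over 10
    says which test fired (the values 11 and 12 are our own choice)."""
    if is_address_literal(helo) or in_excluded_space(ip):
        return PASS
    if strict_match(helo, ip):
        return FAIL_STRICT
    if len(matching_octets(helo, ip, min_value)) >= min_hits:
        return FAIL_EXTENDED
    return PASS


# Constructed from the Received: lines quoted in this thread.
SAMPLES = [
    ("adsl-63-202-107-44.dsl.lsan03.pacbell.net", "63.202.107.44"),
    ("morden-res-206-45-166-10.mts.net", "206.45.166.10"),
    ("alias-1.c10-ave-mta1.cnet.com", "206.16.1.130"),
    ("[10.0.0.11]", "208.37.231.210"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Run as an external test with the HELO (%HELO%) and the connecting
        # IP as arguments; this wiring is an assumption, not Declude's API.
        sys.exit(classify(sys.argv[1], sys.argv[2]))
    for helo, ip in SAMPLES:
        print(f"{helo:45} {ip:16} strict={strict_match(helo, ip)} "
              f"hits>=20={matching_octets(helo, ip)} code={classify(helo, ip)}")
```

Lowering min_value to 0 on the cnet.com sample reproduces Serge's false positive (the lone '1' matches the third octet), which is the case the threshold is there to suppress.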


Re: [Declude.JunkMail] New test

2004-04-18 Thread Sanford Whiteman
 I am testing a small external test program. A message fails the test
 if  there  is  an  discernable  IP  address in the HELO entry of the
 message...

Just  a  little  note here: while this test is surely valuable and its
development  much  appreciated,  I  think  creating a slew of external
Declude helpers is suboptimal--for desktop heap overhead, if nothing
else--when  many  of the tests could be wrapped by SpamAssassin custom
rules  and  run  all at once using SPAMC32. Remember that SpamAssassin
has  full  Perl  regular  expression  support and allows for auxiliary
rules  to  be  contributed via any number of external files (each rule
with its own weight, at that).

If  the  community  concentrated  on  contributing  SA  rulesets, test
development time could be sliced down to nearly zero. Now, I know that
for  some  of you, this might seem vaguely treasonous--if you think of
Declude  and SA as rivals. We don't run SA without Declude, though, so
I see it as more of a parent-child relationship.

Anyway, it's just an idea.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



RE: [Declude.JunkMail] New test

2004-04-18 Thread Colbeck, Andrew
Anybody already using a handy way to record the HELO in the decMMDD.log
file?

I'd like to save the step of going to my sysMMDD.txt file if I could.

I've run Bud's test for a few hours and had quite a few hits.  The only
false positive wasn't a false positive at all, but a correctly identified
case of the mailhost with a revdns that reflected the host IP, with a
matching HELO.  And it did not hit on HELOISIPX.

Andrew 8)


Re: [Declude.JunkMail] New test

2004-04-18 Thread Darin Cox
Sandy,

Good points.  However, some may prefer just to add a test or two rather than
add SA.  Plus specialized tests may run more quickly via specific parsing
than a general regexp engine.  Or some may just prefer not to implement
cygwin on their machines (I seem to remember it being necessary to
implement SA).

In any case, I think this is a situation where there are many ways to
implement, and for each different environment different solutions may be
preferred.

Darin.


- Original Message - 
From: Sanford Whiteman [EMAIL PROTECTED]
To: Bud Durland [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:15 AM
Subject: Re: [Declude.JunkMail] New test


 I am testing a small external test program. A message fails the test
 if  there  is  an  discernable  IP  address in the HELO entry of the
 message...

Just a little note here: while this test is surely valuable and its
development much appreciated, I think creating a slew of external
Declude helpers is suboptimal--for desktop heap overhead, if nothing
else--when many of the tests could be wrapped by SpamAssassin custom
rules and run all at once using SPAMC32. Remember that SpamAssassin
has full Perl regular expression support and allows for auxiliary
rules to be contributed via any number of external files (each rule
with its own weight, at that).

If the community concentrated on contributing SA rulesets, test
development time could be sliced down to nearly zero. Now, I know that
for some of you, this might seem vaguely treasonous--if you think of
Declude and SA as rivals. We don't run SA without Declude, though, so
I see it as more of a parent-child relationship.

Anyway, it's just an idea.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



Re: [Declude.JunkMail] New test

2004-04-16 Thread Bud Durland
Markus;

Thanks for the detailed feedback and kind words.  I haven't had time to 
study our numbers (and I believe our statistical universe is much 
smaller than yours), but generally speaking I'm pleased with the results 
we're seeing here.

For those who are interested, I'll be posting this test for download  
from my web site (http://bud.thedurlands.com) this weekend.  Don't look 
for it earlier than Sunday, but I promise it will be there.  There will 
be two executables.  The current one remains unchanged.  The additional 
test, called HELOISIPX, only fails if the HELO is a pure IP address:

 Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP

I created this because I see quite a few messages that use an IP for the 
HELO, (and often it is MY mail server's IP).  I have never, ever, not 
once seen such a message that wasn't spam, so on my system that test 
will be weighted quite heavily.

Markus Gufler wrote:

  Two days ago Bud announced HELOISIP as a new external test.

  After trying this test for 36 hours I can report the following results
  for 04/15/2004:
  Processed messages: 9832

  Hold as Spam:  4728  (48% of all messages)
  Detected by HELOISIP:  1340  (28% of held spam / 14% of all messages)
  FP's from SURBL:  55
  All of these 55 legit messages had a final weight below 60% of our hold
  weight and so didn't cause any real FP.
  91% of all spam messages caught by HELOISIP had already reached a weight
  over 200% of our hold weight. So having a possibility to skip this external
  test if a certain weight is already reached should significantly save
  resources.
  Good test!

  Markus




--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


RE: [Declude.JunkMail] New test = EHLOFILTER

2004-04-16 Thread Markus Gufler

 I created this because I see quite a few messages that use an 
 IP for the HELO, (and often it is MY mail server's IP).  I 
 have never, ever, not once seen such a message that wasn't 
 spam, so on my system that test will be weighted quite heavily.

No other MTA should connect to your MTA using your MTA's IP as HELO string.
I don't know if there is any reason to connect with any other IP-address as
HELO-string.

Several people have set up a filter file containing 

HELO 0 CONTAINS [your.servers.ip.address]

Now add this filter file to your global.cfg file and assign a very high
weight.
My EHLOFILTER catches 4% of all processed messages without any false
positives (looking back over the last 50 days).

Most spam (~99%) failing this test has already reached a final weight over 200%
of our hold weight. But anything going over 200% helps to decrease our
operators' review work.

Markus







Re: [Declude.JunkMail] New test = EHLOFILTER

2004-04-16 Thread Bud Durland
Markus Gufler wrote:

  No other MTA should connect to your MTA using your MTA's IP as HELO string.
  I don't know if there is any reason to connect with any other IP-address as
  HELO-string.

My thinking exactly.

  Several people have set up a filter file containing 

  HELO 0 CONTAINS [your.servers.ip.address]

  Now add this filter file to your global.cfg file and assign a very high
  weight.

If I had Declude JM Pro, I probably would. I only have Standard, so no 
filters.

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---


RE: [Declude.JunkMail] New test

2004-04-15 Thread Kevin Bilbee



I would like to test. Looks like a good test.

Kevin Bilbee

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Doherty
  Sent: Wednesday, April 14, 2004 7:14 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] New test

  I'd like to test it also.

  -Dave

    - Original Message - 
    From: Bud Durland
    To: Declude List
    Sent: Wednesday, April 14, 2004 8:58 AM
    Subject: [Declude.JunkMail] New test

    I am testing a small external test program. A message fails the test if
    there is a discernible IP address in the HELO entry of the message. These
    fail the test:

     Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
     Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
     Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

    Only the bolded part of the line (HELO name) is tested. Basically, dashes
    become 'dots', and anything other than numbers and dots are stripped out.
    If what remains looks like a valid 4-octet IP address, the test fails.

    These entries would NOT fail -- stray numbers make the location of the IP
    ambiguous:

     Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
     Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

    For testing, I set it up with 0 weight and a HOLD action. So far, it has
    not flagged anything that was not spam.

    If anyone is interested in trying it out, let me know. I'll probably be
    putting it up for download from my web site later this week.

    -- 
    ---
    illigitimi non carborundum
    ---
    Bud Durland, CNE Mold-Rite Plastics
    Network Administrator http://www.mrpcap.com
    ---


Re: [Declude.JunkMail] New test

2004-04-15 Thread Lyndon Eaton
I'm interested.

Thanks.

Original Message
From: Bud Durland 
Subject: [Declude.JunkMail] New test 
Date: Wed, 14 Apr 2004 06:05:40 -0700 

I am testing a small external test program.  A message fails the test if
there is a discernible IP address in the HELO entry of the message.
These fail the test:

 Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146]
by mrpcap.com
 Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
 Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by
mrpcap.com

Only the bolded part of the line (HELO name) is tested.  Basically,
dashes become 'dots', and anything other than numbers and dots are
stripped out.  If what remains looks like a valid 4-octet IP address,
the test fails.

These entries would NOT fail -- stray numbers make the location of the IP
ambiguous:

 Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by
mrpcap.com 
 Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by
mrpcap.com  

For testing, I set it up with 0 weight and a HOLD action.  So far, it
has not flagged anything that was not spam.

If anyone is interested in trying it out, let me know.  I'll probably be
putting it up for download from my web site later this week.
 
 



Email checked by UKsubnet anti-virus service
To prevent email abuse  block spam
contact [EMAIL PROTECTED]
Tel: +44(0)8712360301 Web: www.uksubnet.net
Fax: +44(0)8712360300

Powered by UKsubnet Internet Service Provider
Business to Business Internet (ISP)


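
The HELO heuristics discussed in this thread, written out as an added example (this is not Bud Durland's program or Declude's code): Bud's loose HELOISIP reduction from the message quoted above, the stricter HELOISIPX from his 2004-04-16 follow-up, the embedded-IP-versus-connecting-IP comparison behind Andrew's "correctly identified" case, and Markus's EHLOFILTER substring check. The Received-line format and the first five sample lines are the IMail ones quoted in the thread; the last line, mail.example.net and the server address 10.0.0.25 are constructed.

```python
"""HELO-based spam heuristics from the Declude.JunkMail thread (added example)."""
import re

# IMail writes "Received: from <HELO name> [<connecting IP>] by <host> ..."
RECEIVED_RE = re.compile(
    r"^\s*Received:\s+from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+", re.I
)


def parse_received(line):
    """Return (helo_name, connecting_ip) from an IMail-style Received line, or None."""
    m = RECEIVED_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def is_dotted_quad(s):
    """True if s is exactly four decimal octets in the 0-255 range."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def embedded_ip(helo):
    """Bud's HELOISIP reduction: dashes become dots, everything except digits and
    dots is stripped, and what remains must be exactly four octets.  Returns the
    dotted quad if so, else None (a fifth stray number makes it ambiguous)."""
    cleaned = re.sub(r"[^0-9.]", "", helo.replace("-", "."))
    fields = [f for f in cleaned.split(".") if f]  # drop empties left by stripped letters
    if len(fields) == 4 and all(int(f) <= 255 for f in fields):
        return ".".join(str(int(f)) for f in fields)  # "083" -> "83"
    return None


def heloisip(helo):
    """Loose test: fails (True) when an IP can be read out of the HELO name."""
    return embedded_ip(helo) is not None


def heloisipx(helo):
    """Strict test: fails (True) only when the HELO string is a bare IP literal."""
    return is_dotted_quad(helo)


def ehlofilter(helo, our_ip):
    """Markus's filter-file rule 'HELO 0 CONTAINS <your.servers.ip.address>'.
    CONTAINS is a substring match, so 10.0.0.25 would also match 110.0.0.250;
    compare against is_dotted_quad(helo) as well if that matters on your system."""
    return our_ip in helo


def evaluate(line, our_ip=None):
    """Run every heuristic over one Received line.  Returns None if the line
    does not parse; otherwise a dict mapping test names to True (= test failed)."""
    parsed = parse_received(line)
    if parsed is None:
        return None
    helo, peer = parsed
    ip = embedded_ip(helo)
    return {
        "helo": helo,
        "HELOISIP": ip is not None,
        "HELOISIPX": heloisipx(helo),
        # Andrew's "not a false positive": a real host whose rDNS name encodes
        # the very address it connected from.  A weighting system can use this
        # flag to soften HELOISIP for such hosts.
        "HELO_IP_MATCHES_PEER": ip is not None and ip == peer,
        "EHLOFILTER": our_ip is not None and ehlofilter(helo, our_ip),
    }


# Sample Received lines quoted in the thread, plus one constructed line whose
# HELO claims the receiving server's own (constructed) address 10.0.0.25.
SAMPLE_LINES = [
    "Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com",
    "Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com",
    "Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com",
    "Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com",
    "Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP",
    "Received: from 10.0.0.25 [203.0.113.7] by mail.example.net with ESMTP",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = evaluate(line, our_ip="10.0.0.25")
        flags = [k for k, v in r.items() if v is True]
        print(f"{r['helo']:45s} {' '.join(flags) or 'passes'}")
```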


Re: [Declude.JunkMail] New test

2004-04-14 Thread andyb



interested

thanks, andy



Re: [Declude.JunkMail] New test

2004-04-14 Thread Glenn Brooks


interested
At 09:17 AM 4/14/2004 -0400, you wrote:
interested

thanks, andy



Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com



Re: [Declude.JunkMail] New test

2004-04-14 Thread Dave Doherty



I'd like to test it also.

-Dave



RE: [Declude.JunkMail] New test request

2003-09-11 Thread Markus Gufler
  How about a test like this:
  NUMBERSINMAILFROM
  
  It would be similar to SUBJECTSPACES but would count the amount of 
  numbers in the mail from address. You could then configure 
  it for say if 10 or more,
  add 5 to the weight and so forth.

John,

We already look for sender-addresses containing more than 4
(SenderWithCodeMaybe) or more than 8 digits (SenderWithCode).
So we count around 75% of spam-senders and 25% of FPs.

As Scott said there are a lot of typical Freemailer-Addresses like
[EMAIL PROTECTED] creating FPs with such a test.
But there are also auto-generated mailings having a sender address like
[EMAIL PROTECTED]

On a typical day we can see around 10% of all incoming messages having
between 4 and 7 digits. Another ~8% of incoming messages have more than 8
digits.

It's not the best but a definitely useful test in a weighting system.


Markus




RE: [Declude.JunkMail] New test request

2003-09-11 Thread Kami Razvan
Hi;

I have been following this discussion and it seems like for weight test it
would be good.  Some observations that could complement this:

1:  Mailing list email addresses are long.  I have not seen autogenerated
addresses that are less than 10 or so characters.  E.g.

[EMAIL PROTECTED] [64.241.105.8]

[EMAIL PROTECTED]

But on the other hand spam like emails are typically about 10 or so
characters.  I think it is worth looking into John's suggestion with a
consideration of the UserID length. E.g. from last night logs:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

I think we can use the length of the UserID to our advantage in implementing
this test.

2:  I wish we could run tests on UserID and domain separately.  It seems
like it would be much easier if the domain could be separated from the
UserID since for example one could test for two dashes (--) in the domain.
We are getting more and more spam like hot--stuff.com

Regards,
Kami




RE: [Declude.JunkMail] New test request

2003-09-10 Thread John Tolmachoff \(Lists\)
Any thoughts, good or bad?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Tuesday, September 09, 2003 10:32 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] New test request
 
 How about a test like this:
 
 NUMBERSINMAILFROM
 
 It would be similar to SUBJECTSPACES but would count the amount of numbers
 in the mail from address. You could then configure it for say if 10 or more,
 add 5 to the weight and so forth.
 
 John Tolmachoff MCSE CSSA
 Engineer/Consultant
 eServices For You
 www.eservicesforyou.com
 
 


RE: [Declude.JunkMail] New test request

2003-09-10 Thread R. Scott Perry

Any thoughts, good or bad?
It's one that we do hope to add.  It's not foolproof (such as 
[EMAIL PROTECTED]), but would be useful in helping catch spam.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] New test request

2003-09-10 Thread Matthew Bramble




That would work great at detecting old Compuserve accounts :)

I'm not convinced that this would be a very clear marker for spam
though (depends on what the automated real stuff does), but you could
probably set up a filter to test the theory

First create a filter file test and score it as a negative 2:

SENDERNUM   filter  C:\IMail\Declude\SenderNum.txt   x  -2  0

Then fill the file with an entry for numbers 10-99, scoring each one as
a single point:

MAILFROM  1  CONTAINS 10
MAILFROM  1  CONTAINS 11
MAILFROM  1  CONTAINS 12
...

This would score the number of digits in succession as follows,
note that it will score higher if the address has numbers surrounded by
letters, and lower if it is only numbers:

1 num = N/A
2 num = -1
3 num = 0
4 num = 1
5 num = 2
6 num = 3
7 num = 4
8 num = 5
9 num = 6
10 num = 7
...

Obviously there are two primary problems with this approach. First, it
can have up to 86 points if the string of numbers is long enough (too
bad you can't cap the total score of the filter). Secondly, it
benefits senders by one point with just 3 successive numbers in their
address.

I'm thinking that some autoreply/auto-ticket systems might trip this
filter though if they use the address instead of something in the
subject line to track a communication. This might be the same type of
reason that some spammers use this...they might be cleaning their list
with the bounces that get through HELO???

Who knows, maybe it's worth a try if you are really that interested in
exploring whether or not the real thing would work??? Real-people
E-mail shouldn't be failing too many other tests, and the automated
stuff suffers greatly. Maybe having 3 numbers only in an E-mail
address is something that rarely happens with spam???

Matt




RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
Sorry, I've no great insight on the positive uses of this test, but I can
point out another exception.  E-mail enabled pagers and RIM Blackberries
often have their phone number as the e-mail address @TheProviderDomain.com
instead of or in addition to the subscriber's name.

Andrew.


RE: [Declude.JunkMail] New test request

2003-09-10 Thread Robert Grosshandler



maybe a bad idea -

We send out e-mail that has a Variable Return Address, so that we can
handle bounces well. In our case, that address is a combo of letters and
numbers (lots of numbers sometimes). And, we work hard to make sure our
mail is all requested!

Other legit mailers use something similar. It does suggest the mail comes
from a mailing list, but doesn't help to separate legit from spam.

Rob


www.iGive.com

  not convinced that this would be a very clear marker for spam though
  (depends on what the automated real stuff does), but you could probably
  set up a filter to test the theory

  First create a filter file test and score it as a negative 2:


RE: [Declude.JunkMail] New test request

2003-09-10 Thread John Tolmachoff \(Lists\)
OK, my suggested weights are too high.

Remember, the point of this test is to be used in the weighting system only.

Pagers have 10 numbers, so I would actually start at either 11 or 15. 

An old CompuServe address will most likely not be failing other tests to
where this one would put it over. How many numbers do those addresses have
in them?

I am thinking say if 11 numbers, add weight of 5. If 20 numbers, then add 15
more.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com




RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
Here are some examples of mailing lists that have lots of numbers (and
letters) in the MAILFROM.  You may find that you'll have to put in a
counterweight every time a user reports that they're missing mail when they
sign up for a newsletter.

Andrew 8)

p.s. I've deliberately munged the addresses a little to make sure that our
actual recipients won't get their newsletter interfered with because it was
posted to a public forum.

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


Re: [Declude.JunkMail] New test request

2003-09-10 Thread Matthew Bramble
Dan Patnode wrote:

Good point,

The goal then should be to differentiate numbers used as codes from numbers used to confuse.  The former tend to be contiguous while the latter (in my experience) tend to be mixed in with letters.  Perhaps if the test counted numbers with letters on both sides?

Dan

If you are looking for gibberish, look to the subject line and not the 
sender.  I actually have a decent test for this in the subject line 
(don't use it in the body).  The only false positives would come from 
very strange acronyms and auto-generated code such as tracking/receipt 
numbers.  This scores higher the more gibberish you catch.  It's been 
safe so far for me.

GIBBERISHSUB   filter   C:\IMail\Declude\GibberishSub.txt   x  1  0

SUBJECT  2  CONTAINS  qb
SUBJECT  2  CONTAINS  qc
SUBJECT  2  CONTAINS  qd
SUBJECT  2  CONTAINS  qe
SUBJECT  2  CONTAINS  qf
SUBJECT  2  CONTAINS  qg
SUBJECT  2  CONTAINS  qh
SUBJECT  2  CONTAINS  qi
SUBJECT  2  CONTAINS  qj
SUBJECT  2  CONTAINS  qk
SUBJECT  2  CONTAINS  qm
SUBJECT  2  CONTAINS  qn
SUBJECT  2  CONTAINS  qo
SUBJECT  2  CONTAINS  qp
SUBJECT  2  CONTAINS  qr
SUBJECT  2  CONTAINS  qs
SUBJECT  2  CONTAINS  qt
SUBJECT  2  CONTAINS  qv
SUBJECT  2  CONTAINS  qx
SUBJECT  2  CONTAINS  qy
SUBJECT  2  CONTAINS  qz
SUBJECT  2  CONTAINS  vq
SUBJECT  2  CONTAINS  wq
SUBJECT  2  CONTAINS  tq
SUBJECT  2  CONTAINS  jq
SUBJECT  2  CONTAINS  xd
SUBJECT  2  CONTAINS  xj
SUBJECT  2  CONTAINS  xk
SUBJECT  2  CONTAINS  xr
SUBJECT  2  CONTAINS  xz
SUBJECT  2  CONTAINS  zb
SUBJECT  2  CONTAINS  zc
SUBJECT  2  CONTAINS  zf
SUBJECT  2  CONTAINS  zj
SUBJECT  2  CONTAINS  zk
SUBJECT  2  CONTAINS  zl
SUBJECT  2  CONTAINS  zm
SUBJECT  2  CONTAINS  zx




RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
JT Pagers have 10 numbers, so I would actually start at either 11 or 15. 

JT An old CompuServe address will most likely not be failing other tests to
JT where this one would put it over. How many numbers do those addresses have
JT in them?

Nine digits, e.g [EMAIL PROTECTED] (that was mine for 5 years before they
really had an Internet gateway...)

Andrew 8)


Re: [Declude.JunkMail] New test request

2003-09-10 Thread Matthew Bramble




I wouldn't consider that to be spam. Amazon? Travelocity? Yahoo
Groups?

Most of these are opt-in sources (by way of membership or purchase),
and doing the bounce test that they are doing is in fact responsible
use of commercial E-mail. If you are going to monitor for failed
receivers, that means that your server isn't moving and you become a
static target for the lists and heuristic filters. It's too bad that
everyone doesn't do this.

I'd much rather have a filter that detects no displayable text, or only
searches decoded-non-HTML body text. Testing for that stuff would be a
negative weight on my system...that's the F-P type of stuff that I'm
trying to solve.

Matt




RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
MB GIBBERISHSUB   filter   C:\IMail\Declude\GibberishSub.txt   x  1  0

MB SUBJECT  2  CONTAINS  qb
(snip)

This looks good, Matthew.

The weight is low enough to be cautious, and I suspect the only false
positives you will get are on subject lines with that raw
=?ISO-8859-1?B?UmU6U2lsZG stuff.

(For those new to the party, Scott confirmed earlier that with declude.exe
v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are
not decoded to US-ASCII before applying a SUBJECT text match.)

Andrew 8)
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] New test request

2003-09-10 Thread John Tolmachoff (Lists)
In your examples, I only see 4 that would be FP under this, the ones from
microsoft.com, unitedmedia.com, yahoo groups, and Travelocity.com.

newsletters.microsoft.com is already in a whitefilter.
Yahoo groups are already in a whitefilter for known problems.
Travelocity is a legit company, and therefore could go in a whitefilter.
comicsmail.unitedmedia.com is something that can go into a whitefilter.

The point is, someone can always come up with examples of how it can be used
and how it would cause problems. Maybe it means at 15 add 5 and at 25 add
another 10.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Wednesday, September 10, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [Declude.JunkMail] New test request
 
 Here's some examples of mailing lists that have lots of numbers (and
 letters) in the MAILFROM.  You may find that you'll have to put in a
 counterweight every time a user reports that they're missing mail when they
 sign up for a newsletter.
 
 Andrew 8)
 
 p.s. I've deliberately munged the addresses a little to make sure that our
 actual recipients won't get their newsletter interfered with because it was
 posted to a public forum.


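The MAILFROM heuristic discussed above (Dan's idea of counting digits that have letters on both sides, and John's tiered weights of +5 at 15 and another +10 at 25), as an added worked example. This is not Declude code; applying John's tiers to the flanked-digit count rather than to a plain digit count is an assumption made here, and the sample addresses are constructed.

```python
"""Count digits sandwiched between letters in the MAILFROM local part and
turn the count into a tiered weight (added example; not Declude code).

Counting only digits with a letter on each side means a contiguous
tracking or bounce number in a newsletter sender scores nothing, while
letter/digit mixing used to make every sender unique scores highly.
The thresholds follow John's suggestion; tying them to this particular
count is an assumption made for the example.
"""
import re

# A digit preceded and followed by an ASCII letter (lookarounds, so
# consecutive flanked digits such as "a1b2c" both count).
FLANKED_DIGIT = re.compile(r"(?<=[A-Za-z])[0-9](?=[A-Za-z])")


def local_part(mailfrom: str) -> str:
    """Return the text before '@' of a bare or angle-bracketed address."""
    addr = mailfrom.strip().strip("<>")
    return addr.rsplit("@", 1)[0]


def flanked_digit_count(mailfrom: str) -> int:
    """Number of digits in the local part with letters on both sides."""
    return len(FLANKED_DIGIT.findall(local_part(mailfrom)))


def mailfrom_weight(mailfrom: str) -> int:
    """Tiered weight: +5 once the count reaches 15, +10 more at 25."""
    n = flanked_digit_count(mailfrom)
    weight = 0
    if n >= 15:
        weight += 5
    if n >= 25:
        weight += 10
    return weight


if __name__ == "__main__":
    # Constructed sample senders, not addresses from the thread.
    for sender in ("<bounce-12345678-987@lists.example.com>",
                   "list-a1b2c3d@example.com",
                   "x1y2z3a4b5c6d7e8f9g1h2i3j4k5l6m7n8o@example.com"):
        print(sender, flanked_digit_count(sender), mailfrom_weight(sender))
```

Legitimate senders that do mix letters and digits still need the counterweight or whitefilter entries the thread describes; the tiers only keep a single short code from scoring at all.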


Re: [Declude.JunkMail] New test request

2003-09-10 Thread Matthew Bramble
Thanks Andrew...I like my apples :)

Some stuff could be put back in that I took out while testing the filter 
for the body before I found out that it caught attachments.  I was 
careful to take out things like ql because of MSSQL, and I searched a 
dictionary file for matches on the other strings and deleted as was 
necessary, but other deletions were for more obscure reasons.  My only 
concern was tagging an auto-generated serial/tracking number from an 
online receipt, but those should be generally numbers from looking over 
what I have saved from my purchases.

I've gone kind of filter crazy in the last week.  Anytime I see a 
message that should have been rejected, I look it over for patterns to 
match :)  It's really too bad that this same filter doesn't work on the 
body text exclusively...that would tag a lot of the stuff that gets through.

Matt



Colbeck, Andrew wrote:

MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0

MB SUBJECT 2 CONTAINS qb
(snip)
This looks good, Matthew.

The weight is low enough to be cautious, and I suspect the only false
positives you will get are on subject lines with that raw
=?ISO-8859-1?B?UmU6U2lsZG stuff.
(For those new to the party, Scott confirmed earlier that with declude.exe
v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are
not decoded to US-ASCII before applying a SUBJECT text match.)
Andrew 8)
 





Re: [Declude.JunkMail] New test request

2003-09-10 Thread Dan Patnode
Wow, what a sweet idea Matthew!  Applying rules of English (like Q is always followed 
by U) to look for gibberish.   :)

Yea, so long as BODY searches attachments, any small code will sooner or later show up 
in an attachment.  I've even had problems trying hard tests for complete words where 
an L was replaced with an I and it showed up in attachment PDF code.

Dan



On Wednesday, September 10, 2003 13:36, Matthew Bramble [EMAIL PROTECTED] wrote:
Dan Patnode wrote:

Good point,

The goal then should be to differentiate numbers used as codes
from numbers used to confuse.  The former tend to be contiguous
while the later (in my experience), tend to be mixed in with
letters.  Perhaps if the test counted numbers with letters on both sides?

Dan


If you are looking for gibberish, look to the subject line and not the 
sender.  I actually have a decent test for this in the subject line 
(don't use it in the body).  The only false positives would come from 
very strange acronyms and auto-generated code such as tracking/receipt 
numbers.  This scores higher the more gibberish you catch.  It's been 
safe so far for me.


GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0


SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz

SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq

SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz

SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx





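The gibberish-subject filter Matthew posted, together with the false positive Andrew points out (raw =?ISO-8859-1?B?...?= subjects matched before decoding), as an added worked example. This is not Declude's code: it assumes that each CONTAINS line matches at most once per subject, case-insensitively, and that the per-line weight of 2 is summed across matching lines, which is how the thread describes the test scoring "higher the more gibberish you catch". Decoding the RFC 2047 encoded word before matching is the defender's fix for the base64 false positive; the sample subjects are constructed.

```python
"""Score a Subject: header for unlikely letter pairs, modelled on the
GibberishSub filter quoted in this thread (added example, not Declude code).

Assumptions not stated on the page: a CONTAINS line matches at most once
per subject, matching is case-insensitive, and line weights are summed.
"""
from email.header import decode_header, make_header

# The bigram list from Matthew's GibberishSub.txt, one CONTAINS line each.
GIBBERISH_BIGRAMS = (
    "qb qc qd qe qf qg qh qi qj qk qm qn qo qp qr qs qt qv qx qy qz "
    "vq wq tq jq "
    "xd xj xk xr xz "
    "zb zc zf zj zk zl zm zx"
).split()

LINE_WEIGHT = 2  # the "2" in "SUBJECT 2 CONTAINS qb"


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded words (=?charset?B?...?=) to plain text.

    declude.exe 1.75 matched the raw header text instead, which is why
    base64 subjects tripped the filter; decoding first removes that case.
    """
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeDecodeError, LookupError):
        # Unknown charset or malformed encoding: score the raw text.
        return raw


def gibberish_hits(subject: str, decode: bool = True) -> list:
    """Bigrams from the list that occur in the (decoded) subject."""
    text = decode_subject(subject) if decode else subject
    text = text.lower()
    return [bg for bg in GIBBERISH_BIGRAMS if bg in text]


def gibberish_score(subject: str, decode: bool = True) -> int:
    """Summed weight: LINE_WEIGHT for every matching CONTAINS line."""
    return LINE_WEIGHT * len(gibberish_hits(subject, decode))


if __name__ == "__main__":
    # Constructed subjects: a normal one, a gibberish one, and an encoded
    # word whose base64 text contains "zx" although its decoded text does not.
    for subj in ("Re: meeting tomorrow",
                 "Special offer zxqbvq",
                 "=?ISO-8859-1?B?UmU6IFlvdXIgb3JkZXI=?="):
        print(repr(subj), gibberish_score(subj, decode=False),
              gibberish_score(subj))
```

As Matthew notes, this belongs on the subject line only: a BODY filter would also scan base64 attachment text, where every two-letter combination eventually appears.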


Re: [Declude.JunkMail] New Test?

2002-04-25 Thread R. Scott Perry


I was wondering if you could add a new test to Declude JunkMail? This test
could be called similar addresses.

If someone sends a message to multiple addresses and the to, cc or bcc
of all the addresses contain helpdesk@ then I'd think it's a pretty good
bet that it's a spam message.

It is something that we have been considering, but haven't made a decision 
on yet.

Note that the Bcc:'s won't be visible to Declude, so only the To: or Cc: 
header could be used.  Looking at our spamtraps, it looks like only a small 
portion (perhaps 5% to 10%) of the spam is sent with the multiple addresses 
in the To:/Cc: headers.  Making it less useful is that often they are 
similar-but-not-exact names -- such as john123@, john128@, johnny@, 
... which would either minimize the usefulness of the feature, or require 
somewhat sophisticated testing to determine if the addresses were similar 
(which could result in too many false positives if not done well).
-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .



RE: [Declude.JunkMail] New Test?

2002-04-25 Thread Charles Frolick

One problem, I receive very legitimate email to [EMAIL PROTECTED], that is
sent to abuse@ for all domains thought to be involved for spammers and other
issues.  There are cases where someone is just trying to get ahold of
several parties using standard addresses like abuse, hostmaster, postmaster,
etc.

Chuck Frolick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Helpdesk
Sent: Thursday, April 25, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New Test?


Scott,

I was wondering if you could add a new test to Declude JunkMail? This test
could be called similar addresses.

If someone sends a message to multiple addresses and the to, cc or bcc
of all the addresses contain helpdesk@ then I'd think it's a pretty good
bet that it's a spam message.

For example I just received a spam message to

[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]

Any thoughts?

Later,
Greg





Re: [Declude.JunkMail] New Test?

2002-04-25 Thread Helpdesk

on 4/25/02 11:40 AM, R. Scott Perry wrote:

 Looking at our spamtraps, it looks like only a small
 portion (perhaps 5% to 10%) of the spam is sent with the multiple addresses
 in the To:/Cc: headers.  Making it less useful is that often they are
 similar-but-not-exact names -- such as john123@, john128@, johnny@,
 ... which would either minimize the usefulness of the feature, or require
 somewhat sophisticated testing to determine if the addresses were similar
 (which could result in too many false positives if not done well).

I think you shouldn't worry about the similar-but-not-exact names case, only
the exact names case. If all the addresses are the same name (and there are 3
or more) then I think it would have to be a spam message (unless someone can
think of a case where that wouldn't be true).

Thanks,

Greg




Re: [Declude.JunkMail] New Test?

2002-04-25 Thread R. Scott Perry


I think you shouldn't worry about the similar-but-not-exact names case, only
the exact names case. If all the addresses are the same name (and there are 3
or more) then I think it would have to be a spam message (unless someone can
think of a case where that wouldn't be true).

In a manual review of 20 E-mails from our spamtrap, only 1 had multiple 
instances of the same or similar E-mail accounts.  It looks like about 1/3 
of the spams with multiple same-or-similar addresses are ones where there 
are multiple copies of the same account name; the other 2/3rds are 
similar.  So we're talking about maybe 1-2% of spam that could get 
caught.  Still, aside from the abuse@/postmaster@ issue (which could easily 
be dealt with), it would likely have an extremely low false positive rate.
-Scott
