Re: [Declude.JunkMail] New Test possibility
> With Declude removing the data between the in HTML messages to get the correct wording. Deasdsdasdadlude = Declude. Would a test that counts and/or totals the number of characters between a single asd or all the aaa's in a message be a viable new test.

That is a good idea (and one we're already working on). We already calculate the percentage of hidden characters (HTML code) to the total number of characters, but aren't doing anything with it yet (except logging it at the debug level).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Test Idea
This was kind of suggested when the SURBL came out. Do you use the SURBL code.

I don't know if anyone is interested but I've got a batch file that goes through last month's logs (it works on log level high) and pulls out all matches for a Body URL filter. It can help trim the deadwood. I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 06/11/04 01:12PM

Would it be possible for declude to do DNS lookups on the urls in the body of the email message and then run the IP address against an ipfile or a filter file using remoteip? This would defeat the registering of tons of domains that a lot of times point back to the same web server. It is easy to find the netblocks that the large discount web hosting companies use so using the remoteip 0 cidr could be used better in the weighting system.

For example: Servpath out of San Francisco has these netblocks, a lot of legit (i hate using that term here) email marketing spam comes from these netblocks (so much that I block them out right because my users aren't allowed to use their email for non business purposes) but for the sake of this example weight could be added to a message if a URL in the body translated to an IP in these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective, have it run with the DNS tests and before the filters so it could be used in testsfailed end lines

My list of URLs is getting huge and I am sure a lot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
@echo off
rem
rem Credit for portions of this code go to [EMAIL PROTECTED]
rem
rem These settings must be done (SETTINGS section below) before the script is used:
rem v_path: path to this folder
rem v_logpath: path to the logs
rem v_maxweight: filter max weight (blank or 0 if no max weight should be used)
rem and filter entry weight (defaults to 0 if blank)
rem v_skipweight: filter skip weight (blank or 0 if filter never should be skipped)
rem v_filter: name of the Declude Filter as it appears in the log
set v_maxweight=80
set v_skipweight=240
set v_path=d:\imail\declude\fpfilters
set v_logpath=d:\logs\junkmail
set v_filter=BODYURL-KEYWORDS
rem --- Check settings and change current folder (or exit if path is incorrect): ---
set v_result=ok
if "%v_maxweight%"=="" set v_maxweight=0
if "%v_skipweight%"=="" set v_skipweight=0
if not exist %v_path%\nul (set v_result=path error) & (goto :s_end)
if not exist %v_logpath%\nul (set v_result=log path error) & (goto :s_end)
cd /d %v_path%
Rem --- Get the date for the Log
for /f "tokens=*" %%a in ('date /t') do set v_time=%%a
for /f "tokens=*" %%b in ('time /t') do set v_time=%v_time% %%b
Rem --- Get the previous month
for /f "tokens=1-2 delims=/ " %%a in ('date /t') do set v_Current_month=%%b
if %V_current_month%==01 set v_Previous_month=12
if %V_current_month%==02 set v_Previous_month=01
if %V_current_month%==03 set v_Previous_month=02
if %V_current_month%==04 set v_Previous_month=03
if %V_current_month%==05 set v_Previous_month=04
if %V_current_month%==06 set v_Previous_month=05
if %V_current_month%==07 set v_Previous_month=06
if %V_current_month%==08 set v_Previous_month=07
if %V_current_month%==09 set v_Previous_month=08
if %V_current_month%==10 set v_Previous_month=09
if %V_current_month%==11 set v_Previous_month=10
if %V_current_month%==12 set v_Previous_month=11
Rem --- Extract loglines containing Triggered Contains Filter (filter name)
if exist bodyurl.loglines.txt erase bodyurl.loglines.txt
Rem
Rem Previous Month's logs in the folder code
Rem
findstr /i Triggered.CONTAINS.Filter.%v_filter% %v_logpath%\dec%v_Previous_month%*.log > bodyurl.loglines.txt
Rem
Rem All logs in the folder code
Rem
Rem findstr /i Triggered.CONTAINS.Filter.%v_filter% %v_logpath%\dec*.log > bodyurl.loglines.txt
Rem --- Extract domain names from filter file
if exist bodyurl.domains.txt erase bodyurl.domains.txt
for /f "tokens=9" %%i in ('findstr /i /r /V FILTER-BYPASS bodyurl.loglines.txt') do echo %%i >> bodyurl.domains.txt
rem --- Sort the domain file
if exist bodyurl.sorted.txt erase bodyurl.sorted.txt
sort bodyurl.domains.txt /o bodyurl.sorted.txt
rem --- Dedup sorted file
if exist bodyurl.dedup.txt erase bodyurl.dedup.txt
setlocal
set infile=bodyurl.sorted.txt
set outfile=bodyurl.dedup.txt
type nul > %outfile%
for /f "tokens=1* delims=:" %%a in (
'type %infile% ^| sort ^| findstr /n /v /c:"CoLoRlEsS gReEn IdEaS"'
) do call :dedup %%a %%b
endlocal
goto :Makefilter

:dedup
set curr_rec=%2
if [%curr_rec%]==[] set curr_rec=$$$blankline$$$
set
Re: [Declude.JunkMail] New Test Idea
I downloaded the surbl code but have not implemented it yet cause of all the monkey business associated with it, I am working on getting it going

thanks for that batch file!

Rick Davidson
National Systems Manager
North American Title Group

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 3:03 PM
Subject: Re: [Declude.JunkMail] New Test Idea

This was kind of suggested when the SURBL came out. Do you use the SURBL code.

I don't know if anyone is interested but I've got a batch file that goes through last month's logs (it works on log level high) and pulls out all matches for a Body URL filter. It can help trim the deadwood. I've attached it renamed as a .txt file.

Scott Fisher
Director of IT
Farm Progress Companies

[EMAIL PROTECTED] 06/11/04 01:12PM

Would it be possible for declude to do DNS lookups on the urls in the body of the email message and then run the IP address against an ipfile or a filter file using remoteip? This would defeat the registering of tons of domains that a lot of times point back to the same web server. It is easy to find the netblocks that the large discount web hosting companies use so using the remoteip 0 cidr could be used better in the weighting system.

For example: Servpath out of San Francisco has these netblocks, a lot of legit (i hate using that term here) email marketing spam comes from these netblocks (so much that I block them out right because my users aren't allowed to use their email for non business purposes) but for the sake of this example weight could be added to a message if a URL in the body translated to an IP in these ranges.

remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18

It seems to me that it could be pretty effective, have it run with the DNS tests and before the filters so it could be used in testsfailed end lines

My list of URLs is getting huge and I am sure a lot of them are obsolete now.

What do you think? Doable?

Rick Davidson
National Systems Manager
North American Title Group
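The test proposed in this thread (resolve the hosts of body URLs, then weigh the message by the netblock each address falls in), sketched as an added Python example. It is not Declude functionality or code from any poster; the rule-line reading, the function names, the .example domains and their addresses are assumptions constructed for illustration, and DNS is stubbed so the example runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The two rule lines quoted in the post, read here as
# "<field> <weight> cidr <netblock>" (an assumed reading of the syntax).
RULES_TEXT = """\
remoteip 10 cidr 64.151.64.0/19
remoteip 10 cidr 69.59.128.0/18
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_rules(text):
    """Return [(weight, network)] from 'remoteip <weight> cidr <netblock>' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 4 and parts[0].lower() == "remoteip"
                and parts[2].lower() == "cidr"):
            rules.append((int(parts[1]), ipaddress.ip_network(parts[3])))
    return rules


def url_hosts(body):
    """Unique, lower-cased host parts of the http(s) URLs in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.rstrip("."))
    return sorted(hosts)


def score_body(body, rules, resolve):
    """Weigh a body by the netblocks its URL hosts resolve into.

    resolve(host) returns an iterable of IP strings. Each netblock adds its
    weight at most once per message, however many domains point into it,
    which is the case the post cares about: many throwaway domains, one host.
    """
    total, hits, counted = 0, [], set()
    for host in url_hosts(body):
        try:
            addrs = [ipaddress.ip_address(host)]  # URL used a literal IP
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        for addr in addrs:
            for weight, net in rules:
                if addr in net:
                    hits.append((host, str(addr), str(net)))
                    if net not in counted:
                        counted.add(net)
                        total += weight
    return total, hits


# Constructed sample data: hypothetical domains, with addresses picked inside
# (or outside) the post's netblocks purely for illustration.
SAMPLE_DNS = {
    "cheap-meds.example": ["64.151.70.9"],
    "refi-today.example": ["64.151.70.9"],
    "newsletter.example": ["192.0.2.10"],
}


def sample_resolve(host):
    # Stand-in for a real lookup (e.g. socket.getaddrinfo).
    return SAMPLE_DNS.get(host, [])


SAMPLE_BODY = """\
<a href="http://cheap-meds.example/buy?id=1">Order now</a>
<a href="http://REFI-TODAY.example/apply">Apply</a>
<img src="http://newsletter.example/logo.gif">
Visit http://69.59.130.1/track for details
"""

if __name__ == "__main__":
    total, hits = score_body(SAMPLE_BODY, parse_rules(RULES_TEXT), sample_resolve)
    print("weight added:", total)
    for hit in hits:
        print(hit)
```

Two different domains resolving to the same address in 64.151.64.0/19 add that block's weight once, so the score does not depend on keeping a list of individual URLs current.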
Re: [Declude.JunkMail] New test
on 4/21/04 2:35 PM, ISPHuset Nordic wrote:

> And how do you can the spam if it's a legitimate user?

We delete it. Spam is spam no matter who sends it.

Later,
Greg
Re: [Declude.JunkMail] New test
on 4/20/04 3:16 PM, Matt wrote:

> NOTCONTAINS would be incredibly helpful for lots of filters, though of course all forms of NOT filters would be good addition, but NOTCONTAINS is the most flexible and therefore capable, especially to defeat a counterbalancing filter so that it doesn't credit too much.

I agree 100%!

> I'm sure you probably have a reason for this, but you might consider whitelisting your own address space and using Hijack for spam prevention. If you were on IMail 8, WHITELIST AUTH and PREWHITELIST ON wouldn't be bad ideas either if you required AUTH.

We're an ISP and we believe we can't whitelist our addresses and we definitely can't require authentication.

> I believe that Entourage on a Mac will fail CMDSPACE,

No, you misread one of my original messages when CMDSPACE was released and have continued to state that Entourage on a Mac will fail CMDSPACE when that is not true.

> least sometimes fail this new HELOIP test,

Yes, Microsoft's Entourage (Mac) and Apple's Mail both fail the new HELOISIP test. If I get some time I may install some other Mac OS X e-mail clients to see if they fail the same test. That might let me know if the problem is an e-mail client problem or a Unix (BSD under the Mac interface) problem.

By the way, have you fixed the problem with your external size program?

Later,
Greg
RE: [Declude.JunkMail] New test
Hello Sysadmin,

it would be nice, if you could use a real name.

> We're an ISP and we believe we can't whitelist our addresses and we definitely can't require authentication.

Why not? We do the same job, and I thought the same. But if all would think so, we will never get of the spammers. So (about 1,5 years ago) I decided to _require_ Auth, and we informed our customers about it. Some of them asked, most not. Tell them, they will get 10% less Spam, if you will require Auth, and they will love it :))

Alex
RE: [Declude.JunkMail] New test
> We're an ISP and we believe we can't whitelist our addresses and we definitely can't require authentication.

If you haven't your own network (ISP backbone) or users connecting from a defined range of IP's you SHOULD switch to SMTP-AUTH and you CAN prepare some useful how-to pages, then inform your customers and give them some weeks to adapt the settings. With a little bit log-parsing you can also identify users that haven't enabled yet SMTP-AUTH and send them an additional alert.

Markus
Re: [Declude.JunkMail] New test
on 4/21/04 11:17 AM, John Tolmachoff (Lists) wrote:

> Why are you so much different than other ISPs that you can not force authentication?

Try to imagine having to contact thousands of subscribers and walk them through changing their settings. Even if we only took a minute to help each subscriber (and I can guarantee you a minute isn't even close to the time it would take to help our subscribers) we're looking at 5+ 24 hour days doing nothing but that.

> If you really think about it, if you are not forcing authentication, you are ripe to allowing spamming and run-away viruses.

Why? Could you please explain that logic to me as I don't understand it. We don't seem to be listed on any spam databases, see http://www.dnsstuff.com/tools/ip4r.ch?ip=12.4.184.4 .

Later,
Greg
RE: [Declude.JunkMail] New test
>> Why are you so much different than other ISPs that you can not force authentication?
>
> Try to imagine having to contact thousands of subscribers and walk them through changing their settings. Even if we only took a minute to help each subscriber (and I can guarantee you a minute isn't even close to the time it would take to help our subscribers) we're looking at 5+ 24 hour days doing nothing but that.

I, as well as every one else, understands that. What you need to do is formulate a plan to implement over say a month. Start with broadcast announcements and such. Then, start migrating your users in blocks. Yes, it would be a lot of work. But the results are worth it.

>> If you really think about it, if you are not forcing authentication, you are ripe to allowing spamming and run-away viruses.
>
> Why? Could you please explain that logic to me as I don't understand it.

I assume you are relaying for addresses in Imail SMTP. (If you are relaying for users or domains, you have no idea about relay settings.) That means that any one using one of those addresses can send out millions of spam e-mails through your server and there is nothing you can do about it. This includes users that may have viruses on their computers, and are now acting as robots.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] New test
John,

Dial-up ISP's, especially smaller ones, are very unlikely to be targeted by spammers due to the dynamic nature of the IP space. There one minute, gone the next...and the bandwidth sucks. Almost all viruses don't use mail servers to spread, so SMTP AUTH won't stop them either, but blocking port 25 would along with a host of other techniques which are less restrictive on legitimate use such as monitoring/automatic shutoff of accounts.

I looked up Greg's IP space in SenderBase and there are absolutely no signs of dial-up IP's leaking spam or viruses, and only his MX servers have any SpamCop hits, and these might be primarily related to his gateway accepting all locally addressed mail which then might get bounced by his primary IMail server for being unaddressable (I'm guessing here based on his lone abuse newsgroup listing). Even I have this problem currently due to software limitations, and it's going to cost me a good deal of money and time to create a work around so that I can do envelope rejection on the gateways.

Overall I would say he's about as clean as they come and there's no cause for alarm.

Matt

John Tolmachoff (Lists) wrote:

>>> Why are you so much different than other ISPs that you can not force authentication?
>>
>> Try to imagine having to contact thousands of subscribers and walk them through changing their settings. Even if we only took a minute to help each subscriber (and I can guarantee you a minute isn't even close to the time it would take to help our subscribers) we're looking at 5+ 24 hour days doing nothing but that.
>
> I, as well as every one else, understands that. What you need to do is formulate a plan to implement over say a month. Start with broadcast announcements and such. Then, start migrating your users in blocks. Yes, it would be a lot of work. But the results are worth it.
>
>>> If you really think about it, if you are not forcing authentication, you are ripe to allowing spamming and run-away viruses.
>>
>> Why? Could you please explain that logic to me as I don't understand it.
>
> I assume you are relaying for addresses in Imail SMTP. (If you are relaying for users or domains, you have no idea about relay settings.) That means that any one using one of those addresses can send out millions of spam e-mails through your server and there is nothing you can do about it. This includes users that may have viruses on their computers, and are now acting as robots.
>
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] New test
>> That means that any one using one of those addresses can send out millions of spam e-mails through your server and there is nothing you can do about it.
>
> How is that statement correct? We scan all outgoing messages for spam and viruses and delete them if a message contains one or both.

I made a general warning cautionary warning statement. From the research that Matt did and the fact that you are actively scanning all outgoing messages, you are taking the needed steps to minimize the possible problem. If your IPs are all or mostly used by dialup users, that in itself, as Matt pointed out, greatly reduces the possible problem.

Again, it was meant as a general warning.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] New test
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of System Administrator
Sent: 21. april 2004 20:20
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

> on 4/21/04 1:40 PM, John Tolmachoff (Lists) wrote:
>
>> I assume you are relaying for addresses in Imail SMTP.
>
> Correct.
>
>> That means that any one using one of those addresses can send out millions of spam e-mails through your server and there is nothing you can do about it.
>
> How is that statement correct? We scan all outgoing messages for spam and viruses and delete them if a message contains one or both.

And how do you can the spam if it's a legitimate user?

As long as you don't require authentication with a user name and password I can send an email through your server as long as I have the correct address.

We had the same problem for about 2 years ago. Solved it by using the mailall function in Imail giving them a mail that they had to do changes so and so to use our mailserver to send through. Out of 140 000 mailaccounts we had around 150 contacting us by phone the first 2 - 3 days after that it was going as usual.

Don't make the problem bigger than it is.

Benny
Re: [Declude.JunkMail] New test
System Administrator wrote:

> on 4/19/04 5:30 PM, David Dresler wrote:
>
>> For the most part, its a great new test and is working well. However, i've noticed that Entourage seems to be getting caught.
>
> Yes, I can confirm this (I'm using Entourage). I've also noticed that some other e-mail clients are having the same problem (Apple's Mail for one).

I'm going to try to have a new release, with refined logic, ready later this week. Other priorities make it impossible to promise anything, but I'll give it the old college try.

--
---
illigitimi non carborundum
---
Bud Durland, CNE
Mold-Rite Plastics
Network Administrator
http://www.mrpcap.com
---
Re: [Declude.JunkMail] New test
Greg,

NOTCONTAINS would be incredibly helpful for lots of filters, though of course all forms of NOT filters would be good addition, but NOTCONTAINS is the most flexible and therefore capable, especially to defeat a counterbalancing filter so that it doesn't credit too much. I've been holding back on asking about this again (along with other NOT's), but since you mentioned it...

As far as your issue is concerned, I'm sure you probably have a reason for this, but you might consider whitelisting your own address space and using Hijack for spam prevention. If you were on IMail 8, WHITELIST AUTH and PREWHITELIST ON wouldn't be bad ideas either if you required AUTH.

For anyone doing filtering on things like HELO, REVDNS, CMDSPACE and SPAMHEADERS, it helps to exclude hosted/outgoing traffic from such filters. I believe that Entourage on a Mac will fail CMDSPACE, at least sometimes fail this new HELOIP test, and it's possible that they will also fail SPAMHEADERS if you don't turn off scoring hits on a missing Message-ID (Outlook 2003 fails this on a direct connection at least, and it seems that Entourage has many of the same behaviors). Just a general FYI since some around here might not have happened upon these issues.

Matt

System Administrator wrote:

> on 4/19/04 5:30 PM, David Dresler wrote:
>
>> For the most part, its a great new test and is working well. However, i've noticed that Entourage seems to be getting caught.
>
> Yes, I can confirm this (I'm using Entourage). I've also noticed that some other e-mail clients are having the same problem (Apple's Mail for one).
>
> I sure wish (here I go again) that we could have a NOTCONTAINS filter action. If we had that command we (an ISP) could use this test and the CMDSPACE test with filters like
>
> LOCALHELOISIP
> -
> SKIPIFWEIGHT 100
> TESTSFAILED END NOTCONTAINSHELOISIP
> REMOTEIP -10 CONTAINS (an ACS subnet)
> REMOTEIP -10 CONTAINS (another ACS subnet)
>
> LOCALCMDSPACE
> -
> SKIPIFWEIGHT 100
> TESTSFAILED END NOTCONTAINSCMDSPACE
> REMOTEIP -10 CONTAINS (an ACS subnet)
> REMOTEIP -10 CONTAINS (another ACS subnet)
>
> to neutralize the failed HELOISIP and CMDSPACE tests for my local users (due to the e-mail client they are using).
>
> Later,
> Greg

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
RE: [Declude.JunkMail] New test
> ... when many of the tests could be wrapped by SpamAssassin custom rules ...

The only thing I fear, is that as soon as SA will have such a rule spammers will immediately rewrite their SW (or better said email worms) and don't use anymore IP-like HELO strings.

Markus
Re: [Declude.JunkMail] New test
Matt wrote:

> I have a few suggestions that you might want to consider. The first one would be to skip processing of the message and just have Declude pass off the HELO as an argument to your script. This can be done with %HELO%. This will speed processing and ensure that the HELO comes in the proper context. Declude can be configured for IPBYPASS settings which are used to skip over gateway mail servers and forwarding servers so that you have the HELO of the computer that is actually sending the E-mail.

That's a great idea! Not sure why I didn't think of that in the initial implementation

> Combining both of your tests into one program instead of two would also be useful. You can use any code over 10 for this. Declude also will only call the script once if the command is the same, and it will determine which test would be failed based on the result code that is returned.

For a non-zero test, I thought any non-zero result evaluates the same. I have considered configuring it to take a parameter to determine if the X test should be used.

> The last thing that I'm not very clear about is the logic of the detection.

Fairly straight forward: for HELOISIP, convert dashes (-) to dots ., strip out anything that's not a number or a dot, see if there's 4 octets of numbers <= 255. I'm not sure why Serge's example failed, I'll test later today. It is possible that there would be a FP from a host name like host11.rack2.location3.bldg4.example.com. His example (alias-1.c10-ave-mta1.cnet.com) should have become 1.10.1, and not failed the test -- only 3 numbers. The HELOISIPX test only does the last step -- no tinkering with the content first.

> I have a custom filter called DYNAMIC listed in the beta section of my site

Unfortunately, I don't have JM pro, so...

> It's extremely unlikely that you would miss detecting a zombie using the reverse DNS entry as the HELO if you ignored hits below 20 because there aren't many ISP class A's in use below that level (I think just IBM), and you have 4 chances to hit a number above 20.

You're right, although ATT is in there as well, and they have a few internet customers, I think.

> The pattern that you identified is of course a very nice addition to spam fighting. Thanks!

We all try to do our part; thanks for the kind words and good suggestions!

--
---
illigitimi non carborundum
---
Bud Durland, CNE
Mold-Rite Plastics
Network Administrator
http://www.mrpcap.com
---
RE: [Declude.JunkMail] New test
These headers didn't trigger the HELOISIP test. It looks to me like they should have. Any Ideas?

Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44] by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
Received: from iowiekwaoakkwjehckckw.com (iowiekwaoakkwjehckckw.com [20.214.235.110]) by adsl-63-202-107-44.dsl.lsan03.pacbell.net (Postfix) with ESMTP id 24CB5D66BE for [EMAIL PROTECTED]; Mon, 19 Apr 2004 11:36:16 -0400
Date: Mon, 19 Apr 2004 11:36:16 -0400
From: Counsellors T. Dissenters [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.0) Personal
Reply-To: [EMAIL PROTECTED]
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: Newlandj [EMAIL PROTECTED]
Subject: A|D|V 1adies tthat wannt to encounter 5trangers
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
X-RBL-Warning: MAILFROM: Domain iowiekwaoakkwjehckckw.com has no MX or A records [0301]. [2-26-d000]
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 10. [2-37-12800]
X-RBL-Warning: WEIGHT10: Weight of 32 reaches or exceeds the limit of 10. [2-38-13000]
X-RBL-Warning: WEIGHT20: Weight of 32 reaches or exceeds the limit of 28. [2-41-14800]
X-Declude-Sender: [EMAIL PROTECTED] [63.202.107.44]
X-Spam-Tests-Failed: SORBS-DUHL, MAILFROM, SPAMCHK, WEIGHT10, WEIGHT20 [32]
Re: [Declude.JunkMail] New test
Jason wrote:

> These headers didn't trigger the HELOISIP test. It looks to me like they should have. Any Ideas?
>
> Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44] by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500

Because of the 'lsan03', the numeric characters in the host name boil down to 63.202.107.44.03. I'm thinking about how best to make this type of entry fail, without jacking up the risk of a false positive.

--
---
illigitimi non carborundum
---
Bud Durland, CNE
Mold-Rite Plastics
Network Administrator
http://www.mrpcap.com
---
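The HELOISIP and HELOISIPX checks as they are described in this thread, written out as an added Python example and run on the three host names the thread mentions. This is not Bud Durland's program, whose source is not shown here; the function names are made up, an octet is taken to mean a value no larger than 255, and `has_adjacent_quad` is an assumed refinement that nobody in the thread proposed.

```python
import re


def numeric_groups(helo):
    """Normalisation described in the thread: dashes become dots, anything
    that is not a digit or a dot is dropped, and the digit runs are kept."""
    s = helo.replace("-", ".")
    s = re.sub(r"[^0-9.]", "", s)
    return [g for g in s.split(".") if g]


def heloisip(helo):
    """Fail (True) when the normalised HELO is exactly four octets."""
    groups = numeric_groups(helo)
    return len(groups) == 4 and all(int(g) <= 255 for g in groups)


def heloisipx(helo):
    """Only the last step: the HELO as sent must already be four octets."""
    parts = helo.split(".")
    return len(parts) == 4 and all(
        re.fullmatch(r"[0-9]{1,3}", p) and int(p) <= 255 for p in parts
    )


# Assumed refinement, not from the thread: require four octets that sit next
# to each other in the original name, separated only by single dashes or dots.
# The outer lookahead lets the scan restart at every digit run.
_QUAD = re.compile(
    r"(?<![0-9])(?=([0-9]{1,3})[-.]([0-9]{1,3})[-.]([0-9]{1,3})[-.]([0-9]{1,3})(?![0-9]))"
)


def has_adjacent_quad(helo):
    return any(
        all(int(octet) <= 255 for octet in m.groups())
        for m in _QUAD.finditer(helo)
    )


# Host names taken from the messages in this thread.
SAMPLES = [
    "alias-1.c10-ave-mta1.cnet.com",             # three numbers: passes
    "adsl-63-202-107-44.dsl.lsan03.pacbell.net",  # five numbers: missed
    "host11.rack2.location3.bldg4.example.com",   # four numbers: false positive
]


def compare(helo):
    """Results of all three checks for one HELO string."""
    return {
        "groups": ".".join(numeric_groups(helo)),
        "heloisip": heloisip(helo),
        "heloisipx": heloisipx(helo),
        "adjacent_quad": has_adjacent_quad(helo),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, compare(name))
```

Requiring the four octets to be adjacent catches the pacbell.net name despite the extra `03` and no longer fires on the rack/location/bldg name, but it is still a naming heuristic: it says nothing about hosts whose names encode the address some other way.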
Re: [Declude.JunkMail] New test
You should be fine as long as you don't do matches on numbers below 20, or at least that is my experience. I'm thinking that you created this exception in order to head off that problem. Minimally it's worth a try.

Matt

Bud Durland wrote:

> Jason wrote:
>
>> These headers didn't trigger the HELOISIP test. It looks to me like they should have. Any Ideas?
>>
>> Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44] by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
>
> Because of the 'lsan03', the numeric characters in the host name boil down to 63.202.107.44.03. I'm thinking about how best to make this type of entry fail, without jacking up the risk of a false positive.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
Re: [Declude.JunkMail] New test
Will Heloisp run on NT ...I do not see any activity in task manager or in the declude logslog level MID

At 01:57 PM 4/19/2004 -0400, you wrote:

> You should be fine as long as you don't do matches on numbers below 20, or at least that is my experience. I'm thinking that you created this exception in order to head off that problem. Minimally it's worth a try.
>
> Matt
>
> Bud Durland wrote:
>
>> Jason wrote:
>>
>>> These headers didn't trigger the HELOISIP test. It looks to me like they should have. Any Ideas?
>>>
>>> Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44] by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500
>>
>> Because of the 'lsan03', the numeric characters in the host name boil down to 63.202.107.44.03. I'm thinking about how best to make this type of entry fail, without jacking up the risk of a false positive.
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com
RE: [Declude.JunkMail] New test
Don't know about NT4, but we are running it on Win2k using log level low and it is working well. I don't see it come up in the task manager either, but it is running.

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Brooks
Sent: Monday, April 19, 2004 1:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

Will Heloisp run on NT ... I do not see any activity in task manager or in the declude logs
log level MID

At 01:57 PM 4/19/2004 -0400, you wrote:

You should be fine as long as you don't do matches on numbers below 20, or at least that is my experience. I'm thinking that you created this exception in order to head off that problem. Minimally it's worth a try.

Matt

Bud Durland wrote:

Jason wrote:

These headers didn't trigger the HELOISIP test. It looks to me like they should have. Any Ideas?

Received: from adsl-63-202-107-44.dsl.lsan03.pacbell.net [63.202.107.44] by areatech.com (SMTPD32-7.14) id A37557AB0118; Mon, 19 Apr 2004 10:42:45 -0500

Because of the 'lsan03', the numeric characters in the host name boil down to 63.202.107.44.03. I'm thinking about how best to make this type of entry fail, without jacking up the risk of a false positive.

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com
Re: [Declude.JunkMail] New test
Glenn Brooks wrote:

Will Heloisp run on NT ... I do not see any activity in task manager or in the declude logs
log level MID

It should run on NT just fine, although I couldn't test it on that platform. No surprise that it's not on the task manager -- it does its thing very quickly and probably doesn't stick around long enough to show up.

--
--- illigitimi non carborundum ---
Bud Durland, CNE
Mold-Rite Plastics Network Administrator
http://www.mrpcap.com
RE: [Declude.JunkMail] New test
Below is an example of headers taken from a false positive using this new test. For the most part, it's a great new test and is working well. However, I've noticed that Entourage seems to be getting caught. This is the second customer of mine that I've noticed getting caught by this and both are using Entourage. Is anyone else seeing this? Thanks for any ideas

Received: from [10.0.0.11] [208.37.231.210] by ilfmedia.com with ESMTP (SMTPD32-7.07) id A0A0C7F0140; Mon, 19 Apr 2004 14:12:00 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Mon, 19 Apr 2004 14:16:46 -0700
Subject: Phone message
From: Rick Delker [EMAIL PROTECTED]
To: Richard Katz [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Mime-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-RBL-Warning: INTRUDERS: This E-mail came from 208.37.231.210, a potential spam source listed in INTRUDERS. [2-14-7000]
X-Declude-Sender: [EMAIL PROTECTED] [208.37.231.210]
X-Declude-Spoolname: D40a00c7f0140a17c.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: INTRUDERS, HELOISIP [4]
X-Note: This E-mail was sent from w210.z208037231.nyc-ny.dsl.cnc.net ([208.37.231.210]).
X-Note: Total Weight for this email is [4]

David Dresler
Choicenet Internet
Network Administrations
509.252.3939

--
Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com). Version: 7.0.230 / Virus Database: 262.8.3 - Release Date: 4/15/2004
Re: [Declude.JunkMail] New test
David (and Bud),

An exception could probably be made for proper usage of the IP being used as the HELO (when enclosed in brackets). Also, a while back in an effort to reduce the processing power required for my @LINKED and IPLINKED filters, I removed all of the IP space that was reserved which amounted to about half of the Class A's. Both of these things might be good exclusions since the real-world use of this by zombie spammers won't be impacted by either change.

Matt

David Dresler wrote:

Below is an example of headers taken from a false positive using this new test. For the most part, it's a great new test and is working well. However, I've noticed that Entourage seems to be getting caught. This is the second customer of mine that I've noticed getting caught by this and both are using Entourage. Is anyone else seeing this? Thanks for any ideas

Received: from [10.0.0.11] [208.37.231.210] by ilfmedia.com with ESMTP (SMTPD32-7.07) id A0A0C7F0140; Mon, 19 Apr 2004 14:12:00 -0700
User-Agent: Microsoft-Entourage/10.1.4.030702.0
Date: Mon, 19 Apr 2004 14:16:46 -0700
Subject: Phone message
From: Rick Delker [EMAIL PROTECTED]
To: Richard Katz [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Mime-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-RBL-Warning: INTRUDERS: This E-mail came from 208.37.231.210, a potential spam source listed in INTRUDERS. [2-14-7000]
X-Declude-Sender: [EMAIL PROTECTED] [208.37.231.210]
X-Declude-Spoolname: D40a00c7f0140a17c.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: INTRUDERS, HELOISIP [4]
X-Note: This E-mail was sent from w210.z208037231.nyc-ny.dsl.cnc.net ([208.37.231.210]).
X-Note: Total Weight for this email is [4]

David Dresler
Choicenet Internet
Network Administrations
509.252.3939

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] New test
Bud Durland wrote:

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.

The new test is available for download from http://bud.thedurlands.com.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
RE: [Declude.JunkMail] New test
Hm - isn't that already covered in the HELOBOGUS test?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 07:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

Bud Durland wrote:

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.

The new test is available for download from http://bud.thedurlands.com.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
Re: [Declude.JunkMail] New test
Andy Schmidt wrote:

Hm - isn't that already covered in the HELOBOGUS test?

Not really:

Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

morden-res-206-45-166-10.mts.net is a valid host name that will not trip HELOBOGUS, but will trip HELOISIP.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
RE: [Declude.JunkMail] New test
Bud,

Is this the proper format for the config file?:

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!
Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

Bud Durland wrote:

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.

The new test is available for download from http://bud.thedurlands.com.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.

[AUTOMATED NOTE: Your mail server [66.140.194.140] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.]
RE: [Declude.JunkMail] New test
Thanks Bill. All I can say is WOW. This test seems to be working very very well. It is snagging tons of stuff.

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, April 18, 2004 8:13 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

Bud's documentation says should be setup as a nonzero test, for example:

HELOISIP external nonzero C:\imail\declude\heloisip\heloisip.exe 10 0

rather than a weight test.

Bill

- Original Message -
From: Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 5:59 PM
Subject: RE: [Declude.JunkMail] New test

Bud,

Is this the proper format for the config file?:

HELOISIP external weight C:\imail\declude\heloisip\heloisip.exe 10 0

Thanks!
Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bud Durland
Sent: Sunday, April 18, 2004 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New test

Bud Durland wrote:

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.

The new test is available for download from http://bud.thedurlands.com.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
Re: [Declude.JunkMail] New test
I get an unknown filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this path would point to the exe file, is this not correct?

At 02:00 AM 4/19/2004 +, you wrote:

any chance to get the source code ?

Thanks

- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test

Andy Schmidt wrote:

Hm - isn't that already covered in the HELOBOGUS test?

Not really:

Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

morden-res-206-45-166-10.mts.net is a valid host name that will not trip HELOBOGUS, but will trip HELOISIP.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.

Glenn Brooks
WebWize, Inc.
713-688-4382
http://www.webwize.com
Re: [Declude.JunkMail] New test
any chance to get the source code ?

Thanks

- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:21 AM
Subject: Re: [Declude.JunkMail] New test

Andy Schmidt wrote:

Hm - isn't that already covered in the HELOBOGUS test?

Not really:

Received: from morden-res-206-45-166-10.mts.net [206.45.166.10]

morden-res-206-45-166-10.mts.net is a valid host name that will not trip HELOBOGUS, but will trip HELOISIP.

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
Re: [Declude.JunkMail] New test
Glenn Brooks wrote:

I get an unknown filter type in the log files...

HELOISP filter C:\imail\declude\heloisipx.exe 10 0

this path would point to the exe file, is this not correct?

It is not a filter; it is an external non-zero test. Your GLOBAL.CFG file entry would look something like this:

HELOISIPX external nonzero C:\IMail\Declude\HELOISIP\HELOISIPX.EXE 5 0

This line adds 5 points to the overall weight of the message if it fails.

Hope that helps

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
Re: [Declude.JunkMail] New test
Jason wrote:

Thanks Bill. All I can say is WOW. This test seems to be working very very well. It is snagging tons of stuff.

The question is, is it generating false positives? I hope not; the FP ratio here is very, very low, but I realize everyone's traffic pattern is different. While testing, I had it set to 0 weight, and a HOLD action. That let me review what it caught and determine the appropriate weight value. YMMV

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
RE: [Declude.JunkMail] New test
I'm trying to figure out WHY spammers would bother to include dial-up reverse DNS as HELO string? And if so, why not just check the reverse DNS? And, how much does this test overlap with existing dynamic host/dial up blacklists?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
Re: [Declude.JunkMail] New test
Andy,

This is almost completely a zombie spammer thing. Just like they need to create a valid Mail From, they also need to create a HELO, and hopefully one that is valid, though of course not many ISP's will enter both A records and reverse DNS entries for this type of address. The predominance with zombie spammers is to use one of three things:

- The reverse DNS entry of the hijacked computer
- The domain name of the recipient
- The IP address

There are unfortunately some pieces of software that will generate the HELO dynamically, and a fair number of Windows computers with similar computer naming conventions which might be relaying E-mail from Web sites and other software. These same computers are also highly likely to also fail HELOBOGUS when they false positive.

Matt

Andy Schmidt wrote:

I'm trying to figure out WHY spammers would bother to include dial-up reverse DNS as HELO string? And if so, why not just check the reverse DNS? And, how much does this test overlap with existing dynamic host/dial up blacklists?

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] New test
Here is one FP. Where's the IP?

Received: from alias-1.c10-ave-mta1.cnet.com [206.16.1.130] by mail.cefib.com with ESMTP

- Original Message -
From: Bud Durland [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 2:43 AM
Subject: Re: [Declude.JunkMail] New test

Jason wrote:

Thanks Bill. All I can say is WOW. This test seems to be working very very well. It is snagging tons of stuff.

The question is, is it generating false positives? I hope not; the FP ratio here is very, very low, but I realize everyone's traffic pattern is different. While testing, I had it set to 0 weight, and a HOLD action. That let me review what it caught and determine the appropriate weight value. YMMV

--
Bud Durland, CNE
[EMAIL PROTECTED]
fax: 518-561-0017
For sale: Parachute. Like new, used once. Small stain.
Re: [Declude.JunkMail] New test
Bud,

I have a few suggestions that you might want to consider. The first one would be to skip processing of the message and just have Declude pass off the HELO as an argument to your script. This can be done with %HELO%. This will speed processing and ensure that the HELO comes in the proper context. Declude can be configured for IPBYPASS settings which are used to skip over gateway mail servers and forwarding servers so that you have the HELO of the computer that is actually sending the E-mail.

Combining both of your tests into one program instead of two would also be useful. You can use any code over 10 for this. Declude also will only call the script once if the command is the same, and it will determine which test would be failed based on the result code that is returned.

The last thing that I'm not very clear about is the logic of the detection. I have a custom filter called DYNAMIC listed in the beta section of my site (http://www.mailpure.com/software/decludefilters/beta/) that does something similar for reverse DNS entries. I found from testing and according to the capabilities of the environment that using values below 20, i.e. -20- or .20., would produce false positives similar to the one that Serge just pointed out. It's extremely unlikely that you would miss detecting a zombie using the reverse DNS entry as the HELO if you ignored hits below 20 because there aren't many ISP class A's in use below that level (I think just IBM), and you have 4 chances to hit a number above 20.

The pattern that you identified is of course a very nice addition to spam fighting. Thanks!

Matt

Bud Durland wrote:

Bud Durland wrote:

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message.

The new test is available for download from http://bud.thedurlands.com.

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
Re: [Declude.JunkMail] New test
I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message...

Just a little note here: while this test is surely valuable and its development much appreciated, I think creating a slew of external Declude helpers is suboptimal--for desktop heap overhead, if nothing else--when many of the tests could be wrapped by SpamAssassin custom rules and run all at once using SPAMC32. Remember that SpamAssassin has full Perl regular expression support and allows for auxiliary rules to be contributed via any number of external files (each rule with its own weight, at that). If the community concentrated on contributing SA rulesets, test development time could be sliced down to nearly zero.

Now, I know that for some of you, this might seem vaguely treasonous--if you think of Declude and SA as rivals. We don't run SA without Declude, though, so I see it as more of a parent-child relationship. Anyway, it's just an idea.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
RE: [Declude.JunkMail] New test
Anybody already using a handy way to record the HELO in the decMMDD.log file? I'd like to save the step of going to my sysMMDD.txt file if I could.

I've run Bud's test for a few hours and had quite a few hits. The only false positive wasn't a false positive at all, but a correctly identified case of the mailhost with a revdns that reflected the host IP, with a matching HELO. And it did not hit on HELOISIPX.

Andrew 8)
Re: [Declude.JunkMail] New test
Sandy,

Good points. However, some may prefer just to add a test or two rather than add SA. Plus specialized tests may run more quickly via specific parsing than a general regexp engine. Or some may just prefer not to implement cygwin on their machines (I seem to remember it being necessary to implement SA). In any case, I think this is a situation where there are many ways to implement, and for each different environment different solutions may be preferred.

Darin.

- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Bud Durland [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 12:15 AM
Subject: Re: [Declude.JunkMail] New test

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message...

Just a little note here: while this test is surely valuable and its development much appreciated, I think creating a slew of external Declude helpers is suboptimal--for desktop heap overhead, if nothing else--when many of the tests could be wrapped by SpamAssassin custom rules and run all at once using SPAMC32. Remember that SpamAssassin has full Perl regular expression support and allows for auxiliary rules to be contributed via any number of external files (each rule with its own weight, at that). If the community concentrated on contributing SA rulesets, test development time could be sliced down to nearly zero.

Now, I know that for some of you, this might seem vaguely treasonous--if you think of Declude and SA as rivals. We don't run SA without Declude, though, so I see it as more of a parent-child relationship. Anyway, it's just an idea.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
Re: [Declude.JunkMail] New test
Markus;

Thanks for the detailed feedback and kind words. I haven't had time to study our numbers (and I believe our statistical universe is much smaller than yours), but generally speaking I'm pleased with the results we're seeing here.

For those who are interested, I'll be posting this test for download from my web site (http://bud.thedurlands.com) this weekend. Don't look for it earlier than Sunday, but I promise it will be there. There will be two executables. The current one remains unchanged. The additional test, called HELOISIPX, only fails if the HELO is a pure IP address:

Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP

I created this because I see quite a few messages that use an IP for the HELO (and often it is MY mail server's IP). I have never, ever, not once seen such a message that wasn't spam, so on my system that test will be weighted quite heavily.

Markus Gufler wrote:

Two days ago Bud announced HELOISIP as a new external test. After trying this test now for 36 hours I can report the following results for 04/15/2004:

Processed messages: 9832
Hold as Spam: 4728 (48% of all messages)
Detected by HELOISIP: 1340 (28% of hold spam / 14% of all messages)
FP's from SURBL: 55

All of these 55 legit messages have had a final weight below 60% of our hold weight and so haven't caused any real FP. 91% of all spam messages caught by HELOISIP have already reached a weight 200% of our hold weight. So having a possibility to skip this external test if a certain weight is already reached should significantly save resources.

Good test!

Markus

--
--- illigitimi non carborundum ---
Bud Durland, CNE
Mold-Rite Plastics Network Administrator
http://www.mrpcap.com
RE: [Declude.JunkMail] New test = EHLOFILTER
I created this because I see quite a few messages that use an IP for the HELO (and often it is MY mail server's IP). I have never, ever, not once seen such a message that wasn't spam, so on my system that test will be weighted quite heavily.

No other MTA should connect to your MTA using your MTA's IP as HELO string. I don't know if there is any reason to connect with any other IP address as HELO string. Several people have set up a filter file containing

HELO 0 CONTAINS [your.servers.ip.address]

Now add this filter file to your global.cfg file and assign a very high weight. My EHLOFILTER catches 4% of all processed messages without any false positive (looking back the last 50 days). Most spam (~99%) failing this test has already reached a final weight 200% of our hold weight. But anything going over 200% helps to decrease our operators' review work. Markus
Re: [Declude.JunkMail] New test = EHLOFILTER
Markus Gufler wrote: No other MTA should connect to your MTA using your MTA's IP as HELO string. I don't know if there is any reason to connect with any other IP address as HELO string.

My thinking exactly.

Several people have set up a filter file containing HELO 0 CONTAINS [your.servers.ip.address] Now add this filter file to your global.cfg file and assign a very high weight.

If I had Declude JM Pro, I probably would. I only have Standard, so no filters.

-- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com ---
RE: [Declude.JunkMail] New test
I would like to test. Looks like a good test. Kevin Bilbee

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Doherty Sent: Wednesday, April 14, 2004 7:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New test

I'd like to test it also. -Dave

----- Original Message ----- From: Bud Durland To: Declude List Sent: Wednesday, April 14, 2004 8:58 AM Subject: [Declude.JunkMail] New test

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message. These fail the test:

Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

Only the bolded part of the line (HELO name) is tested. Basically, dashes become 'dots', and anything other than numbers and dots are stripped out. If what remains looks like a valid 4-octet IP address, the test fails. These entries would NOT fail -- stray numbers make the location of the IP ambiguous

Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

For testing, I set it up with 0 weight and a HOLD action. So far, it has not flagged anything that was not spam. If anyone is interested in trying it out, let me know. I'll probably be putting it up for download from my web site later this week.

-- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com ---
Re: [Declude.JunkMail] New test
I'm interested. Thanks.

Original Message From: Bud Durland Subject: [Declude.JunkMail] New test Date: Wed, 14 Apr 2004 06:05:40 -0700

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message. These fail the test:

Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

Only the bolded part of the line (HELO name) is tested. Basically, dashes become 'dots', and anything other than numbers and dots are stripped out. If what remains looks like a valid 4-octet IP address, the test fails. These entries would NOT fail -- stray numbers make the location of the IP ambiguous

Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

For testing, I set it up with 0 weight and a HOLD action. So far, it has not flagged anything that was not spam. If anyone is interested in trying it out, let me know. I'll probably be putting it up for download from my web site later this week.
Re: [Declude.JunkMail] New test
interested thanks, andy

----- Original Message ----- From: Bud Durland To: Declude List Sent: Wednesday, April 14, 2004 8:58 AM Subject: [Declude.JunkMail] New test

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message. These fail the test:

Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

Only the bolded part of the line (HELO name) is tested. Basically, dashes become 'dots', and anything other than numbers and dots are stripped out. If what remains looks like a valid 4-octet IP address, the test fails. These entries would NOT fail -- stray numbers make the location of the IP ambiguous

Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

For testing, I set it up with 0 weight and a HOLD action. So far, it has not flagged anything that was not spam. If anyone is interested in trying it out, let me know. I'll probably be putting it up for download from my web site later this week.

-- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com ---
Re: [Declude.JunkMail] New test
interested

At 09:17 AM 4/14/2004 -0400, you wrote: interested thanks, andy

----- Original Message ----- From: Bud Durland To: Declude List Sent: Wednesday, April 14, 2004 8:58 AM Subject: [Declude.JunkMail] New test

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message. These fail the test:

Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

Only the bolded part of the line (HELO name) is tested. Basically, dashes become 'dots', and anything other than numbers and dots are stripped out. If what remains looks like a valid 4-octet IP address, the test fails. These entries would NOT fail -- stray numbers make the location of the IP ambiguous

Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

For testing, I set it up with 0 weight and a HOLD action. So far, it has not flagged anything that was not spam. If anyone is interested in trying it out, let me know. I'll probably be putting it up for download from my web site later this week.

-- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com ---

Glenn Brooks WebWize, Inc. 713-688-4382 http://www.webwize.com
Re: [Declude.JunkMail] New test
I'd like to test it also. -Dave

----- Original Message ----- From: Bud Durland To: Declude List Sent: Wednesday, April 14, 2004 8:58 AM Subject: [Declude.JunkMail] New test

I am testing a small external test program. A message fails the test if there is a discernible IP address in the HELO entry of the message. These fail the test:

Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com
Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com
Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com

Only the bolded part of the line (HELO name) is tested. Basically, dashes become 'dots', and anything other than numbers and dots are stripped out. If what remains looks like a valid 4-octet IP address, the test fails. These entries would NOT fail -- stray numbers make the location of the IP ambiguous

Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com
Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com

For testing, I set it up with 0 weight and a HOLD action. So far, it has not flagged anything that was not spam. If anyone is interested in trying it out, let me know. I'll probably be putting it up for download from my web site later this week.

-- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com ---
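The two HELO checks described in this thread (HELOISIP and the stricter HELOISIPX), as an added Python sketch run over the Received lines quoted in the messages above; it is not Bud's program. The function names and the way empty fields between dots are ignored are assumptions.

```python
import re

# Received line layout as it appears in the thread:
#   Received: from <HELO name> [<connecting IP>] by <local host> ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(\S+)"
)


def parse_received(line):
    """Return (helo, remote_ip, local_host), or None if the line does not match."""
    m = RECEIVED_RE.match(line.strip())
    return m.groups() if m else None


def _is_dotted_quad(fields):
    """True when fields is exactly four decimal octets, each in 0-255."""
    return len(fields) == 4 and all(
        f.isascii() and f.isdigit() and len(f) <= 3 and int(f) <= 255
        for f in fields
    )


def heloisipx(helo):
    """Stricter test: flag only when the HELO is nothing but an IP address."""
    return _is_dotted_quad(helo.split("."))


def heloisip(helo):
    """Broader test: dashes become dots, everything except digits and dots is
    stripped, and the remainder must look like a 4-octet address."""
    reduced = re.sub(r"[^0-9.]", "", helo.replace("-", "."))
    # Assumption: empty fields left behind by stripped labels are ignored.
    fields = [f for f in reduced.split(".") if f]
    return _is_dotted_quad(fields)


def failed_tests(received_line):
    """Names of the tests a Received line fails (empty list means it passes)."""
    parsed = parse_received(received_line)
    if parsed is None:
        return []
    helo = parsed[0]
    failed = []
    if heloisip(helo):
        failed.append("HELOISIP")
    if heloisipx(helo):
        failed.append("HELOISIPX")
    return failed


# Received lines taken from the messages in this thread.
SAMPLES = [
    "Received: from host-68-212-107-146.msy.bellsouth.net [68.212.107.146] by mrpcap.com",
    "Received: from ip-62-129-160-91.evhr.net [62.129.160.91] by mrpcap.com",
    "Received: from acs-24-154-41-142.zoominternet.net [24.154.41.142] by mrpcap.com",
    # Stray digits ("wbar3", "lax1", "client2") leave more than four fields.
    "Received: from wbar3.lax1-4-8-227-083.dsl-verizon.net [4.8.227.83] by mrpcap.com",
    "Received: from c-24-125-42-12.va.client2.attbi.com [24.125.42.12] by mrpcap.com",
    "Received: from 12.107.134.252 [69.6.65.63] by mrpcap.com with ESMTP",
]

if __name__ == "__main__":
    for line in SAMPLES:
        helo = parse_received(line)[0]
        print(f"{helo:45} {failed_tests(line) or 'pass'}")
```

Because every non-digit is stripped before the fields are counted, a host name such as a1.b2.c3.d4 would also reduce to four octets, so the broader check is best used as a weighted test, as the thread does.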
RE: [Declude.JunkMail] New test request
How about a test like this: NUMBERSINMAILFROM It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth.

John, We already look for sender addresses containing more than 4 (SenderWithCodeMaybe) or more than 8 digits (SenderWithCode). So we count around 75% of spam-senders and 25% of FPs. As Scott said there are a lot of typical Freemailer addresses like [EMAIL PROTECTED] creating FPs with such a test. But there are also auto-generated mailings having a sender address like [EMAIL PROTECTED] On a typical day we can see around 10% of all incoming messages having between 4 and 7 digits. Another ~8% of incoming messages have more than 8 digits. It's not the best but definitely a useful test in a weighting system. Markus
RE: [Declude.JunkMail] New test request
Hi; I have been following this discussion and it seems like for a weight test it would be good. Some observations that could complement this:

1: Mailing list email addresses are long. I have not seen autogenerated addresses that are less than 10 or so characters. E.g. [EMAIL PROTECTED] [64.241.105.8] [EMAIL PROTECTED] But on the other hand spam-like emails are typically about 10 or so characters. I think it is worth looking into John's suggestion with a consideration of the UserID length. E.g. from last night's logs: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] I think we can use the length of the UserID to our advantage in implementing this test.

2: I wish we could run tests on UserID and domain separately. It seems like it would be much easier if the domain could be separated from the UserID since for example one could test for two dashes (--) in the domain. We are getting more and more spam like hot--stuff.com

Regards, Kami

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler Sent: Thursday, September 11, 2003 7:16 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New test request

How about a test like this: NUMBERSINMAILFROM It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth.

John, We already look for sender addresses containing more than 4 (SenderWithCodeMaybe) or more than 8 digits (SenderWithCode). So we count around 75% of spam-senders and 25% of FPs. As Scott said there are a lot of typical Freemailer addresses like [EMAIL PROTECTED] creating FPs with such a test. But there are also auto-generated mailings having a sender address like [EMAIL PROTECTED] On a typical day we can see around 10% of all incoming messages having between 4 and 7 digits. Another ~8% of incoming messages have more than 8 digits. It's not the best but definitely a useful test in a weighting system. Markus
RE: [Declude.JunkMail] New test request
Any thoughts, good or bad? John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Tuesday, September 09, 2003 10:32 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] New test request

How about a test like this: NUMBERSINMAILFROM It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com
RE: [Declude.JunkMail] New test request
Any thoughts, good or bad?

It's one that we do hope to add. It's not foolproof (such as [EMAIL PROTECTED]), but would be useful in helping catch spam. -Scott
Re: [Declude.JunkMail] New test request
That would work great at detecting old Compuserve accounts :) I'm not convinced that this would be a very clear marker for spam though (depends on what the automated real stuff does), but you could probably set up a filter to test the theory.

First create a filter file test and score it as a negative 2:

SENDERNUM filter C:\IMail\Declude\SenderNum.txt x -2 0

Then fill the file with an entry for numbers 10-99, scoring each one as a single point:

MAILFROM 1 CONTAINS 10
MAILFROM 1 CONTAINS 11
MAILFROM 1 CONTAINS 12
...

This would score the number of digits in succession as follows, note that it will score higher if the address has numbers surrounded by letters, and lower if it is only numbers:

1 num = N/A
2 num = -1
3 num = 0
4 num = 1
5 num = 2
6 num = 3
7 num = 4
8 num = 5
9 num = 6
10 num = 7
...

Obviously there are two primary problems with this approach. First, it can have up to 86 points if the string of numbers is long enough (too bad you can't cap the total score of the filter). Secondly, it benefits senders by one point with just 3 successive numbers in their address. I'm thinking that some autoreply/auto-ticket systems might trip this filter though if they use the address instead of something in the subject line to track a communication. This might be the same type of reason that some spammers use this...they might be cleaning their list with the bounces that get through HELO??? Who knows, maybe it's worth a try if you are really that interested in exploring whether or not the real thing would work??? Real-people E-mail shouldn't be failing too many other tests, and the automated stuff suffers greatly. Maybe having 3 numbers only in an E-mail address is something that rarely happens with spam??? Matt

John Tolmachoff (Lists) wrote: Any thoughts, good or bad? John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Tuesday, September 09, 2003 10:32 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] New test request

How about a test like this: NUMBERSINMAILFROM It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com
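A model of the SENDERNUM filter from the message above next to the plain digit count John proposed, as an added Python example (not Declude code and not from the original posts). It assumes each `MAILFROM 1 CONTAINS nn` line counts once when its two-digit string occurs anywhere in the address, that the -2 is added once when at least one line matches, and it uses constructed addresses.

```python
import re

BASE_WEIGHT = -2                                    # "score it as a negative 2"
FILTER_ENTRIES = [str(n) for n in range(10, 100)]   # entries for 10-99, 1 point each


def sendernum_score(mailfrom):
    """Weight the modelled filter assigns, or None when no line matches
    (the "1 num = N/A" row of the table in the post)."""
    hits = {entry for entry in FILTER_ENTRIES if entry in mailfrom}
    if not hits:
        return None
    return BASE_WEIGHT + len(hits)


def digit_count(mailfrom):
    """NUMBERSINMAILFROM idea: total number of digits in the address."""
    return sum(ch in "0123456789" for ch in mailfrom)


def longest_digit_run(mailfrom):
    """Length of the longest unbroken run of digits."""
    return max((len(run) for run in re.findall(r"[0-9]+", mailfrom)), default=0)


def compare(mailfrom):
    """All three measurements for one address."""
    return {
        "digits": digit_count(mailfrom),
        "longest_run": longest_digit_run(mailfrom),
        "sendernum": sendernum_score(mailfrom),
    }


# Constructed sample addresses (not taken from any log).
SAMPLES = [
    "user1234@example.com",                  # 4 distinct digits in a row
    "5551212@pager.example",                 # phone-style, repeated pairs
    "a1000000@example.com",                  # long run, mostly zeros
    "7a3b9c2d@example.com",                  # digits separated by letters
    "news-20030910-4417@lists.example.com",  # list-style tracking address
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:40} {compare(addr)}")
```

Repeated pairs and pairs starting with 0 match no additional line, so the table in the post is an upper bound for a given run length, and digits that are not adjacent to another digit never match at all.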
RE: [Declude.JunkMail] New test request
Sorry, I've no great insight on the positive uses of this test, but I can point out another exception. E-mail enabled pagers and RIM Blackberries often have their phone number as the e-mail address @TheProviderDomain.com instead of or in addition to the subscriber's name. Andrew.
RE: [Declude.JunkMail] New test request
maybe a bad idea - We send out e-mail that has a Variable Return Address, so that we can handle bounces well. In our case, that address is a combo of letters and numbers (lots of numbers sometimes). And, we work hard to make sure our mail is all requested! Other legit mailers use something similar. It does suggest the mail comes from a mailing list, but doesn't help to separate legit from spam. Rob www.iGive.com

not convinced that this would be a very clear marker for spam though (depends on what the automated real stuff does), but you could probably set up a filter to test the theory. First create a filter file test and score it as a negative 2:
RE: [Declude.JunkMail] New test request
OK, my suggested weights are too high. Remember, the point of this test is to be used in the weighting system only. Pagers have 10 numbers, so I would actually start at either 11 or 15. An old CompuServe address will most likely not be failing other tests to where this one would put it over. How many numbers do those addresses have in them? I am thinking say if 11 numbers, add weight of 5. If 20 numbers, then add 15 more. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, September 10, 2003 12:32 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] New test request

Sorry, I've no great insight on the positive uses of this test, but I can point out another exception. E-mail enabled pagers and RIM Blackberries often have their phone number as the e-mail address @TheProviderDomain.com instead of or in addition to the subscriber's name. Andrew.
RE: [Declude.JunkMail] New test request
Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter. Andrew 8)

p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.

[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [Declude.JunkMail] New test request
Dan Patnode wrote: Good point, The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience), tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides? Dan

If you are looking for gibberish, look to the subject line and not the sender. I actually have a decent test for this in the subject line (don't use it in the body). The only false positives would come from very strange acronyms and auto-generated code such as tracking/receipt numbers. This scores higher the more gibberish you catch. It's been safe so far for me.

GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0

SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz
SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq
SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz
SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx
RE: [Declude.JunkMail] New test request
JT Pagers have 10 numbers, so I would actually start at either 11 or 15.
JT An old CompuServe address will most likely not be failing other tests to
JT where this one would put it over. How many numbers do those addresses have
JT in them?

Nine digits, e.g. [EMAIL PROTECTED] (that was mine for 5 years before they really had an Internet gateway...) Andrew 8)
Re: [Declude.JunkMail] New test request
I wouldn't consider that to be spam. Amazon? Travelocity? Yahoo Groups? Most of these are opt-in sources (by way of membership or purchase), and doing the bounce test that they are doing is in fact responsible use of commercial E-mail. If you are going to monitor for failed receivers, that means that your server isn't moving and you become a static target for the lists and heuristic filters. It's too bad that everyone doesn't do this. I'd much rather have a filter that detects no displayable text, or only searches decoded-non-HTML body text. Testing for that stuff would be a negative weight on my system...that's the F-P type of stuff that I'm trying to solve. Matt

Colbeck, Andrew wrote: Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter. Andrew 8) p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.

[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: [Declude.JunkMail] New test request
MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT 2 CONTAINS qb
(snip)

This looks good, Matthew. The weight is low enough to be cautious, and I suspect the only false positives you will get are on subject lines with that raw =?ISO-8859-1?B?UmU6U2lsZG stuff. (For those new to the party, Scott confirmed earlier that with declude.exe v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are not decoded to US-ASCII before applying a SUBJECT text match.) Andrew 8)
RE: [Declude.JunkMail] New test request
In your examples, I only see 4 that would be FP under this, the ones from microsoft.com, unitedmedia.com, yahoo groups, and Travelocity.com. newsletters.microsoft.com is already in a whitefilter. Yahoo groups are already in a whitefilter for known problems. Travelocity is a legit company, and therefore could go in a whitefilter. comicsmail.unitedmedia.com is something that can go into a whitefilter. The point is, someone can always come up with examples of how it can be used and how it would cause problems. Maybe it means at 15 add 5 and at 25 add another 10. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, September 10, 2003 1:35 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] New test request

Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter. Andrew 8) p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.
Re: [Declude.JunkMail] New test request
Thanks Andrew...I like my apples :) Some stuff could be put back in that I took out while testing the filter for the body before I found out that it caught attachments. I was careful to take out things like ql because of MSSQL, and I searched a dictionary file for matches on the other strings and deleted as was necessary, but other deletions were for more obscure reasons. My only concern was tagging an auto-generated serial/tracking number from an online receipt, but those should be generally numbers from looking over what I have saved from my purchases. I've gone kind of filter crazy in the last week. Anytime I see a message that should have been rejected, I look it over for patterns to match :) It's really too bad that this same filter doesn't work on the body text exclusively...that would tag a lot of the stuff that gets through. Matt

Colbeck, Andrew wrote:

MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT 2 CONTAINS qb
(snip)

This looks good, Matthew. The weight is low enough to be cautious, and I suspect the only false positives you will get are on subject lines with that raw =?ISO-8859-1?B?UmU6U2lsZG stuff. (For those new to the party, Scott confirmed earlier that with declude.exe v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are not decoded to US-ASCII before applying a SUBJECT text match.) Andrew 8)
Re: [Declude.JunkMail] New test request
Wow, what a sweet idea Matthew! Applying rules of English (like Q is always followed by U) to look for gibberish. :) Yea, so long as BODY searches attachments, any small code will sooner or later show up in an attachment. I've even had problems trying hard tests for complete words where an L was replaced with an I and it showed up in attachment PDF code. Dan

On Wednesday, September 10, 2003 13:36, Matthew Bramble [EMAIL PROTECTED] wrote:

Dan Patnode wrote: Good point, The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience), tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides? Dan

If you are looking for gibberish, look to the subject line and not the sender. I actually have a decent test for this in the subject line (don't use it in the body). The only false positives would come from very strange acronyms and auto-generated code such as tracking/receipt numbers. This scores higher the more gibberish you catch. It's been safe so far for me.

GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0

SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz
SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq
SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz
SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx
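The GIBBERISHSUB letter-pair filter and the encoded-subject false positive raised in this thread, as an added Python illustration (not Declude code and not from the original posts). It assumes each `SUBJECT 2 CONTAINS` line adds 2 once, case-insensitively, and uses constructed subject lines; decoding the RFC 2047 encoded word before matching is this example's own step.

```python
import base64
from email.header import decode_header, make_header

# Letter pairs from the GIBBERISHSUB filter file posted in the thread.
BIGRAMS = (
    "qb qc qd qe qf qg qh qi qj qk qm qn qo qp qr qs qt qv qx qy qz "
    "vq wq tq jq xd xj xk xr xz zb zc zf zj zk zl zm zx"
).split()
LINE_WEIGHT = 2  # the "2" in "SUBJECT 2 CONTAINS xx"


def gibberish_hits(subject):
    """Filter entries whose letter pair occurs in the subject (any case)."""
    lowered = subject.lower()
    return [pair for pair in BIGRAMS if pair in lowered]


def gibberish_score(subject):
    """Total weight under the assumed one-hit-per-line model."""
    return LINE_WEIGHT * len(gibberish_hits(subject))


def decode_subject(raw):
    """Decode RFC 2047 encoded words; fall back to the raw text on failure."""
    try:
        return str(make_header(decode_header(raw)))
    except (LookupError, UnicodeError, ValueError):
        return raw


# Constructed samples: an ordinary subject sent as a base64 encoded word,
# and a subject padded with random letters.
PLAIN_TEXT = "Re: Quarterly report"
RAW_ENCODED = "=?ISO-8859-1?B?{}?=".format(
    base64.b64encode(PLAIN_TEXT.encode("latin-1")).decode("ascii")
)
PADDED_SPAM = "Hot deals xqzjk today"

if __name__ == "__main__":
    for label, subject in [
        ("raw encoded word", RAW_ENCODED),
        ("decoded first", decode_subject(RAW_ENCODED)),
        ("padded subject", PADDED_SPAM),
    ]:
        print(f"{label:18} {subject!r:55} "
              f"hits={gibberish_hits(subject)} score={gibberish_score(subject)}")
```

The base64 text of an ordinary subject happens to contain listed pairs, which is the false positive Andrew describes; the same subject scores 0 once decoded.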
Re: [Declude.JunkMail] New Test?
I was wondering if you could add a new test to Declude JunkMail? This test could be called similar addresses. If someone sends a message to multiple addresses and the to, cc or bcc of all the addresses contain helpdesk@ then I'd think it's a pretty good bet that it's a spam message.

It is something that we have been considering, but haven't made a decision on yet. Note that the Bcc:'s won't be visible to Declude, so only the To: or Cc: header could be used.

Looking at our spamtraps, it looks like only a small portion (perhaps 5% to 10%) of the spam is sent with the multiple addresses in the To:/Cc: headers. Making it less useful is that often they are similar-but-not-exact names -- such as john123@, john128@, johnny@, ... which would either minimize the usefulness of the feature, or require somewhat sophisticated testing to determine if the addresses were similar (which could result in too many false positives if not done well).

-Scott

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
RE: [Declude.JunkMail] New Test?
One problem, I receive very legitimate email to [EMAIL PROTECTED], that is sent to abuse@ for all domains thought to be involved for spammers and other issues. There are cases where someone is just trying to get ahold of several parties using standard addresses like abuse, hostmaster, postmaster, etc.

Chuck Frolick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Helpdesk
Sent: Thursday, April 25, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New Test?

Scott,

I was wondering if you could add a new test to Declude JunkMail? This test could be called similar addresses. If someone sends a message to multiple addresses and the to, cc or bcc of all the addresses contain helpdesk@ then I'd think it's a pretty good bet that it's a spam message. For example I just received a spam message to [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

Any thoughts?

Later, Greg
Re: [Declude.JunkMail] New Test?
on 4/25/02 11:40 AM, R. Scott Perry wrote:

Looking at our spamtraps, it looks like only a small portion (perhaps 5% to 10%) of the spam is sent with the multiple addresses in the To:/Cc: headers. Making it less useful is that often they are similar-but-not-exact names -- such as john123@, john128@, johnny@, ... which would either minimize the usefulness of the feature, or require somewhat sophisticated testing to determine if the addresses were similar (which could result in too many false positives if not done well).

I think you shouldn't worry about the similar-but-not-exact names case, only the exact names case. If all the addresses are the same name (and there are 3 or more) then I think it would have to be a spam message (unless someone can think of a case where that wouldn't be true).

Thanks, Greg
Re: [Declude.JunkMail] New Test?
I think you shouldn't worry about the similar-but-not-exact names case, only the exact names case. If all the addresses are the same name (and there are 3 or more) then I think it would have to be a spam message (unless someone can think of a case where that wouldn't be true).

In a manual review of 20 E-mails from our spamtrap, only 1 had multiple instances of the same or similar E-mail accounts. It looks like about 1/3 of the spams with multiple same-or-similar addresses are ones where there are multiple copies of the same account name; the other 2/3rds are similar. So we're talking about maybe 1-2% of spam that could get caught. Still, aside from the abuse@/postmaster@ issue (which could easily be dealt with), it would likely have an extremely low false positive rate.

-Scott
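The exact-name variant of the "similar addresses" test discussed in this thread, as an added Python sketch (not Declude's implementation, which the thread does not describe). It reads only To: and Cc:, requires 3 or more addresses that all share one account name, and exempts the role accounts raised in the thread; the function name, the constants and the example.* sample headers are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Role accounts that legitimately receive one message across many domains
# (the abuse@/hostmaster@/postmaster@ case raised in the thread).
ROLE_ACCOUNTS = {"abuse", "hostmaster", "postmaster"}
MIN_COPIES = 3  # "3 or more" addresses, as proposed in the thread


def shared_recipient_name(raw_headers):
    """Return the account name if every To:/Cc: address uses the same one on
    MIN_COPIES or more distinct addresses, else None. Bcc: is not read, since
    it is not visible in the delivered headers."""
    msg = message_from_string(raw_headers)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = {a.lower() for _, a in getaddresses(fields) if "@" in a}
    names = {a.rpartition("@")[0] for a in addrs}
    if len(addrs) < MIN_COPIES or len(names) != 1:
        return None
    name = names.pop()
    return None if name in ROLE_ACCOUNTS else name


# Constructed sample headers using reserved example domains.
SAME_NAME = ("To: helpdesk@example.com, helpdesk@example.net\n"
             "Cc: Help Desk <HelpDesk@example.org>\nSubject: test\n\n")
ROLE = "To: abuse@example.com, abuse@example.net, abuse@example.org\n\n"
SIMILAR = "To: john123@example.com, john128@example.com, johnny@example.com\n\n"
TOO_FEW = "To: helpdesk@example.com, helpdesk@example.net\n\n"

if __name__ == "__main__":
    for label, raw in [("same name", SAME_NAME), ("role account", ROLE),
                       ("similar only", SIMILAR), ("too few", TOO_FEW)]:
        print(f"{label:13s} -> {shared_recipient_name(raw)}")
```

The similar-but-not-exact case (john123@, john128@, johnny@) is deliberately left unflagged here, matching the exact-names proposal.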