RE: [Declude.JunkMail] whitelisting

2002-11-21 Thread Colbeck, Andrew
I share your pain! We've been live with Declude and HOLD actions for about a week, and I've been beavering away at building our whitelist for 2 weeks. In a nutshell, I'm building the whitelist because I want to keep my SPAMCOP HOLD action (and a few others). I've established with our team that

[Declude.JunkMail] forum for fighting fake From: fingerprint

2002-11-21 Thread Colbeck, Andrew
One particularly aggravating type of spam is where the from: is faked to be from the recipient or the recipient's own domain. I saw in the archive that this thread has been touched on before, but how about once more around the mulberry bush? I believe Scott mentioned that this behaviour counted

[Declude.JunkMail] Odd log problem commenting an IP block

2002-11-25 Thread Colbeck, Andrew
Anybody else seeing this? I have a text file on which I use IPFilter, that holds my manually created blacklist from my old e-mail system: #Nov-08-2002 AC This is our custom blacklist of IP addresses and subnets BENTALLIPBL

RE: [Declude.JunkMail] OWA and BASE64

2002-11-26 Thread Colbeck, Andrew
Sure thing, John. An OWA message is coming right up, from OWA for Exchange 5.5 SP4. -Original Message- From: John Tolmachoff [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 26, 2002 7:30 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] OWA and BASE64 If some one has access

RE: [Declude.JunkMail] forum for fighting fake From: fingerprint

2002-11-28 Thread Colbeck, Andrew
Scott, do you recommend using both BADHEADERS and SPAMHEADERS? I use both, along with the LOOSENSPAMHEADERS directive, and I'm wondering if SPAMHEADERS incorporates BADHEADERS... It seems that when I see SPAMHEADERS, I very often see BADHEADERS. On the other hand, maybe I'm just getting used to

[Declude.JunkMail] Another skirmish in the arms race

2002-11-29 Thread Colbeck, Andrew
Apparently I'm slow to get this, but since November 13th, there has been spam which includes this footer (which I've deliberately mangled with ** to avoid anyone else's text filters): This message passed through ANTI**SPAMCENTER filter. If this is a S**PAM - it's imperative that you let us know.

RE: [Declude.JunkMail] HOWTO(ish): Self-expiring whitelists

2002-11-30 Thread Colbeck, Andrew
Very interesting project, Sanford. Thank you for sharing. To clarify a point though: do you implement a BOUNCE to the domain's postmaster of the offending server? I've mulled creating a similar implementation with a database back end (inspired by Terry Fritts) with a goal of aging out manual

H:RE: Re[2]: [Declude.JunkMail] HOWTO(ish): Self-expiring whitelists

2002-11-30 Thread Colbeck, Andrew
While I'm doing some wishful thinking, another bit of automagic scripting: Periodically go into the spool\spam folder and re-check the lookup tests that it failed. This would automatically release those in and out again SpamCop and ORDB entries. Andrew 8) --- [This E-mail was scanned for

[Declude.JunkMail] Feature request - final action

2002-12-20 Thread Colbeck, Andrew
I have a feature request. With v1.65 of Declude JunkMail, the manual's list of action precedences, my logs and my message headers have all the necessary data for me to construct the post-facto reporting of what happened to a given message. But it also means that I have to build into my

RE: [Declude.JunkMail] Feature request - final action

2002-12-20 Thread Colbeck, Andrew
True, I would have an immediate use for logging the final action; I suspected that others would have a user for a variable, e.g. when multiple actions are performed, such as delivering a message and ALERT or BOUNCE, marking up the original would be useful. Andrew 8) -Original Message-

RE: [Declude.JunkMail] OT a bit..spam databases

2003-01-07 Thread Colbeck, Andrew
I'm rather fond of this web tool for doing multiple simultaneous lookups: http://openrbl.org/ Specifically, it returns hyperlinks and text messages if returned by the bl. It also puts up spam related news and info. Andrew 8) -Original Message- From: Sharyn Schmidt [mailto:[EMAIL

RE: [Declude.JunkMail] free or popular domains

2003-01-07 Thread Colbeck, Andrew
My list would be the same as previously cited, and yes, earthling.net is not a typo. All of these would make it to my list as the top faked from: domains. But of the ones that I've seen make it through to the spamtraps, none. Which is why I haven't implemented a small negative weight for these

[Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
Is there a gotcha in filter text files when the message is in HTML format? The following line works if I send myself a message from HotMail, but didn't on an actual piece of spam I just received, whose relevant bit of text I'll reproduce here with an underscore inserted to get around my own

RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
(sigh) Keyboard virus... I should have had an underscore in *both* of the entries. To recap I'll reproduce here with an underscore inserted to get around my own filter: #Dec-02-2002 AC Very common in Chinese hosted spamvertisement # unsubscribe footers BODY 0 CONTAINS bta_mail.net.cn And the

RE: [Declude.JunkMail] A line in one of my filter text files didn't fire

2003-01-07 Thread Colbeck, Andrew
Except for the underscore I inserted, both snippets are verbatim. No trailing spaces or hidden control characters. The message was not in Base-64. I just checked my Declude log for today and it did fire off on 7 other messages today. I'll include the whole spam message in an attachment here.

RE: [Declude.JunkMail] Spoofed IP's

2003-01-09 Thread Colbeck, Andrew
For what it's worth, no, we never get bogus claims of spam originating from our IP range. This is going out on a limb, but your range of 192.68.75.0/24 looks a lot like 192.168.75.0/24 (which would be IANA reserved private) and that confusion might be the source of your problem. The ooh, hackers

[Declude.JunkMail] Mimeserver and MIME encoding problems?

2003-01-12 Thread Colbeck, Andrew
Hi, Scott. I don't use or send to anyone with MIMESweeper, but I thought I'd chime in here, off the list, and submit a message I received this weekend. What is unusual about it is that the header has all the X- entries before the date entry. I haven't noted this before with Declude, and wish

RE: [Declude.JunkMail] Mimeserver and MIME encoding problems?

2003-01-13 Thread Colbeck, Andrew
Thanks for the explanation, Scott. To get really specific, did Declude fix up the e-mail by adding in the missing Date: header, or did IMail? It sounds like a Good Thing(tm) but I'm looking for the law of unintended consequences. My bet is that you won't modify any content in the header, but

RE: [Declude.JunkMail] Opinion on bulk mailers

2003-01-14 Thread Colbeck, Andrew
We are not an ISP; as a private corporation, we define our usage policy and it is more strict than what you can, so we can block junkmail as well as spam. We try not to be censors, but spam and junkmail cost us real dollars in theft of service and loss of productivity. We have the luxury of

RE: [Declude.JunkMail] Found an email that was not scanned by Declude JunkMail

2003-01-15 Thread Colbeck, Andrew
I've had this happen several times, too, Greg. If you are inclined to search the archives from two or three weeks ago, you will find a reply from Scott regarding a terse error message in the Declude log file; the upshot was that if you look in your IMail and Declude logs, you will find this error

RE: [Declude.JunkMail] Is a BASE64 attachment considered body?

2003-01-16 Thread Colbeck, Andrew
Given the huge rise in BASE64 encoded message text I've seen, matching BODY on decoded message text would be welcome indeed. Likewise, I've seen a few (rare) false positives when BODY matched text within an attachment. Not that I'm trying to re-invent Declude Virus, but what I found was that:

RE: [Declude.JunkMail] Declude JunkMail v1.66 (beta) released

2003-01-17 Thread Colbeck, Andrew
Scott, do you have an ETA guesstimate on how long the interval is between the beta and RTM release? Andrew 8) -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED]] Sent: Friday, January 17, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude JunkMail

[Declude.JunkMail] Debugging a filter file with the Pro version

2003-01-22 Thread Colbeck, Andrew
Scenario: Current filter file has several hits on a given e-mail message, and as a result with other tests, the HOLD weight is reached. On examining the held message and the Declude log (LogLevel MID), the total weight reached for the filter file is too high to match any single entry. The

[Declude.JunkMail] Filter text: out of the frying pan and into the fire

2003-01-23 Thread Colbeck, Andrew
I think the processing order of the filter text has changed between JunkMail v1.65 and v1.66i. Specifically, I saw high scores on an innocent message due to my spam hint rule. What I intended to do was search for obfuscation

RE: [Declude.JunkMail] Filter text: out of the frying pan and into the fire

2003-01-23 Thread Colbeck, Andrew
(ahem) Errr. Never mind. I jumped the gun. My innocent sample(s) was using both www.example.com as well as the escaped version of . and for / in their URLs. In my haste to make things right, I only saw the normal text URLs. The message I saw held fell in to two categories: the newsletter

RE: [Declude.JunkMail] PERCENT test

2003-01-27 Thread Colbeck, Andrew
Markus, the crux of the issue for you is whether or not you allow relaying for your client servers. If you do, then the percent hack is a legitimate method for their server to request the relay from your server. The IMail security regarding the percent hack is not to *prevent* the percent hack,

[Declude.JunkMail] Spews is incompetent (well, overzealous at least)

2003-02-05 Thread Colbeck, Andrew
Check out this article if you haven't already. http://www.theregister.co.uk/content/6/29159.html The link to the Newsgroup message thread for pro vs. con is worth a read, and includes some gems. The short of it is that spews.org often lists a much bigger netblock than they need to, on the

RE: [Declude.JunkMail] Filtering on a header

2003-02-20 Thread Colbeck, Andrew
Here's the weights we use: HEADERS 2 CONTAINS PowerMTA(TM) HEADERS 5 CONTAINS KUNBrun SMTP Receiver HEADERS 5 CONTAINS Synapse - Delphi HEADERS 3 CONTAINS The Bat! HEADERS 5 CONTAINS SmartMax MailMax HEADERS 5 CONTAINS eGroups Message Poster HEADERS 5 CONTAINS X-Mailer: FoxMail HEADERS 9

RE: [Declude.JunkMail] Message body in Headers Problem

2003-03-05 Thread Colbeck, Andrew
Has anyone else been seeing messages where the body is in the headers? I do see this occasionally. For what it's worth, I mostly see messages without the header separator line in my HotMail account, not my corporate account. Andrew.

[Declude.JunkMail] another new encoding trick

2003-03-10 Thread Colbeck, Andrew
Scott, if you're so inclined, I've found another BS test for your code to check, i.e. does the encoding actually match what the header says. I received a piece of spam this morning, and was really surprised, because I *knew* I had added the URL to one of my filter text files, and this e-mail used

RE: [Declude.JunkMail] Filter Help

2003-03-14 Thread Colbeck, Andrew
Keith, check the Manual; as you go down the list of actions, you will see them in increasing priority. So never mind the weight of this filter test, set the weight to 0 and the action to DELETE, because that action has the highest priority. The action for the WEIGHT20 will be

[Declude.JunkMail] So you think you're good with pattern matching, eh?

2003-03-16 Thread Colbeck, Andrew
This bit of spam left the kitchen before it was fully cooked. I leave it to your own judgement as to whether this provides insight into the junk in some of the spam we get, or whether it's disheartening to see what could clearly be meta-junk surrounding the payload. (I've lopped off the header

RE: [Declude.JunkMail] What do I have set wrong?

2003-03-17 Thread Colbeck, Andrew
Sheldon, because you're a service provider and we're a private business, I don't know if this will help you, but this is what we do. We whitelist our IMail server by its internal address, as well as the internal addresses of our internal mail hosts. We do not whitelist by our domain name, for

RE: [Declude.JunkMail] Global.Cfg - IPBYPASS

2003-03-18 Thread Colbeck, Andrew
Scott, wouldn't Jeff also have to use the HOP and HOPHIGH directives? Or does IPBYPASS imply a HOPHIGH of one greater than the current setting when the IPBYPASS is used? Andrew 8) -Original Message- From: R. Scott Perry [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 18, 2003 6:53 AM

RE: [Declude.JunkMail] Comments Test

2003-03-20 Thread Colbeck, Andrew
Scott, does the COMMENTS test also catch bogus HTML tags? I've seen rather a lot of spam HTML messages where there are deliberate bogus tags like HUE5MTl to throw text matching off the scent, whereas because they look like tags, the e-mail client display doesn't show them at all. Text matching

RE: [Declude.JunkMail] Interesting test results

2003-03-24 Thread Colbeck, Andrew
I was thinking that it would probably be a relatively simple matter to add such a test in a future version of declude. If an incoming message reached a certain weight, it could be added to a recent spammer list. This list could be checked along with other internal tests _before_ DNS tests are

[Declude.JunkMail] Declude in the news

2003-03-25 Thread Colbeck, Andrew
Get this... Declude.com gets a positive side-mention in this article describing the new version of Symantec's antivirus mail gateway, which includes some spam filtering capabilities. http://www.itworld.com/Net/3241/030324symantecgateway/ Andrew 8)

RE: [Declude.JunkMail] What does this mean: internet.e-mail

2003-03-26 Thread Colbeck, Andrew
Kami, I think it's an annotation put there by the bulk mailer as a note to themselves about the source of the target list (ooh, I'm starting to sound like *them*). I saw this in the body of the html spam I received today: !-- saved from url="" PROTECTED] --!-- Built by

RE: [Declude.JunkMail] Year 2020

2003-03-27 Thread Colbeck, Andrew
I had a program that checked a time server every day to keep the time accurate. On more than one occasion I saw the date get changed to the year 2020 and the year 4040. I don't use time server programs any more. WXP has a SNTP client built in. Use: net time /setsntp:tick.ucla.edu net stop

re: [Declude.JunkMail] Any ideas about Dartmail.net?

2003-07-02 Thread Colbeck, Andrew
Kami, I found that mail from dartmail.net was all legitimate newsletters, but mail from maildart was spam. I let the RBLs do their usual job, but then I counterweight with: HELO -50 ENDSWITH dartmail.net although I prefer REVDNS, I find this a reliable middleground (WHITELIST being on the other

re: [Declude.JunkMail] Attachments JM

2003-07-02 Thread Colbeck, Andrew
KR SPAM hardly comes with PDF attachments or Word or even less likely KR with Excel. Perhaps one easy way to combat this is to figure out KR the attachment (don't know how) maybe we can assign a negative KR weight to emails with such attachments. .. another 2 cents to echo Scott's reply

RE: [Declude.JunkMail] Any ideas about Dartmail.net?

2003-07-03 Thread Colbeck, Andrew
are now getting a lot of spam with emails that use ... @dell.com or @ibm.com Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, July 02, 2003 4:31 PM To: '[EMAIL PROTECTED]' Subject: re: [Declude.JunkMail] Any

[Declude.JunkMail] HELO test for an IP - useful tip

2003-07-11 Thread Colbeck, Andrew
I recently noticed a piece of spam which had made it to my inbox had used my own mail server's IP address as its HELO. So I did a little digging in my recent IMail sysMMDD.txt logs and found that the mail server was getting at least 150 of these every day and that none of them (of course) were

RE: [Declude.JunkMail] Best Practices question

2003-07-17 Thread Colbeck, Andrew
Nicely darn, Karl. Please do post your perl script to the list. If you'd rather send it directly to interested parties, please include me in that list. I'm just starting in on perl and VB Script, because (sigh) I have indeed been using find.exe as a crutch. For example, I call this script all

RE: [Declude.JunkMail] Legitimate email syntax?

2003-07-21 Thread Colbeck, Andrew
Another 2 cents. Kami, on your prompting I looked back 4 days and saw that we'd received 34 messages that were in the format [EMAIL PROTECTED]; most of those domain names were perfectly legitimate... and faked. I found that each one of the messages had heavily triggered other tests and were all

RE: [Declude.JunkMail] Yahoo Groups.

2003-07-22 Thread Colbeck, Andrew
No thanks. This is less than ideal, but I like Yahoo Groups even less. I am also not in favour of a Wiki board, because I mistrust the nature of it, that is, the ability for anyone to modify any post. Declude JunkMail is a small fish in a big ocean, but remember that the spammers won't like us.

RE: [Declude.JunkMail] Email with attachments kills the connection

2003-07-22 Thread Colbeck, Andrew
I would look for the easy stuff first. This sounds exactly like the speed and duplex setting are mismatched somewhere between the mail server and the inside of the ATT hardware. Andrew. -Original Message- From: i360 [mailto:[EMAIL PROTECTED]] Sent: Tuesday,

RE: [Declude.JunkMail] re: RBL's

2003-07-23 Thread Colbeck, Andrew
Another caveat: unconfirmed.dsbl.org is not a superset of list.dsbl.org or multihop.dsbl.org but often contains duplicates of them. So although I generally trust unconfirmed.dsbl.org to have accurate fresh listings, I have to give it a low weight. I would give it a higher weight if I could, but

RE: [Declude.JunkMail] OT: SP4 and MS03-026

2003-07-24 Thread Colbeck, Andrew
My experience has been that NT4-era service packs will overwrite hotfixes. W2K and W2K3 (and Office XP, too) service packs will leave patches intact, i.e. they will not overwrite components newer than themselves. Doing a repair/re-install from the Recovery CD or from the

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Colbeck, Andrew
Mark, it may be interesting for you to note that we don't set the number of instances of Declude directly. Instead, the "max processes" limit in your IMail SMTP advanced settings is what governs the total number of IMail and declude.exe instances. Also, an important

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Colbeck, Andrew
e-From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 24, 2003 3:56 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Declude using 50% cpu Mark, it may be interesting for you to note that we don't set the number of instances of Declude directl

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Colbeck, Andrew
Mark, you might check if your C:\IMail\Spool\Overflow contains many Q*.SMD files, which will tell you whether you have a mail processing backlog. A busy server is one thing, and a burdened server is another. You can read: http://www.declude.com/dq.htm for the how and why

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-24 Thread Colbeck, Andrew
FYI, I have a single mail relay with no mail boxes. Runs IMail like a champ in a stripped down Windows XP in a SCSI based Compaq server PII 333 MHz and 160 MB of RAM (plenty), but with the text filtering we do, we get a consistent overflow every day during peak hours. We've

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-25 Thread Colbeck, Andrew
Rifat, since you have the Pro version of JunkMail, how much text filtering do you do? Kami and I both do quite a bit... I just counted, and in various separate text filter files, i have 3500 BODY tests. Andrew. -Original Message- From: Rifat Levis [mailto:[EMAIL PROTECTED] Sent:

RE: [Declude.JunkMail] Declude using 50% cpu

2003-07-25 Thread Colbeck, Andrew
u usage consistently. -Original Message- From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 24, 2003 3:56 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Declude using 50% cpu Mark, it may be interesting for you to note that we

RE: [Declude.JunkMail] Question Marks ignored

2003-07-29 Thread Colbeck, Andrew
SP> Unfortunately, that can be difficult to determine. You would need to view SP> the raw source of the E-mail, which many mail clients don't support (you SP> would need to be able to see the MIME headers). MG> I am using a great 3rd-party Outlook add-on called PocketKnife Peek

RE: [Declude.JunkMail] re: Ideas

2003-08-05 Thread Colbeck, Andrew
This ISP or what ever they are send us a lot of spam I would not usually block this many IP addresses but? What do you all think? Ultimate Offers LLC. NET-69-60-0-0-24 (NET-69-60-0-0-2) 69.60.0.0 - 69.60.0.2 How did they get such a large block of IP

RE: [Declude.JunkMail] RBL Question

2003-08-08 Thread Colbeck, Andrew
-Original Message- From: Keith Johnson [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 8:36 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] RBL Question I saw the below message on the forum: -BEGIN QUOTE--- For a long time the SBL has been available either

RE: [Declude.JunkMail] RBL Question

2003-08-12 Thread Colbeck, Andrew
PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] RBL Question Doesn't this announcement mean that as of Aug 11, SPAMHAUS will have to be checked directly and will NO LONGER provide info to osirusoft? That appeared to be the gist of the announcement. From: Colbeck, Andrew Keith, you

RE: [Declude.JunkMail] IPBYPASS not working

2003-08-14 Thread Colbeck, Andrew
Thomas, I just implemented VirusWall, but in a different configuration than you have. I think you should start by turning off the Disable insertion of InterScan Received: header when processing messages. This is on the Advanced Options of the GUI, or in the intscan.ini in the [EMail-Scan]

RE: [Declude.JunkMail] Interesting spam...

2003-08-14 Thread Colbeck, Andrew
Thanks, Kami. I've started a new section in one of my JunkMail Pro text filter files called Phishing for similar attempts to garner e-mail addresses and credit card numbers. Andrew 8) -Original Message- From: Kami Razvan [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 13, 2003 2:11

[Declude.JunkMail] What's a q*.gmd spool file?

2003-08-14 Thread Colbeck, Andrew
Some spam made it through our Imail+JunkMail gateway last night, and I was wondering how it did it, because there were NO headers added by JunkMail Pro. According to my sys0806.txt logfile, the message was received by IMail, then it was later delivered to my internal mail server. I found a few

RE: [Declude.JunkMail] SPAM Volume

2003-08-14 Thread Colbeck, Andrew
FS Is it just me or has anyone else noticed a large increase in the volume FS of SPAM over the last two days? Nope, not particularly high. Actually, it's back to normal, because we saw a lull last week. My poor little server suffers from a backlog during our peak hours; to manage the contention

RE: [Declude.JunkMail] Test No Messages

2003-08-14 Thread Colbeck, Andrew
I'm all for it, Chuck. IMHO: Egress filtering by you should be standard. If a packet is trying to leave your router, but has a source that isn't from the inside of your network(s), drop it. I don't think that blocking those Microsoft ports below 1024 will affect much traffic. Is it really

[Declude.JunkMail] dial up users at qwest

2003-08-14 Thread Colbeck, Andrew
What a mess! Aside from buying AutoWhite, does anyone have a suggestion for letting mail in from valid dial up users at Qwest, while still keeping out the spammers? SPAMDOMAINS may be appropriate here, to reward a person from qwest who actually says they're from qwest... e.g. Received: from

RE: [Declude.JunkMail] New variation of PayPal Account retrieval

2003-08-17 Thread Colbeck, Andrew
I wouldn't be at all surprised if it turns out that these phishing expeditions for e-mail readers, replies, and credit card details are the same spammers behind the SoBig malware. Check out: http://www.lurhq.com/sobig-e.html I came across this very detailed write-up when checking out some oddly

[Declude.JunkMail] some SoBig.F notes

2003-08-20 Thread Colbeck, Andrew
A little heads-up about SoBig.F ... 2,000 of my inbound e-mail messages today has been this virus, from a variety of sources. The messages are the virus itself, neutered versions of the message, and bounces/warnings from dummy antivirus software on mailservers out there that still warn the

RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Colbeck, Andrew
Message sniffer is not so bad as I tested it but have a big problem with News letter it has a big False positive rate with them. On the home page for MessageSniffer you'll find a Help (QA) section which is worth your time to read if it's worth your time to implement. Submit false positives to:

RE: [Declude.JunkMail] Multi Server Configs

2003-08-21 Thread Colbeck, Andrew
Wow, I thought my increase in messages from 5,800 messages inbound to 10,000 was a lot. BTW, my old mail server (PII @ 333 MHz, data on a SCSI2 mirror) with the same volume would regularly run mid-morning (my peak volume) with 30 to 100 messages in the overflow folder. The new server (PIII @

RE: [Declude.JunkMail] Delete based on specified content

2003-08-21 Thread Colbeck, Andrew
Well, you shouldn't... here is a cleaned up version of the JunkMail Pro filter file I started using last night. My global.cfg has: BADNOTIFY filter D:\IMail\Declude\BadNotify.txt x 0 0 and BADNOTIFY HOLD If you want BADNOTIFY to show up in your Total weight = lines in your decMMDD.log file,

RE: [Declude.JunkMail] OT: Declude notification and SoBig assault.

2003-08-22 Thread Colbeck, Andrew
(I was going to point you to the MailArchive website rather than re-post, but I couldn't find my own message there.) You're probably getting 4 kinds of nuisance messages: 1) The SoBig.F virus messages 2) Broken versions of the message with all the text but no virus 3) Bounce notifications

RE: [Declude.JunkMail] OSRELAY question.

2003-08-27 Thread Colbeck, Andrew
Until a few days ago, I was using SORBSALL, but on checking out their home page, I found that it had grown quite a lot since I started using it. Since JunkMail will only incur the lookup once, I suggest that if you're using SORBS that you break it up into all the little tests to query the same

RE: [Declude.JunkMail] SORBS

2003-08-28 Thread Colbeck, Andrew
: [Declude.JunkMail] SORBS How are the false positive rates ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, August 28, 2003 12:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] OSRELAY question. Until a few days ago

[Declude.JunkMail] Another obfuscation technique

2003-08-28 Thread Colbeck, Andrew
Similar to one noted earlier (by Bill?), slightly updated: `OPFd ``nhra``` ```laey`` ire`` `nm`s ``eanh``` cei``

RE: [Declude.JunkMail] Possible test suggestion

2003-08-29 Thread Colbeck, Andrew
Chuck, that suggestion could be useful for me, but I can two bits... I've noticed that some legitimate bulk mailers, like spammers, are completely brain dead when it comes to removing e-mail addresses that have bounced. For example, I saw a spammer consistently using an address that hadn't

RE: [Declude.JunkMail] Detecting gibberish

2003-09-09 Thread Colbeck, Andrew
Chipping in my two cents (Hi, I'm back from vacation!) I'm waiting for something like BODYTEXT instead of BODY so that I can stop getting false positives from short sequences showing up in attachment encoding. I had to stop trying to filter: grx grx2 t1t MLM d0rm /ad /ads because they came up

RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
Sorry, I've no great insight on the positive uses of this test, but I can point out another exception. E-mail enabled pagers and RIM Blackberries often have their phone number as the e-mail address @TheProviderDomain.com instead of or in addition to the subscriber's name. Andrew.

RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter. Andrew 8) p.s. I've deliberately munged the addresses a

RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
JT Pagers have 10 numbers, so I would actually start at either 11 or 15. JT An old CompuServe address will most likely not be failing other tests to JT where this one would put it over. How many numbers do those addresses have JT in them? Nine digits, e.g [EMAIL PROTECTED] (that was mine for 5

RE: [Declude.JunkMail] New test request

2003-09-10 Thread Colbeck, Andrew
MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0 MB SUBJECT2CONTAINSqb (snip) This looks good, Matthew. The weight is low enough to be cautious, and I suspect the only false positives you will get are on subject lines with that raw =?ISO-8859-1?B?UmU6U2lsZG stuff.

RE: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Colbeck, Andrew
SUBJECT 40 CONTAINS =?ISO-8859-1?b? I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log, which is set to HIGH so that others can see what tests have been useful for me. An interesting point that came out of my following this thread is that I

[Declude.JunkMail] Yet another new test request

2003-09-11 Thread Colbeck, Andrew
How about some thoughts on selectively running tests, based on the HOP count? Specifically, one of my strong reasons to buy Declude+IMail (yes, that's the way I view it!) for my gateway was because of the HOPHIGH feature for running ip4r tests against more than just the IP of the host that sent

[Declude.JunkMail] Cautionary note on BASE64

2003-09-11 Thread Colbeck, Andrew
For those who are using the BASE64 test and finding that you have to counterweight for Exchange Servers that uselessly encode plain ASCII messages, note that there is a new patch level: HEADERS -10 CONTAINS Microsoft Exchange V6.0.6375.0 in addition to John Tolmachoff's research: HEADERS -10

RE: [Declude.JunkMail] Strange Subject

2003-09-11 Thread Colbeck, Andrew
at uncaught spam, perhaps these guys are getting nailed by other tests. Dan On Thursday, September 11, 2003 13:16, Colbeck, Andrew [EMAIL PROTECTED] wrote: SUBJECT 40 CONTAINS =?ISO-8859-1?b? I'm seeing quite a few of these coming in, but they are getting held. I'm including a sample from my log

[Declude.JunkMail] What is going on with OpenRBL.org

2003-09-16 Thread Colbeck, Andrew
For those who like to use http://openrbl.org but found it unavailable for longer than any usual system maintenance, your guess that it was due to a DDOS is right. Meanwhile, Declude's own http://www.dnsstuff.com/ and http://moensted.dk/spam/ can get you the lookup information.

[Declude.JunkMail] Bah, puny spammer!

2003-09-17 Thread Colbeck, Andrew
Here's this morning's biggest loser: we HOLD on 20, and this spammer achieved a whopping: DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2 NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10

[Declude.JunkMail] Interesting headers, but this message was still easily caught

2003-09-17 Thread Colbeck, Andrew
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700 Received: from [73.250.175.174] by 66.38.133.97 with SMTP for snip; Wed, 17 Sep 2003 06:00:29 + Message-ID: [EMAIL PROTECTED] From: "Sheldon

RE: [Declude.JunkMail] Bah, puny spammer!

2003-09-17 Thread Colbeck, Andrew
DSBL:6 SPAMCOP:10 BADHEADERS:6 HELOBOGUS:6 REVDNS:4 ROUTING:8 IPNOTINMX:2 NOLEGITCONTENT:2 COUNTRY:10 COMMENTS:153 SNIFFER:7 FIVETENSRC:5 EASYNET-DNSBL:7 EASYNET-DYNA:6 EASYNET-PROXIES:5 BH-CNKR:10 SORBS-HTTP:7 PSBL:5 CBL:5 GIBBERISHBODY:3 VERISCAM:7 BENTALLIPBL:7 BENTALLSPAMHINT:22

[Declude.JunkMail] Any takers on identifying valid comcast.net outbound mail hosts?

2003-09-17 Thread Colbeck, Andrew
I'm seeing some false positives for mail from .comcast.net hosts that are falling into various ip4r lists. It's very sporadic. It seems like quite a few are being tested as mail relay hosts, but aren't. Other providers provide a sensible naming convention to make it straightforward to identify

RE: [Declude.JunkMail] Foreign language Spam Mail

2003-09-18 Thread Colbeck, Andrew
Who has had any luck in trapping spam written in a foreign language. I seem to be getting what appears to be spam from what appear to be written in Russian and I have no clue as to how to stop the messages. Could you send the full headers of one of the E-mails? The actual foreign language

RE: [Declude.JunkMail] Foreign language Spam Mail

2003-09-18 Thread Colbeck, Andrew
in Moscow: 1-0-5-5-1-8-6 -Original Message- From: Colbeck, Andrew Sent: Thursday, September 18, 2003 10:09 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Foreign language Spam Mail Who has had any luck in trapping spam written in a foreign language. I seem to be getting what

RE: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Colbeck, Andrew
According to external DNS, you only have one mail host. For starters, you can whitelist your own IP. And if that server is the only machine of yours that is going to identify itself as wcnet.net, HELO20 ENDSWITH wcnet.net should do nicely until someone called

RE: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Colbeck, Andrew
I should add: If you want to go the extra mile and say: MAILFROM 20 ENDSWITH wcnet.net Then you'll find that works great against spammers who fake their mailfrom address so it looks like your own name (or say, [EMAIL PROTECTED] while trying to send to you!), but: You'll also

RE: [Declude.JunkMail] Understanding Return Codes

2003-09-24 Thread Colbeck, Andrew
(sigh) Again I'm the voice of dissent... I find that CBL merits no higher than a weight of 5 out of my HOLD weight of 20. I find that it includes a lot of ISP mail servers that get used by spammers. They do seem to work at removing them, but meanwhile, it's throwing the baby out

RE: [Declude.JunkMail] What's wrong with SpamCop?

2003-09-24 Thread Colbeck, Andrew
Well, it's important to remember that SpamCop is user-driven. The man behind it, Julian Haight, and his Spam Cop deputies focus on parsing the messages well, holding off the DoS attacks, juggling the expiry and the weight of the IP subnet based on reports, and getting the right abuse addresses

RE: [Declude.JunkMail] Understanding Return Codes

2003-09-24 Thread Colbeck, Andrew
Two major Canadian ISPs, and ComCast.net are common enough. True, true, it is far more common for dial-up type accounts to spam through proxies, open relays, or directly to their recipients, but it does happen, and too often. It used to be common, but ISPs have generally wised

RE: [Declude.JunkMail] Understanding Return Codes

2003-09-24 Thread Colbeck, Andrew
Browsing for low total weights through the 638 messages which triggered CBL so far today I'm not seeing any obvious errors, mostly very high total weights. Two that I've definitely seen before were mail servers for comcast.net and bizmailsrvs.net (Verizon - no angel), which

RE: [Declude.JunkMail] Log to syslog option

2003-09-30 Thread Colbeck, Andrew
For what it's worth, I use TextPad from the eponymous .com website, which behaves the same way as has been remarked for UltraEdit. TextPad seems to be a more rounded tool, whereas UltraEdit seems to lean towards widgets for programmers. Andrew 8) -Original Message- From: Bud Durland

RE: [Declude.JunkMail] new methods of subjects?

2003-09-30 Thread Colbeck, Andrew
Paul, I've seen a few today. From literally all over the world, spamvertising a website in China with a disposable name. aa gg kk ll nn I found that the various following tests were good enough to catch all of the ones we received, and are typical of the tests that were triggered. You

[Declude.JunkMail] Another antispam service worn down

2003-09-30 Thread Colbeck, Andrew
http://fabel.dk/relay/test/ Now returns a farewell page. It looks like only the tester is gone, and that the ip4r lookup still works, e.g. nslookup 2.0.0.127.spamsources.fabel.dk Non-authoritative answer: Name: 2.0.0.127.spamsources.fabel.dk Address: 127.0.0.2 I don't use FABELSOURCES so