Scott,
Virus Bug
==
The first bug is more straightforward; however, it is related to Declude
Virus, so please forgive me for not joining that group. In an E-mail
that was forwarded from monster.com, it tripped on a banned extension of
.com because a cookie reference was attached by Outlook Express as follows:
--=_NextPart_000_0001_01C3D1D2.DEDBF400
Content-Type: application/octet-stream;
name=nojavascriptdcssip=jobsearch.monster.com
Content-Transfer-Encoding: base64
Content-Location:
http://cookie.monster.com/DCS03_6D4Q/njs.gif?dcsuri=/nojavascriptdcssip=jobsearch.monster.com
R0lGODlhAQABAIAAAP8A/wAAACH5BAEALAABAAEAAAICRAEAOw==
--=_NextPart_000_0001_01C3D1D2.DEDBF400--
I'm not sure if there is anything that can be done about this easily,
but it was legitimate, and the attachment wasn't an executable, just a
cookie. This is the first time that I have ever seen such a thing, so
I'm sure it's rare, and maybe a bug with Outlook where it gets confused
and attaches cookies coded this way thinking they are COM files???
JunkMail Bug
==
The small bug with JunkMail is as follows. I've seen the following
several times across a number of days with at least v1.77i7 and
v1.77i10. I'm using the warn action and it always shows up with the
same recipient (%ALLRECIPS%) repeated at least three or four times. The
first example is unique, and the last three examples are from a
dictionary attack coming from one spammer sent to addresses that never
existed on the same domain. The X-MailPure: RECIPIENTS line is related
to a weightrange test so that it only displays the recipients when it
fails. The IPNOTINMX test generally shows up first, but appears below
that line when this happens along with the associated errors. Another
thing related is the fact that I have a colon in the WARN action for
RECIPIENTS listed with a colon, but it always appears with a space then
dash in every message. Here's how that is defined:
- Global.cfg -
HIGH-RECIPSweightrangexx1024
- $Default$.junkmail -
HIGH-RECIPS WARN X-MailPure: RECIPIENTS: %ALLRECIPS%
This is not a big deal to me, but I thought that I would let you know
about it. Four examples follow:
Received: from mail.com [216.234.126.149] by domain.tld
(SMTPD32-7.15) id A570704020A; Tue, 06 Jan 2004 10:34:08 -0500
Reply-To: [EMAIL PROTECTED]
From: BPD [EMAIL PROTECTED]
Subject: [23] Sales Leads --$1,525 Savings
Date: Tue, 6 Jan 2004 10:34:23 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset=Windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Message-Id: [EMAIL PROTECTED]
X-MailPure:
==
X-MailPure: NJABL-DYNABLOCK: Failed, listed in dynablock.njabl.org
(weight 4).
X-MailPure: NOABUSE: Failed, listed in abuse.rfc-ignorant.org
(weight 1).
X-MailPure: SORBS-DUL: Failed, listed in dnsbl.sorbs.net (weight 3).
X-MailPure: SPAMCOP: Failed, listed in bl.spamcop.net (weight 8).
X-MailPure: IPNOTINMX: Failed, IP is not listed in MX or A records
(weight 0).
X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected
(weight 0).
X-MailPure: CONCEALED: Failed, concealed message (weight 1).
X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a]
(weight 4).
X-MailPure: WORDFILTER-SUBJECT: Message failed WORDFILTER-SUBJECT
test (line 63, weight 2).
X-MailPure: RECIPIENTS - [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: IPNOTINMX:
Failed, no legitimate content detected (weight 0).
X-MailPure: [Unknown Var]TESTNAME
X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: [Unknown Var]TESTNAME
X-MailPure: [Unknown Var] sign in the SMTP From address (weight 2).
X-MailPure:
==
X-MailPure: Spam Score: 23
X-MailPure: Scan Time: 10:34:15 on 01/06/2004
X-MailPure: Spool File: Dd5700704020a2dd9.SMD
X-MailPure: Server Name: mail.com
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: 3639246484.mi.dial.hexcom.net
[216.234.126.149]
X-MailPure:
==
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
==
X-Declude-Date: 01/06/2004 15:34:23 [0]
X-RCPT-TO: [EMAIL PROTECTED]
Status: R
X-UIDL: 372975289
From [EMAIL PROTECTED] Tue Jan 06 09:35:58 2004
Received: from ecardica.net [66.246.175.2] by domain.tld
(SMTPD32-7.15) id A7C4324022A; Tue, 06 Jan 2004