[Declude.JunkMail] Two small bugs

2004-01-06 Thread Matthew Bramble
Scott,

Virus Bug
==
The first bug is more straightforward, however it is related to Declude 
Virus, so please forgive me for not joining that group.  In an E-mail 
that was forwarded from monster.com, it tripped on a banned extension of 
.com because a cookie reference was attached by Outlook Express as follows:

   --=_NextPart_000_0001_01C3D1D2.DEDBF400
   Content-Type: application/octet-stream;
   name=nojavascriptdcssip=jobsearch.monster.com
   Content-Transfer-Encoding: base64
   Content-Location:
   
http://cookie.monster.com/DCS03_6D4Q/njs.gif?dcsuri=/nojavascriptdcssip=jobsearch.monster.com
   R0lGODlhAQABAIAAAP8A/wAAACH5BAEALAABAAEAAAICRAEAOw==

   --=_NextPart_000_0001_01C3D1D2.DEDBF400--

I'm not sure if there is anything that can be done about this easily, 
but it was legitimate, and the attachment wasn't an executable, just a 
cookie.  This is the first time that I have ever seen such a thing, so 
I'm sure it's rare, and maybe a bug with Outlook where it gets confused 
and attaches cookies coded this way thinking they are COM files???

JunkMail Bug
==
The small bug with JunkMail is as follows.  I've seen the following 
several times across a number of days with at least v1.77i7 and 
v1.77i10.  I'm using the warn action and it always shows up with the 
same recipient (%ALLRECIPS%) repeated at least three or four times.  The 
first example is unique, and the last three examples are from a 
dictionary attack coming from one spammer sent to addresses that never 
existed on the same domain.  The X-MailPure: RECIPIENTS line is related 
to a weightrange test so that it only displays the recipients when it 
fails.  The IPNOTINMX test generally shows up first, but appears below 
that line when this happens along with the associated errors.  Another 
thing related is the fact that I have a colon in the WARN action for 
RECIPIENTS listed with a colon, but it always appears with a space then 
dash in every message.  Here's how that is defined:

- Global.cfg -
HIGH-RECIPSweightrangexx1024
- $Default$.junkmail -
HIGH-RECIPSWARN X-MailPure: RECIPIENTS: %ALLRECIPS%
This is not a big deal to me, but I thought that I would let you know 
about it.  Four examples follow:

   Received: from mail.com [216.234.126.149] by domain.tld
 (SMTPD32-7.15) id A570704020A; Tue, 06 Jan 2004 10:34:08 -0500
   Reply-To: [EMAIL PROTECTED]
   From: BPD [EMAIL PROTECTED]
   Subject: [23] Sales Leads --$1,525 Savings
   Date: Tue, 6 Jan 2004 10:34:23 -0500
   MIME-Version: 1.0
   Content-Type: text/html;
   charset=Windows-1251
   Content-Transfer-Encoding: 7bit
   X-Priority: 1
   X-MSMail-Priority: High
   X-Mailer: Microsoft Outlook Express 6.00.2600.
   X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
   Message-Id: [EMAIL PROTECTED]
   X-MailPure:
   ==
   X-MailPure: NJABL-DYNABLOCK: Failed, listed in dynablock.njabl.org
   (weight 4).
   X-MailPure: NOABUSE: Failed, listed in abuse.rfc-ignorant.org
   (weight 1).
   X-MailPure: SORBS-DUL: Failed, listed in dnsbl.sorbs.net (weight 3).
   X-MailPure: SPAMCOP: Failed, listed in bl.spamcop.net (weight 8).
   X-MailPure: IPNOTINMX: Failed, IP is not listed in MX or A records
   (weight 0).
   X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected
   (weight 0).
   X-MailPure: CONCEALED: Failed, concealed message (weight 1).
   X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a]
   (weight 4).
   X-MailPure: WORDFILTER-SUBJECT: Message failed WORDFILTER-SUBJECT
   test (line 63, weight 2).
   X-MailPure: RECIPIENTS - [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED], [EMAIL PROTECTED]
   X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: IPNOTINMX:
   Failed, no legitimate content detected (weight 0).
   X-MailPure: [Unknown Var]TESTNAME
   X-MailPure: IPNOTINMX: Failed, IP is noX-MailPure: [Unknown Var]TESTNAME
   X-MailPure: [Unknown Var] sign in the SMTP From address (weight 2).
   X-MailPure:
   ==
   X-MailPure: Spam Score: 23
   X-MailPure: Scan Time: 10:34:15 on 01/06/2004
   X-MailPure: Spool File: Dd5700704020a2dd9.SMD
   X-MailPure: Server Name: mail.com
   X-MailPure: SMTP Sender: [EMAIL PROTECTED]
   X-MailPure: Received From: 3639246484.mi.dial.hexcom.net
   [216.234.126.149]
   X-MailPure:
   ==
   X-MailPure: Spam and virus blocking services provided by MailPure.com
   X-MailPure:
   ==
   X-Declude-Date: 01/06/2004 15:34:23 [0]
   X-RCPT-TO: [EMAIL PROTECTED]
   Status: R
   X-UIDL: 372975289
From [EMAIL PROTECTED] Tue Jan 06 09:35:58 2004
   Received: from ecardica.net [66.246.175.2] by domain.tld
 (SMTPD32-7.15) id A7C4324022A; Tue, 06 Jan 2004 

Re: [Declude.JunkMail] Two small bugs

2004-01-06 Thread R. Scott Perry

> Virus Bug
> ==
> The first bug is more straightforward, however it is related to Declude 
> Virus, so please forgive me for not joining that group.  In an E-mail that 
> was forwarded from monster.com, it tripped on a banned extension of .com 
> because a cookie reference was attached by Outlook Express as follows:
Actually, this isn't a bug:

>    --=_NextPart_000_0001_01C3D1D2.DEDBF400
>    Content-Type: application/octet-stream;
>    name=nojavascriptdcssip=jobsearch.monster.com
>    Content-Transfer-Encoding: base64
>    Content-Location:
> http://cookie.monster.com/DCS03_6D4Q/njs.gif?dcsuri=/nojavascriptdcssip=jobsearch.monster.com
The cookie isn't the problem; the name of the file is 
nojavascriptdcssip=jobsearch.monster.com.  That's a .com file.

> I'm not sure if there is anything that can be done about this easily, but 
> it was legitimate, and the attachment wasn't an executable, just a cookie.
The attachment was a .com file.  It may have been a cookie with a funny 
name, but still a .com file.  :)

> JunkMail Bug
> ==
> The small bug with JunkMail is as follows.  I've seen the following 
> several times across a number of days with at least v1.77i7 and 
> v1.77i10.  I'm using the warn action and it always shows up with the same 
> recipient (%ALLRECIPS%) repeated at least three or four times.  The first 
> example is unique, and the last three examples are from a dictionary 
> attack coming from one spammer sent to addresses that never existed on the 
> same domain.
There was an issue with one of the v1.77 interim releases that was fixed in 
1.77i12 that may have caused this.  A change was made in the way that 
Declude JunkMail retrieves the list of recipients.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
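To make Scott's point concrete, here is a small Python check (an example added here, not Declude's own code) that parses the MIME part quoted in the thread, shows that the attachment name ends in `.com` and so trips an extension-based ban, and then sniffs the decoded bytes to show the payload is really a GIF. The banned extensions other than `.com`, the magic-byte table and the reduced sample message are assumptions made for the example.

```python
import email
import os

# Constructed sample: the multipart message from the thread reduced to the
# GIF "cookie" part, with header folding whitespace restored.
SAMPLE_MIME = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_NextPart_000_0001_01C3D1D2.DEDBF400"

--=_NextPart_000_0001_01C3D1D2.DEDBF400
Content-Type: application/octet-stream;
 name=nojavascriptdcssip=jobsearch.monster.com
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAP8A/wAAACH5BAEALAABAAEAAAICRAEAOw==

--=_NextPart_000_0001_01C3D1D2.DEDBF400--
"""

# Assumed banned-extension list; only ".com" comes from the thread.
BANNED_EXTENSIONS = {".com", ".exe", ".scr", ".pif"}

# Leading-byte signatures. A DOS .com file has none (it is raw code), so the
# sniffer can say what a payload is but never prove that it is not code.
MAGIC = [(b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"MZ", "dos-exe")]

def sniff(data):
    """Return a content label from the first bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

def check_attachments(raw_message):
    """One dict per named part: extension verdict plus sniffed content."""
    findings = []
    # The default (compat32) parser keeps the '=' inside the unquoted name.
    msg = email.message_from_string(raw_message)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        findings.append({"name": name, "ext": ext,
                         "ext_banned": ext in BANNED_EXTENSIONS,
                         "content": sniff(data)})
    return findings
```

Because a genuine `.com` file carries no signature, the content sniff only explains the false positive; it cannot by itself justify letting a banned extension through.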