RE: [sniffer] [Fwd: Diann Helms]
> would you share your filters?
> I assume Declude filters.

Yes. Attached is the original message from Scott Fisher regarding the geocities filter file. (I call it GEOCITIESLINKS.) I've replaced each weight (100 and 75 points) with 0, so this test will add no weight to the final result.

In addition you have to set up SORBS-DUHL as a standard IP4R test. Then you need an additional text filter file (I call it COMBO-DUHL-GEOCITIES):

~~
TESTFAILED END NOTCONTAINS GEOCITIESLINKS
TESTFAILED 80 CONTAINS SORBS-DUHL
~~

The first line will stop the combo filter if there were no geocities links in the message body. The second line will add 80 points if the message comes in from a DUHL IP.

Markus

--- Begin Message ---

Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities.

STOPATFIRSTHIT
BODY 100 CONTAINS ar.geocities.com
BODY 100 CONTAINS geocities.com.ar
BODY 100 CONTAINS ar.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.ar
BODY 100 CONTAINS asia.geocities.com
BODY 100 CONTAINS asia.geocities.yahoo.com
BODY 100 CONTAINS au.geocities.com
BODY 100 CONTAINS geocities.com.au
BODY 100 CONTAINS au.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.au
BODY 100 CONTAINS br.geocities.com
BODY 100 CONTAINS geocities.com.br
BODY 100 CONTAINS br.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.br
BODY 100 CONTAINS ca.geocities.com
BODY 100 CONTAINS geocities.ca
BODY 100 CONTAINS ca.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.ca
BODY 100 CONTAINS cf.geocities.com
BODY 100 CONTAINS cf.geocities.yahoo.com
BODY 100 CONTAINS cn.geocities.com
BODY 100 CONTAINS geocities.cn
BODY 100 CONTAINS cn.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.cn
BODY 100 CONTAINS de.geocities.com
BODY 100 CONTAINS geocities.de
BODY 100 CONTAINS de.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.de
BODY 100 CONTAINS es.geocities.com
BODY 100 CONTAINS geocities.es
BODY 100 CONTAINS es.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.es
BODY 100 CONTAINS espanol.geocities.com
BODY 100 CONTAINS espanol.geocities.yahoo.com
BODY 100 CONTAINS hk.geocities.com
BODY 100 CONTAINS geocities.com.hk
BODY 100 CONTAINS geocities.hk
BODY 100 CONTAINS hk.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.hk
BODY 100 CONTAINS geocities.yahoo.hk
BODY 100 CONTAINS in.geocities.com
BODY 100 CONTAINS geocities.co.in
BODY 100 CONTAINS in.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.in
BODY 100 CONTAINS it.geocities.com
BODY 100 CONTAINS geocities.it
BODY 100 CONTAINS it.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.it
BODY 100 CONTAINS kr.geocities.com
BODY 100 CONTAINS geocities.co.kr
BODY 100 CONTAINS kr.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.kr
BODY 100 CONTAINS mx.geocities.com
BODY 100 CONTAINS geocities.com.mx
BODY 100 CONTAINS mx.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.mx
BODY 100 CONTAINS sg.geocities.com
BODY 100 CONTAINS geocities.com.sg
BODY 100 CONTAINS sg.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.com.sg
BODY 100 CONTAINS uk.geocities.com
BODY 100 CONTAINS geocities.co.uk
BODY 100 CONTAINS uk.geocities.yahoo.com
BODY 100 CONTAINS geocities.yahoo.co.uk
BODY 75 CONTAINS geocities.com
BODY 75 CONTAINS geocities.yahoo.com

- Original Message -
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] Stock Spam

If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter.

BODY 3 CONTAINS au.geocities.com

Sniffer, which I weight at 7, picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10.

-Dave Doherty
Skywaves, Inc.

- Original Message -
From: Michael Jaworski
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:32 AM
Subject: [Declude.JunkMail] Stock Spam

Anyone have a good filter strategy on the increasing amount of stock spam???

Thanks,
Mike
--- End Message ---
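The following is an added example, not code from the thread, from Declude or from Sniffer: a small Python evaluator that models the filter-file semantics described above (STOPATFIRSTHIT, BODY ... CONTAINS, TESTFAILED ... NOTCONTAINS, the END weight that stops a file) and runs Markus's two-file combination and Dave's single body filter over constructed messages. It assumes CONTAINS matching is case-insensitive, and it replaces the real SORBS-DUHL IP4R lookup with a made-up in-memory range list so that it runs offline; the range 206.53.0.0/16 is chosen only so the thread's sample message (sent from 206.53.51.56) falls inside it, and is not a statement about any real DUHL listing.

```python
"""Toy evaluator for the Declude-style text filter files quoted in this thread.

Added illustration, not Declude's or Sniffer's code. Only the directives the
thread uses are implemented (STOPATFIRSTHIT, BODY, TESTFAILED, CONTAINS,
NOTCONTAINS, END), with the semantics Markus describes. Case-insensitive
CONTAINS matching is an assumption.
"""
import ipaddress
import re

# Constructed stand-in for the SORBS-DUHL IP4R zone. The thread's sample message
# came from 206.53.51.56, so a made-up /16 around it makes the combo rule fire.
# This is NOT a claim about what the real DUHL lists.
FAKE_DUHL_RANGES = [ipaddress.ip_network("206.53.0.0/16")]

# Filter files in the syntax quoted in the thread (link list shortened).
GEOCITIESLINKS = """
STOPATFIRSTHIT
BODY 0 CONTAINS uk.geocities.com
BODY 0 CONTAINS geocities.co.uk
BODY 0 CONTAINS geocities.com
"""
COMBO_DUHL_GEOCITIES = """
TESTFAILED END NOTCONTAINS GEOCITIESLINKS
TESTFAILED 80 CONTAINS SORBS-DUHL
"""
DAVE_BODY_FILTER = "BODY 3 CONTAINS au.geocities.com"

# Constructed messages: SPAM mirrors the sample in the thread; HAM is a legitimate
# note relayed from a (made-up) non-dial-up host that also mentions a geocities page.
SPAM = {"headers": "Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22)",
        "body": "Braxton,\n\nhttp://uk.geocities.com/proboycott45571\n\nShane Redmond"}
HAM = {"headers": "Received: from mail.example.org [198.51.100.7] by deepspace.i360.net (SMTPD-8.22)",
       "body": "My old homepage is still at http://uk.geocities.com/fanclub - cheers"}


def connecting_ip(headers):
    """IP in brackets on the topmost Received: line (the one our MTA wrote)."""
    m = re.search(r"^Received: .*?\[(\d+(?:\.\d+){3})\]", headers, re.M)
    return m.group(1) if m else None


def duhl_listed(ip):
    """Stand-in for the IP4R test: True if ip falls inside FAKE_DUHL_RANGES."""
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in FAKE_DUHL_RANGES)


def parse_filter(text):
    """Return (stop_at_first_hit, [(what, weight, op, needle), ...]).
    weight is an int, or the string 'END' for the stop-this-file form."""
    stop, rules = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper() == "STOPATFIRSTHIT":
            stop = True
            continue
        what, weight, op, needle = line.split(None, 3)
        weight = "END" if weight.upper() == "END" else int(weight)
        rules.append((what.upper(), weight, op.upper(), needle))
    return stop, rules


def run_filter(filter_text, body, failed_tests):
    """Evaluate one filter file against a body and the set of test names the
    message has already failed. Returns (weight added, needles that matched)."""
    stop, rules = parse_filter(filter_text)
    total, hits = 0, []
    for what, weight, op, needle in rules:
        if what == "BODY":
            matched = needle.lower() in body.lower()
        elif what == "TESTFAILED":
            matched = needle.upper() in {t.upper() for t in failed_tests}
        else:
            raise ValueError("unsupported test type: " + what)
        if op == "NOTCONTAINS":
            matched = not matched
        if not matched:
            continue
        if weight == "END":      # a hit on an END line ends this file, adding nothing
            break
        total += weight
        hits.append(needle)
        if stop:                 # STOPATFIRSTHIT: one hit per file is enough
            break
    return total, hits


def score_message(msg, sniffer_weight=0):
    """Markus's combination: a zero-weight link filter whose hit is recorded as a
    failed test, the DUHL IP4R test, then the combo file. Any Sniffer weight the
    admin assigns is simply added. Returns (total weight, sorted failed tests)."""
    failed = set()
    _, link_hits = run_filter(GEOCITIESLINKS, msg["body"], failed)
    if link_hits:
        failed.add("GEOCITIESLINKS")
    if duhl_listed(connecting_ip(msg["headers"])):
        failed.add("SORBS-DUHL")
    combo_weight, _ = run_filter(COMBO_DUHL_GEOCITIES, msg["body"], failed)
    return sniffer_weight + combo_weight, sorted(failed)


if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM)):
        print(name, score_message(msg))
```

The point of the two-file arrangement shows up in the HAM case: the link filter fires (so GEOCITIESLINKS is recorded), but because the sender is not in the dial-up list the combo file adds nothing, which is exactly the false-positive protection Markus relies on. A message from a dial-up range with no geocities link hits the END line and also scores nothing. Dave's one-liner, by contrast, adds 3 to whatever Sniffer already contributed, and with Sniffer at 7 it crosses his hold weight of 10.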
Re[2]: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 11:02:11 AM, Bonno wrote:

BB> Hi Pete,
BB> []
>> If you wish, it is possible to create a local black rule for any
>> geocities link. On many ISP systems this would cause false positives,
>> but on more private systems it may be a reasonable solution.
>>
BB> I think I could use such a black rule without getting too many FPs, but in
BB> which categories would that rule then go? I score the several Sniffer
BB> results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63
BB> would put it several points below my hold weight. An extra hit would be
BB> needed to get it held.

Normally when we make custom black rules we code them to a special rule group (generally with a group symbol 5 by convention). Since 5 is a lower number than all other rule groups (except for white rules = 0) any message matching a local black rule will be distinct.

Hope this helps,

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] [Fwd: Diann Helms]
Would you share your filters? I assume Declude filters.

Cordially,

Heimir Eidskrem
i360, Inc.
2825 Wilcrest, Suite 675
Houston, TX 77042
Ph: 713-981-4900
Fax: 832-242-6632
[EMAIL PROTECTED]
www.i360.net
www.i360hosting.com
www.realister.com
Houston's Leading Internet Consulting Company

Markus Gufler wrote:
> Heimir,
>
> It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dial-up IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server.
>
> Markus
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
> Sent: Wednesday, February 15, 2006 2:53 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] [Fwd: Diann Helms]
>
> Any way to stop this spam?
> We are getting hundreds of them.
> I have personally gotten 23.
>
> From - Wed Feb 15 07:51:25 2006
> X-Account-Key: account3
> X-UIDL: 384485764
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
> Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
> Message-Id: <[EMAIL PROTECTED]>
> From: "Shane Redmond" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Diann Helms
> X-Mailer: Opera7.20/Win32 M2 build 2981
> Date: Wed, 15 Feb 2006 06:37:38 -0600
> X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
> X-RBL-Warning: IPNOTINMX:
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry.
> X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
> X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0)
> X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
> X-Declude-Spoolname: D208b017db78a.smd
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
> X-Country-Chain: CANADA->destination
> X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 384485764
> X-IMail-ThreadID: 208b017db78a
>
> Braxton,
>
> http://uk.geocities.com/proboycott45571
>
> Shane Redmond
Re: [sniffer] [Fwd: Diann Helms]
Hi Pete,

[]
> If you wish, it is possible to create a local black rule for any
> geocities link. On many ISP systems this would cause false positives,
> but on more private systems it may be a reasonable solution.
>

I think I could use such a black rule without getting too many FPs, but in which categories would that rule then go? I score the several Sniffer results differently in my Declude setup. A hit on just Sniffer 60, 61 or 63 would put it several points below my hold weight. An extra hit would be needed to get it held.

> If you want such a black rule added to your rulebase please send a
> request off-list to [EMAIL PROTECTED]

As the above information might be of interest to others I'll ask here first.

Groetjes,

Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]
RE: [sniffer] [Fwd: Diann Helms]
Heimir,

It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dial-up IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing a geocities link shouldn't come from dial-up IPs to my server.

Markus

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
> Sent: Wednesday, February 15, 2006 2:53 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] [Fwd: Diann Helms]
>
> Any way to stop this spam?
> We are getting hundreds of them.
> I have personally gotten 23.
>
> From - Wed Feb 15 07:51:25 2006
> X-Account-Key: account3
> X-UIDL: 384485764
> X-Mozilla-Status: 0001
> X-Mozilla-Status2:
> Received: from DM [206.53.51.56] by deepspace.i360.net
> (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
> Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15
> Feb 2006 06:37:38 -0600
> Message-Id: <[EMAIL PROTECTED]>
> From: "Shane Redmond" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Diann Helms
> X-Mailer: Opera7.20/Win32 M2 build 2981
> Date: Wed, 15 Feb 2006 06:37:38 -0600
> X-RBL-Warning: NOLEGITCONTENT: No content unique to
> legitimate E-mail detected.
> X-RBL-Warning: IPNOTINMX:
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA
> 206.53.51.56 with no reverse DNS entry.
> X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
> X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER
> test (line 36, weight 0)
> X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
> X-Declude-Spoolname: D208b017db78a.smd
> X-Note: This E-mail was scanned by Declude JunkMail
> (www.declude.com) for spam.
> X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS,
> CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
> X-Country-Chain: CANADA->destination
> X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 384485764
> X-IMail-ThreadID: 208b017db78a
>
>
> Braxton,
>
> http://uk.geocities.com/proboycott45571
>
> Shane Redmond
Re: [sniffer] [Fwd: Diann Helms]
On Wednesday, February 15, 2006, 8:53:27 AM, Heimir wrote:

HE> Any way to stop this spam?
HE> We are getting hundreds of them.
HE> I have personally gotten 23.

It's a challenging one... there is almost no data, and the geocities link is constantly different. I've written another abstract to cover this structure. I'll continue to do that as new structures arise, provided I can do so without creating false positives.

If you wish, it is possible to create a local black rule for any geocities link. On many ISP systems this would cause false positives, but on more private systems it may be a reasonable solution.

If you want such a black rule added to your rulebase please send a request off-list to [EMAIL PROTECTED]

Thanks,

_M
[sniffer] [Fwd: Diann Helms]
Any way to stop this spam?
We are getting hundreds of them.
I have personally gotten 23.

From - Wed Feb 15 07:51:25 2006
X-Account-Key: account3
X-UIDL: 384485764
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
Message-Id: <[EMAIL PROTECTED]>
From: "Shane Redmond" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Diann Helms
X-Mailer: Opera7.20/Win32 M2 build 2981
Date: Wed, 15 Feb 2006 06:37:38 -0600
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
X-Declude-Spoolname: D208b017db78a.smd
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
X-Country-Chain: CANADA->destination
X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 384485764
X-IMail-ThreadID: 208b017db78a

Braxton,

http://uk.geocities.com/proboycott45571

Shane Redmond