Markus, For the record I have about 5 different spam domains tests. Dan
----- Original Message ----- From: "Markus Gufler" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, October 05, 2004 12:41 PM Subject: RE: [Declude.JunkMail] Citibank - phishing- still live > Chuck, and others, > > Maybe you should consider splitting your spamdomain file to multiple files > with different weights > > While messages from yahoo, msn and Co. could have many FP's as users are > connecting from everwhere you shouldn't see any message from other tipical > spamdomains (like citibank) not matching the spamdomain-rule. > > Someone (Scott Fisher?) has a great list of spamdomains categorized in > SD-STRONG > SD-LOW > SD-PISH > ... > > SD-PISH on my server has a spam-accuracy of 100% (no false positives) in > over 360.000 processed messages. > Here's the list of domains for SD-PISH: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > @paypal.com .paypal. > @ebay.com .ebay. > .ebay.com .emailebay.com > citibank.com .ssmb.com > commercebank.com .psmtp.com > fleet.com .bkb.com > @usbank.com .usbank.com > wellsfargo.com .norwest.com > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Markus > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick > > Sent: Tuesday, October 05, 2004 6:07 PM > > To: [EMAIL PROTECTED] > > Subject: RE: [Declude.JunkMail] Citibank - phishing- still live > > > > > > > > Unfortunately spamdomains is a test that has a lot of false > > positives and there is not real solid list of spamdomains. > > Because of that we have to weight spamdomains low, so I could > > never say that users would not see such an email because of > > spam domains alone. On the other hand I can give a very high > > weight to urls contained in the body of an email and will > > have almost no false positives. Just my thoughts on the matter. > > > > Chuck Schick > > Warp 8, Inc. > > (303)-421-5140 > > www.warp8.com > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser > > Sent: Tuesday, October 05, 2004 9:14 AM > > To: [EMAIL PROTECTED] > > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live > > > > > > Whether I classify them as spam or not, I don't post every > > spam that I receive to this list. > > > > My point is that if you are blocking phish based on > > individual URLs I think you are not doing it in the most > > efficient way. Simply adding... > > > > @ameritrade.com .ameritrade.com > > @citi.com .citibank.com > > @citibank.com .citibank.com > > @ebay.com .ebay.com > > @fleet.com .fleet.com > > .gs.com > > @paypal.com .paypal.com > > @suntrust.com .suntrust.com > > @visa.com .visa.com > > @wellsfargo.com .wellsfargo.com > > > > to the text file which maps to my Spamdomains test keeps all > > of the phish away from my users since none of these messages > > every originate from the proper domains. > > > > Dan > > > > ----- Original Message ----- > > From: "Bill Landry" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Tuesday, October 05, 2004 10:58 AM > > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live > > > > > > > Where else would you suggest they be posted, after all, phishing > > > e-mail > > are > > > spam in my book. However, with that said, more and more > > virus vendors > > > are starting to add phishing e-mail recognition to their virus > > > definitions. Both uvscan (NAI/McAfee) and the latest release > > > candidates for ClamAV support phishing e-mail detection. > > > > > > Bill > > > ----- Original Message ----- > > > From: "Dan Geiser" <[EMAIL PROTECTED]> > > > To: <[EMAIL PROTECTED]> > > > Sent: Tuesday, October 05, 2004 4:22 AM > > > Subject: Re: [Declude.JunkMail] Citibank - phishing- still live > > > > > > > > > Can I ask why you guys post these to the Declude JunkMail > > discussion > > > list? It doesn't seem to have anything to do with the > > subject matter > > > of this list. > > > > > > ----- Original Message ----- > > > From: Kami Razvan <mailto:[EMAIL PROTECTED]> > > > To: [EMAIL PROTECTED] > > <mailto:[EMAIL PROTECTED]> > > > Sent: Tuesday, October 05, 2004 6:56 AM > > > Subject: [Declude.JunkMail] Citibank - phishing- still live > > > > > > Hi; > > > the following is another phishing attempt- the site still live. > > > > > > http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> > > > > > > Regards, > > > Kami > > > > > > > > > ==== Email > > > > > > Subject: [37~]Dear customer your details have been compromised > > > MIME-Version: 1.0 (produced by annunciatemarginalia 8.2) > > > Content-Type: multipart/alternative; > > boundary="--938071008627732911" > > > X-RBL-Warning: IPNOTINMX: > > > X-RBL-Warning: NOLEGITCONTENT: No content unique to > > legitimate E-mail > > > detected. > > > X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. > > > X-RBL-Warning: NJABL-DYNA: "Dynamic/Residential IP range > > listed by NJABL > > > dynablock - http://njabl.org/dynablock.html > > > <http://njabl.org/dynablock.html> " > > > X-RBL-Warning: NJABL-DUL: This E-mail came from 12.107.246.11, a > > > potential spam source listed in NJABL-DUL. > > > X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED] > > > <mailto:[EMAIL PROTECTED]> " > > > X-RBL-Warning: SORBS-DUL: "Dynamic IP Address See: > > > http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11 > > > <http://www.dnsbl.sorbs.net/lookup.shtml?12.107.246.11> " > > > X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line > > 198, weight > > > 13) > > > X-Declude-Sender: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > > > [12.107.246.11] > > > X-Declude-Spoolname: D26691b0502409fba.SMD > > > X-Note: > > > ================================================================== > > > X-Note: Spam Score: 37 [BLOCKED ON 20+ & DELETED ON 40+] > > > X-Note: Scan Time: 00:43:47 on 05 Oct 2004 > > > X-Note: Spool File: D26691b0502409fba.SMD > > > X-Note: Server Name: dialup-12-107-246-11.dtccom.net > > > X-Note: SMTP Sender: [EMAIL PROTECTED] > > <mailto:[EMAIL PROTECTED]> > > > X-Note: Reverse DNS & IP: dialup-12-107-246-11.dtccom.net > > > [12.107.246.11] > > > X-Note: Country Chain: UNITED STATES->destination > > > > > > > > > ----938071008627732911 > > > Content-Type: text/plain; > > > charset="iso-2059-6" > > > Content-Transfer-Encoding: quoted-printable > > > Content-Description: nicholson salmonberry biblical > > > > > > Dear Customer: > > > > > > Recently there have been a large number of cyber attacks > > pointing our > > > data= > > > base servers. In order to safeguard your account, we > > require you to sign > > > o= > > > n immediately. > > > > > > This personal check is requested of you as a precautionary > > measure and > > > to = > > > ensure yourselves that everything is normal with your balance and > > > personal= > > > information. > > > > > > This process is mandatory, and if you did not sign on > > within the nearest > > > t= > > > ime your account may be subject to temporary suspension. > > > > > > Please make sure you have your Citibank(R) debit card > > number and your > > > User= > > > ID and Password at hand. > > > > > > Please use our secure counter server to indicate that you > > have signed > > > on, = > > > please click the link bellow: > > > > > > http://211.158.34.250/citifi/ <http://211.158.34.250/citifi/> > > > > > > !! Note that we have no particular indications that your > > details have > > > been= > > > compromised in any way. > > > > > > Thank you for your prompt attention to this matter and thank you for > > > using= > > > Citibank(R) > > > > > > Regards, > > > > > > Citibank(R) Card Department > > > > > > (C)2004 Citibank. Citibank, N.A., Citibank, F.S.B., > > > Citibank (West), FSB. Member FDIC.Citibank and Arc > > > Design is a registered service mark of Citicorp. > > > > > > ----938071008627732911-- > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > > type "unsubscribe Declude.JunkMail". The archives can be found > > > at http://www.mail-archive.com. > > > > > -------------------------------------------------------------- > > --------- > > > Sign up for virus-free and spam-free e-mail with Nexus > > Technology Group > > > http://www.nexustechgroup.com/mailscan > > > > > > > > > > > > -------------------------------------------------------------- > > --------- > > Sign up for virus-free and spam-free e-mail with Nexus > > Technology Group > > http://www.nexustechgroup.com/mailscan > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > --- > > [This E-mail was scanned for viruses by Declude Virus > > (http://www.declude.com)] > > > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > ----------------------------------------------------------------------- > Sign up for virus-free and spam-free e-mail with Nexus Technology Group > http://www.nexustechgroup.com/mailscan > > > ----------------------------------------------------------------------- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
