Thanks for the responses.
 
Since my e-mail account is one of the two being joe-jobbed, I've got lots of samples to look at...
I'll document how I attacked the problem for the mailing archive:
 
The spammer sends out the subject base64 encoded (Subject: =?iso-8859-1?B?).
It also will forge the from line with various displayed names and my e-mail address ("Cute Cultivator" [EMAIL PROTECTED])
So I can use this forged from address as a joe-job filter.
 
I'm being pretty conservative so that legit NDRs don't get blocked...
There are still some annoying Joe-Job NDRs that come back. The Earthlink and Spamarrest filters are the most annoying. I almost want to reply to them so they get the original spam. The over-quote messages don't seem to block well either.
 
The filters:
 
sfisher-joe-job.txt (Weight 50 in global.cfg)
TESTSFAILED END NOTCONTAINS MAILFROM-NULL-SENDER
ALLRECIPS END NOTCONTAINS sfisher@
MINWEIGHTTOFAIL 2
BODY  END CONTAINS Scott Fisher
BODY  1 CONTAINS Subject: =?iso-8859-1?B?
BODY  1 CONTAINS a" <[EMAIL PROTECTED]>
BODY  1 CONTAINS b" <[EMAIL PROTECTED]> and so on.

Mailfrom-Null-sender.txt:
MAILFROM 1 IS  <>
MAILFROM 1 STARTSWITH MAILER-DAEMON@
MAILFROM 1 STARTSWITH MAIL@
MAILFROM 1 STARTSWITH spamblocker-challenge@
MAILFROM 1 CONTAINS SMTP_Gateways@
MAILFROM 1 CONTAINS SMTP@
 
And then a punishment combo with the joe-job filters and sniffer and some URL test: (weight 100 in global.cfg)
MINWEIGHTTOFAIL 2
TESTSFAILED 1 CONTAINS SFISHER-JOE-JOB
TESTSFAILED 1 CONTAINS DCRUMMETT-JOE-JOB
TESTSFAILED 1 CONTAINS SFISHER-JOE-JOB
TESTSFAILED 1 CONTAINS DCRUMMETT-JOE-JOB
TESTSFAILED 1 CONTAINS SNIFFER-TRAVEL
TESTSFAILED 1 CONTAINS SNIFFER-INSURANCE
TESTSFAILED 1 CONTAINS SNIFFER-AV-PUSH
TESTSFAILED 1 CONTAINS SNIFFER-WAREZ
TESTSFAILED 1 CONTAINS SNIFFER-SPAMWARE
TESTSFAILED 1 CONTAINS SNIFFER-SNAKEOIL
TESTSFAILED 1 CONTAINS SNIFFER-SCAMS
TESTSFAILED 1 CONTAINS SNIFFER-PORN
TESTSFAILED 1 CONTAINS SNIFFER-MALWARE
TESTSFAILED 1 CONTAINS SNIFFER-ADVERTISING
TESTSFAILED 1 CONTAINS SNIFFER-SCHEMES
TESTSFAILED 1 CONTAINS SNIFFER-CREDIT
TESTSFAILED 1 CONTAINS SNIFFER-GAMBLING
#TESTSFAILED 1 CONTAINS SNIFFER-EXPER-IP    (not doing this one in case legit bounces... just playing it safe)
TESTSFAILED 1 CONTAINS SNIFFER-OBFUSCATION
TESTSFAILED 1 CONTAINS SNIFFER-EXPERIMENTAL
TESTSFAILED 1 CONTAINS SNIFFER-GENERAL
TESTSFAILED 1 CONTAINS BODY-URL-CURRENT
TESTSFAILED 1 CONTAINS BODY-URL-PREVIOUS
TESTSFAILED 1 CONTAINS BODY-SCSURBL
 

----- Original Message -----
Sent: Friday, November 05, 2004 4:40 PM
Subject: [Declude.JunkMail] Joe Job Filters

Does anyone have a filter that works well on stopping Joe Job bounces (preferably while not stopping legit bounces...)?

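The scoring logic of the sfisher-joe-job and Mailfrom-Null-sender filters above, modelled in Python as an added example (not part of the original post and not Declude code). It assumes an END line stops the filter when its condition matches and that matching is case-insensitive; the address `sfisher@example.test` and both sample bounces are constructed.

```python
import string

# MAILFROM lines from Mailfrom-Null-sender.txt, lowercased for matching.
NULL_IS = ("<>",)
NULL_STARTSWITH = ("mailer-daemon@", "mail@", "spamblocker-challenge@")
NULL_CONTAINS = ("smtp_gateways@", "smtp@")

def is_null_sender(mailfrom):
    m = mailfrom.strip().lower()
    return (m in NULL_IS or m.startswith(NULL_STARTSWITH)
            or any(s in m for s in NULL_CONTAINS))

def joe_job_score(mailfrom, recips, body, victim, real_name, min_weight=2):
    """Return (weight, failed) for one message."""
    body_l = body.lower()
    local = victim.split("@")[0].lower() + "@"
    # TESTSFAILED END NOTCONTAINS MAILFROM-NULL-SENDER: only bounces are scored.
    if not is_null_sender(mailfrom):
        return 0, False
    # ALLRECIPS END NOTCONTAINS sfisher@: the bounce must be addressed to the victim.
    if not any(local in r.lower() for r in recips):
        return 0, False
    # BODY END CONTAINS <real name>: a bounce quoting the real display name is legit.
    if real_name.lower() in body_l:
        return 0, False
    weight = 0
    # BODY 1 CONTAINS Subject: =?iso-8859-1?B?  (base64-encoded subject marker)
    if "subject: =?iso-8859-1?b?" in body_l:
        weight += 1
    # One BODY line per letter: a forged display name ending in that letter.
    for ch in string.ascii_lowercase:
        if f'{ch}" <{victim.lower()}>' in body_l:
            weight += 1
    return weight, weight >= min_weight

VICTIM = "sfisher@example.test"   # constructed placeholder address
JOE_JOB = ('Your message could not be delivered.\n'
           'From: "Cute Cultivator" <sfisher@example.test>\n'
           'Subject: =?iso-8859-1?B?Q2hlYXAgbWVkcw==?=\n')
LEGIT = ('Your message could not be delivered.\n'
         'From: "Scott Fisher" <sfisher@example.test>\n'
         'Subject: Quarterly report\n')

if __name__ == "__main__":
    for name, body in (("joe-job", JOE_JOB), ("legit", LEGIT)):
        print(name, joe_job_score("<>", [VICTIM], body, VICTIM, "Scott Fisher"))
```

The per-letter line would also match the real display name ("Fisher" ends in r), which is why the real-name END check has to come before the weighted lines.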