He said he is running message sniffer? He should add INVURIBL to check the URI Black lists.
Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox
> Sent: Friday, September 02, 2005 10:35 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Suggestions on catching a spam message?
>
> Best recommendation? Add message sniffer from sortmonster.com. It is the single best test on our system.
>
> Darin.
>
> ----- Original Message -----
> From: "Dave Beckstrom" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Friday, September 02, 2005 12:59 PM
> Subject: [Declude.JunkMail] Suggestions on catching a spam message?
>
> Hi Everyone,
>
> I just purchased declude two days ago. I'm running Declude with message sniffer on a smartermail server. So far, it is working very well.
>
> The approach that I have been trying to take is to, wherever possible, avoid creating a custom filter entry to trap a specific email. Below is an example of a spam email which slipped through this morning. I sanitized the mail headers so any reference to myserver or mydomain or myaddress is where I replaced our details in the headers.
>
> As you can see from the headers, there was very little wrong with this email that would enable us to score it high enough for it to be considered spam.
>
> I tag the subject at a score of 14.
>
> At the bottom of this message is the actual body of the html email. Obviously I could add a filter entry to look for "agnheqe3.com" and to delete or hold the message. The problem with that approach, in my opinion, is it never ends. If they have 1000 different domains that means a 1000 filter entries. I hate filtering to block a specific email and I would rather block based upon a pattern common to all spam.
>
> I am wondering if you have had any success on trapping emails like the one below? What would you add or change to have caught this message? The only thing I saw, that is common to spam, which I think I could filter on is the "/track?" in the URL. I've seen a lot of spam that triggers various ASP or PHP or other programs in the IMG SRC tag which enables a spammer to verify that the email was opened and read.
>
> What do you think? How can I tighten up my filtering to catch an email such as the one below?
>
> Do you guys forward spam to spamcop or other places to help with the RBLs?
>
> Thanks!
>
> Dave
>
> Return-Path: <[EMAIL PROTECTED]>
> Fri Sep 02
> 07:34:48 2005
> Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com
> with SMTP;
> Fri, 2 Sep 2005 07:34:48 -0500
> MIME-Version: 1.0
> X-Accept-Language: en
> X-Priority: Normal
> From: Energy Drink <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Nationwide Energy Drink Survey
> Date: Fri, 2 Sep 2005 04:08:28 EST
> Message-ID: <q8tz5,[EMAIL PROTECTED]>
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
> [8008000e].
> X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
> X-RBL-Warning: Filter_Country: Message failed Filter_Country test
> (line 223,
> weight 0)
> X-Note: ========================================
> X-Note: Spam Score: [6]
> X-Note: Scan Time: 07:35:08 on 02 Sep 2005
> X-Note: Spool File: 37143703.EML
> X-Note: Server Name: sip.agnheqe3.com
> X-Note: SMTP Sender:
> [EMAIL PROTECTED]
> X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29]
> X-Note: Recipient(s): <fwd>[EMAIL PROTECTED]
> X-Note: Country Chain: UNITED STATES->destination
> X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1],
> Filter_Country [0]
> X-Note: ========================================
>
> <html>
> <body><br>
> <a
> href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=622
> 5115&l=0">
> <img
> src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a><br><br>
> <img
> src="http://agnheqe3.com/t?m=6225115&l=2" border=0></a><br><br>
> <a
> href="http://agnheqe3.com/t?m=6225115&l=4">
> <img
> src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1"
> border=0></a><br>
> <br><br><font color='#ffffff' face='arial,helvetica'
> size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html>
>
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
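
The two checks raised in this thread, a URI blacklist lookup on the domains in the body and Dave's observation about tracking URLs in IMG SRC, sketched as an added example that is not part of the original messages and is not Declude, Message Sniffer or INVURIBL code. The zone `uribl.example` is a placeholder, the function names are hypothetical, and the two-label domain reduction is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder zone; substitute the URI blacklist zone you query.
URIBL_ZONE = "uribl.example"

# Body modelled on the message quoted in the thread (trimmed).
SAMPLE_BODY = """<html><body>
<a href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0">
<img src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a>
<a href="http://agnheqe3.com/t?m=6225115&l=4">
<img src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1" border=0></a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from href and src attributes."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, value))


def base_domain(host):
    # Simplification: last two labels. Real code needs the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(body, zone=URIBL_ZONE):
    """Return the DNS names to query and any remote-image tracking URLs."""
    collector = LinkCollector()
    collector.feed(body)
    domains, beacons = set(), []
    for tag, url in collector.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        domains.add(base_domain(parts.hostname))
        # Remote image with a query string: the open-tracking pattern.
        if tag == "img" and parts.query:
            beacons.append(url)
    queries = sorted(f"{d}.{zone}" for d in domains)
    return {"uribl_queries": queries, "beacons": beacons}


if __name__ == "__main__":
    print(analyse(SAMPLE_BODY))
```

Because the lookup is keyed on the domain rather than the full URL, one blacklist entry covers every `/track?` and `/t?` link in the message, which avoids the per-domain filter entries Dave wants to stay away from.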