Hi Dave:

Welcome!

You'll find that tweaking weights and filters is an ongoing proposition. You have BADHEADERS weighted at more than half your tag weight, so that is a good start. I do not add any weight for SPFUNKNOWN, and I have found the country filter to be of little use.

One suggestion: The message apparently passed Sniffer, so the first thing is to forward it to spam @ sortmonster.com They will have a look and add it to their database. They are very, very good, and I find it is the best single test I have running.

-Dave Doherty
Skywaves, Inc.



----- Original Message -----
From: "Dave Beckstrom" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Friday, September 02, 2005 12:59 PM
Subject: [Declude.JunkMail] Suggestions on catching a spam message?



Hi Everyone,

I just purchased declude two days ago.  I'm running Declude with message
sniffer on a smartermail server.  So far, it is working very well.

The approach that I have been trying to take is to, wherever possible, avoid
creating a custom filter entry to trap a specific email.  Below is an
example of a spam email which slipped through this morning. I sanitized the mail headers so any reference to myserver or mydomain or myaddress is where
I replaced our details in the headers.

As you can see from the headers, there was very little wrong with this email
that would enable us to score it high enough for it to be considered spam.

I tag the subject at a score of 14.

At the bottom of this message is the actual body of the html email.
Obviously I could add a filter entry to look for "agnheqe3.com" and to
delete or hold the message. The problem with that approach, in my opinion,
is it never ends. If they have 1000 different domains that means a 1000
filter entries. I hate filtering to block a specific email and I would
rather block based upon a pattern common to all spam.

I am wondering if you have had any success on trapping emails like the one
below? What would you add or change to have caught this message? The only thing I saw, that is common to spam, which I think I could filter on is the "/track?" in the URL. I've seen a lot of spam that triggers various ASP or
PHP or other programs in the IMG SRC tag which enables a spammer to verify
that the email was opened and read.

What do you think? How can I tighten up my filtering to catch an email such
as the one below?

Do you guys forward spam to spamcop or other places to help with the RBLs?

Thanks!

Dave



Return-Path: <[EMAIL PROTECTED]> Fri Sep 02
07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com
with SMTP;
  Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Nationwide Energy Drink Survey
Date: Fri, 2 Sep 2005 04:08:28 EST
Message-ID: <q8tz5,[EMAIL PROTECTED]>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8008000e].
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 223,
weight 0)
X-Note: ========================================
X-Note: Spam Score:       [6]
X-Note: Scan Time:     07:35:08 on 02 Sep 2005
X-Note: Spool File:     37143703.EML
X-Note: Server Name:     sip.agnheqe3.com
X-Note: SMTP Sender:
[EMAIL PROTECTED]
X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29]
X-Note: Recipient(s):    <fwd>[EMAIL PROTECTED]
X-Note: Country Chain:   UNITED STATES->destination
X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0]
X-Note: ========================================




<html>
<body><br>
<a
href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0";>
<img
src="http://agnheqe3.com/t?m=6225115&l=3"; border=0></a><br><br>
<img
src="http://agnheqe3.com/t?m=6225115&l=2"; border=0></a><br><br>
<a
href="http://agnheqe3.com/t?m=6225115&l=4";>
<img
src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1";
border=0></a><br>
<br><br><font color='#ffffff' face='arial,helvetica'
size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html>

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



