Hi Matt, great work.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, November 18, 2006 09:35 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] MXRate-Allow

Andy,

I both assumed and created a group of different definitions of things for classifying spammers and things related to them. I don't claim that this list is universal, nor complete, but when I refer to something with one of these terms, this is generally what I mean.

I am a believer in targeting specific types of spam with specific methods. For instance, AFF Spam is not usefully targeted primarily with IP4R tests since it mostly comes from legitimate mail servers, however you will often get a zombie-type hit on the IP from the first hop. Likewise I also believe in not lumping everything under very generalized terms to describe them, i.e. "spam" or "spammer".

* Zombie Spammer - A spammer that hijacks others' computers where the spam is sent directly from the hijacked computer to one's server.
* Zombie - A computer that has been hijacked and is a member of a bot-net.
* Bot-net - A group of zombies under one group's control, typically used for spamming and for DDoS attacks, but also sometimes used to relay through legitimate servers using either AUTH hacking or trusted IP space.
* Open Relay - A mail server that allows un-authenticated E-mail to be sent through it.
* AUTH Relay - A mail server that has accounts where either AUTH has been hacked to send spam, or allows trusted IP space to relay spam.
* Relay Spammer - A spammer that uses either Open Relays or AUTH Relays to send spam.
* Static Spammer - A group dedicated to spamming that uses their own servers (contracted or owned).
* AFF Spam (Advance Fee Fraud) - Consists of scams where the object is to get the recipient to hand over cash in expectation of a return. This typically consists of Nigerian spam, Lottery spam, "buy from your store" spam, and "representatives wanted" spam.
* Phishing Spam - Scams designed to trick the recipients into handing over valuable information. These messages are typically sent through sites using content management tools (Wikis, message boards, blogging software, and PHPNuke-type content management tools). The content is also often hosted on the same.
* Bulk Mailers - Companies that are not committed exclusively to spamming, but most of which will leak spam from time to time. Some are better than others at preventing spam, and some have service designs that lend themselves to abuse.
* Niche Spam - Small-time spammers that generally target a very specific demographic such as a region or a type of business. They often use either their own official E-mail server or that of their ISP, and they can be hard to catch without manual blacklisting.
* Backscatter - Messages that result from automated responses to forged addresses, typically resulting from gateways that don't validate recipient addresses, but also caused by auto-responders, vacation messages, open relays, AUTH relays and AV blocking mechanisms.
* Form Spam - Spammers that target contact forms to send their spam to the hard coded recipients, or in some cases attempt to recode the recipients if that value is specified within the form.
* Spim - Instant messaging spam. Typically sent by zombies.
* Blog Spam - Also affects things like guestbooks, comment mechanisms and message boards. Used either for spamdexing or to directly advertise one's products. Primarily done by zombies.
* Spamdexing - The act of spreading links to a site by posting them in blogs, guestbooks and message boards with the goal of improving search ranking of the sites listed.

Matt

Andy Schmidt wrote:

Hi Matt:

What is a "static" spammer?
I've looked into a few in the past week and they all obviously were marketing mail companies (such as in this case, mta8br.cmpgnr.com [69.28.223.132]) - and, of course, the mail account that was receiving the spam was never subscribed there.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, November 18, 2006 07:54 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] MXRate-Allow

Andy,

That result code is neither a whitelist nor a blacklist, it is merely an indication that legitimate E-mail has been received in quantity from that IP. Due to the fact that spam levels are approaching 99% of connection traffic these days (not the same as message volume), it is not uncommon to find that places that send a lot of good E-mail also send a lot of spam from time to time.

This particular result code is most useful in the context of Alligate, but it has little value when used simply as an IP4R test within Declude. You can however assume with a high degree of confidence that you won't be receiving zombie generated spam from this result code unless it was forwarded or on a very rare occasion, the server itself is hacked. You can also fairly safely assume that this will not be a static spammer. It can however be a bulk-mail provider that leaks some spam, or a real E-mail service that has Advance Fee Fraud users (Hotmail for instance), or service providers that are forwarding E-mail, or possibly forwarding phishing on behalf of hacked servers in their network.

Matt

Andy Schmidt wrote:

Is it me - or should MXRate-Allow be treated as a "spam source" list? I don't know how many times I've looked at Spam that made it through and the IP is on their whitelist, such as "campaigner".
Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
Received: from mta8br.cmpgnr.com [69.28.223.132] by hm-software.com (SMTPD-9.10) id A0C01D47C; Sat, 18 Nov 2006 11:11:44 -0500
Return-Path: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 18 Nov 2006 11:11:48 -0500 (EST)
From: "Purplus Inc." <[EMAIL PROTECTED]>
Reply-To: "Purplus Inc." <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Great New Deals >From Purplus Software
Errors-To: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_220171_25603728.1163866308151"
X-Campaign: 829605.828864.667296.793699032
Bounces-To: [EMAIL PROTECTED]
X-RBL-Warning: Suspected SPAM. "Spam Received Recently See: http://www.sorbs.net/lookup.shtml?69.28.223.132"
X-Declude-RefID:
X-Declude: Version 4.3.14; Code 0xe from mta8br.cmpgnr.com [69.28.223.132]
X-Declude: Triggered [4] SENDERDB-ALLOW, SPFPASS, SNIFFER
X-Countries: UNITED STATES->destination
Return-Path: <[EMAIL PROTECTED]>
X-RCPT-TO: <[EMAIL PROTECTED]>
Status:
X-UIDL: 463610395
X-IMail-ThreadID: 30c001bc00005152

From: Purplus Inc. [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 18, 2006 11:12 AM
To: [EMAIL PROTECTED]
Subject: Great New Deals >From Purplus Software

------------------------- SPAM DELETED ------------------------------------------

You are subscribed as [EMAIL PROTECTED]
To unsubscribe please click <http://cmpgnr.com/r.html?c=829605&r=828864&t=793699032&l=6&[EMAIL PROTECTED] as&la=1&o=-40> here.
<http://www.campaigner.com/?testdrive_1>
<http://cmpgnr.com/app/campaigner/trk/opn.jsp?cid=829605&rid=828864&ctd=793699032&lid=87676647&g=0&f=87676648>

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.