FYI... I spot-checked some of the domains involved in what we were seeing.
Many were two or three years old, so the new domain test would not work on
them.

On the report, there are log parsers that will do that for you, including
Grep and Sawmill.  We don’t use those, but import our logs into SQL Server
for processing and reporting.

Darin.



From: Dave Beckstrom
Sent: Wednesday, April 17, 2013 1:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I put in a request to Darrell at Invariant to see if he could update
URIExtract to produce a report of IPs on top of the domain report that it
currently produces.

What I've been doing is if I receive one spam from say 69.22.136.43 and
another spam from 69.22.136.48 then I firewall 69.22.136.0/24

I'd like to see a report of IPs extracted from emails and a count of how
many emails were found from a given IP -- reports taken from the INVURIBL
log files, that is.

I've not heard back from Darrell.   I don't have any other tool at my
disposal for extracting those IPs.

What we really need is something that would do a whois query and for any
domain registered within say the last 24 hours then Declude could hold or
delete the email.  The majority of spam seems to be from spammers who
registered a domain using a fake credit card and by the time the registrar
figures out they didn't get paid then the spammer is on to the next domain.



--------------------------------------------------------------------------------
From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [SPAM]- Score (19)Re: [Declude.JunkMail] No one at Declude?


Not many IPs in that range in use yet according to SenderBase, but those
that are are very bad.

We’ve been seeing a lot of spam traffic where SenderBase didn’t have any
measurements on the IP yet that we were seeing, but had a number of others
in the same subnet... all bad.

Darin.



From: Katie La Salle-Lowery
Sent: Wednesday, April 17, 2013 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Here are the headers of an example I received.

Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by
  mail.centric.net with ESMTP
  (SMTPD-11.01) id 1950001a04b74c7d; Wed, 17 Apr 2013 08:57:09 -0600
From: "credit line increase" <barbara_watk...@mountainmusicmeltdown.com>
To: <ka...@centric.net>
Subject: Magnificent News! TransUnion Gave You a Credit Increase
Date: Wed, 17 Apr 2013 10:50:56 -0400
Message-ID:
  <34770215301099823782438a696834a88ab99428fd8da700...@pop.mountainmusicmeltdown.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D1950001a04b74c7d.smd
X-GBUdb-Analysis: 0, 207.223.191.101, Ugly c=0.279065 p=1 Source Truncate
X-MessageSniffer-Scan-Result: 20
X-MessageSniffer-Rules:
                20-0-0--1-f
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-Declude-Sender: barbara_watk...@mountainmusicmeltdown.com
  [207.223.191.101]
X-Declude-Spoolname: D1950001a04b74c7d.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Centric Internet Services using Declude 4.12.01
  for spam. "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [8] at 08:57:23 on 17 Apr 2013
X-Declude-Fail: SORBS-DUL [5], SORBS [4], SPFPASS [-1], SUBCHARS-55 [1]
X-Country-Chain:
X-RCPT-TO: <ka...@centric.net>
Status:
X-UIDL: 651220478
X-IMail-ThreadID: 1950001a04b74c7d


Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338



From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 10:52 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?



On 2013-04-17 12:37, Katie La Salle-Lowery wrote:

  Our Declude + Message Sniffer appears to be processing, and it is deleting
much spam, but we are experiencing much more spam delivery than a couple
weeks ago and I’m getting user complaints.


It's possible that your weighting is off due to some parts of Declude not
working anymore.
If you're experiencing leakage that SNF is not tagging please let us know
and we will work aggressively to resolve the problem.

http://www.armresearch.com/support/articles/procedures/spamSubmissions.jsp

If SNF is tagging the messages that are getting through then be sure to
adjust your configuration to weight SNF results more highly.

Hope this helps,

_M





--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to imail...@declude.com, and type "unsubscribe
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
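
[Added example, not part of any message in this thread and not code from Declude, Invariant or URIExtract: one way to produce the per-IP count report requested above and to list /24 subnets where two or more distinct spam sources were seen, which is the rule described for firewalling 69.22.136.0/24. The log lines are constructed, and the INVURIBL log layout is an assumption; the script only relies on IPv4 addresses appearing as plain text.]

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines. The real INVURIBL log layout is not shown in the
# thread, so the parser only assumes that IPv4 addresses appear as plain text.
SAMPLE_LOG = """\
04/17/2013 08:57:09 D1950001a.smd ip=69.22.136.43 result=spam
04/17/2013 08:58:41 D1950001b.smd ip=69.22.136.48 result=spam
04/17/2013 09:02:13 D1950001c.smd ip=69.22.136.43 result=spam
04/17/2013 09:05:50 D1950001d.smd ip=207.223.191.101 result=spam
04/17/2013 09:07:02 D1950001e.smd ip=999.1.2.3 result=spam
04/17/2013 09:09:30 D1950001f.smd ip=192.168.1.20 result=spam
"""

# Dotted quad that is not embedded in a longer run of digits and dots.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def ip_report(text):
    """Count appearances of each valid, publicly routable IPv4 address."""
    counts = Counter()
    for match in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(match.group())
        except ipaddress.AddressValueError:
            continue  # looks like an address but is not one, e.g. 999.1.2.3
        if ip.is_global:  # never propose blocking private or reserved space
            counts[ip] += 1
    return counts

def subnet_report(ip_counts, prefix=24, min_distinct=2):
    """Return {network: (distinct_ips, total_hits)} for busy subnets."""
    groups = defaultdict(dict)
    for ip, hits in ip_counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net][ip] = hits
    return {net: (len(ips), sum(ips.values()))
            for net, ips in groups.items() if len(ips) >= min_distinct}

if __name__ == "__main__":
    counts = ip_report(SAMPLE_LOG)
    for ip, hits in counts.most_common():
        print(f"{hits:5d}  {ip}")
    for net, (distinct, hits) in subnet_report(counts).items():
        print(f"candidate block: {net}  ({distinct} IPs, {hits} messages)")
```

The subnet list is a set of candidates for review before firewalling, since a /24 can also contain legitimate senders.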

