Hi Darin, I don't have stats but in manual checks it seems to be about 50% of my spam.

stepvalve.net
Creation date: 16 Apr 2013 16:13:00
Expiration date: 16 Apr 2014 08:13:00

kunstkennis.com
Updated Date: 17-apr-2013
Creation Date: 16-apr-2013

shoputc.com
Creation date: 16 Apr 2013 19:24:13
Expiration date: 16 Apr 2014 19:24:00

What ticks me off is a lot of it is registered with ENOM which is where I buy my domains.

________________________________

From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 1:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Hi Dave,

Maybe we are looking at different cross-sections of the spam problem, but on our systems we see a lot from spammy domains that are not brand new.

Darin.

From: Dave Beckstrom <mailto:db...@atving.com>
Sent: Wednesday, April 17, 2013 2:22 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

Darin,

The new domain test would work on a majority of spam. Here is one from the "saffron extract" spams that are being sent. Just got this one this morning.

Received: from mail3.llorynlouise.com [173.237.33.77] by

[Querying whois.enom.com]
[whois.enom.com]
Updated Date: 17-apr-2013
Creation Date: 16-apr-2013

________________________________

From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 1:14 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

FYI... I spot-checked some of the domains involved in what we were seeing. Many were two or three years old, so the new domain test would not work on them.

On the report, there are log parsers that will do that for you, including Grep and Sawmill. We don't use those, but import our logs into SQL Server for processing and reporting.

Darin.

From: Dave Beckstrom <mailto:db...@atving.com>
Sent: Wednesday, April 17, 2013 1:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

I put in a request to Darrell at Invariant to see if he could update URIExtract to produce a report of IPs on top of the domain report that it currently produces.

What I've been doing is if I receive one spam from say 69.22.136.43 and another spam from 69.22.136.48 then I firewall 69.22.136.0/24.

I'd like to see a report of IPs extracted from emails and a count of how many emails were found from a given IP -- reports taken from the INVURIBL log files, that is. I've not heard back from Darrell. I don't have any other tool at my disposal for extracting those IPs.

What we really need is something that would do a whois query and for any domain registered within say the last 24 hours then Declude could hold or delete the email. The majority of spam seems to be from spammers who registered a domain using fake credit card and by the time the registrar figures out they didn't get paid then the spammer is on to the next domain.

________________________________

From: Darin Cox [mailto:dc...@4cweb.com]
Sent: Wednesday, April 17, 2013 12:23 PM
To: Declude.JunkMail@declude.com
Subject: [SPAM]- Score (19)Re: [Declude.JunkMail] No one at Declude?

Not many IPs in that range in use yet according to SenderBase, but those that are are very bad.

We've been seeing a lot of spam traffic where SenderBase didn't have any measurements on the IP yet that we were seeing, but had a number of others in the same subnet... all bad.

Darin.

From: Katie La Salle-Lowery <mailto:ka...@centric.net>
Sent: Wednesday, April 17, 2013 1:06 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] No one at Declude?

Here are the headers of an example I received.

Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by mail.centric.net with ESMTP (SMTPD-11.01) id 1950001a04b74c7d; Wed, 17 Apr 2013 08:57:09 -0600
From: "credit line increase" <barbara_watk...@mountainmusicmeltdown.com>
To: <ka...@centric.net>
Subject: Magnificent News!
 TransUnion Gave You a Credit Increase
Date: Wed, 17 Apr 2013 10:50:56 -0400
Message-ID: <34770215301099823782438a696834a88ab99428fd8da700613@pop.mountainmusicmeltdown.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
X-MessageSniffer-Identifier: C:\IMail\spool\proc\work\D1950001a04b74c7d.smd
X-GBUdb-Analysis: 0, 207.223.191.101, Ugly c=0.279065 p=1 Source Truncate
X-MessageSniffer-Scan-Result: 20
X-MessageSniffer-Rules: 20-0-0--1-f
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-Declude-Sender: barbara_watk...@mountainmusicmeltdown.com [207.223.191.101]
X-Declude-Spoolname: D1950001a04b74c7d.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Centric Internet Services using Declude 4.12.01 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [8] at 08:57:23 on 17 Apr 2013
X-Declude-Fail: SORBS-DUL [5], SORBS [4], SPFPASS [-1], SUBCHARS-55 [1]
X-Country-Chain:
X-RCPT-TO: <ka...@centric.net>
Status:
X-UIDL: 651220478
X-IMail-ThreadID: 1950001a04b74c7d

<http://www.centric.net/>
Katie LaSalle-Lowery
ka...@centric.net
1120 S. Russell; Ste B
Missoula, MT 59801
ph (406)549-3337
fax (406)541-9338

From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Wednesday, April 17, 2013 10:52 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] No one at Declude?

On 2013-04-17 12:37, Katie La Salle-Lowery wrote:

Our Declude + Message Sniffer appears to be processing, and it is deleting much spam, but we are experiencing much more spam delivery than a couple weeks ago and I'm getting user complaints.

It's possible that your weighting is off due to some parts of Declude not working anymore.

If you're experiencing leakage that SNF is not tagging please let us know and we will work aggressively to resolve the problem.
http://www.armresearch.com/support/articles/procedures/spamSubmissions.jsp

If SNF is tagging the messages that are getting through then be sure to adjust your configuration to weight SNF results more highly.

Hope this helps,

_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
twitter/codedweller

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
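
Added example, not part of the thread and not Declude or Invariant code: a sketch of the "new domain test" discussed above, reading the two whois date spellings quoted in the thread and returning hold, pass or unknown for a 24-hour window. The function names, the receive time and the two `.example` records are assumptions made for illustration; all times are assumed to be UTC.

```python
import re
from datetime import datetime, timedelta

# "Creation date:" in either capitalisation, as in the whois output quoted in the thread.
_CREATED = re.compile(r"^\s*Creation date:\s*(.+?)\s*$", re.I | re.M)
# (format, date_only) for the two spellings seen in the thread.
_FORMATS = (("%d %b %Y %H:%M:%S", False), ("%d-%b-%Y", True))

def latest_creation(whois_text):
    """Latest moment the domain could have been registered, or None if unknown."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    for fmt, date_only in _FORMATS:
        try:
            parsed = datetime.strptime(m.group(1), fmt)
        except ValueError:
            continue
        # A date-only record could mean any time that day; assume the end of it
        # so a domain is never treated as older than it can be shown to be.
        return parsed + timedelta(days=1) if date_only else parsed
    return None

def new_domain_verdict(whois_text, received, max_age=timedelta(hours=24)):
    """Return 'hold', 'pass' or 'unknown' for a message received at `received`."""
    created = latest_creation(whois_text)
    if created is None:
        return "unknown"  # no usable date: leave the decision to other tests
    return "hold" if received - created <= max_age else "pass"

# Constructed inputs: whois lines copied from the thread, receive time invented.
RECEIVED = datetime(2013, 4, 17, 12, 0, 0)
SAMPLES = {
    "stepvalve.net": "Creation date: 16 Apr 2013 16:13:00\nExpiration date: 16 Apr 2014 08:13:00",
    "kunstkennis.com": "Updated Date: 17-apr-2013\nCreation Date: 16-apr-2013",
    "old.example": "Creation Date: 02-mar-2011",   # constructed older domain
    "nodate.example": "No match for domain",        # constructed: no date returned
}

if __name__ == "__main__":
    for domain, text in SAMPLES.items():
        print(domain, new_domain_verdict(text, RECEIVED))
```

The older-domain case returns "pass", which is the limitation raised in the thread: the test says nothing about spam sent from domains that are two or three years old.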
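
Added example, not part of the thread and not URIExtract output: a sketch of the per-IP report asked for above, counting messages per connecting IP and listing each /24 in which at least two distinct source IPs were seen. It reads `Received:` headers in the form quoted in the thread because the INVURIBL log format is not shown here; the function names, the `.example` hosts and the sample messages are constructed.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# First hop as written in the thread's sample headers:
#   Received: from host.example [a.b.c.d] by ...
_RECEIVED = re.compile(
    r"^Received:\s+from\s+\S+\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.M)

def first_hop_ip(raw_headers):
    """IP from the topmost Received header, the only one written by our own server."""
    m = _RECEIVED.search(raw_headers)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ValueError:          # bracketed text that is not a valid address
        return None
    return None if ip.is_private else ip   # skip internal relays

def ip_report(messages):
    """Return (messages per IP, {subnet: {ip: count}}) for an iterable of raw headers."""
    per_ip = Counter()
    for raw in messages:
        ip = first_hop_ip(raw)
        if ip is not None:
            per_ip[str(ip)] += 1
    per_net = defaultdict(dict)
    for ip, count in per_ip.items():
        net = ipaddress.ip_network(ip + "/24", strict=False)
        per_net[str(net)][ip] = count
    return per_ip, dict(per_net)

def block_candidates(per_net, min_distinct=2):
    """Subnets with at least `min_distinct` different source IPs, for review."""
    return sorted(net for net, ips in per_net.items() if len(ips) >= min_distinct)

# Constructed messages using IPs mentioned in the thread. The last one carries a
# lower Received line, which the sender controls, so it must not be counted.
MESSAGES = [
    "Received: from a.example [69.22.136.43] by mx.example\nSubject: x\n",
    "Received: from b.example [69.22.136.48] by mx.example\n",
    "Received: from a.example [69.22.136.43] by mx.example\n",
    "Received: from pop.mountainmusicmeltdown.com [207.223.191.101] by mail.centric.net\n"
    "Received: from c.example [69.22.136.99] by forged.example\n",
]

if __name__ == "__main__":
    per_ip, per_net = ip_report(MESSAGES)
    for ip, count in per_ip.most_common():
        print(f"{count:4d}  {ip}")
    print("two or more source IPs:", block_candidates(per_net))
```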