RE: [Declude.JunkMail] spam w/ all images
Hi Bill,

If the email contains only images and no text, the images are linked to external sources (http://www.domain.com/image.g_i_f ). SPAMCHK gives a certain weight if there are external images.

We've tried to filter mails containing ONLY images (after removing all HTML there should not remain any character). We've found 1 or 2 of 1. Most of the only-image-spams have a short text at the end: if y_ou do not w_ant...

The question is how to distinguish this spam from emails like:

Hi Bill, here you can see the pictures from our family last week on xyz national park ...
[pic1]
[pic2]
...

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bill B.
Sent: Sunday, March 09, 2003 6:51 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] spam w/ all images

Scott,

How about adding a test for if the text/html segment of an email contains all IMG tags, with no actual text? Seems like that sort of spam is getting more prevalent lately.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
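Added example, not part of the thread and not SPAMCHK's or Declude's code: the two checks discussed above (external image links, and "nothing left after removing all HTML") computed with Python's standard HTML parser. The three message bodies are constructed samples; the second shows why the strict image-only test rarely fires once a short footer is present.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BodyScan(HTMLParser):
    """Collects image sources and visible text from an HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external_images = []   # <img src="http(s)://..."> fetched from a remote host
        self.other_images = 0       # cid:, data: or relative sources shipped with the mail
        self._text = []
        self._hidden = 0            # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "img":
            src = (dict(attrs).get("src") or "").strip()
            if urlparse(src).scheme.lower() in ("http", "https"):
                self.external_images.append(src)
            else:
                self.other_images += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self._text.append(data)

    def visible_text(self):
        # Collapse whitespace so layout-only newlines do not count as text.
        return " ".join("".join(self._text).split())


def image_profile(html_body):
    """Return the features the thread talks about for one text/html part."""
    scan = _BodyScan()
    scan.feed(html_body)
    scan.close()
    text = scan.visible_text()
    has_images = bool(scan.external_images) or scan.other_images > 0
    return {
        "external_images": len(scan.external_images),
        "other_images": scan.other_images,
        "visible_chars": len(text),
        "image_only": has_images and not text,   # the strict test proposed in the thread
    }


# Constructed samples (example.com hosts, not taken from real mail).
PURE_IMAGE = ('<html><body><a href="http://www.example.com/">'
              '<img src="http://www.example.com/image.gif"></a></body></html>')
WITH_FOOTER = ('<html><body><img src="http://www.example.com/offer.gif">'
               '<p><font size="1">if you do not want further mail click here</font></p>'
               '</body></html>')
FAMILY = ('<html><body><p>Hi Bill, here you can see the pictures from our family</p>'
          '<img src="cid:pic1"><img src="cid:pic2"></body></html>')

if __name__ == "__main__":
    for name, body in (("pure image", PURE_IMAGE), ("with footer", WITH_FOOTER), ("family", FAMILY)):
        print(name, image_profile(body))
```
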
RE: [Declude.JunkMail] Spammers are Wise Guys Too!
> <!--I'm the man-->Buy this new car <!--you can't catch me--> <!--Who's the man-->for a very low price!<!--that's right I am-->
>
> You get the idea, it goes on and on from there. A typical reader would never see this, however, we would. Since we look deep into mail we would definitely see this. I guess we need to trigger on comments or something.

SPAMCHK takes already care of this. It gives some weight if there are repeated html-comments with the same content. After this there are 2 levels of keyword checks:

The first one removes any html-comments and multiple spaces. This should cover the example above and something like

hot p_ics from n_ude g_irls

The second level removes any html-tags which should allow to filter for something like

<font>hid<font>den phr</font>ase</font>

We plan also to add a third level which removes any special characters like . : _ / ... to filter keywords like

l_.o.o.s.e w_eight

I recommend to anyone who filters keywords to add also a negative weight for typical keywords used in this list (declude). Else he risks no longer receiving all messages.

Markus
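Added example, not part of the thread and not SPAMCHK's code: the repeated-comment check and the three normalisation levels described above, with a function that reports the lowest level at which a keyword becomes visible. The keywords, the list words, the weights and the sample bodies are constructed for illustration.

```python
import re
from collections import Counter

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]*>")
SPECIAL_RE = re.compile(r"[^a-z0-9\s]")

# Hypothetical weights and word lists, chosen only for this example.
KEYWORD_WEIGHT = 10
REPEATED_COMMENT_WEIGHT = 5
LIST_WORD_WEIGHT = -20          # negative weight for words typical of the list itself
KEYWORDS = ["low price", "hidden phrase", "loose weight"]
LIST_WORDS = ["declude", "spamchk"]


def _squash(text):
    """Lower-case and collapse every run of whitespace to one space."""
    return " ".join(text.lower().split())


def level1(body):
    """Level 1: drop HTML comments, collapse multiple spaces."""
    return _squash(COMMENT_RE.sub("", body))


def level2(body):
    """Level 2: level 1, then drop all remaining tags without inserting a space."""
    return _squash(TAG_RE.sub("", COMMENT_RE.sub("", body)))


def level3(body):
    """Level 3: level 2, then drop special characters such as . : _ /"""
    return _squash(SPECIAL_RE.sub("", level2(body)))


def repeated_comments(body):
    """Return {comment text: count} for comments that occur more than once."""
    counts = Counter(c.strip().lower() for c in COMMENT_RE.findall(body))
    return {text: n for text, n in counts.items() if n > 1}


def first_matching_level(body, keyword):
    """Lowest level (0 = untouched text) at which keyword appears, else None."""
    views = (_squash(body), level1(body), level2(body), level3(body))
    for level, view in enumerate(views):
        if keyword in view:
            return level
    return None


def score(body):
    """Sum the example weights for one message body."""
    total = REPEATED_COMMENT_WEIGHT if repeated_comments(body) else 0
    total += KEYWORD_WEIGHT * sum(
        first_matching_level(body, k) is not None for k in KEYWORDS)
    normalised = level3(body)
    total += LIST_WORD_WEIGHT * sum(w in normalised for w in LIST_WORDS)
    return total


# Constructed samples, one per evasion style mentioned in the message.
COMMENT_SPLIT = "<!--zq-->Buy this new car <!--zq-->for a very low<!--zq--> price!"
TAG_SPLIT = "<font>hid<font>den phr</font>ase</font>"
CHAR_SPLIT = "l.o.o.s.e w_eight now"
LIST_MAIL = "SPAMCHK on the Declude list missed a low price mail"

if __name__ == "__main__":
    for body in (COMMENT_SPLIT, TAG_SPLIT, CHAR_SPLIT, LIST_MAIL):
        hits = {k: first_matching_level(body, k) for k in KEYWORDS}
        print(score(body), hits)
```
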
Re: [Declude.JunkMail] Request
> Is it possible to add in a feature that checks for messages that contain a header without a proper ending CRLF CRLF? This I believe would be useful since we are seeing some spam with a null body and a large header.

I'll check to see if we can add a test for this.

-Scott
Re: [Declude.JunkMail] spam w/ all images
I haven't tried SPAMCHK yet, but I've heard you guys talking about it on the list. Maybe I'll give it a try.

Thanks

-----Original Message-----
From: Markus Gufler
Sent: Mon, 10 Mar 2003 09:40:55 +0100
Subject: RE: [Declude.JunkMail] spam w/ all images

Hi Bill,

If the email contains only images and no text, the images are linked to external sources (http://www.domain.com/image.g_i_f ). SPAMCHK gives a certain weight if there are external images.

We've tried to filter mails containing ONLY images (after removing all HTML there should not remain any character). We've found 1 or 2 of 1. Most of the only-image-spams have a short text at the end: if y_ou do not w_ant...

The question is how to distinguish this spam from emails like:

Hi Bill, here you can see the pictures from our family last week on xyz national park ...
[pic1]
[pic2]
...

Markus
[Declude.JunkMail] Trial Expired?
Hi, All,

How can I tell if my trial of Declude JunkMail has expired?

Thanks,
Dan Geiser
[EMAIL PROTECTED]

This E-mail is scanned and free from viruses. www.nexustechgroup.com
Re: [Declude.JunkMail] Trial Expired?
> How can I tell if my trial of Declude JunkMail has expired?

If you type "\IMail\Declude -diag" from a command prompt, it should have a line "Declude JunkMail Status:" that shows the expiration date.

-Scott
Re: [Declude.JunkMail] Removing mails by the subject
What about mails that don't have specific subjects, but characters such as %$(%(234_`1 ? We get a lot of these but they don't break w20 which tosses the email. Can Pro toss these?

Dan

Markus Gufler wrote:

> Hi Darryl
>
> We catch this spam message with 276% of our hold value. There are a lot of not content based tests that fail this message. This should be enough to block it.
>
> Our free tool SPAMCHK makes a lot of content based tests. I do not recommend to filter this spam by the subject line "he hit me". Doing this, after some months you will have a long filter list containing numerous no longer used subject lines.
>
> This message contains a lot of keywords that you can filter for. Additionally there are links to external images, and a script call. As you can see only our SPAMCHK gives 170% of our hold value:
>
> 09.03.2003 02:26:44, file C:\IMail\spool\D983f0cc700986457.SMD, Result 0H 50L 120K 0R, total 170
> From:lisa [EMAIL PROTECTED]
> To:[EMAIL PROTECTED]
> Subject:he hit me
> 0,11 Filename is C:\IMail\spool\D983f0cc700986457.SMD
> 0,11 Read 4544 bytes from file C:\IMail\spool\D983f0cc700986457.SMD
> 0,11 Message is base64 encoded!
> 0,11 mail text contains links to external images (http://cmb.flyhosting4free.com/max/images/ltg.jpg)
> 0,11 mail text contains a script call (http://cmb.flyhosting4free.com/ltg/?aid=357594)
> 0,11 Checkwords found: h_ardcore p_enis s_lut c_heck out c_hick p_ics f_riend t_een s_lut y_our p_enis
>
> Markus
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darryl Koster
> Sent: Sunday, March 09, 2003 7:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Removing mails by the subject
>
> They fail a bunch of tests on my system. I am still in the set up phases though and am looking into dif. possible fixes for this type of thing. It's nice to know that I can filter for certain words.
>
> Darryl
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smart Business Lists
> Sent: Sunday, March 09, 2003 1:29 PM
> To: Darryl Koster
> Subject: Re: [Declude.JunkMail] Removing mails by the subject
>
> Darryl,
>
> Sunday, March 9, 2003 you wrote:
>
> DK> I get tons that say
> DK> He Hit Me that are porn etc.
>
> I've seen a bunch of those recently but they've failed the following tests on my system:
>
> OSSOFT, SPAMCOP, WIREHUB-DNSBL, DORKZTL, SBL, SORBS-HTTP, CN-KR, NOABUSE, NOPOSTMASTER, BADHEADERS, REVDNS, SNIFFER
>
> Terry Fritts
RE: [Declude.JunkMail] Removing mails by the subject
Hi Dan,

Yes, as I know the pro version is able to filter keywords in the subject-line.

We've added a lot of keywords and phrases to our subjectline filter in SPAMCHK, but I think filtering for single special characters or also for a certain number of special characters will create more fp's than help to identify spam. What are legitimate special characters and what not?

For example we've checked if the appearance of ! can be used as a good test. No way. I don't know what's in your inbox but I can find more special characters in my inbox than in the list of Spamreview.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Star
Sent: Monday, March 10, 2003 4:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Removing mails by the subject

What about mails that don't have specific subjects, but characters such as %$(%(234_`1 ? We get a lot of these but they don't break w20 which tosses the email. Can Pro toss these?

Dan
RE: [Declude.JunkMail] Removing mails by the subject
Those are actually encrypted subject lines.

Example: When you send an Outlook Test mail, the subject line is "Microsoft Outlook Test Message". However, when Declude sees it, it looks like

=?utf-8?B?TWljcm9zb2Z0IE91dGxvb2sgVGVzdCBNZXNzYWdl?=

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Dan Star
Sent: Monday, March 10, 2003 7:57 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Removing mails by the subject

What about mails that don't have specific subjects, but characters such as %$(%(234_`1 ? We get a lot of these but they don't break w20 which tosses the email. Can Pro toss these?

Dan
Re: [Declude.JunkMail] Removing mails by the subject
Here is an example subject:

(±¤°í)¹éÀü¹é½ÂÁÖ°¡Â÷Æ®½ÇÀüÀÓ»óÁý¹«·á

Dan

Markus Gufler wrote:

> Hi Dan,
>
> Yes, as I know the pro version is able to filter keywords in the subject-line.
>
> We've added a lot of keywords and phrases to our subjectline filter in SPAMCHK, but I think filtering for single special characters or also for a certain number of special characters will create more fp's than help to identify spam. What are legitimate special characters and what not?
>
> For example we've checked if the appearance of ! can be used as a good test. No way. I don't know what's in your inbox but I can find more special characters in my inbox than in the list of Spamreview.
>
> Markus
RE: [Declude.JunkMail] Removing mails by the subject
That kind of looks like foreign characters with the correct language set not installed.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Dan Star
Sent: Monday, March 10, 2003 8:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Removing mails by the subject

Here is an example subject:

(±¤°í)¹éÀü¹é½ÂÁÖ°¡Â÷Æ®½ÇÀüÀÓ»óÁý¹«·á

Dan
RE: [Declude.JunkMail] Removing mails by the subject
Oh, I understand. This seems to be spam with asiatic characters and char-sets. As we don't understand what they are writing and eventually what we are filtering for until now we haven't added any keywords for this type of messages.

We have seen that asiatic spammers indicate the following char-sets:

GB2312
CHINESEBIG5
iso-2022-jp

Anyone know others?

Filtering for them in the mailheader seems to be the best defense against asiatic spam along with the following DNS-based tests:

BHOLE-CHINA      ip4r  china.blackholes.us      127.0.0.2  6  0
BHOLE-CN-KR      ip4r  cn-kr.blackholes.us      127.0.0.2  6  0
BHOLE-HONGKONG   ip4r  hongkong.blackholes.us   127.0.0.2  4  0
BHOLE-JAPAN      ip4r  japan.blackholes.us      127.0.0.2  2  0
BHOLE-KOREA      ip4r  korea.blackholes.us      127.0.0.2  6  0
BHOLE-MALAYSIA   ip4r  malaysia.blackholes.us   127.0.0.2  6  0
BHOLE-SINGAPORE  ip4r  singapore.blackholes.us  127.0.0.2  6  0
BHOLE-TAIWAN     ip4r  taiwan.blackholes.us     127.0.0.2  6  0
KOREASPAM        ip4r  korea.services.net       *          2  0
BHOLE-THAILAND   ip4r  thailand.blackholes.us   127.0.0.2  2  0

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Star
Sent: Monday, March 10, 2003 5:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Removing mails by the subject

Here is an example subject:

(±¤°í)¹éÀü¹é½ÂÁÖ°¡Â÷Æ®½ÇÀüÀÓ»óÁý¹«·á

Dan
RE: [Declude.JunkMail] another new encoding trick
The header of the message says that the body encoding is base64, but it was **actually** just plain ascii text. Bastards!

But if it's possible to send such a message and it's correctly visualized on the client side, how can the client distinguish between real base64 and faked encoding? What about an official plain-text encoding but base64 content?

In your mail it seems like the 2 lines beginning with --=_NextPart_... are missing just before the Content-Transfer-Encoding=base64. For example:

--=_NextPart_0228031437
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: base64

Markus
Re: [Declude.JunkMail] another new encoding trick
The header of the message says that the body encoding is base64, but it was **actually** just plain ascii text.

Are you *sure* the body was really just plain text? Note that some ways of viewing the contents of the E-mail (such as a View Source option in a mail client) may not show the base64-encoded data, but will actually show the plain text (human readable) version.

If the body really was plain text, then it should have triggered the filter.

-Scott
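One way to check the mismatch discussed in this thread against the raw message rather than a mail client's decoded view, as an added example (not Declude's or SPAMCHK's code). It flags MIME parts whose declared Content-Transfer-Encoding disagrees with what the body looks like; the function names and the sample message are constructed for illustration, and only the boundary string is taken from the example quoted above.

```python
import base64
import binascii
import re
from email import message_from_string

B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def looks_like_base64(payload):
    """True if every non-empty line uses the base64 alphabet and the whole body decodes strictly."""
    lines = [ln.strip() for ln in payload.splitlines() if ln.strip()]
    if not lines or not all(B64_LINE.match(ln) for ln in lines):
        return False
    try:
        base64.b64decode("".join(lines), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def encoding_mismatches(raw):
    """Return (content_type, declared_cte, problem) for each leaf part whose header and body disagree."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        body = part.get_payload(decode=False)  # raw body text, exactly as transmitted
        is_b64 = looks_like_base64(body)
        if cte == "base64" and not is_b64:
            findings.append((part.get_content_type(), cte, "declared base64, body is not"))
        elif cte != "base64" and is_b64 and len(body.strip()) >= 40:
            # Length floor avoids flagging short plain words that happen to be valid base64.
            findings.append((part.get_content_type(), cte, "body looks like base64, not declared"))
    return findings

# Constructed sample: one honest base64 part, one faked header, one undeclared base64 body.
B64_HTML = base64.b64encode(b"<html><body><img src='http://example.invalid/a.jpg'></body></html>").decode()
BOUNDARY = "=_NextPart_0228031437"
SAMPLE = (
    "MIME-Version: 1.0\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
    f"--{BOUNDARY}\nContent-Type: text/html; charset=iso-8859-1\n"
    f"Content-Transfer-Encoding: base64\n\n{B64_HTML}\n"
    f"--{BOUNDARY}\nContent-Type: text/plain\n"
    "Content-Transfer-Encoding: base64\n\nThis body is plain ascii text, not base64.\n"
    f"--{BOUNDARY}\nContent-Type: text/plain\n"
    f"Content-Transfer-Encoding: 7bit\n\n{B64_HTML}\n"
    f"--{BOUNDARY}--\n"
)

if __name__ == "__main__":
    for finding in encoding_mismatches(SAMPLE):
        print(finding)
```

Either finding is a reason to run keyword tests on both the raw and the decoded form of the part, so that neither disguise hides the text from the filter.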
Re: [Declude.JunkMail] spam w/ all images
I have had good luck stopping a few spammers by looking at the image paths, a lot of these clowns serve their images from compromised (or open by default) servers. This is especially prevalent among the pornsters.

For example the same graphic based spam may have been sent from several sources with different image urls.

http://10.10.10.1/mort/img/refin-01.jpg
http://192.168.1.1/mort/img/refin-01.jpg

Filter for /mort/img/refin-01.jpg and they are gone.

Keep a separate file for these types of tests because these are usually temporary; management will be much easier.

Have a great day!

Rick Davidson
Buckeye Internet Inc.
www.buckeyeweb.com
440-953-1900 ext 222

- - Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 12:50 AM
Subject: [Declude.JunkMail] spam w/ all images

Scott,

How about adding a test for if the text/html segment of an email contains all IMG tags, with no actual text? Seems like that sort of spam is getting more prevalent lately.

Bill
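A sketch of the two tests raised in this message, added here as an example and not taken from Declude or from anyone's actual filter file: match image URLs by path only, so a change of host does not defeat the rule, and report whether the HTML part holds images with no visible text. The blocklist format, function names and sample bodies are assumptions constructed for illustration; the two spam URLs are the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgScan(HTMLParser):
    """Collects IMG src URLs and visible text; HTML comments and script/style bodies are ignored."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.srcs, self.text, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
        elif tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.text.append(data)

def load_paths(lines):
    """Blocklist file format (assumed): one URL path per line, '#' comments and blank lines ignored."""
    return {ln.strip().lower() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")}

def scan(html, blocked_paths):
    parser = ImgScan()
    parser.feed(html)
    parser.close()
    paths = [urlsplit(src).path.lower() for src in parser.srcs]  # host is deliberately dropped
    visible = "".join(parser.text).replace("\xa0", " ").strip()
    return {
        "path_hits": sorted({p for p in paths if p in blocked_paths}),
        "external_images": sum(1 for s in parser.srcs if urlsplit(s).scheme in ("http", "https")),
        "images_only": bool(parser.srcs) and not visible,
    }

# Constructed samples: the same image served from two hosts, plus a legitimate photo mail.
BLOCKLIST = ["# temporary image-path tests, prune regularly", "/mort/img/refin-01.jpg"]
SPAM_A = '<html><body>\n<a href="http://10.10.10.1/x"><img src="http://10.10.10.1/mort/img/refin-01.jpg"></a>\n</body></html>'
SPAM_B = '<!-- filler --><img src="http://192.168.1.1/mort/img/refin-01.jpg"><br>'
HAM = '<p>Hi Bill, here are the pictures from last week</p><img src="http://example.invalid/pics/pic1.jpg">'

if __name__ == "__main__":
    for body in (SPAM_A, SPAM_B, HAM):
        print(scan(body, load_paths(BLOCKLIST)))
```

The images-only result is better used as a weight than as a hard block, since a short personal mail with attached pictures can come close to it.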
RE: [Declude.JunkMail] spam w/ all images
Rick,

Would you mind posting a copy of this file? Thanks much!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Davidson
Sent: Monday, March 10, 2003 12:18
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] spam w/ all images

I have had good luck stopping a few spammers by looking at the image paths, a lot of these clowns serve their images from compromised (or open by default) servers. This is especially prevalent among the pornsters.

For example the same graphic based spam may have been sent from several sources with different image urls.

http://10.10.10.1/mort/img/refin-01.jpg
http://192.168.1.1/mort/img/refin-01.jpg

Filter for /mort/img/refin-01.jpg and they are gone.

Keep a separate file for these types of tests because these are usually temporary; management will be much easier.

Have a great day!

Rick Davidson
Buckeye Internet Inc.
www.buckeyeweb.com
440-953-1900 ext 222

- - Original Message -
From: Bill B. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 12:50 AM
Subject: [Declude.JunkMail] spam w/ all images

Scott,

How about adding a test for if the text/html segment of an email contains all IMG tags, with no actual text? Seems like that sort of spam is getting more prevalent lately.

Bill
Re: [Declude.JunkMail] Trial Expired?
Thanks, Scott!

Apparently our trial expired last night at Midnight. No wonder everyone's complaining about the spam today!

So now the question is, what version of Declude JunkMail should we buy? Of the features that JunkMail Pro has and JunkMail Standard does not have the only one I used was COPYTO.

One question...if we buy JunkMail standard now and decide in a few months we would like to broaden our horizons to JunkMail Pro, can we just pay the difference to get upgraded to the new software? Or do we have to decide on JunkMail Pro now?

Any other suggestions on how to decide which to buy?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 10:43 AM
Subject: Re: [Declude.JunkMail] Trial Expired?

How can I tell if my trial of Declude JunkMail has expired?

If you type \IMail\Declude -diag from a command prompt, it should have a line Declude JunkMail Status: that shows the expiration date.

-Scott

This E-mail is scanned and free from viruses. www.nexustechgroup.com
RE: [Declude.JunkMail] Trial Expired?
We have a very tight budget and so purchased the standard version. It's frustrating not to be able to write external filters, but we get pretty good results anyway just by relying on the basic filter set. We only have about 300 users.

HTH.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)
Email: [EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dan Geiser
Sent: Monday, March 10, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Trial Expired?

Thanks, Scott!

Apparently our trial expired last night at Midnight. No wonder everyone's complaining about the spam today!

So now the question is, what version of Declude JunkMail should we buy? Of the features that JunkMail Pro has and JunkMail Standard does not have the only one I used was COPYTO.

One question...if we buy JunkMail standard now and decide in a few months we would like to broaden our horizons to JunkMail Pro, can we just pay the difference to get upgraded to the new software? Or do we have to decide on JunkMail Pro now?

Any other suggestions on how to decide which to buy?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 10:43 AM
Subject: Re: [Declude.JunkMail] Trial Expired?

How can I tell if my trial of Declude JunkMail has expired?

If you type \IMail\Declude -diag from a command prompt, it should have a line Declude JunkMail Status: that shows the expiration date.

-Scott
RE: [Declude.JunkMail] Trial Expired?
Hi;

I highly recommend the Pro version if you can afford it. The custom filters are a great feature and one that adds a lot of functionality and flexibility to your system. Highly recommend the Pro Version.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Monday, March 10, 2003 5:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Trial Expired?

Thanks, Scott!

Apparently our trial expired last night at Midnight. No wonder everyone's complaining about the spam today!

So now the question is, what version of Declude JunkMail should we buy? Of the features that JunkMail Pro has and JunkMail Standard does not have the only one I used was COPYTO.

One question...if we buy JunkMail standard now and decide in a few months we would like to broaden our horizons to JunkMail Pro, can we just pay the difference to get upgraded to the new software? Or do we have to decide on JunkMail Pro now?

Any other suggestions on how to decide which to buy?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 10:43 AM
Subject: Re: [Declude.JunkMail] Trial Expired?

How can I tell if my trial of Declude JunkMail has expired?

If you type \IMail\Declude -diag from a command prompt, it should have a line Declude JunkMail Status: that shows the expiration date.

-Scott
Re: [Declude.JunkMail] Trial Expired?
One question...if we buy JunkMail standard now and decide in a few months we would like to broaden our horizons to JunkMail Pro, can we just pay the difference to get upgraded to the new software? Or do we have to decide on JunkMail Pro now?

If you choose to buy the Standard version now, you can upgrade at any time later for just the difference in price between the two versions.

-Scott
[Declude.JunkMail] SpamChk.ini
Hello,

Would anyone be willing to provide a copy of their SpamChk.ini file to help a SpamChk newbie out? You can email me off list if needed...

Thanks for your help..

Adam