RE: [Declude.JunkMail] Obfuscated Addresses

2003-04-06 Thread Madscientist
Be careful about this...
Be sure that if you create a black rule for this kind of thing that you
capture the href=" part as well or else you will have quite a few false
positives - generally from subscribed lists published by larger bulk
houses. URL Encoded web links (partially encoded or fully encoded) are
common in the extended portions of image and other links in these kinds
of messages - probably as tracking measures. This was our experience
anyhow...

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Sunday, April 06, 2003 1:54 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Obfuscated Addresses
]
]
]For those of you who track obfuscation techniques:
]
]Besides
]http://%
]
]be sure to add a test for
]http://w%77w.
]
]in case the actual address starts with http://www.
]
]
]Dan
]
]---
][This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] BASE64 Parsing... :)

2003-04-06 Thread R. Scott Perry

Am I seeing this correctly... The new beta actually reads BASE64?
Yes.  That is what was supposed to happen back a couple betas ago, but it 
didn't actually get enabled until now.

I am seeing our URL found in body filter getting triggered in BASE64 emails.

If so ... Thanks Scott.. Now all my wishes have come true!
:)
-Scott


RE: [Declude.JunkMail] Obfuscated Addresses

2003-04-06 Thread Kami Razvan
Hi;

That is true but our experience shows a filter with weight is quite
effective for these types of entries in the body.  We have the following in
our body...  We started these weights at 5 and now we hold on any occurrence
of these in the body.

BODY 20 CONTAINS %2()e%63%6f%6d
BODY 10 CONTAINS %2()ecom
BODY 20 CONTAINS %2()ecom
BODY 50 CONTAINS %2()Ecom.%70h?subject=
BODY 20 CONTAINS %2()einfo
BODY 20 CONTAINS %2()enet
BODY 20 CONTAINS %2()eorg
BODY 20 CONTAINS %2()eus
BODY 20 CONTAINS =2E()com=2F
BODY 20 CONTAINS =40()hotmail=2
BODY 20 CONTAINS =40()hotpop=2
BODY 20 CONTAINS =40()netzero=2
BODY 20 CONTAINS =40()yahoo=2
BODY 20 CONTAINS http()%3()A%2F%2F
BODY 20 CONTAINS http://()$
BODY 20 CONTAINS http://()%69
BODY 20 CONTAINS http://()%77%77%77
BODY 20 CONTAINS http://()%77%77w.
BODY 20 CONTAINS http://()6
BODY 20 CONTAINS http://()6
BODY 10 CONTAINS http://()<
BODY 2 CONTAINS http://()www()=2
BODY 20 CONTAINS http=()3A
BODY 20 CONTAINS http=()3A=2F=2F

We also give weight to redirect links... Such as:

BODY 5 CONTAINS http://()click.
BODY 20 CONTAINS http://()clicktrack.
BODY 2 CONTAINS http://()counter.
BODY 20 CONTAINS http:/()/internet.e-mail
BODY 20 CONTAINS http://()mycounter.

Without () -

We hold on weight 20 and delete on weight 80 with very good results.

These entries and many more like them have not resulted in any problems...

Regards,
Kami

P.s. If you want to see the list let me know & I can gladly send you the
link to the ftp.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
Sent: Sunday, April 06, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Obfuscated Addresses


Be careful about this...
Be sure that if you create a black rule for this kind of thing that you
capture the href=" part as well or else you will have quite a few false
positives - generally from subscribed lists published by larger bulk houses.
URL Encoded web links (partially encoded or fully encoded) are common in the
extended portions of image and other links in these kinds of messages -
probably as tracking measures. This was our experience anyhow...

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Sunday, April 06, 2003 1:54 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Obfuscated Addresses
]
]
]For those of you who track obfuscation techniques:
]
]Besides
]http://%
]
]be sure to add a test for
]http://w%77w.
]
]in case the actual address starts with http://www.
]
]
]Dan
]
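The two posts above (weighted body rules, and the caveat about anchoring on href=" to avoid false positives) can be combined into one check. The following Python sketch is an added example, not code from the thread and not Declude filter syntax: it flags only links whose host part inside href="..." hides plain characters behind %XX escapes, then applies the hold-at-20 / delete-at-80 thresholds mentioned above. The function names, the per-link weight of 20 and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

HOLD_WEIGHT, DELETE_WEIGHT = 20, 80   # thresholds quoted in the thread
LINK_WEIGHT = 20                      # assumption: weight added per obfuscated link

# Per the false-positive caveat, only targets inside href="..." are inspected.
HREF_RE = re.compile(r'href\s*=\s*"(https?://[^"]*)"', re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Characters that never need %XX escaping in a host name.
HOST_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


def obfuscated_host(url):
    """Return the decoded host if it hides plain characters behind %XX, else None."""
    after_scheme = url.split("://", 1)[1]
    host = re.split(r"[/?#]", after_scheme, maxsplit=1)[0]  # drop path, query, fragment
    hidden = [e for e in ESCAPE_RE.findall(host) if unquote(e) in HOST_SAFE]
    return unquote(host) if hidden else None


def score_body(html):
    """Return (weight, action, decoded hosts) for one HTML body."""
    hits = [h for h in map(obfuscated_host, HREF_RE.findall(html)) if h]
    weight = LINK_WEIGHT * len(hits)
    if weight >= DELETE_WEIGHT:
        action = "DELETE"
    elif weight >= HOLD_WEIGHT:
        action = "HOLD"
    else:
        action = "PASS"
    return weight, action, hits


# Constructed sample bodies (not real mail); example.com and example.net are reserved.
NEWSLETTER = (
    '<a href="http://news.example.com/r?u=http%3A%2F%2Fshop.example.com%2Fsale">Sale</a>'
    '<img src="http://img.example.com/o.gif?id=%77%31">'
)
SPAM = '<a href="http://w%77w.example%2Enet/offer">Click</a>'
# A posted pattern with the () removed, applied as a bare substring test.
NAIVE_PATTERN = "http%3A%2F%2F"

if __name__ == "__main__":
    print("substring rule hits newsletter:", NAIVE_PATTERN in NEWSLETTER)
    print("newsletter:", score_body(NEWSLETTER))
    print("spam:", score_body(SPAM))
```

The constructed newsletter body carries an encoded redirect target in its query string and an encoded tracking id in an image link, so the bare substring test matches it, while the host-scoped check passes it and still holds the w%77w. link.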


Re: [Declude.JunkMail] override MaxQueProc

2003-04-06 Thread Bill B.
> you would still end up with no more than 10 SMTP processes 
> most of the time (since the SMTP process would normally finish in a bit 
> less time than Declude JunkMail).

I actually don't care about the number of SMTP processes all that much.  The point of 
what I am trying to accomplish is limit the number of Declude processes to 10 (for 
example), without running the risk of having long delays due to emails entering 
Imail's queue.

Currently, if I set MaxQueProc to 10, I run that risk.

But if I could set Declude to a max of 10 processes and Imail to a max of 30, the 
chance of having those long queue delays occurring is minimized.

Bill



-Original Message-
From: "R. Scott Perry"
Sent: Sun, 06 Apr 2003 21:18:43 -0400
Subject: Re: [Declude.JunkMail] override MaxQueProc



>I ran a test this afternoon, lowering MaxQueProc to 2, but it didn't 
>behave quite as I had expected.  First, all of the emails were scanned by 
>Declude, which is good.  And emails were being delayed via overflow folder 
>as expected.  BUT, some emails were left behind in Imail's spool folder 
>after being processed by Declude.
>
>What I think may have caused this is:
>1) Declude received it
>2) Possibly delayed via the overflow folder
>3) Declude processed it
>4) Declude handed it off to smtp32.exe
>5) smtp32.exe saw too many smtp32.exe processes running and did not 
>process it; instead it stuck it in the Imail spool folder.
>
>Does this sound like what could have occurred?

That does indeed sound like what happened.

>If so, then I do still see benefit in having a config variable to allow 
>Declude to use a different value for MaxQueProc.

I'm still not sure that it would make a noticeable difference.  For 
example, if there was a maximum of 10 Declude processes and a maximum of 30 
SMTP processes, you would still end up with no more than 10 SMTP processes 
most of the time (since the SMTP process would normally finish in a bit 
less time than Declude JunkMail).
  -Scott



[Declude.JunkMail] Tests not always working

2003-04-06 Thread Chuck Schick
This weekend several spam messages have gotten through to my mailbox.  When I test the 
sending IPs I find they are listed in numerous blacklists and should have been caught 
by Declude.  I have seen this periodically and believed that other servers like 
spamcop or whatever were down momentarily or did not respond, but now I am seeing 
numerous messages getting through, and the headers do not show they failed tests that these 
messages should have.

Anyone have any thoughts on what may be happening?

CJS 


RE: [Declude.JunkMail] Tests not always working

2003-04-06 Thread John Tolmachoff \(Lists\)
> This weekend several spam messages have gotten through to my mailbox. When I
> test the sending IPs I find they are listed in numerous blacklists and should have
> been caught by Declude.  I have seen this periodically and believed that other
> servers like SpamCop or whatever were down momentarily or did not respond, but
> now I am seeing numerous messages getting through, and the headers do not show
> they failed tests that these messages should have.

What do the logs say on the messages that got through?

Can you post a log snippet?

John Tolmachoff
MCSE, CSSA
Owner, Network Engineer/Consultant
eServices For You
City of Industry, CA
www.eservicesforyou.com





RE: [Declude.JunkMail] Next step ?

2003-04-06 Thread John Tolmachoff \(Lists\)
> I'm new to this amazing product and I am quite impressed, even with the lite
> version.

Welcome to the Wonderful World of Disney. No wait, I mean Declude. ;-)>

> The problem is, I don't know where to start tweaking. So I am looking at
> some tweaking stories, hopefully from people with a similar situation.  I
> have looked at the archive but I'm looking for something more solid.

The best thing about Declude software is that it is very adaptable. The most
time consuming part about Declude is that it is very adaptable.

The most important thing to remember is to take small steps and then stand
back and watch. What works for me may not work for you. We all have
different clientele and different configurations.

The one option you have is to work with someone directly with experience to
oversee and help you with hands on if you are pressed for time.

Check out SpamReview software. It will help in reviewing held mail. I would
suggest deciding what kind of actions you want to take. Example, pass to
weight 10, modify subject to weight 15, hold or send to a sub box at 20 and
delete at 25.

I also recommend using WEIGHTRANGE instead of WEIGHT for more exact results.

I have set up actions like this:

WEIGHTRANGE10-14
WEIGHTRANGE15-19
WEIGHTRANGE20-24
WEIGHTRANGE25-29
WEIGHTRANGE30-34
WEIGHTRANGE35-39
WEIGHTRANGE40-44
WEIGHTRANGE45-49
WEIGHT50

Then, all I have to do is change the action on each test as I make
adjustments.

In the next few days, I am going to be announcing a free service to make
documentation more easily available.

John Tolmachoff
MCSE, CSSA
Owner, Network Engineer/Consultant
eServices For You
City of Industry, CA
www.eservicesforyou.com



