RE: [Declude.JunkMail] Logging optimization question

2003-06-08 Thread Markus Gufler
I've seen that on our server a lot of DNS-based tests bring up very few
positive results.
So I've commented them out at the moment. If I'm able to implement
something to switch automatically between a normal- and a
high-load-version of the cfg-file I will disable these tests at first in
the high-load-version:

OSRELAY          0.20%
OSDUL            0.19%
KOREASPAM        0.18%
ORDB             0.16%
BHOLE-ARGENTINA  0.10%
KUNDENSERVER     0.06%
WIREHUB-DNSBL    0.05%
BHOLE-HONGKONG   0.05%
BHOLE-RUSSIA     0.04%


Markus




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Sunday, June 08, 2003 5:30 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Logging optimization question
 
 
 Scott, since we have been discussing optimization techniques 
 on this list lately, I am wondering if in that effort you can 
 do some logging optimization, as well.  See the attached JM 
 log snippet and you will notice that a single e-mail with 4 
 recipients gets written to the log 4 times, with each succeeding 
 From/To entry adding one additional recipient e-mail
 address:
 
 =
 06/07/2003 19:53:57 Qa53d222d0090d085 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 213.184.130.86 ID: 94672138
 ---
 06/07/2003 19:53:57 Qa53d222d0090d085 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED]  IP: 213.184.130.86 ID: 94672138
 ---
 06/07/2003 19:53:57 Qa53d222d0090d085 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]  IP: 213.184.130.86 ID: 94672138
 ---
 06/07/2003 19:53:57 Qa53d222d0090d085 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]  IP: 213.184.130.86 ID: 94672138
 =
 
 This one e-mail effectively added approximately 125 lines to 
 my log file, when only 35 would have given me all of the 
 info I needed.  What if the e-mail would have had 25 or 50 
 recipients listed--ouch!
 
 Any reason this cannot (or should not) be reduced to just a 
 single e-mail entry with the From/To line showing all 
 recipients?  Maybe the same optimizations could be applied to 
 the Virus logs, as well?
 
 Bill
 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread R. Scott Perry

Another idea for a new test, a close cousin to the SpamDomains test:

Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] FROM Sent from - detecting?

2003-06-08 Thread R. Scott Perry

Would it be of any benefit if we could have a test that could indicate if 
the FROM address is different from that of the SEND FROM that Declude detects?

A lot of SPAM comes from emails that the MAILFROM address is different 
from the SEND FROM that Declude identifies.

This does sound like a good test.  Although it would have some false 
positives (like the mailing lists, as you mentioned, as well as people 
whose mail clients may use a From: of [EMAIL PROTECTED] but have a return 
address of [EMAIL PROTECTED]), but it would probably catch quite a bit 
of spam.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] SMTP authorized versus random email

2003-06-08 Thread Kami Razvan
Hi;

If we require SMTP authorization before an email is sent from our server
then if I get an email that has my email in the FROM address is not sent by
me has to have my email placed there randomly or as a means to bypass our
filters. Right? Wrong?

I guess if there was a way to mandate emails with From addresses that exist
in the server have to pass certain criteria before being considered
legitimately from the sender. One such test is simply knowing all the users
on the server and treating those with certain criteria.

Is there any way this can be flagged or a header added for emails that are
coming from the local user base and if so if they are authenticated or not?

Regards,
Kami


Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Bill B.
I'm not sure that I agree with this test.  I use Earthlink DSL at home, and I never 
send out emails using my @earthlink.net address.  I always use my personal or 
business address, neither of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up customers do not use the 
email account that their ISP provides, but they use their ISP's outgoing mail server 
because they are forced to due to port 25 filtering.

Bill


-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



Another idea for a new test, a close cousin to the SpamDomains test:

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
 (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Dan Patnode
Bill,

That's a good thing to keep in mind, however it wouldn't compare IP to MAILFROM, it 
would compare only IP to RDNS.  It would only check for forged RDNS, not caring if 
you use @webmail.us.  Here's an example from Road Runner:

24.88.0.13  ae88-0-013.sc.rr.com


Someone on this IP sending with their own domain (or even from their own email 
server), will still pass: 

24.88.0.0/16  rr.com


Dan


On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:
I'm not sure that I agree with this test.  I use Earthlink DSL
at home, and I never send out emails using my @earthlink.net
address.  I always use my personal or business address, neither
of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up
customers do not use the email account that their ISP provides,
but they use their ISP's outgoing mail server because they are
forced to due to port 25 filtering.

Bill


-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



Another idea for a new test, a close cousin to the SpamDomains test:

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
 (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day
evaluation.



[Declude.JunkMail] KillListGen Utility

2003-06-08 Thread David Dodell
Does anyone have the KillListGen utility they can mail to me ... the
link at nerosoft is broken, and email sent to them is returned as
invalid user.

Thanks,

David



Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Dan Patnode
Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said all the domains those 
IPs use.  The intent is to ignore MAILFROM (which Spam Domains already checks) and 
compare only IP with RDNS.


Scott,

Would that still be effective?


Dan


On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:
I'm not sure that I agree with this test.  I use Earthlink DSL
at home, and I never send out emails using my @earthlink.net
address.  I always use my personal or business address, neither
of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up
customers do not use the email account that their ISP provides,
but they use their ISP's outgoing mail server because they are
forced to due to port 25 filtering.

Bill


-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



Another idea for a new test, a close cousin to the SpamDomains test:

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
 (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day
evaluation.



Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Bill B.
Ahh, I get it.  But it would have to compare the REMOTEIP to the HELO string, not to 
the REVDNS.  Because styggen.com in the header below indicates the HELO string sent 
by the remote mail server, rather than the REVDNS value.

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs though.  So what about 
a variation of this idea where the test would force REVDNS and HELO strings to contain 
a partial match.  For example, an entry like this...

.rr.com  .rr.net

...would require a REVDNS that contains .rr.com, to use a HELO string containing 
either .rr.com or .rr.net.  Or perhaps the other way around.

Bill 


-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea


Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said all the domains those 
IPs use.  The intent is to ignore MAILFROM (which Spam Domains already checks) and 
compare only IP with RDNS.


Scott,

Would that still be effective?


Dan


On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:
I'm not sure that I agree with this test.  I use Earthlink DSL
at home, and I never send out emails using my @earthlink.net
address.  I always use my personal or business address, neither
of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up
customers do not use the email account that their ISP provides,
but they use their ISP's outgoing mail server because they are
forced to due to port 25 filtering.

Bill


-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



Another idea for a new test, a close cousin to the SpamDomains test:

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
 (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day
evaluation.
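
The IP-vs-HELO test discussed in this thread and Bill B.'s REVDNS-vs-HELO variation, sketched in Python as an added example (not Declude's code and not written by any poster). The entry lines follow the ones shown in the posts; the function names, the label-boundary matching and the PASS/FAIL/SKIP results are assumptions.

```python
import ipaddress
import re

# SpamIPs entries in the format shown in the thread: a CIDR, then the
# domains a host in that range is expected to announce in HELO/EHLO.
SPAMIPS = """
24.208.0.0/14  rr.com  rr.net
24.88.0.0/16   rr.com
"""

# Bill B.'s variation: when REVDNS falls under the first field, HELO must
# fall under one of the fields on the line (interpretation assumed here).
REVDNS_HELO = """
.rr.com  .rr.net
"""

# IMail-style line as quoted in the thread: "from <HELO> [<remote IP>] by ..."
RECEIVED_RE = re.compile(r"Received:\s+from\s+(\S+)\s+\[([0-9a-fA-F.:]+)\]")


def parse_received(header):
    """Return (helo, remote_ip) from a Received line, or None if unusable."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(2))
    except ValueError:
        return None  # bracketed value is not a valid address
    return m.group(1).lower().rstrip("."), str(ip)


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary is stricter than the "contains" wording in
    the thread: rr.com.example.net and notrr.com do not match rr.com.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def load_entries(text):
    """Split an entry file into field lists, ignoring blanks and # comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [row for row in rows if len(row) >= 2]


def spamips_check(helo, ip, entries):
    """IP vs HELO. FAIL: IP is in a listed range but HELO is a foreign domain."""
    addr = ipaddress.ip_address(ip)
    for cidr, *domains in entries:
        if addr in ipaddress.ip_network(cidr):
            ok = any(under_domain(helo, d) for d in domains)
            return "PASS" if ok else "FAIL"
    return "SKIP"  # not in any listed ISP range, so the test does not apply


def revdns_helo_check(revdns, helo, entries):
    """REVDNS vs HELO. Needs no CIDR list, but relies on REVDNS being present."""
    if not revdns:
        return "SKIP"
    for fields in entries:
        if under_domain(revdns, fields[0]):
            ok = any(under_domain(helo, d) for d in fields)
            return "PASS" if ok else "FAIL"
    return "SKIP"


if __name__ == "__main__":
    header = ("Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com "
              "(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700")
    helo, ip = parse_received(header)
    print(helo, ip, spamips_check(helo, ip, load_entries(SPAMIPS)))
    # Constructed sample: the REVDNS from Dan's post paired with that HELO.
    print(revdns_helo_check("ae88-0-013.sc.rr.com", helo,
                            load_entries(REVDNS_HELO)))
```

SKIP means no entry applies, so a weighting system would add nothing for that message rather than treat it as clean.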



Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread R. Scott Perry

Looking back at my original posting, I showed RDNS, then said all the 
domains those IPs use.  The intent is to ignore MAILFROM (which Spam 
Domains already checks) and compare only IP with RDNS.

Scott,

Would that still be effective?

Yes, I think the test would work with comparing to HELO/EHLO (but not for 
the return address).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] KillListGen Utility

2003-06-08 Thread Todd Smith @ Teksolvers
KillListGen incoming via email

Todd Smith
Teksolvers, LLC
1077 Glenharbor Circle
Winter Garden, FL  34787
407-877-8450 (phone)
407-877-8451 (fax)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Sunday, June 08, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] KillListGen Utility

Does anyone have the KillListGen utility they can mail to me ... the
link at nerosoft is broken, and email sent to them is returned as
invalid user.

Thanks,

David



Re: [Declude.JunkMail] SpamIPs Test Idea

2003-06-08 Thread Dan Patnode
Yes Bill, HELO not RDNS (that keyboard virus sure gets around).

I've been running a BadIP list for some time that maps the CIDRs of many ISPs 
(broadband ranges in particular).  With 2500 entries, it's on the heavy side but when a 
new range appears, the spammers find it and tell me about it.  SpamIPs would 
essentially be a smart version of this.

Interesting, comparing RDNS to HELO!  Essentially, every comparison test is battling 
the same problem, forged headers.  Spammers have software with fields for typing in 
all these things and they plug away.  If we total them, the number of possible 
comparisons is awesome:

MAILFROM vs HELO  (Spam Domains)
IP vs HELO        (SpamIPs)
RDNS vs HELO
RDNS vs MAILFROM
IP vs RDNS
IP vs MAILFROM

I like the first 3, Scott can pick the one(s) he likes best.  :)

Dan


On Sunday, June 8, 2003 12:44, Bill B. [EMAIL PROTECTED] wrote:
Ahh, I get it.  But it would have to compare the REMOTEIP to the
HELO string, not to the REVDNS.  Because styggen.com in the
header below indicates the HELO string sent by the remote mail
server, rather than the REVDNS value.

 Received: from styggen.com [24.208.153.243] by
mx2.spamsoap.com

It would be difficult to maintain an accurate list of ISP CIDRs
though.  So what about a variation of this idea where the test
would force REVDNS and HELO strings to contain a partial match.
 For example, an entry like this...

.rr.com  .rr.net

...would require a REVDNS that contains .rr.com, to use a
HELO string containing either .rr.com or .rr.net.  Or
perhaps the other way around.

Bill 


-Original Message-
From: Dan Patnode
Sent: 08 Jun 2003 12:47:11 -0700
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea


Thanks for the question Bill,

Looking back at my original posting, I showed RDNS, then said
all the domains those IPs use.  The intent is to ignore
MAILFROM (which Spam Domains already checks) and compare only
IP with RDNS.


Scott,

Would that still be effective?


Dan


On Sunday, June 8, 2003 11:49, Bill B. [EMAIL PROTECTED] wrote:
I'm not sure that I agree with this test.  I use Earthlink DSL
at home, and I never send out emails using my @earthlink.net
address.  I always use my personal or business address, neither
of which are provided by Earthlink.

I'd bet that a large percentage of DSL, Cable and Dial-up
customers do not use the email account that their ISP provides,
but they use their ISP's outgoing mail server because they are
forced to due to port 25 filtering.

Bill


-Original Message-
From: R. Scott Perry
Sent: Sun, 08 Jun 2003 09:36:56 -0400
Subject: Re: [Declude.JunkMail] SpamIPs Test Idea



Another idea for a new test, a close cousin to the SpamDomains test:

 Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
 (SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700

This message came from a road runner IP.  How about a test where we build 
a list of CIDRs for a given ISP, then match it with all the domains those 
IPs use.  In this case, the file entry would be (I know rr doesn't use .net)

24.208.0.0/14  rr.com  rr.net

In this case, it would match the IP, look for both RR entries, find 
styggen.com and fail the message.

That's a pretty neat idea.  That would work well for ISPs that don't allow 
their customers to run a mailserver, as it would provide an easy way to 
catch (most) mail from spammers on their networks, while allowing the 
legitimate E-mail through.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day
evaluation.


[Declude.JunkMail] cs.com - SPAMDOMAINS

2003-06-08 Thread Kami Razvan
Hi;

Does anyone know what entry we should have for cs.com?

Considering it is a 2 letter domain I think this can cause problem with the
way spamdomain test works. We get a lot of spam with @cs.com and it would
be good if we can put an entry for it.

Example header:
===
X-Mailfrom: 53lkikq5.cs.com
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS: u231n155.eastlink.ca ([24.222.231.155]).
X-Hello: u231n155.eastlink.ca
X-Note: Recipient(s): --DELETED--
X-Country-Chain: UNITED STATES-CANADA-UNITED STATES-destination
X-Spam-Prob: 0.988397
===

Ideas?

Regards,
Kami


Re: [Declude.JunkMail] cs.com - SPAMDOMAINS

2003-06-08 Thread Bill B.
That is compuserve (aol).  Our logs show the legit email from that domain coming from 
IPs having revdns similar to this:

imo-m07.mx.aol.com

...so I'd add this entry to spamdomains:

@cs.com  .aol.com

...the @ symbol will keep it from matching senders such as [EMAIL PROTECTED]

Bill


-Original Message-
From: Kami Razvan
Sent: Sun, 8 Jun 2003 16:26:43 -0400
Subject: [Declude.JunkMail] cs.com - SPAMDOMAINS


Hi;
 
Does anyone know what entry we should have for cs.com?
 
Considering it is a 2 letter domain I think this can cause problem with the
way spamdomain test works.  We get a lot of spam with @cs.com and it would
be good if we can put an entry for it.
 
Example header:
===
X-Mailfrom: 53lkikq5.cs.com
X-Note: Sent from: [EMAIL PROTECTED]
X-Note: Sent from Reverse DNS:  u231n155.eastlink.ca ([24.222.231.155]).
X-Hello: u231n155.eastlink.ca
X-Note: Recipient(s):  --DELETED--
X-Country-Chain: UNITED STATES-CANADA-UNITED STATES-destination
X-Spam-Prob: 0.988397
===
 
Ideas?
 
Regards,
Kami




Re: [Declude.JunkMail] cs.com - SPAMDOMAINS

2003-06-08 Thread Bill Landry
Why not:

@cs.com .aol.com

Bill

  - Original Message -
  From: Kami Razvan
  To: [EMAIL PROTECTED]
  Sent: Sunday, June 08, 2003 1:26 PM
  Subject: [Declude.JunkMail] cs.com - SPAMDOMAINS

  Hi;

  Does anyone know what entry we should have for cs.com?

  Considering it is a 2 letter domain I think this can cause problem with the
  way spamdomain test works. We get a lot of spam with @cs.com and it would
  be good if we can put an entry for it.

  Example header:
  ===
  X-Mailfrom: 53lkikq5.cs.com
  X-Note: Sent from: [EMAIL PROTECTED]
  X-Note: Sent from Reverse DNS: u231n155.eastlink.ca ([24.222.231.155]).
  X-Hello: u231n155.eastlink.ca
  X-Note: Recipient(s): --DELETED--
  X-Country-Chain: UNITED STATES-CANADA-UNITED STATES-destination
  X-Spam-Prob: 0.988397
  ===
  
  Ideas?
  
  Regards,
  Kami


Re: [Declude.JunkMail] new message header

2003-06-08 Thread Mike Nice

 ... Let's keep the spammers guessing for a while.  That'll improve its
effectiveness!

- Original Message - 
 So when might you be willing to share this new spam test with us...?
:-)))
  I see new X-Spam-Prob: headers being added after upgrading to Declude



Re: [Declude.JunkMail] KillListGen Utility

2003-06-08 Thread David Dodell
 Huh? Link is broken? You should be able to get it here:
 http://www.nerosoft.com/Download/KillListGenInst.exe

Thanks Scott.  I was following a link from the Declude website

 What address were you sending email to?

On your main webpage it shows [EMAIL PROTECTED] but it is really
linked to [EMAIL PROTECTED] ... and that bounces user unknown.
