Re: [Declude.JunkMail] Next release
Awesome Scott! Does this feature work with "PREWHITELIST ON" so that we can conserve some resources for Auth'd users?

Thanks,
Bill

----- Original Message -----
From: "R. Scott Perry"
Sent: Tue, 16 Sep 2003 20:05:40 -0400
Subject: Re: [Declude.JunkMail] Next release

>Scott could you give us an idea of what new tests and a possible date of the
>next release of declude junkmail.

We do not have an ETA for the next beta release. However:

>My remote users are constantly on me about the authentication issue when on
>a dial up. I have those users whitelisted but they do not like the side
>effect of receiving spam from their own email address.

We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Next release
Same with me. This is from one of my customers:

"Just a quick note to let you know how happy I am with your company's email virus scanning and spam filtering service. It really works awesome! It's not that I'm not capable, but I haven't even opened the McAfee Security software I bought -- knowing what a headache it would be to try and duplicate your service! Thanks again your patience in working through the setup process and getting us kicked off with a scalable solution to virus security web spamming problem"

----- Original Message -----
From: Joshua Levitsky
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 10:26 PM
Subject: Re: [Declude.JunkMail] Next release

On Sep 16, 2003, at 8:05 PM, R. Scott Perry wrote:

> We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated.

You are the best person in the whole world. You have the one product I feel is worth every dollar spent.

Thank you for the work you do for us. It is appreciated not just by us, but by our users.

Below is what my friend wrote me today after I've been using Matthew's filters in addition to my own ones for the past couple of days...

On Sep 16, 2003, at 1:35 PM, Rob Cashman ((Yechiel)) wrote:

> my inbox has gotten strangely quiet lately... shh... listen... ;) no spam.
Re: [Declude.JunkMail] Next release
On Sep 16, 2003, at 8:05 PM, R. Scott Perry wrote:

> We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated.

You are the best person in the whole world. You have the one product I feel is worth every dollar spent.

Thank you for the work you do for us. It is appreciated not just by us, but by our users.

Below is what my friend wrote me today after I've been using Matthew's filters in addition to my own ones for the past couple of days...

On Sep 16, 2003, at 1:35 PM, Rob Cashman ((Yechiel)) wrote:

> my inbox has gotten strangely quiet lately... shh... listen... ;) no spam.
RE: [Declude.JunkMail] Next release
>> if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated. <<

Uhhh, finally a good reason to upgrade to 8.x. Until now it seemed like a waste of good money.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
Re: [Declude.JunkMail] Next release
>Scott could you give us an idea of what new tests and a possible date of the
>next release of declude junkmail.

We do not have an ETA for the next beta release. However:

>My remote users are constantly on me about the authentication issue when on
>a dial up. I have those users whitelisted but they do not like the side
>effect of receiving spam from their own email address.

We do have an interim release at http://www.declude.com/release/175i/declude.exe that includes this ability (if you are running a version of IMail that supports it, such as 8.x). A line "WHITELIST AUTH" in the \IMail\Declude\global.cfg file will let that interim release know to whitelist all E-mail from users who have authenticated.

-Scott
[Declude.JunkMail] Next release
Scott could you give us an idea of what new tests and a possible date of the next release of declude junkmail.

My remote users are constantly on me about the authentication issue when on a dial up. I have those users whitelisted but they do not like the side effect of receiving spam from their own email address.

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
Changing the way industry works.
Re: [Declude.JunkMail] REMOTEIP as a filter?
>Before trying this .. would this work?
>
>BODY 0 CONTAINS %REMOTEIP%

No, that would not work. Variables are not processed in the filter files.

-Scott
Re: [Declude.JunkMail] REMOTEIP as a filter?
Kami, I don't think you can use variables in filter files. This would only flag literal %REMOTE% if found in the message body, not the remote IP address. I'm sure Scott will correct me if I am wrong...

Bill

----- Original Message -----
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 3:20 PM
Subject: [Declude.JunkMail] REMOTEIP as a filter?

Scott..

Before trying this .. would this work?

BODY 0 CONTAINS %REMOTEIP%

interesting when someone refers to the IP address that the email is being sent from. I have seen some spam that come from the same IP that the email has in its body for the recipient to visit.

Regards,
Kami
[Declude.JunkMail] REMOTEIP as a filter?
Scott..

Before trying this .. would this work?

BODY 0 CONTAINS %REMOTEIP%

interesting when someone refers to the IP address that the email is being sent from. I have seen some spam that come from the same IP that the email has in its body for the recipient to visit.

Regards,
Kami
Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
Shouldn't find FPs in any of the examples you posed, since a query should only be done on a mail-from domain name, and VeriScam would only respond to a query with the 64.94.110.11 IP address if the domain name ends in .net or .com.

Bill

----- Original Message -----
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 12:14 PM
Subject: Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

This is a great find! I'm just wondering where the potential FP's would come from so that I can determine the proper scoring. Obviously people that misspell their from domain could be tagged, but what happens when someone uses <> or how about just "John Smith", would that score on this test? I'm of course capturing to see what I get.

Also, is this a total replacement for MAILFROM on .com and .net domains?

Thanks,
Matt

Bill Landry wrote:

Yep, that's correct, and probably not a good thing. I have been using an rhsbl test, and it appears to be doing what it should--that is, query DNS with the return address and if it comes back with 64.94.110.11, add weight to the message. Here is what I am using:

VERISCAM rhsbl . 64.94.110.11 1 0

Yes, that's a period "." where you would normally list the rhsbl lookup domain. This has the effect of JunkMail doing an "A" record lookup against your own DNS for the return address listed in the message, and if it is an invalid domain, the DNS returns with 64.94.110.11, which causes the message to fail the VERISCAM test and weight gets added to the message.

I've set the weight to 1 for testing, but so far messages that have gotten flagged by the VERISCAM test have been spam.

Bill

----- Original Message -----
From: "Keith Anderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 11:48 PM
Subject: RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

The result would always be the same: 64.94.110.11 so you would tag every message as spam. Right?

----- Original Message -----
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 15, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

Interesting side effect of Verislime's move. Just setup a ip4r test that goes to a bogus domain and then all the bad addresses result in an answer of 64.94.110.11. Maybe this is how we can take advantage of this? If i made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then I'd probably be good no?

-Josh
[Declude.JunkMail] Imail v8 features
As a Declude JM & AV user I try to post this question here.

We've in use Imail v7.1 with latest patches. As I understand, we can install the KWM templates also on v7.1. Imail Antispam and AV is not for our interest. So remains the queue manager. I've read about some stability problems...

What's your opinion/experiences with v8?

Markus
Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
>Well, can't you have a valid mail domain that only has an MX record (and no A record), which points to a server in another domain (with an A record)?

Yes. But if the domain exists, Network Solutions won't send back an A record. It only does that for domains that do not exist.

-Scott
[Declude.JunkMail] Developer Moves to Neutralize Web Helper
Developer Moves to Neutralize Web Helper: Software Developer Releases Program That Neutralizes Controversial Navigation Service

http://biz.yahoo.com/ap/030916/internet_typos_2.html

Great! Maybe Microsoft will also release a patch for those that use their DNS server?
Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
Well, can't you have a valid mail domain that only has an MX record (and no A record), which points to a server in another domain (with an A record)?

/Roger

>>If I understand this correctly, the drawback with this work-around,
>>compared with the MAILFROM test, is that it only looks up the A record and
>>doesn't check for any MX records.
>
>True. It's designed to work with the MAILFROM test. The MAILFROM test
>works properly, and works with most TLDs. The VERISCAM test works just
>with .com and .net domains. The MX record test is not necessary with the
>VERISCAM test (if the A record is 64.94.110.11, the domain doesn't exist,
>and therefore can't have an MX record).
>
>>Any idea if this will cause a number of false positives?
>
>Only for domains that point to sitefinder.verisign.com -- but if that is
>the case, they probably aren't a domain that you would want mail from. :)
[Declude.JunkMail] How to config subjectchars test
Can specific characters be specified? If so how? If not a feature request to look for a specified char and the count, just like the subjectspaces test.

Could be useful for "U*n*i*v*e*r*s*i*t*y d*i*p*l*o*m*a"

Mike
Re: [Declude.JunkMail] OBFUSCATION filter
Mike,

Good point, however there is a problem. What you have is HTML encoded UNICODE, and there are thousands upon thousands of these: http://www.alanwood.net/unicode/unicode_samples_no.html , and there might be a good reason for this in multi-lingual mailings. I don't think though that mail clients would be supporting this method because base64 encoding is a lot more efficient with the overhead than HTML encoding is.

You could potentially test for just ";&#" in order to find two HTML encoded characters of any type in succession, however there are valid uses where you are listing two symbols in succession and the FP's would probably come into play. Such examples would probably be rare, so if you score the filter low in the first place, this wouldn't have a big impact. Adding that three character string would also defeat the need for 62 of the BODY checks in that filter and save on some processing, I just don't know that it would be safe to do.

If someone with a decent mail volume and a decent number of clients that have foreign language customers would like to test this for FP's and let the list know, that would be valuable. The filter would be the following:

-Global.cfg-
HTMLENCODE-TEST filter C:\IMail\Declude\Filters\HTMLEncode-Test.txt x 0 0

-HTMLEncode-Test.txt-
BODY 0 CONTAINS ;&#

-$Default$.JunkMail-
HTMLENCODE-TEST COPYTO [EMAIL PROTECTED]

I don't think my volume is large enough to get a feeling for the potential of FP's from this modification. The existing filter though should hardly ever get an FP.

Matt

Mike K wrote:

May want to account for foreign languages also. I just received this spam while I was adding your URL obfuscation filter.

Недорогие звонки зарубеж!

Mike

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 12:40 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

Pete,

It's not redundant because the two by themselves only check for strings of two, while the combination checks for strings with one of each in succession. This way, if they go back and forth between the two, it will get caught as long as there is a "." or "@" between them, or as long as it is URL encoding followed by HTML encoding. I left out the other way around because it was only a two character string, ";%" and wanted to protect from FP's.

I do appreciate the feedback though...I do of course make mistakes.

Matt

Pete McNeil wrote:

Matt,

It appears that your coding for a combination of http & url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.

_M

At 07:46 PM 9/14/2003 -0400, you wrote:

I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.

http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt

If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.

Thanks,

Matt
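The check discussed in the message above (the end of one HTML numeric reference followed directly by the start of the next), as an added example that is not part of the original posts or of the OBFUSCATION filter. It goes one step beyond the thread by decoding each run to separate encoded plain ASCII from encoded non-ASCII text; the function names, the labels and all sample bodies except the quoted subject are constructed for illustration.

```python
"""Added illustration of the HTML-encoding check discussed in this thread."""
import re
from html import unescape
from typing import List, Tuple

# One numeric character reference, decimal (&#1053;) or hex (&#x41D;).
REF = r"&#(?:[0-9]{1,7}|[xX][0-9a-fA-F]{1,6});"
# Two or more references with nothing between them.
RUN = re.compile(f"(?:{REF}){{2,}}")


def substring_test(body: str) -> bool:
    """Plain CONTAINS-style check: ';' immediately followed by '&#'."""
    return ";&#" in body


def classify_runs(body: str) -> List[Tuple[str, str]]:
    """Decode every run of adjacent references and label what it encoded."""
    results = []
    for match in RUN.finditer(body):
        decoded = unescape(match.group(0))
        plain = sum(1 for ch in decoded if 0x20 <= ord(ch) <= 0x7E)
        if not decoded:
            kind = "invalid"          # references to code points that decode to nothing
        elif plain == len(decoded):
            kind = "ascii-encoded"    # text that never needed encoding
        elif plain == 0:
            kind = "non-ascii-text"   # e.g. a foreign-language mailing
        else:
            kind = "mixed"
        results.append((decoded, kind))
    return results


def encodes_plain_ascii(body: str) -> bool:
    """True only when some run hides ordinary printable ASCII."""
    return any(kind == "ascii-encoded" for _, kind in classify_runs(body))


def to_refs(text: str) -> str:
    """Encode non-ASCII characters as decimal references (builds sample input)."""
    return "".join(c if ord(c) < 128 else f"&#{ord(c)};" for c in text)


# Constructed sample bodies.
ENCODED_LINK = 'Click <a href="http://&#119;&#119;&#119;&#46;example&#46;com/">here</a>'
PLAIN = "Fish &#38; chips, &#169; 2003"
SEMICOLON_EDGE = "See the terms;&#169; 2003 Example Ltd"
# The subject quoted in the thread, re-encoded as numeric references.
CYRILLIC = to_refs("Недорогие звонки зарубеж!")

if __name__ == "__main__":
    for label, body in [("encoded link", ENCODED_LINK), ("plain", PLAIN),
                        ("semicolon edge", SEMICOLON_EDGE), ("cyrillic", CYRILLIC)]:
        print(f"{label:15} substring={substring_test(body)!s:5} "
              f"runs={classify_runs(body)}")
```

The substring check fires on the Cyrillic sample and on an ordinary semicolon followed by a single reference, which is the false-positive risk raised in the message; the decoded classification fires only on the encoded link.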
Re: [Declude.JunkMail] OBFUSCATION filter
Mike,

The same thing can happen in the body, so it's worth knowing. Naturally the filter can easily be modified for use in the subject, and there is really no reason at all to be HTML encoding subject lines unless it is a non-Western European language, and still they should be base64 encoded I would think. I don't think the URL encoding techniques need be applied to subjects though, but searching a subject shouldn't be that process intensive.

Matt

Mike K wrote:

Sorry, just noticed, this was in the "subject".

Mike

----- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 3:32 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

May want to account for foreign languages also. I just received this spam while I was adding your URL obfuscation filter.

Недорогие звонки зарубеж!

Mike

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 12:40 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

Pete,

It's not redundant because the two by themselves only check for strings of two, while the combination checks for strings with one of each in succession. This way, if they go back and forth between the two, it will get caught as long as there is a "." or "@" between them, or as long as it is URL encoding followed by HTML encoding. I left out the other way around because it was only a two character string, ";%" and wanted to protect from FP's.

I do appreciate the feedback though...I do of course make mistakes.

Matt

Pete McNeil wrote:

Matt,

It appears that your coding for a combination of http & url encoding in urls is redundant since you capture both types individually. It's a small optimization, but worth mentioning.

_M

At 07:46 PM 9/14/2003 -0400, you wrote:

I've posted a newer version of the OBFUSCATION filter on my site. This contains the removal of the attachment thing and also the removal of 6 (of over 100) tests in order to be more forgiving, sans the PayPal issue.

http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt

If you find any false positives with this besides the Ticketmaster one that I've already counterbalanced, please let me know. I would imagine that posting to this group would be better than PM's unless others mind having discussion here. That way everyone would know about any issues ASAP.

Thanks,

Matt
Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
>If I understand this correctly, the drawback with this work-around, compared with the MAILFROM test, is that it only looks up the A record and doesn't check for any MX records.

True. It's designed to work with the MAILFROM test. The MAILFROM test works properly, and works with most TLDs. The VERISCAM test works just with .com and .net domains. The MX record test is not necessary with the VERISCAM test (if the A record is 64.94.110.11, the domain doesn't exist, and therefore can't have an MX record).

>Any idea if this will cause a number of false positives?

Only for domains that point to sitefinder.verisign.com -- but if that is the case, they probably aren't a domain that you would want mail from. :)

-Scott
Re: [Declude.JunkMail] Auto-unsubscribe
>Curious on how you have your auto-unsubscribe set. I have been unsubscribed twice now and each time I usually figure out when the list seems unusually quiet.

You'll get unsubscribed if there are too many bounces.

>This time is probably because of a filter that was a little too aggressive yesterday that I quickly caught and removed... I rejected two messages from the list but was still receiving messages for a little while after that point so didn't think it had triggered an auto-unsub.

If it was the infamous "ACL" test, that would account for it. We have little tolerance for rejecting E-mail based just on that test. :)

>Just curious so I can watch out for it in the future. ( do/can you send a notice to a recipient when you auto-un subscribe them? )

No. The thought here is that if the E-mails from the list are bouncing, E-mails from us will likely bounce as well.

-Scott
Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
Scott,

If I understand this correctly, the drawback with this work-around, compared with the MAILFROM test, is that it only looks up the A record and doesn't check for any MX records.

Any idea if this will cause a number of false positives?

/Roger

>>Scott could you explain how this works?
>>
>> > Or, if you have Declude JunkMail, you can just add a line "VERISCAM rhsbl . 64.94.110.11 8 0"
>
>That line will add a test of the "rhsbl" type named VERISCAM. That test
>uses "." as the zone to query, and expects a return IP of
>64.94.110.11. RHSBL tests look up the domain in the return address of an
>E-mail. For a similar test, you can look at:
>
>DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0
>
>For example, if the E-mail address is "[EMAIL PROTECTED]", the VERISCAM test
>would look up the A record for "example.com.", whereas the DSN test would
>look up the A record for "example.com.dsn.rfc-ignorant.org".
>
>The VERISCAM test is essentially a hack that takes advantage of the fact
>that you can use "." at the end of a domain you are looking up, and the
>fact that RHSBL tests use the domain name in the return address.
>
>-Scott
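The lookup explained in the message above, as an added example that is not part of the original posts and is not Declude's code. The resolver is a constructed stand-in that models the wildcard behaviour described in the thread so the example runs offline; the function names, the sample addresses, the treatment of an empty return address and the constructed zone data are assumptions.

```python
"""Added illustration of the rhsbl lookup discussed in this thread; not Declude code."""
from typing import Callable, List, NamedTuple, Optional

SITEFINDER_IP = "64.94.110.11"  # wildcard answer quoted in the thread


class RhsblTest(NamedTuple):
    name: str
    zone: str
    expected_ip: str
    weight: int


def parse_test_line(line: str) -> RhsblTest:
    """Parse 'NAME rhsbl ZONE IP WEIGHT N' as the lines appear in the thread.

    The thread identifies the fifth field as the weight. The sixth field is
    not explained there, so it is only checked to be numeric.
    """
    fields = line.split()
    if len(fields) != 6 or fields[1].lower() != "rhsbl":
        raise ValueError(f"not an rhsbl test line: {line!r}")
    name, _kind, zone, expected_ip, weight, sixth = fields
    int(sixth)
    return RhsblTest(name, zone, expected_ip, int(weight))


def return_domain(mail_from: str) -> Optional[str]:
    """Domain of the return address, or None for '<>' or a bare display name."""
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None


def rhsbl_query_name(domain: str, zone: str) -> str:
    """'<domain>.<zone>'; a zone of '.' leaves just the fully qualified domain."""
    zone = zone.strip(".")
    return f"{domain}.{zone}" if zone else f"{domain}."


def apply_test(test: RhsblTest, mail_from: str,
               resolve_a: Callable[[str], List[str]]) -> int:
    """Weight added by the test: non-zero only when the expected IP comes back."""
    domain = return_domain(mail_from)
    if domain is None:
        return 0  # assumption: no domain means no query is made
    answers = resolve_a(rhsbl_query_name(domain, test.zone))
    return test.weight if test.expected_ip in answers else 0


# Constructed zone data. example.net stands for a registered domain that has
# MX records but no A record, the case asked about in the thread.
REGISTERED = {"example.com.": ["192.0.2.10"], "example.net.": []}
LISTED = {"listed.example.dsn.rfc-ignorant.org.": ["127.0.0.2"]}


def constructed_resolver(name: str) -> List[str]:
    """Stand-in for a DNS A lookup while the .com/.net wildcard is active."""
    fqdn = (name if name.endswith(".") else name + ".").lower()
    if fqdn in LISTED:
        return LISTED[fqdn]
    if fqdn in REGISTERED:
        return REGISTERED[fqdn]
    if fqdn.endswith((".com.", ".net.")):
        return [SITEFINDER_IP]  # unregistered name: wildcard answer
    return []                   # other TLDs: no such domain


VERISCAM = parse_test_line("VERISCAM rhsbl . 64.94.110.11 8 0")
DSN = parse_test_line("DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0")

if __name__ == "__main__":
    senders = ["<user@example.com>", "<user@example.net>", "<>", "John Smith",
               "<user@no-such-domain-constructed.com>",
               "<user@no-such-domain-constructed.org>"]
    for sender in senders:
        print(f"{sender:42} VERISCAM weight "
              f"{apply_test(VERISCAM, sender, constructed_resolver)}")
```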
Re: [Declude.JunkMail] OBFUSCATION filter
Sorry, just noticed, this was in the "subject".

Mike

----- Original Message -----
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 3:32 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

> May want to account for foreign languages also. I just received this spam
> while I was adding your URL obfuscation filter.
>
> Недорогие
> звонки
> зарубеж!
>
> Mike
>
> ----- Original Message -----
> From: "Matthew Bramble" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 15, 2003 12:40 PM
> Subject: Re: [Declude.JunkMail] OBFUSCATION filter
>
> > Pete,
> >
> > It's not redundant because the two by themselves only check for strings
> > of two, while the combination checks for strings with one of each in
> > succession. This way, if they go back and forth between the two, it
> > will get caught as long as there is a "." or "@" between them, or as
> > long as it is URL encoding followed by HTML encoding. I left out the
> > other way around because it was only a two character string, ";%" and
> > wanted to protect from FP's.
> >
> > I do appreciate the feedback though...I do of course make mistakes.
> >
> > Matt
> >
> > Pete McNeil wrote:
> >
> > > Matt,
> > >
> > > It appears that your coding for a combination of http & url encoding
> > > in urls is redundant since you capture both types individually. It's a
> > > small optimization, but worth mentioning.
> > >
> > > _M
> > >
> > > At 07:46 PM 9/14/2003 -0400, you wrote:
> > >
> > >> I've posted a newer version of the OBFUSCATION filter on my site.
> > >> This contains the removal of the attachment thing and also the
> > >> removal of 6 (of over 100) tests in order to be more forgiving, sans
> > >> the PayPal issue.
> > >>
> > >> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
> > >>
> > >> If you find any false positives with this besides the Ticketmaster
> > >> one that I've already counterbalanced, please let me know. I would
> > >> imagine that posting to this group would be better than PM's unless
> > >> others mind having discussion here. That way everyone would know
> > >> about any issues ASAP.
> > >>
> > >> Thanks,
> > >>
> > >> Matt
Re: [Declude.JunkMail] OBFUSCATION filter
May want to account for foreign languages also. I just received this spam while I was adding your URL obfuscation filter.

Недорогие звонки зарубеж!

Mike

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 12:40 PM
Subject: Re: [Declude.JunkMail] OBFUSCATION filter

> Pete,
>
> It's not redundant because the two by themselves only check for strings
> of two, while the combination checks for strings with one of each in
> succession. This way, if they go back and forth between the two, it
> will get caught as long as there is a "." or "@" between them, or as
> long as it is URL encoding followed by HTML encoding. I left out the
> other way around because it was only a two character string, ";%" and
> wanted to protect from FP's.
>
> I do appreciate the feedback though...I do of course make mistakes.
>
> Matt
>
> Pete McNeil wrote:
>
> > Matt,
> >
> > It appears that your coding for a combination of http & url encoding
> > in urls is redundant since you capture both types individually. It's a
> > small optimization, but worth mentioning.
> >
> > _M
> >
> > At 07:46 PM 9/14/2003 -0400, you wrote:
> >
> >> I've posted a newer version of the OBFUSCATION filter on my site.
> >> This contains the removal of the attachment thing and also the
> >> removal of 6 (of over 100) tests in order to be more forgiving, sans
> >> the PayPal issue.
> >>
> >> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
> >>
> >> If you find any false positives with this besides the Ticketmaster
> >> one that I've already counterbalanced, please let me know. I would
> >> imagine that posting to this group would be better than PM's unless
> >> others mind having discussion here. That way everyone would know
> >> about any issues ASAP.
> >>
> >> Thanks,
> >>
> >> Matt
[Declude.JunkMail] Auto-unsubscribe
Scott:

Curious on how you have your auto-unsubscribe set. I have been unsubscribed twice now and each time I usually figure out when the list seems unusually quiet. This time is probably because of a filter that was a little too aggressive yesterday that I quickly caught and removed... I rejected two messages from the list but was still receiving messages for a little while after that point so didn't think it had triggered an auto-unsub.

Just curious so I can watch out for it in the future. (do/can you send a notice to a recipient when you auto-unsubscribe them?)

Thanks

Tom
Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
This is a great find! I'm just wondering where the potential FP's would come from so that I can determine the proper scoring. Obviously people that misspell their from domain could be tagged, but what happens when someone uses <> or how about just "John Smith", would that score on this test? I'm of course capturing to see what I get.

Also, is this a total replacement for MAILFROM on .com and .net domains?

Thanks,

Matt

Bill Landry wrote:

Yep, that's correct, and probably not a good thing. I have been using an rhsbl test, and it appears to be doing what it should--that is, query DNS with the return address and if it comes back with 64.94.110.11, add weight to the message. Here is what I am using:

VERISCAM rhsbl . 64.94.110.11 1 0

Yes, that's a period "." where you would normally list the rhsbl lookup domain. This has the effect of JunkMail doing an "A" record lookup against your own DNS for the return address listed in the message, and if it is an invalid domain, the DNS returns with 64.94.110.11, which causes the message to fail the VERISCAM test and weight gets added to the message.

I've set the weight to 1 for testing, but so far messages that have gotten flagged by the VERISCAM test have been spam.

Bill

----- Original Message -----
From: "Keith Anderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 11:48 PM
Subject: RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

The result would always be the same: 64.94.110.11 so you would tag every message as spam. Right?

-----Original Message-----
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 15, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

Interesting side effect of Verislime's move. Just setup a ip4r test that goes to a bogus domain and then all the bad addresses result in an answer of 64.94.110.11. Maybe this is how we can take advantage of this?

If I made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then I'd probably be good no?

-Josh
Re: [Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
Scott could you explain how this works?

> Or, if you have Declude JunkMail, you can just add a line "VERISCAM rhsbl . 64.94.110.11 8 0"

That line will add a test of the "rhsbl" type named VERISCAM. That test uses "." as the zone to query, and expects a return IP of 64.94.110.11.

RHSBL tests look up the domain in the return address of an E-mail. For a similar test, you can look at:

DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0

For example, if the E-mail address is "[EMAIL PROTECTED]", the VERISCAM test would look up the A record for "example.com.", whereas the DSN test would look up the A record for "example.com.dsn.rfc-ignorant.org".

The VERISCAM test is essentially a hack that takes advantage of the fact that you can use "." at the end of a domain you are looking up, and the fact that RHSBL tests use the domain name in the return address.

-Scott
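The name construction described in the message above, as an added example (not Declude's code and not part of the original message): it parses the two test lines quoted in the thread, builds the A-record query name from a return address, and scores against an offline stub resolver. The stub's records and addresses are constructed; treating the sixth field as the weight when the test does not fail, and skipping the lookup when the return address has no domain, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WILDCARD_IP = "64.94.110.11"  # answer quoted in the thread for unregistered names


@dataclass
class RhsblTest:
    name: str
    zone: str         # "." for VERISCAM, "dsn.rfc-ignorant.org" for DSN
    expected: str     # A-record value that counts as a hit
    weight_hit: int   # fifth field: weight added when the message fails the test
    weight_miss: int  # sixth field: assumed here to be the weight otherwise


def parse_test_line(line: str) -> RhsblTest:
    """Parse 'NAME rhsbl ZONE EXPECTED-IP N N' as quoted in the thread."""
    fields = line.split()
    if len(fields) != 6 or fields[1].lower() != "rhsbl":
        raise ValueError("not an rhsbl test line: %r" % line)
    name, _, zone, expected, hit, miss = fields
    return RhsblTest(name, zone, expected, int(hit), int(miss))


def return_domain(return_address: str) -> Optional[str]:
    """Domain part of the return address, or None when there is none."""
    addr = return_address.strip().strip("<>")
    if "@" not in addr:
        return None  # null sender "<>" or a bare display name
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None


def query_name(domain: str, zone: str) -> str:
    """Name whose A record the test looks up."""
    if zone == ".":
        return domain + "."  # root zone: the sender domain itself, fully qualified
    return domain + "." + zone.strip(".")


Resolver = Callable[[str], List[str]]


def run_test(test: RhsblTest, return_address: str,
             resolve: Resolver) -> Tuple[Optional[str], int]:
    """Return (name queried, weight added) for one message."""
    domain = return_domain(return_address)
    if domain is None:
        return None, 0  # assumption of this example: nothing to look up, no weight
    qname = query_name(domain, test.zone)
    hit = test.expected in resolve(qname)
    return qname, test.weight_hit if hit else test.weight_miss


# Constructed records standing in for DNS, so the example runs offline.
REGISTERED = {"example.com.": ["192.0.2.10"]}
DSN_LISTED = {"listed.example.dsn.rfc-ignorant.org": ["127.0.0.2"]}


def stub_resolver(qname: str) -> List[str]:
    """Model the wildcard: unregistered .com/.net names answer WILDCARD_IP."""
    if qname in REGISTERED:
        return REGISTERED[qname]
    if qname in DSN_LISTED:
        return DSN_LISTED[qname]
    if qname.endswith((".com.", ".net.")):
        return [WILDCARD_IP]
    return []  # no such name


if __name__ == "__main__":
    veriscam = parse_test_line("VERISCAM rhsbl . 64.94.110.11 8 0")
    dsn = parse_test_line("DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0")
    samples = [  # constructed return addresses
        "user@example.com",
        "<x@unregistered-constructed-qzx7.net>",
        "<>",
        "John Smith",
    ]
    for sender in samples:
        print(sender, "->", run_test(veriscam, sender, stub_resolver))
    print(run_test(dsn, "bounce@listed.example", stub_resolver))
```

A registered sender domain answers with its own A record and adds nothing, which is why the test only scores return addresses whose .com or .net domain does not exist.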
Re: [Declude.JunkMail] Disposable Domains
Dan,

That would be a valuable test IMO, however I think there might be issues with load since I am not aware of a standard method of caching whois lookups. Because whois output also comes in many forms (as opposed to DNS) it would be process intensive to grab the registration date. Then lastly, there are limitations on automated lookups on many whois databases. Otherwise I love the idea :)

Matt

Dan Patnode wrote:

Spammers put links in the body of messages and more recently are creating them by the pound, changing to new ones multiple times/days.

Is it possible to have a test that checks the age of domain names in the body? This information is available from a number of places:

http://www-whois.internic.net/cgi/whois?whois_nic=uzbeki98.biz&type=domain

But is it possible to make an automated test that can collect and use it? Simplest would be just specifying the location and age, in days, fewer than which it would trip, under one month in this example:

DomainAge domainage body 30 1 0

Dan
[Declude.JunkMail] FW: [IMail Forum] OT Verisign hijack *.net - crosspost
Scott could you explain how this works?

> Or, if you have Declude JunkMail, you can just add a line "VERISCAM rhsbl -Scott

I looked through the manual and the only description of RHSBL in the manual is the following line.

The "dnsbl" test type is used to support future DNS-based spam databases, that use something other than the IP address (ip4r) or return address (rhsbl) to detect spam.

I also googled "rhsbl" and found 2080 hits.

Kevin Bilbee
[Declude.JunkMail] GIBBERISH - 09/16/2003 filter update
I think that I've stumbled onto a large source of false positives in legitimate bulk mail. Instead of listing individual mailers that offend in many cases, it turns out that these are often customers of one of a few companies, CheetahMail and SilverPOP. Each of these companies uses URL's in their message bodies that contain random characters. The CheetahMail can be stopped by looking for their server in the body, i.e. .chtah.com, and SilverPop seems to have several domains so instead I'm filtering for their script, i.e. /servlet/ClickThru?. These together with Yahoo's and CNet's ad servers seem to account for the vast majority of the false positives that I have been seeing with the GIBBERISH filter.

CheetahMail and SilverPOP seem to have a very respectable client list, and today I saw from chtah.com hits on APC, Eddie Bauer, CarFax, Neiman Marcus, Delux, and Newport News...but no more will these be scored.

Please see the updated files for GIBBERISH and ANTIGIBBERISH that address this problem. The older versions of the files have been removed. Please also let me know any false positives that result, especially from legitimate bulk mailers which can be excluded with similar methods.

GIBBERISH and ANTIGIBBERISH
http://www.mailpure.com/decludefilters/gibberish/Gibberish_09-16-2003.txt
http://www.mailpure.com/decludefilters/gibberish/AntiGibberish_09-16-2003.txt

Matt
[Declude.JunkMail] What is going on with OpenRBL.org
For those who like to use http://openrbl.org but found it unavailable for longer than any usual system maintenance, your guess that it was due to a DDOS is right. Meanwhile, Declude's own http://www.dnsstuff.com/ and http://moensted.dk/spam/ can get you the lookup information. I also like to use Google Newsgroup searches in *.abuse.* for suspect domain names and IP addresses.

Here is the web page returned when you go to one of the openrbl.org mirrors, if you get a response at all:

503 - website unavailable due to ddos

the webserver has to be reconfigured to absorb a 'normal' ddos with a few mbps, and probably will be unavailable for a few days. Please use http://moensted.dk/spam/ instead.

nameservers already updated, more will be added, secondaries sought

the website will be moved to another address, hidden from the attacker

public access will be exclusively through one of at least 6 proxy-servers located in different networks. the attacker would need a multiple of the current bandwidth and a simultaneous ddos against multiple targets to achieve any noticeable results. probably much too risky for the spammer located somewhere around the timezone of Florida trying to take off antispam-sites

the distribution of dnsbl-lists via mirror.bliab.com will commence soon with http-redirects, could not get an update from spews tonight anyway...

Currently there are 2 proxy-servers available, and some more urgently required. If you are able to help with a proxy-server (Apache/mod_proxy, Pound, Squid or similar, dedicated ip recommended) with 1..4gb traffic per month (limit may be set by you) please contact with details. It may be even possible to display your ad for those requests tunneled thru your proxy, negotiable.

Guestbook available for questions.
RE: [Declude.JunkMail] Any easy way
Yes I see that per user but I run it as a per domain service would it work there too ?

Was a little wrong in my mail where I typed per user but meant per domain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
Sent: 16. september 2003 19:07
To: ISPhuset Nordic / Benny Samuelsen

> ...or make a line in declude.junkmail which goes to a global file
> where u change the settings for all of those having this "profile"

See the REDIRECT keyword.

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] Any easy way
> ...or make a line in declude.junkmail which goes to a global file
> where u change the settings for all of those having this "profile"

See the REDIRECT keyword.

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
[Declude.JunkMail] Any easy way
We are running a per user setting on our Declude junkmail, as a paid service on mail. But every time there are huge changes there is a lot of work updating the configs.

Would it be possible to run this either in a database where u add the domain and just click in for which filters the customer shall have or make a line in declude.junkmail which goes to a global file where u change the settings for all of those having this "profile"

Because when u have to edit 600 config files it's a pain in the a..

Benny
Re: [Declude.JunkMail] RevDNS
> I'm guessing that your local DNS server thinks that it is authoritative for
> reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.
>
> When you say local, you are talking about the internal Private DNS server, right?

By "local" I mean the DNS server that IMail uses.

> Or the dns of imail? I just added a reverse zone on my private DNS server for the ip in question, as well as others ( had to be a classless zone too), but I am still getting the same warnings.

That will happen if the DNS server that IMail uses reports that 209.7.3.194 has no reverse DNS entry (which would be incorrect, since it does have a reverse DNS entry).

-Scott
Re: [Declude.JunkMail] Character set/unicode testing?
Mark,

Such E-mail should be tagged in the message header. Even your message got sent in charset="koi8-r", though I have seen at least one other Cyrillic character set. Here's a page full of them:

http://czyborra.com/charsets/cyrillic.html

I would imagine that if you have no customers speaking such languages, such as I, then you can score a filter for this pretty high. If I'm correct, it's just one spam outfit doing this because they have my personal account tagged and always list it the same way, i.e. Matt <[EMAIL PROTECTED]> instead of the more typical matt <[EMAIL PROTECTED]> when they configure such programs to use the address as the name.

Matt

Mark Smith wrote:

Is there any way to filter based on character set, code page, etc? I'm getting swamped with tons of Cyrillic spam lately and it's passing my RBL's recently. I can't filter by code word or phrase and the MAILFROM field is random. Any thoughts? Here's a sample
Re: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated
I've seen different results than what you are reporting. Almost all of the hits for GIBBERISH that set off ANTIGIBBERISH are E-mails containing base64 attachments. When you see a spam trigger both of these, it's likely because it's sent in base64 and it should trip Declude's BASE64 test instead. GIBBERISHSUB has a similar problem with base64 encoding, and gives no score when it is found. Although this can be highly indicative of spam if ISO-8859 is encoded in the subject, that's a job for a different filter.

These filters are designed to work within the capabilities of Declude, and while triggering multiple tests only to defeat the filters is undesirable, it is necessary. If you are looking to figure out how well they work, you literally have to pay attention to the scoring that it gives. If it gives no score, technically that's not a hit as far as the design goes.

95% of the hits on the body filter that trigger the anti test are because of base 64 encoding, which includes any E-mail with an attachment or inline attached content such as non-Western European language, occasionally a valid E-mail needlessly using that encoding, or in some cases spam that is trying to get past text filters. If you see a lot of E-mails containing base64 encoding because of non-Western European languages, then these filters will tag a lot of that E-mail, but not add score to it. The intended target is English spam that isn't base64 encoded and it works pretty well there.

Matt

Frederick Samarelli wrote:

I assume you are using all four of these items at one time.

GIBBERISHSUB
ANTIGIBBERISHSUB
GIBBERISH
ANTIGIBBERISH

I have noticed that almost all spam that set off GIBBERISHSUB/GIBBERISH will set off the ANTIGIBBERISHSUB/ANTIGIBBERISH making the test non-productive.

Fred

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 4:29 PM
Subject: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated

They're still a work in progress of course, but most of the major sources of FP's seem to have been fixed.

The major changes are that the tests have both been split into two files, one for positives, and one for counterbalancing false positives. This reduces the possibility of crediting too much back to any E-mail. It also makes testing a lot easier as any test that fails the main filter, and doesn't fail the "anti" filter gets scored, those that fail both don't.

The GIBBERISHSUB filter is pretty much there with the only things that I expect to add being exceptions in the ANTIGIBBERISHSUB filter. Those exemptions should be for words, acronyms and stock market symbols, and they should match the same exemptions in ANTIGIBBERISH filter.

The GIBBERISH filter similarly has ANTIGIBBERISH as a counterbalance. Some things are listed in both files if they only occasionally don't tend to throw positives, which makes monitoring easier. The test will no longer interfere with BASE64 except that it will add extra score to any base64 encoded content that isn't tagged anywhere in the headers or message body as being such. This is not a bad thing because that would be very highly indicative of spam. I have also found that many spams are caught because they contain gibberish in the message boundary only. Normal mail clients use time stamps, either in decimal or hexadecimal form so they won't trip the test. Spammers also tend to create fake directories in their links that are made from gibberish, and this will detect that as well, though unfortunately, some legitimate mailers are random enough to get caught and they are being kept track of in the "anti" file.

I haven't had time to massage the comments, but wanted to put this out for testing because it resolves many of the false positives. Please let me know if you have a nomination for counterbalancing measures, such as words, mail clients, bulk mailers, etc. Offending code is helpful because a literal exception might not be the best way around it. For instance, I just took care of a MS Word mail issue by exempting XML tags instead of one particular string of characters.

You can download those filters plus the OBFUSCATION filter at the following locations:

GIBBERISH and ANTIGIBBERISH
http://www.mailpure.com/decludefilters/gibberish/Gibberish_09-15-2003.txt
http://www.mailpure.com/decludefilters/gibberish/AntiGibberish_09-15-2003.txt

GIBBERISHSUB and ANTIGIBBERISHSUB
http://www.mailpure.com/decludefilters/gibberishsub/GibberishSub_09-15-2003.txt
http://www.mailpure.com/decludefilters/gibberishsub/AntiGibberishSub_09-15-2003.txt

OBFUSCATION
http://www.mailpure.com/decludefilters/obfuscation/Obfuscation_09-14-2003c.txt

Recommendations how to best obscure the files long-term would be appreciated. It shouldn't be anything too convoluted, like maybe a secret handshake or something :)

Matt
Re: [Declude.JunkMail] RevDNS
> Is the IMail server in the DMZ?

The IMail server is actually outside of our firewall on the internet side of things.

> I'm guessing that your local DNS server thinks that it is authoritative for
> reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

When you say local, you are talking about the internal Private DNS server, right? Or the dns of imail? I just added a reverse zone on my private DNS server for the ip in question, as well as others ( had to be a classless zone too), but I am still getting the same warnings.

drats.

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 10:06 AM
Subject: Re: [Declude.JunkMail] RevDNS

> > I've had this problem for a while, and although I found a way around it, I
> > want to get it corrected
> > so that I don't see this warning...anyway...
> >
> > My work is behind a firewall, this firewall, contains 3 zones:
> > Our Private network with a 192.168.x.x IP range
> > Our DMZ
> > and the Internet Zone
> >
> > The firewall does NAT to hide all our machines behind one IP which is
> > designated on the firewall.
>
> Is the IMail server in the DMZ?
>
> > X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with
> > no reverse DNS entry.
>
> > But I would like to know why declude is thinking that 209.7.3.194 is
> > actually the mail server ( or at least, that's how
> > I interpret these warnings to say)
>
> The E-mail was sent from the IP 209.7.3.194 -- it really, really was. :)
>
> I'm guessing that your local DNS server thinks that it is authoritative for
> reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.
>
> -Scott
Re: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated
I assume you are using all four of these items at one time.

GIBBERISHSUB
ANTIGIBBERISHSUB
GIBBERISH
ANTIGIBBERISH

I have noticed that almost all spam that set off GIBBERISHSUB/GIBBERISH will set off the ANTIGIBBERISHSUB/ANTIGIBBERISH making the test non-productive.

Fred

----- Original Message -----
From: "Matthew Bramble" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 4:29 PM
Subject: [Declude.JunkMail] GIBBERISH and GIBBERISHSUB filters updated

> They're still a work in progress of course, but most of the major
> sources of FP's seem to have been fixed.
>
> The major changes are that the tests have both been split into two
> files, one for positives, and one for counterbalancing false positives.
> This reduces the possibility of crediting too much back to any E-mail.
> It also makes testing a lot easier as any test that fails the main
> filter, and doesn't fail the "anti" filter gets scored, those that fail
> both don't.
>
> The GIBBERISHSUB filter is pretty much there with the only things that I
> expect to add being exceptions in the ANTIGIBBERISHSUB filter. Those
> exemptions should be for words, acronyms and stock market symbols, and
> they should match the same exemptions in ANTIGIBBERISH filter.
>
> The GIBBERISH filter similarly has ANTIGIBBERISH as a counterbalance.
> Some things are listed in both files if they only occasionally don't
> tend to throw positives, which makes monitoring easier. The test will
> no longer interfere with BASE64 except that it will add extra score to
> any base64 encoded content that isn't tagged anywhere in the headers or
> message body as being such. This is not a bad thing because that would
> be very highly indicative of spam. I have also found that many spams
> are caught because they contain gibberish in the message boundary only.
> Normal mail clients use time stamps, either in decimal or hexadecimal
> form so they won't trip the test. Spammers also tend to create fake
> directories in their links that are made from gibberish, and this will
> detect that as well, though unfortunately, some legitimate mailers are
> random enough to get caught and they are being kept track of in the
> "anti" file.
>
> I haven't had time to massage the comments, but wanted to put this out
> for testing because it resolves many of the false positives. Please let
> me know if you have a nomination for counterbalancing measures, such as
> words, mail clients, bulk mailers, etc. Offending code is helpful
> because a literal exception might not be the best way around it. For
> instance, I just took care of a MS Word mail issue by exempting XML tags
> instead of one particular string of characters.
>
> You can download those filters plus the OBFUSCATION filter at the
> following locations:
>
> GIBBERISH and ANTIGIBBERISH
> http://www.mailpure.com/decludefilters/gibberish/Gibberish_09-15-2003.txt
> http://www.mailpure.com/decludefilters/gibberish/AntiGibberish_09-15-2003.txt
>
> GIBBERISHSUB and ANTIGIBBERISHSUB
> http://www.mailpure.com/decludefilters/gibberishsub/GibberishSub_09-15-2003.txt
> http://www.mailpure.com/decludefilters/gibberishsub/AntiGibberishSub_09-15-2003.txt
>
> OBFUSCATION
> http://www.mailpure.com/decludefilters/obfuscation/Obfuscation_09-14-2003c.txt
>
> Recommendations how to best obscure the files long-term would be
> appreciated. It shouldn't be anything too convoluted, like maybe a
> secret handshake or something :)
>
> Matt
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer
> I knew I should have done that. Also, I just realized that this is the wrong forum for Declude Virus. My bad. Oh, well. I'm sure others are anxiously anticipating the outcome of this issue at this point. ;)

Everything in the file looks fine. Are you sure that it is this file (sender.eml, with the subject "WARNING: YOU MAY HAVE A VIRUS") that is being sent out, as opposed to the otherpostmaster.eml or one of the other files?

-Scott
RE: [Declude.JunkMail] Action vs weight
IGNORE will Ignore the message but still weight it. I have IGNORE set as the action for all of my tests (except my kill file). Then I apply bounce/delete, etc actions for the weight tests.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Tuesday, September 16, 2003 10:52 AM
To: Declude Junkmail List
Subject: [Declude.JunkMail] Action vs weight

If I have a test in my global.cfg, say the easynet-proxies, and the weight is 7, but in my default junkmail file, I don't put any action associated with the test (such as WARN), will the weight still be counted in for the test, or will it be totally ignored?

The reason I am asking is, I don't particularly care if there is reference to the failed test in the headers of the message, but I rely on my own weighting system and I want to be sure a failed test is going to add towards the total weight.

Sorry if the question is stupid, I don't really play around much with the configs.

Thanks,

Sharyn
RE: [Declude.JunkMail] Action vs weight
> Yes, a test will still count towards the weight even if there is no action defined for it.
>
> -Scott

Great..thanks!

Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS Fizzer
>Open your sender.eml with notepad, then copy and paste into a new text
>document.
>Outlook treats this as an attached e-mail and messes with it.
>John Tolmachoff MCSE CSSA

I knew I should have done that. Also, I just realized that this is the wrong forum for Declude Virus. My bad. Oh, well. I'm sure others are anxiously anticipating the outcome of this issue at this point. ;)

Here's the text file.

SKIPIFVIRUSNAMEHAS Fizzer
SKIPIFVIRUSNAMEHAS Yaha
SKIPIFVIRUSNAMEHAS Lentin
SKIPIFVIRUSNAMEHAS Magistr
SKIPIFVIRUSNAMEHAS Klez
SKIPIFVIRUSNAMEHAS Vulnerability
SKIPIFVIRUSNAMEHAS Bugbear
SKIPIFVIRUSNAMEHAS Bridex
SKIPIFVIRUSNAMEHAS Braid
SKIPIFVIRUSNAMEHAS Sobig
SKIPIFVIRUSNAMEHAS Palyh
From: [EMAIL PROTECTED]
To: %MAILFROM%
Subject: WARNING: YOU MAY HAVE A VIRUS

The Declude Virus software on %LOCALHOST% has reported that you sent an E-mail to %ALLRECIPS%, containing the %VIRUSNAME% virus in the %VIRUSFILE% attachment. The subject of the E-mail was "%SUBJECT%".

The E-mail containing the virus has been quarantined to prevent further damage.

NOTE: Sender information is easily forged, so while the email containing the virus purportedly was sent by you, it may not actually have come from you, in which case we apologize for this notification.

Headers Follow:
%HEADERS%
Re: [Declude.JunkMail] Action vs weight
> If I have a test in my global.cfg, say the easynet-proxies, and the weight is 7, but in my default junkmail file, I don't put any action associated with the test (such as WARN), will the weight still be counted in for the test, or will it be totally ignored?
>
> The reason I am asking is, I don't particularly care if there is reference to the failed test in the headers of the message, but I rely on my own weighting system and I want to be sure a failed test is going to add towards the total weight.

Yes, a test will still count towards the weight even if there is no action defined for it.

-Scott
Re: [Declude.JunkMail] How do I block this...what is best way?
Keith,

One of the lists I use is Tom's from ImageFx. It's pretty good and always seems to be updated. http://www.imagefxonline.net/apps/delog/fromfile.txt

Darrell

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com

Keith Anderson writes:

Not to feed the spammers again by asking this, but is there a repository of blacklists out there somewhere? Anyone willing to share?

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How do I block this...what is best way?

@beefymailer.net has been in our Blacklist since 6/13/2003. We refuse connection if that address is used in the mail- in other words this is in our kill list at Imail level.
Re: [Declude.JunkMail] RevDNS
I've had this problem for a while, and although I found a way around it, I want to get it corrected so that I don't see this warning...anyway... My work is behind a firewall, this firewall, contains 3 zones: Our Private network with a 192.168.x.x IP range Our DMZ and the Internet Zone The firewall does NAT to hide all our machines behind one IP which is designated on the firewall.

Is the IMail server in the DMZ?

X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with no reverse DNS entry.

But I would like to know why declude is thinking that 209.7.3.194 is actually the mail server ( or at least, that's how I interpret these warnings to say)

The E-mail was sent from the IP 209.7.3.194 -- it really, really was. :) I'm guessing that your local DNS server thinks that it is authoritative for reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

-Scott
Re: [Declude.JunkMail] RevDNS
- Original Message -
From: "EN" <[EMAIL PROTECTED]>

> The firewall does NAT to hide all our machines behind one IP which is
> designated on the firewall.
> When a user sends email while using the web interface of Imail, all is well.
> When a user sends an email using Outlook Express, then declude starts to
> give warnings, e.g.
>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with
> no reverse DNS entry.
> X-Declude-Sender: [EMAIL PROTECTED] [209.7.3.194]
> X-Declude-Spoolname: D1cda001201d0db47.SMD
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
> spam.
> X-Spam-Tests-Failed: IPNOTINMX, REVDNS [4]
> X-Note: This E-mail was sent from [No Reverse DNS] ([209.7.3.194]).

Easiest thing to do here is whitelist your internal address space. Otherwise, you would need to set up PTR & MX records for all of your IP addresses, which usually doesn't make sense if your users are behind a firewall that is doing address translation anyway.

Bill
Re: [Declude.JunkMail] JM held mail viewer
Perfect, Thank you.

Mike

- Original Message -
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 10:11 AM
Subject: Re: [Declude.JunkMail] JM held mail viewer

> Yes, there is a neat little decode app from Funduc Software that supports
> decoding of several encoding types, and it integrates nicely into the
> Windows Explorer right-click feature (so if you right-click on a file, one
> of your options is "Decode"). You can find it at www.funduc.com under the
> "Free Stuff" section (which makes it even better).
>
> Bill
> - Original Message -
> From: "Mike K" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 16, 2003 7:00 AM
> Subject: [Declude.JunkMail] JM held mail viewer
>
> > Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool
> > files that have been held by JM?
> >
> > Mike
[Declude.JunkMail] Action vs weight
If I have a test in my global.cfg, say the easynet-proxies, and the weight is 7, but in my default junkmail file, I don't put any action associated with the test (such as WARN), will the weight still be counted in for the test, or will it be totally ignored? The reason I am asking is, I don't particularly care if there is reference to the failed test in the headers of the message, but I rely on my own weighting system and I want to be sure a failed test is going to add towards the total weight. Sorry if the question is stupid, I don't really play around much with the configs. Thanks, Sharyn
[Declude.JunkMail] RevDNS
Hi all,

I've had this problem for a while, and although I found a way around it, I want to get it corrected so that I don't see this warning...anyway... My work is behind a firewall, this firewall, contains 3 zones: Our Private network with a 192.168.x.x IP range Our DMZ and the Internet Zone The firewall does NAT to hide all our machines behind one IP which is designated on the firewall. When a user sends email while using the web interface of Imail, all is well. When a user sends an email using Outlook Express, then declude starts to give warnings, e.g.

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.7.3.194 with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [209.7.3.194]
X-Declude-Spoolname: D1cda001201d0db47.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, REVDNS [4]
X-Note: This E-mail was sent from [No Reverse DNS] ([209.7.3.194]).

Now, our domain is fenwickfriars.com and we have the proper records for DNS settings, and for our mail server. But I would like to know why declude is thinking that 209.7.3.194 is actually the mail server ( or at least, that's how I interpret these warnings to say) Any ideas or help? Thanks!
Re: [Declude.JunkMail] JM held mail viewer
Yes, there is a neat little decode app from Funduc Software that supports decoding of several encoding types, and it integrates nicely into the Windows Explorer right-click feature (so if you right-click on a file, one of your options is "Decode"). You can find it at www.funduc.com under the "Free Stuff" section (which makes it even better).

Bill

- Original Message -
From: "Mike K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 7:00 AM
Subject: [Declude.JunkMail] JM held mail viewer

> Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool
> files that have been held by JM?
>
> Mike
[Declude.JunkMail] JM held mail viewer
Is there a util that allows viewing/decoding of base64 encoded D*.SMD spool files that have been held by JM?

Mike
RE: [Declude.JunkMail] How do I block this...what is best way?
Not to feed the spammers again by asking this, but is there a repository of blacklists out there somewhere? Anyone willing to share?

I use the pre-made blacklist file (Kill List) from ImageFx as I don't have a lot of spare time to do my own configurations. Good job, guys, by the way! :) http://www.imagefxonline.net/apps/delog/ I don't use this in my IMAIL kill list, I use it in JM. (blacklist fromfile)

Sharyn

We are the worldwide producer and marketer of the award winning Cruzan Single Barrel Rum, judged "Best in the World" at the annual San Francisco Wine and Spirits Championships. For more information, please click (go to) http://www.cruzanrums.com
RE: [Declude.JunkMail] How do I block this...what is best way?
Not to feed the spammers again by asking this, but is there a repository of blacklists out there somewhere? Anyone willing to share?

> -Original Message-
> From: Kami Razvan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 16, 2003 6:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] How do I block this...what is best way?
>
> @beefymailer.net has been in our Blacklist since 6/13/2003. We refuse
> connection if that address is used in the mail- in other words this is in
> our kill list at Imail level.
RE: [Declude.JunkMail] How do I block this...what is best way?
Thanks Kim. Can you send me a copy of your kill.lst? I think it would help us out a lot.

Samantha

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 8:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How do I block this...what is best way?

@beefymailer.net has been in our Blacklist since 6/13/2003. We refuse connection if that address is used in the mail- in other words this is in our kill list at Imail level.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bridges, Samantha
Sent: Tuesday, September 16, 2003 8:48 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How do I block this...what is best way?

I have been seeing more and more Junk Mail in the past few weeks. Here are headers from a junk message I am getting. I am afraid to block anything individually and I don't feel comfortable using the weighting. Declude Junk Mail runs great right out of the box, however I know I am going to have to be more creative and start blocking this stuff with manual entries in the junkmail file. Here is the header from one message. Maybe if I start with this as an example, I will feel comfortable manually blocking others. Thanks for any input, advice or comments. I have been using Declude for awhile now and am a little embarrassed that I haven't spent more time with this wonderful product. It is just that good that it works great right "out of the box". Thanks Declude for the great product and patience with people like me that still struggle to keep the junk out!

Here are the headers:

Microsoft Mail Internet Headers Version 2.0
Received: from apollo.misd.net ([64.88.0.98]) by xmail1.macombisd.org with Microsoft SMTPSVC(5.0.2195.6713); Tue, 16 Sep 2003 01:40:31 -0400
Received: from SMTP32-FWD by apollo.misd.net (SMTP32) id A00FAE1D9; Tue, 16 Sep 2003 01:47:54 -0400
Received: from m1.beefymailer.net [65.60.8.106] by apollo.misd.net (SMTPD32-8.02) id A3F726C40092; Tue, 16 Sep 2003 01:47:35 -0400
To: [EMAIL PROTECTED]
Date: Mon, 15 Sep 2003 21:44:18 -0800
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.6-pre2-xfs i686)
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
X-Sender: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: Get a FREE $100 Target(r) Gift Card from Bluedolphin.com - Compliments of Mr. Beef
Content-Type: text/html
X-RBL-Warning: EASYNET-DNSBL: Blacklisted by easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html
X-RBL-Warning: SBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL6105
X-RBL-Warning: DSN: Not supporting null originator (DSN)
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.60.8.106 with no reverse DNS entry.
X-RBL-Warning: WEIGHT10: Weight of 16 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [65.60.8.106]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: EASYNET-DNSBL, SBL, DSN, REVDNS, WEIGHT10 [16]
X-IMAIL-SPAM-STATISTICS: 1.
X-OriginalArrivalTime: 16 Sep 2003 05:40:31.0214 (UTC) FILETIME=[0AB298E0:01C37C15]
RE: [Declude.JunkMail] How do I block this...what is best way?
@beefymailer.net has been in our Blacklist since 6/13/2003. We refuse connection if that address is used in the mail- in other words this is in our kill list at Imail level.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bridges, Samantha
Sent: Tuesday, September 16, 2003 8:48 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How do I block this...what is best way?

I have been seeing more and more Junk Mail in the past few weeks. Here are headers from a junk message I am getting. I am afraid to block anything individually and I don't feel comfortable using the weighting. Declude Junk Mail runs great right out of the box, however I know I am going to have to be more creative and start blocking this stuff with manual entries in the junkmail file. Here is the header from one message. Maybe if I start with this as an example, I will feel comfortable manually blocking others. Thanks for any input, advice or comments. I have been using Declude for awhile now and am a little embarrassed that I haven't spent more time with this wonderful product. It is just that good that it works great right "out of the box". Thanks Declude for the great product and patience with people like me that still struggle to keep the junk out!

Here are the headers:

Microsoft Mail Internet Headers Version 2.0
Received: from apollo.misd.net ([64.88.0.98]) by xmail1.macombisd.org with Microsoft SMTPSVC(5.0.2195.6713); Tue, 16 Sep 2003 01:40:31 -0400
Received: from SMTP32-FWD by apollo.misd.net (SMTP32) id A00FAE1D9; Tue, 16 Sep 2003 01:47:54 -0400
Received: from m1.beefymailer.net [65.60.8.106] by apollo.misd.net (SMTPD32-8.02) id A3F726C40092; Tue, 16 Sep 2003 01:47:35 -0400
To: [EMAIL PROTECTED]
Date: Mon, 15 Sep 2003 21:44:18 -0800
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.6-pre2-xfs i686)
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
X-Sender: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: Get a FREE $100 Target(r) Gift Card from Bluedolphin.com - Compliments of Mr. Beef
Content-Type: text/html
X-RBL-Warning: EASYNET-DNSBL: Blacklisted by easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html
X-RBL-Warning: SBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL6105
X-RBL-Warning: DSN: Not supporting null originator (DSN)
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.60.8.106 with no reverse DNS entry.
X-RBL-Warning: WEIGHT10: Weight of 16 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [65.60.8.106]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: EASYNET-DNSBL, SBL, DSN, REVDNS, WEIGHT10 [16]
X-IMAIL-SPAM-STATISTICS: 1.
X-OriginalArrivalTime: 16 Sep 2003 05:40:31.0214 (UTC) FILETIME=[0AB298E0:01C37C15]
[Declude.JunkMail] How do I block this...what is best way?
I have been seeing more and more Junk Mail in the past few weeks. Here are headers from a junk message I am getting. I am afraid to block anything individually and I don't feel comfortable using the weighting. Declude Junk Mail runs great right out of the box, however I know I am going to have to be more creative and start blocking this stuff with manual entries in the junkmail file. Here is the header from one message. Maybe if I start with this as an example, I will feel comfortable manually blocking others. Thanks for any input, advice or comments. I have been using Declude for awhile now and am a little embarrassed that I haven't spent more time with this wonderful product. It is just that good that it works great right "out of the box". Thanks Declude for the great product and patience with people like me that still struggle to keep the junk out!

Here are the headers:

Microsoft Mail Internet Headers Version 2.0
Received: from apollo.misd.net ([64.88.0.98]) by xmail1.macombisd.org with Microsoft SMTPSVC(5.0.2195.6713); Tue, 16 Sep 2003 01:40:31 -0400
Received: from SMTP32-FWD by apollo.misd.net (SMTP32) id A00FAE1D9; Tue, 16 Sep 2003 01:47:54 -0400
Received: from m1.beefymailer.net [65.60.8.106] by apollo.misd.net (SMTPD32-8.02) id A3F726C40092; Tue, 16 Sep 2003 01:47:35 -0400
To: [EMAIL PROTECTED]
Date: Mon, 15 Sep 2003 21:44:18 -0800
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.6-pre2-xfs i686)
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
X-Sender: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: Get a FREE $100 Target(r) Gift Card from Bluedolphin.com - Compliments of Mr. Beef
Content-Type: text/html
X-RBL-Warning: EASYNET-DNSBL: Blacklisted by easynet.nl DNSBL - http://blackholes.easynet.nl/errors.html
X-RBL-Warning: SBL: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL6105
X-RBL-Warning: DSN: Not supporting null originator (DSN)
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 65.60.8.106 with no reverse DNS entry.
X-RBL-Warning: WEIGHT10: Weight of 16 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [65.60.8.106]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: EASYNET-DNSBL, SBL, DSN, REVDNS, WEIGHT10 [16]
X-IMAIL-SPAM-STATISTICS: 1.
X-OriginalArrivalTime: 16 Sep 2003 05:40:31.0214 (UTC) FILETIME=[0AB298E0:01C37C15]
RE: [Declude.JunkMail] What do I do about this?
Filter the body and header for .naturalherbal.biz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stanley Lyzak
Sent: Tuesday, 16 September, 2003 15:28
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] What do I do about this?

I have to admit, the level of help I get from this forum is great! Well, I have a tough one (for me) Here is an email that I have no clue how to filter for (with the exception of the domain name at the end- but these constantly change). If you ignore what is between the brackets <>, it's an ad to help increase the size of an anatomical part. This couldn't be filtered with the comments test, right? I don't know my HTML at all, but there must be a way to catch this type of junk. Any help would be appreciated. Thanks!

Genital Enlargement - Medical Breakthrough For Men! 2 amazing ways to enlarge your manhood - read below.. Doctors worked for years creating a pill to enlarge the male genitalia by length and width. The years of work produced a pill called "VPRX", - http://www.naturalherbal.biz/info/v/ VPRX Pills info click here. and also a patch similair to the quit smoking patch. - http://www.naturalherbal.biz/info/p/ Penis Patches info click here. http://www.naturalherbal.biz/info/out.html delete yourself from our database.

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, Security+, A+ Network Security Engineer ASysTech, Inc.
Re: [Declude.JunkMail] What do I do about this?
I think Matthew's GIBBERISH test he posted to the list would catch that. Also the address "naturalherbal.biz" you could add to a URL filter using filter file. Make sense?

On Sep 16, 2003, at 8:28 AM, Stanley Lyzak wrote:

I have to admit, the level of help I get from this forum is great! Well, I have a tough one (for me) Here is an email that I have no clue how to filter for (with the exception of the domain name at the end- but these constantly change). If you ignore what is between the brackets <>, it's an ad to help increase the size of an anatomical part. This couldn't be filtered with the comments test, right? I don't know my HTML at all, but there must be a way to catch this type of junk. Any help would be appreciated. Thanks!

Genital Enlargement - Medical Breakthrough For Men! 2 amazing ways to enlarge your manhood - read below.. Doctors worked for years creating a pill to enlarge the male genitalia by length and width. The years of work produced a pill called "VPRX", - http://www.naturalherbal.biz/info/v/ VPRX Pills info click here. and also a patch similair to the quit smoking patch. - http://www.naturalherbal.biz/info/p/ Penis Patches info click here. http://www.naturalherbal.biz/info/out.html delete yourself from our database.

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, Security+, A+ Network Security Engineer ASysTech, Inc.
[Declude.JunkMail] What do I do about this?
I have to admit, the level of help I get from this forum is great! Well, I have a tough one (for me) Here is an email that I have no clue how to filter for (with the exception of the domain name at the end- but these constantly change). If you ignore what is between the brackets <>, it's an ad to help increase the size of an anatomical part. This couldn't be filtered with the comments test, right? I don't know my HTML at all, but there must be a way to catch this type of junk. Any help would be appreciated. Thanks!

Genital Enlargement - Medical Breakthrough For Men! 2 amazing ways to enlarge your manhood - read below.. Doctors worked for years creating a pill to enlarge the male genitalia by length and width. The years of work produced a pill called "VPRX", - http://www.naturalherbal.biz/info/v/ VPRX Pills info click here. and also a patch similair to the quit smoking patch. - http://www.naturalherbal.biz/info/p/ Penis Patches info click here. http://www.naturalherbal.biz/info/out.html delete yourself from our database.

Stan Lyzak, BSEE, CISSP, MCSE², CCNA, Security+, A+ Network Security Engineer ASysTech, Inc.
[Declude.JunkMail] Character set/unicode testing?
Is there any way to filter based on character set, code page, etc? I'm getting swamped with tons of Cyrillic spam lately and it's passing my RBL's recently. I can't filter by code word or phrase and the MAILFROM field is random. Any thoughts? Here's a sample

-0- ETOpJa8Lj9twl9fIQ Продам или сдам помещение (офис, мед. центр и.т.д.) м. Красногвардейская. Ореховый бульвар, д.59, (7-10 мин. пешком). 352,8 кв. м. 1-й этаж ж/д (нежилой фонд), 2 отд. входа с улицы , большие окна, отдельный блок, рабочее состояние, любое количество телефонов, ПА, удобный подъезд и парковка. Можно делить помещение на 2 части. Продажа 1100$ кв. м, возможна аренда: 200$ кв. м. /год (с торгом). Татьяна Александровна: rcl506TD940837 TIGQEcqiUgIFpRrJ
RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
That could end up being one of the better tests. Thanks.

> -Original Message-
> From: Bill Landry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 16, 2003 1:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
>
> Yep, that's correct, and probably not a good thing. I have been using an
> rhsbl test, and it appears to be doing what it should--that is, query DNS
> with the return address and if it comes back with 64.94.110.11, add weight
> to the message. Here is what I am using:
>
> VERISCAM rhsbl . 64.94.110.11 1 0
>
> Yes, that's a period "." where you would normally list the rhsbl lookup
> domain. This has the effect of JunkMail doing an "A" record lookup against
> your own DNS for the return address listed in the message, and if it is an
> invalid domain, the DNS returns with 64.94.110.11, which causes the message
> to fail the VERISCAM test and weight gets added to the message. I've set
> the weight to 1 for testing, but so far messages that have gotten flagged by
> the VERISCAM test have been spam.
Re: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
Yep, that's correct, and probably not a good thing. I have been using an rhsbl test, and it appears to be doing what it should--that is, query DNS with the return address and if it comes back with 64.94.110.11, add weight to the message. Here is what I am using:

VERISCAM rhsbl . 64.94.110.11 1 0

Yes, that's a period "." where you would normally list the rhsbl lookup domain. This has the effect of JunkMail doing an "A" record lookup against your own DNS for the return address listed in the message, and if it is an invalid domain, the DNS returns with 64.94.110.11, which causes the message to fail the VERISCAM test and weight gets added to the message. I've set the weight to 1 for testing, but so far messages that have gotten flagged by the VERISCAM test have been spam.

Bill

- Original Message -
From: "Keith Anderson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 11:48 PM
Subject: RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

> The result would always be the same: 64.94.110.11 so you would tag every
> message as spam. Right?
>
> -Original Message-
> From: Joshua Levitsky [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 15, 2003 10:47 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
>
> Interesting side effect of Verislime's move. Just set up an ip4r test that
> goes to a bogus domain and then all the bad addresses result in an answer of
> 64.94.110.11. Maybe this is how we can take advantage of this?
>
> If I made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then
> I'd probably be good no?
>
> -Josh
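The difference between the ip4r idea quoted above and the rhsbl test with "." as its zone comes down to which name is sent to DNS. The sketch below is an added example, not code from the thread or from Declude: it models both query forms against a constructed stub resolver that imitates the wildcard answer 64.94.110.11. The way the query names are assembled, the .com/.net scope of the wildcard, and all sample domains and 192.0.2.x addresses are assumptions of the example.

```python
import ipaddress

WILDCARD_IP = "64.94.110.11"    # wildcard answer quoted in the thread
WILDCARD_TLDS = {"com", "net"}  # assumption: TLDs answering with the wildcard

# Constructed zone data standing in for real DNS (documentation addresses).
REGISTERED = {
    "declude.com": "192.0.2.10",
    "example.net": "192.0.2.20",
    "example.org": "192.0.2.30",
}


def stub_resolve_a(qname):
    """Return the A record for qname, or None for NXDOMAIN (constructed stub)."""
    name = qname.rstrip(".").lower()
    if name in REGISTERED:
        return REGISTERED[name]
    if name.rsplit(".", 1)[-1] in WILDCARD_TLDS:
        return WILDCARD_IP      # unregistered .com/.net name hits the wildcard
    return None                 # other TLDs still answer NXDOMAIN


def ip4r_qname(sending_ip, zone):
    """ip4r style: reversed octets of the connecting IP, then the zone."""
    octets = str(ipaddress.IPv4Address(sending_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def rhsbl_qname(domain, zone):
    """rhsbl style: sender domain, then the zone; zone "." leaves the bare domain."""
    zone = zone.strip(".")
    domain = domain.rstrip(".")
    return f"{domain}.{zone}" if zone else f"{domain}."


def sender_domain(return_path):
    """Domain part of the envelope sender; None for the null sender <>."""
    addr = return_path.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower() or None


def ip4r_bogus_zone_hit(sending_ip, bogus_zone, resolve=stub_resolve_a):
    """ip4r test against an unregistered zone: the query never depends on the sender."""
    return resolve(ip4r_qname(sending_ip, bogus_zone)) == WILDCARD_IP


def veriscam_hit(return_path, resolve=stub_resolve_a):
    """rhsbl test with zone ".": A lookup of the sender's own domain."""
    domain = sender_domain(return_path)
    if domain is None:
        return False            # bounces carry no domain to look up
    return resolve(rhsbl_qname(domain, ".")) == WILDCARD_IP


if __name__ == "__main__":
    bogus = "aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com"  # zone proposed in the thread
    for ip in ("65.60.8.106", "192.0.2.55"):
        print("ip4r ", ip4r_qname(ip, bogus), "->", ip4r_bogus_zone_hit(ip, bogus))
    for sender in ("<postmaster@declude.com>", "offers@unregistered-sender.com",
                   "<>", "user@unregistered-sender.org"):
        print("rhsbl", repr(sender), "->", veriscam_hit(sender))
```

Under the stub, the ip4r form hits for every connecting IP, while the rhsbl form hits only when the sender's .com or .net domain is unregistered. A resolver that suppresses the wildcard answer turns those lookups back into NXDOMAIN, so the test then stops firing without any error.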
RE: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's
The result would always be the same: 64.94.110.11 so you would tag every message as spam. Right?

-Original Message-
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]
Sent: Monday, September 15, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Fwd: Verisign's New Change and Outdate RBL's

Interesting side effect of Verislime's move. Just set up an ip4r test that goes to a bogus domain and then all the bad addresses result in an answer of 64.94.110.11. Maybe this is how we can take advantage of this?

If I made an ip4r test of aklsjlajkdjkhskljdkjldhsjdshkhklshdkjl.com then I'd probably be good no?

-Josh