RE: [Declude.JunkMail] Imail and Declude process order ... etc
Imail SMTP Kill.lst and Control Access lists.
Declude Virus
Declude Hijack
Declude JunkMail
Imail Rules

For Imail 8.x, the following is true:

Imail SMTP Kill.lst and Control Access lists.
Imail AntiSpam checks (if used)
Declude Virus
Declude Hijack
Declude JunkMail
Imail AntiSpam statistical header
Imail Rules

I believe if the recipient has forwarding set, that forwarding address is used in the Q file and all tests use that.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Michael L. Hardrick
> Sent: Monday, November 10, 2003 9:31 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Imail and Declude process order ... etc
>
> Greetings All,
> What is the Declude Virus/Junkmail & Imail process order
> for emails sent to the server and are mailbox forwards
> treated different than standard mailboxes??
>
> Thanks,
> Mike

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Imail and Declude process order ... etc
Greetings All,

What is the Declude Virus/Junkmail & Imail process order for emails sent to the server and are mailbox forwards treated different than standard mailboxes??

Thanks,
Mike
Re: [Declude.JunkMail] some spam slipping through...
Scot,

The dictionary randomization is obviously a better system and won't get tagged by many of my tests. The DYNAMIC filter would have scored this one though, as well as some others.

It would be a good idea to look at adding canada.com to SPAMDOMAINS if you can find the standard reverse DNS entries for their service (please share the info if you do find it so that I can add it too). This type of spam will mostly use domains appropriate for SPAMDOMAINS, which makes it a great test if you have the entries. I recommend configuring SPAMDOMAINS in the following format:

@aol.com aol.com

I score my DYNAMIC filter at a 3, and it is over 98% positive on spam of this type since it likely comes from broadband zombie machines. That would have been enough to fail this message on your system. Considering that you have seen the URL several times, Message Sniffer might have it listed, and SPAMCOP has now added the IP as well.

Attached is a more current version of DYNAMIC. This is definitely better than what was previously shared since I excluded some business-class providers from scoring points by way of negative weight. In addition to this custom filter, there are recommendations for which DUL lists to add and the relative scoring.

That IP also scores a hit for EASYNET-DYNA, which adds another 4 points in my configuration. If that message missed all of the non-DUL type of RBL's, and without any effective body filtering or SPAMDOMAINS hits would have still scored as follows on my system:

4 - EASYNET-DYNA
3 - DYNAMIC
3 - FOREIGN
1 - NOABUSE
1 - NOPOSTMASTER
= 12 Points Total (fails at 10)

Make sure that you customize the appropriate lines in the DYNAMIC filter for your own local domains and reverse DNS entries so it won't add points to that type of E-mail (will miss some forged spam, but it is necessary).

Matt

Scot Desort wrote:

Matt:

The FOREIGN/TLD filter set that I shared yesterday for instance would have added at least 3 points to this message and possibly two more depending on the X-Declude-Sender which you cut out.

I saw your post and I have not yet added that filter. I will be reviewing it shortly and plan on adding it tomorrow

This type of spam also tends to randomize the From, HELO and MAILFROM addresses, and/or use common domains like aol.com or yahoo.com, in which case some points from a SPAMDOMAINS test would be effective.

No, passed through spamdomains without being tagged.

The body often has gibberish in it, if not the subject, and my GIBBERISH filters work for that, or they use obfuscation to hide URL's from filtering software which can also be caught without keeping track of the URL's themselves.

No. Your GIBBERISH filter did not get triggered either. I am using your latest release.

This spam is also commonly sent from zombie machines resulting from virus infections, and they are often on residential broadband networks, in which case my DYNAMIC filter might add some points (but not in this case).

I don't recall seeing your DYNAMIC filter before. Would you mind reposting, or is it on your site?

Message Sniffer also might be tracking the URL's in the body for another potential hit.

I am still experimenting with Sniffer. Maybe it would have added some points.

Maybe if you shared the entirety of the message body plus the MAILFROM, I and others could tell you what common used/shared filters might be effective.

OK. Here's another with headers and message body intact. This one also did not trigger gibberish, obfuscation, comments, or spamdomains:

X-F: <[EMAIL PROTECTED]> Mon Nov 10 20:36:46 2003
Received: from 68-232-53-222.atlsfl.adelphia.net [68.232.53.222] by njaccess.com (SMTPD32-6.06) id AD2BB120124; Mon, 10 Nov 2003 20:36:43 -0500
Received: from 80.80.226.90 by 68.232.53.222; Mon, 10 Nov 2003 19:31:08 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Isaac" <[EMAIL PROTECTED]>
Reply-To: "Isaac" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: %RND_UC_CHAR[2-8], excuse me!' boldly
Date: Mon, 10 Nov 2003 08:35:08 -0500
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--2352250528194467"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-Warn: This message contains content that is likely spam Message failed SPAMCHK: 4.
X-Declude-Sender: [EMAIL PROTECTED] [68.232.53.222]
X-Declude-Spoolname: D3d2b124.SMD
X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, SPAMCHK [7]
X-SpamWatch-Country-Chain: SWITZERLAND->[ARIN Unlisted]->destination
X-SpamWatch-ReverseLookUp: 68-232-53-222.atlsfl.adelphia.net ([68.232.53.222]).
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 362076711
Status: U

23
Re: [Declude.JunkMail] some spam slipping through...
Fritz,

Well, you did pretty well on tagging that one I would say :) You caught it with a SPAMDOMAINS entry for instance, and I can't verify if Message Sniffer would catch this. The only additional scoring that my server would have levied outside of Message Sniffer would have been with my DYNAMIC filter (search the archives), which looks for REVDNS strings that contain IP addresses in the naming.

This particular randomization method makes use of a dictionary for inserting the random text, and the GIBBERISH filters wouldn't catch it, however there is typically more than one type of obfuscation method used which makes these fairly easy to tag. The broken randomization in the subject was intended to insert a line like the following:

Subject: [5] Re: Yadda yadda yadda

This is done to fool some subject tagging systems, though I don't know how effective it is. There is a simple test for this one technique though when the randomization actually works:

SUBJECT 15 BEGINSWITH [0]
SUBJECT 15 BEGINSWITH [1]
SUBJECT 15 BEGINSWITH [2]
SUBJECT 15 BEGINSWITH [3]
SUBJECT 15 BEGINSWITH [4]
SUBJECT 15 BEGINSWITH [5]
SUBJECT 15 BEGINSWITH [6]
SUBJECT 15 BEGINSWITH [7]
SUBJECT 15 BEGINSWITH [8]
SUBJECT 15 BEGINSWITH [9]
SUBJECT 15 CONTAINS re[0]
SUBJECT 15 CONTAINS re[1]
SUBJECT 15 CONTAINS re[2]
SUBJECT 15 CONTAINS re[3]
SUBJECT 15 CONTAINS re[4]
SUBJECT 15 CONTAINS re[5]
SUBJECT 15 CONTAINS re[6]
SUBJECT 15 CONTAINS re[7]
SUBJECT 15 CONTAINS re[8]
SUBJECT 15 CONTAINS re[9]

Those are at least the two variations that I have seen, but I never seem to see this stuff getting through with the other protections in place.

Matt

Fritz Squib wrote:

Matt,
Great job on the filters...Thanks.

Here is one in its entirety from one of my spamtraps, only the names have been changed to protect my 'honeypot'.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail
/\- against microsoft attachments
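The two ideas in Matt's messages above (a reverse DNS name that carries the connecting IP address, and per-test weights summed against a failure threshold) can be sketched as follows. This is an added example, not Matt's DYNAMIC filter, which is a Declude filter file not shown on this page; the function names and the digit-group matching approach are assumptions, while the weights, the threshold and the two header lines are taken from the thread.

```python
import re

# Weights and failure threshold as listed in Matt's message in this thread.
WEIGHTS = {
    "EASYNET-DYNA": 4,
    "DYNAMIC": 3,
    "FOREIGN": 3,
    "NOABUSE": 1,
    "NOPOSTMASTER": 1,
}
FAIL_AT = 10

# Two X-SpamWatch-ReverseLookUp headers copied from the samples in this thread.
SAMPLE_HEADERS = [
    "X-SpamWatch-ReverseLookUp: 68-232-53-222.atlsfl.adelphia.net ([68.232.53.222]).",
    "X-SpamWatch-ReverseLookUp: h51n1fls34o281.telia.com ([213.66.91.51]).",
]

_LOOKUP_RE = re.compile(
    r"^X-SpamWatch-ReverseLookUp:\s*(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)"
)


def parse_reverse_lookup(header):
    """Return (hostname, ip) from a ReverseLookUp header, or None if it does not parse."""
    m = _LOOKUP_RE.match(header)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def revdns_embeds_ip(hostname, ip):
    """True when the hostname carries all four octets of ip.

    Hypothetical heuristic: the octets must appear as consecutive digit
    groups (forward or reversed), or as one zero-padded 12-digit run.
    """
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(o > 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    groups = [int(g) for g in re.findall(r"\d+", hostname)]
    for wanted in (octets, octets[::-1]):
        for i in range(len(groups) - 3):
            if groups[i:i + 4] == wanted:
                return True
    packed = "".join("%03d" % o for o in octets)
    return packed in hostname


def dynamic_hits(headers):
    """Hostnames from the given headers whose name embeds the sending IP."""
    hits = []
    for header in headers:
        parsed = parse_reverse_lookup(header)
        if parsed and revdns_embeds_ip(*parsed):
            hits.append(parsed[0])
    return hits


def total_weight(failed_tests):
    """Sum the weights of the tests a message failed; unknown tests add 0."""
    return sum(WEIGHTS.get(name, 0) for name in failed_tests)


def is_spam(failed_tests):
    """Apply the 'fails at 10' threshold from the thread."""
    return total_weight(failed_tests) >= FAIL_AT


if __name__ == "__main__":
    print("DYNAMIC-style hits:", dynamic_hits(SAMPLE_HEADERS))
    failed = ["EASYNET-DYNA", "DYNAMIC", "FOREIGN", "NOABUSE", "NOPOSTMASTER"]
    print("weight:", total_weight(failed), "spam:", is_spam(failed))
```

The telia.com name shares only one octet with its IP, so this heuristic does not flag it, which matches the "but not in this case" remark about that message.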
Re: [Declude.JunkMail] some spam slipping through...
Matt:

> The FOREIGN/TLD filter set that I shared yesterday for instance would
> have added at least 3 points to this message and possibly two more
> depending on the X-Declude-Sender which you cut out.

I saw your post and I have not yet added that filter. I will be reviewing it shortly and plan on adding it tomorrow

> This type of spam
> also tends to randomize the From, HELO and MAILFROM addresses, and/or
> use common domains like aol.com or yahoo.com, in which case some points
> from a SPAMDOMAINS test would be effective.

No, passed through spamdomains without being tagged.

> The body often has
> gibberish in it, if not the subject, and my GIBBERISH filters work
> for that, or they use obfuscation to hide URL's from filtering software
> which can also be caught without keeping track of the URL's themselves.

No. Your GIBBERISH filter did not get triggered either. I am using your latest release.

> This spam is also commonly sent from zombie machines resulting from
> virus infections, and they are often on residential broadband networks,
> in which case my DYNAMIC filter might add some points (but not in this
> case).

I don't recall seeing your DYNAMIC filter before. Would you mind reposting, or is it on your site?

> Message Sniffer also might be tracking the URL's in the body for
> another potential hit.

I am still experimenting with Sniffer. Maybe it would have added some points.

> Maybe if you shared the entirety of the message body plus the MAILFROM,
> I and others could tell you what common used/shared filters might be
> effective.

OK. Here's another with headers and message body intact. This one also did not trigger gibberish, obfuscation, comments, or spamdomains:

X-F: <[EMAIL PROTECTED]> Mon Nov 10 20:36:46 2003
Received: from 68-232-53-222.atlsfl.adelphia.net [68.232.53.222] by njaccess.com (SMTPD32-6.06) id AD2BB120124; Mon, 10 Nov 2003 20:36:43 -0500
Received: from 80.80.226.90 by 68.232.53.222; Mon, 10 Nov 2003 19:31:08 +0600
Message-ID: <[EMAIL PROTECTED]>
From: "Isaac" <[EMAIL PROTECTED]>
Reply-To: "Isaac" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: %RND_UC_CHAR[2-8], excuse me!' boldly
Date: Mon, 10 Nov 2003 08:35:08 -0500
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--2352250528194467"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-Warn: This message contains content that is likely spam Message failed SPAMCHK: 4.
X-Declude-Sender: [EMAIL PROTECTED] [68.232.53.222]
X-Declude-Spoolname: D3d2b124.SMD
X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, SPAMCHK [7]
X-SpamWatch-Country-Chain: SWITZERLAND->[ARIN Unlisted]->destination
X-SpamWatch-ReverseLookUp: 68-232-53-222.atlsfl.adelphia.net ([68.232.53.222]).
X-RCPT-TO: <[EMAIL PROTECTED]>
X-UIDL: 362076711
Status: U

2352250528194467
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

douse henri deliver dewitt elk jetliner bed macropha=
ge demented characteristic curtsey superlunary decouple bergen committing=20=
Our US Licensed Doctors will Prescribes Your Medication For Free Medications Shipped Overnight To =
Your Door. Phentermine, Adipex Soma, Fioriice=
t, Ulltram, , Viagra, and many, many others. Meds for: Weight Loss, Pain=
Relief, MusclePain Relief, Women's H=
ealth, Men's Health, Impotence, Allergy Relief, H=
eartburn Relief, Migraine Relief =
& MORE Upon Approval http://www.pouvrcentral.biz/vpr6232/";>show Me more http://www.creditcard2003.com/p3x.jpg";> fib darn saracen hellenic ancestral butane dan gator gallonage talus appre=
hension forgive=20
2352250528194467--

Thanks,
Scot
Re: [Declude.JunkMail] some spam slipping through...
FYI: We have Sniffer and it has been catching these for us.

- Original Message -
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, November 10, 2003 10:26 PM
Subject: RE: [Declude.JunkMail] some spam slipping through...

> Matt,
> Great job on the filters...Thanks.
>
> Here is one in its entirety from one of my spamtraps, only the names have
> been changed to protect my 'honeypot'.
>
> Fritz
>
> Frederick P. Squib, Jr.
> Network Operations/Mail Administrator
> Citizens Telephone Company of Kecksburg
> http://www.wpa.net
>
> () ascii ribbon campaign - against html mail
> /\- against microsoft attachments
Re: [Declude.JunkMail] How can I whitelist my users? Reverse DNS?
Whitelisting by IP is the safest since it is the hardest to spoof. Whitelisting by reverse DNS would do no better than by IP because you have off-network users connecting directly to your mail server (seen with that X-Declude-Sender entry), so choose IP over reverse DNS.

The best solution though would be to upgrade to IMail 8 and Declude 1.76 in order to make use of Declude's WHITELIST AUTH functionality which will whitelist SMTP AUTH'ed users. There have been enough reports about IMail 8 having issues (only on the 8.03 release) to scare me away from the rush to upgrade.

Matt

Marc Catuogno wrote:

I am running IMAIL 7.15 and Declude 1.75. I knew I had a big no-no in my Global file; whitelist from prudentialrand.com. A spammer has now been exploiting it. How can I get my users whitelisted so they can communicate with each other without worrying about being filtered without letting the spammers use it? I wanted to use whitelist REVDNS prudentialrand.com would that work???

It does sometimes seem that e-mails have the IP address of whatever ISP I happen to be connected to and not the IP of my mailserver:

X-Declude-Sender: [EMAIL PROTECTED] [67.83.160.48]

That IP is optonline and not my mailserver IP. Does that seem right?
RE: [Declude.JunkMail] some spam slipping through...
Matt,
Great job on the filters...Thanks.

Here is one in its entirety from one of my spamtraps, only the names have been changed to protect my 'honeypot'.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail
/\- against microsoft attachments

Received: from mail2.wpa.net [208.31.212.41] by wpa.net with ESMTP (SMTPD32-7.15) id A7B93430116; Mon, 10 Nov 2003 19:05:13 -0500
Received: from 208.31.212.41 [165.98.151.196] by mail2.wpa.net (SMTPD32-7.15) id A6DB2DA30090; Mon, 10 Nov 2003 19:01:31 -0500
Received: from 108.66.128.147 by 165.98.151.196; Mon, 10 Nov 2003 10:01:28 -0200
Message-ID: <[EMAIL PROTECTED]>
From: "Whitley" <[EMAIL PROTECTED]>
Reply-To: "Mike Whitley" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [W~ 58]Re: %RND_UC_CHAR[2-8], that's all well
Date: Mon, 10 Nov 2003 15:05:28 +0300
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--64088188390659958926"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (167)
X-RBL-Warning: FILTER-HELO: Message failed FILTER-HELO test (2)
X-RBL-Warning: FILTER-SUBJECT: Message failed FILTER-SUBJECT test (10)
X-RBL-Warning: SPAMDOMAINS: Spamdomain 'yahoo.' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 165.98.151.196 with no reverse DNS entry.
X-RBL-Warning: SPAMCHECK: Message failed SPAMCHECK: 2.
X-RBL-Warning: WEIGHT30: Weight of 58 reaches or exceeds the limit of 32.
X-Declude-Sender: [EMAIL PROTECTED] [165.98.151.196]
X-Declude-Spoolname: D27b9034301169884.SMD
X-Note: This E-Mail was scanned by Declude JunkMail v1.76i15 for spam.
X-Spam-Tests-Failed: COUNTRY, FILTER-HELO, FILTER-SUBJECT, SPAMDOMAINS, NOLEGITCONTENT, NOABUSE, IPNOTINMX, REVDNS, REVDNSa, SPAMCHECK, WEIGHT20, WEIGHT30
X-Country-Chain: [IANA Reserved]->NICARAGUA->UNITED STATES->destination.
X-Hello: 208.31.212.41
X-Note: SMTP Real From [EMAIL PROTECTED]
X-Note: This E-mail was sent from [No Reverse DNS] ([165.98.151.196]).
X-Note: Total spam weight of this E-mail is 58.
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 344048811

64088188390659958926
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

derision brushfire perez papa indiscriminate bail ed=
ict asparagine pixy perjure council citywide cutlet amaze katharine eavesd=
ropper pedestrian confirmatory bragg cheerleader baldpate=20
The ultimate digital cable filter The filter will allow you to receive all the channels that you order with your remove control! payperviews, adult movies,spor=
t events,special events! http://www.inkworlds.com/cable/";> see now!http://www.inkworlds=
com/cable/"> http://www.creditcard2003.com/=
%CUSTOM2_"> conquistador decorum streamline sunfish shepherd mor=
phemic snakelike flatus allay extolled apology bowie eccles replica bluebu=
sh apprehend bin kurt caret=20
64088188390659958926--

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]
[Declude.JunkMail] How can I whitelist my users? Reverse DNS?
I am running IMAIL 7.15 and Declude 1.75. I knew I had a big no-no in my Global file; whitelist from prudentialrand.com. A spammer has now been exploiting it. How can I get my users whitelisted so they can communicate with each other without worrying about being filtered without letting the spammers use it? I wanted to use whitelist REVDNS prudentialrand.com would that work???

It does sometimes seem that e-mails have the IP address of whatever ISP I happen to be connected to and not the IP of my mailserver:

X-Declude-Sender: [EMAIL PROTECTED] [67.83.160.48]

That IP is optonline and not my mailserver IP. Does that seem right?

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.JunkMail] some spam slipping through...
Scot,

Yep, seen quite a few %RND_UC_CHAR, also have seen in the subject from different broken spamware. I have added the following to my subject filter to push them over the edge.

SUBJECT 20 CONTAINS %RND_
SUBJECT 20 CONTAINS

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail
/\- against microsoft attachments

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scot Desort
Sent: Monday, November 10, 2003 9:26 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] some spam slipping through...

We've had quite a bit of spam getting through lately, all with a similarly formatted subject line:
Re: [Declude.JunkMail] some spam slipping through...
Scot Desort wrote:

Notice the "%RND_UC_CHAR[2-8]" in the subject. Looks like broken spam software that is supposed to insert RaNDom characters into the subject. We've seen this coming from a variety of sources. I guess we can just filter for that string in the SUBJECT? It's not failing enough tests to give it a high enough weight. Anyone else seeing this?

All the time actually, but it's all over the place, often in fake tags and comments in the HTML body code, or in the subject where the name ought to be. I don't know that it is effective to stop this by filtering for the variables they use because such patterns don't last long in my experience.

This is the type of message though that typically has many characteristics that my own custom filters are tagging. Relying exclusively on RBL's and built-in technical tests will let a lot of this stuff through, however at the same time, there are many patterns which are common enough to this sort of spam that you should be able to catch it.

The FOREIGN/TLD filter set that I shared yesterday for instance would have added at least 3 points to this message and possibly two more depending on the X-Declude-Sender which you cut out. This type of spam also tends to randomize the From, HELO and MAILFROM addresses, and/or use common domains like aol.com or yahoo.com, in which case some points from a SPAMDOMAINS test would be effective. The body often has gibberish in it, if not the subject, and my GIBBERISH filters work for that, or they use obfuscation to hide URL's from filtering software which can also be caught without keeping track of the URL's themselves. This spam is also commonly sent from zombie machines resulting from virus infections, and they are often on residential broadband networks, in which case my DYNAMIC filter might add some points (but not in this case). Message Sniffer also might be tracking the URL's in the body for another potential hit.

Maybe if you shared the entirety of the message body plus the MAILFROM, I and others could tell you what common used/shared filters might be effective.

Matt
[Declude.JunkMail] some spam slipping through...
We've had quite a bit of spam getting through lately, all with a similarly formatted subject line:

X-F: Mon Nov 10 15:23:57 2003
Received: from h51n1fls34o281.telia.com [213.66.91.51] by xxx (SMTPD32-6.06) id A3D216140152; Mon, 10 Nov 2003 15:23:46 -0500
Received: from 206.147.156.5 by 213.66.91.51; Mon, 10 Nov 2003 04:24:42 -0400
Message-ID: <[EMAIL PROTECTED]>
From: "Heriberto"
Reply-To: "Heriberto"
To: xxx
Subject: Re: %RND_UC_CHAR[2-8], rapier under their
Date: Mon, 10 Nov 2003 13:20:42 +0500
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--866095091364674"
X-Priority: 1
X-MSMail-Priority: High
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [210f].
X-Warn: This message contains content that is likely spam Message failed SPAMCHK: 2.
X-Declude-Sender: xxx [213.66.91.51]
X-Declude-Spoolname: Df3d2152.SMD
X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, ROUTING, SPAMCHK [9]
X-SpamWatch-Country-Chain: UNITED STATES->SWEDEN->destination
X-SpamWatch-ReverseLookUp: h51n1fls34o281.telia.com ([213.66.91.51]).
X-RCPT-TO:
X-UIDL: 364066639
Status: U

Notice the "%RND_UC_CHAR[2-8]" in the subject. Looks like broken spam software that is supposed to insert RaNDom characters into the subject. We've seen this coming from a variety of sources. I guess we can just filter for that string in the SUBJECT? It's not failing enough tests to give it a high enough weight. Anyone else seeing this?

--
Scot
RE: [Declude.JunkMail] Compatibility with .NET
If you are going to try to get ASP.net to work it will not on NT. The .net framework will function but the IIS portion will not. If you want to use ASP.net then you need to update to Windows 2000.

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
Changing the way industry works.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Keith Purtell
> Sent: Monday, November 10, 2003 3:02 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Compatibility with .NET
>
> I spoke with one of our programmers regarding a simple idea I had
> to allow us to simplify white list administration via the Web. All
> we have to do is upload new entries in a text file and have them
> automatically added to my existing white list text file. But he
> wants to install a Microsoft .NET component on our Windows NT 4.0
> server where IMail/Declude are installed. Am I looking at any
> possible compatibility issues or gotchas?
>
> Keith Purtell, Web/Network Administrator
> VantageMed Operations (Kansas City)
>
> CONFIDENTIALITY NOTICE: This email message, including any
> attachments, is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any
> unauthorized review, use, disclosure or distribution is prohibited.
> If you are not the intended recipient, please contact the sender by
> reply email and destroy all copies of the original message.
[Declude.JunkMail] Compatibility with .NET
I spoke with one of our programmers regarding a simple idea I had to allow us to simplify white list administration via the Web. All we have to do is upload new entries in a text file and have them automatically added to my existing white list text file. But he wants to install a Microsoft .NET component on our Windows NT 4.0 server where IMail/Declude are installed. Am I looking at any possible compatibility issues or gotchas?

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Re: [Declude.JunkMail] Filter Entry Not Being Triggered
Are you sure it didn't contain a line break in the source?

Try out my OBFUSCATION filter. I've attached it since I haven't had time to comment it up appropriately and put it on my site.

Matt

Darrell LaRock wrote:

BODY 5 CONTAINS href="http

Should there be any reason why the above filter entry wouldn't be triggered on an email that contains that string in the html source? What am I doing wrong?

Darrell

# OBFUSCATION
# Last Update: 11/02/2003
#
# Description:
# Encoding of letters and numbers in E-mail is unnecessary, however various techniques are
# sometimes used by spammers to hide from filters, even mixing multiple techniques in URL's at
# times. This filter will detect text and URL encoding only in combinations where multiple
# encoded numbers and characters are in succession or mixed with HTTP address components. More
# information on URL obfuscation techniques can be found at: http://www.pc-help.org/obscure.htm
#
# Usage:
# OBFUSCATION filter C:\IMail\Declude\Obfuscation.txt x 7 0
#
# False Positives:
# Web designers and programmers passing inline code, ASCII text art, and legitimate bulk mailers
# that needlessly URL encode letters and numbers in their script arguments (only special
# characters are necessary). False positives are extremely rare.

# Counterbalances:
# Negative weighting is applied for responsible bulk mailers that fail this test.
#
# Test Exclusions:
# Ticketmaster.
MAILFROM -7 ENDSWITH ticketmaster.com
MAILFROM -7 ENDSWITH economist.com

# URL Encoded Obfuscation:
# This technique is used to obfuscate URL's. The filter will only match two characters in
# succession with the first being a letter or number in order to protect from false positives.
#
# Example:
# http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/

# 0-9
BODY 0 CONTAINS %30%
BODY 0 CONTAINS %31%
BODY 0 CONTAINS %32%
BODY 0 CONTAINS %33%
BODY 0 CONTAINS %34%
BODY 0 CONTAINS %35%
BODY 0 CONTAINS %36%
BODY 0 CONTAINS %37%
BODY 0 CONTAINS %38%
BODY 0 CONTAINS %39%

# A-Z
BODY 0 CONTAINS %41%
BODY 0 CONTAINS %42%
BODY 0 CONTAINS %43%
BODY 0 CONTAINS %44%
BODY 0 CONTAINS %45%
BODY 0 CONTAINS %46%
BODY 0 CONTAINS %47%
BODY 0 CONTAINS %48%
BODY 0 CONTAINS %49%
BODY 0 CONTAINS %4a%
BODY 0 CONTAINS %4b%
BODY 0 CONTAINS %4c%
BODY 0 CONTAINS %4d%
BODY 0 CONTAINS %4e%
BODY 0 CONTAINS %4f%
BODY 0 CONTAINS %50%
BODY 0 CONTAINS %51%
BODY 0 CONTAINS %52%
BODY 0 CONTAINS %53%
BODY 0 CONTAINS %54%
BODY 0 CONTAINS %55%
BODY 0 CONTAINS %56%
BODY 0 CONTAINS %57%
BODY 0 CONTAINS %58%
BODY 0 CONTAINS %59%
BODY 0 CONTAINS %5a%

# a-z
BODY 0 CONTAINS %61%
BODY 0 CONTAINS %62%
BODY 0 CONTAINS %63%
BODY 0 CONTAINS %64%
BODY 0 CONTAINS %65%
BODY 0 CONTAINS %66%
BODY 0 CONTAINS %67%
BODY 0 CONTAINS %68%
BODY 0 CONTAINS %69%
BODY 0 CONTAINS %6a%
BODY 0 CONTAINS %6b%
BODY 0 CONTAINS %6c%
BODY 0 CONTAINS %6d%
BODY 0 CONTAINS %6e%
BODY 0 CONTAINS %6f%
BODY 0 CONTAINS %70%
BODY 0 CONTAINS %71%
BODY 0 CONTAINS %72%
BODY 0 CONTAINS %73%
BODY 0 CONTAINS %74%
BODY 0 CONTAINS %75%
BODY 0 CONTAINS %76%
BODY 0 CONTAINS %77%
BODY 0 CONTAINS %78%
BODY 0 CONTAINS %79%
BODY 0 CONTAINS %7a%

# HTML Encoded Obfuscation:
# This technique is used to obfuscate URL's and hide keywords. The filter will only match
# two characters in succession with the first being a letter or number in order to protect
# from false positives.
#
# Examples:
# http://www.google.com/";>Google
# VIAGRA

# 0-9
BODY 0 CONTAINS
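Two points from the message above, as an added example that is not part of the original post or of Declude: a literal substring test such as `href="http` can miss when the raw quoted-printable source splits or escapes the string, and the URL-encoded rule of the OBFUSCATION listing (an encoded letter or digit followed directly by another encoded character) can be written as one pattern. The function names and the sample MIME fragment are constructed for illustration, and whether Declude matches BODY filters against raw or decoded source is not stated on this page.

```python
import quopri
import re
from urllib.parse import unquote

# %XX for 0-9, A-Z or a-z that is immediately followed by another '%'.
# Same ranges as the filter lines: %30%..%39%, %41%..%5a%, %61%..%7a%.
# Case-insensitive matching of the hex digits is an assumption.
ENCODED_ALNUM_RUN = re.compile(
    r"%(?:3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])(?=%)",
    re.IGNORECASE,
)

# Constructed sample: one HTML line as it could appear in a
# quoted-printable part, with a soft line break ("=" at end of line)
# inside the attribute name and "=" itself escaped as "=3D".
RAW_QP_PART = b'<a hre=\nf=3D"http://example.test/offer">show me more</a>\n'

# URL-encoded example quoted in the filter's own comments.
PAGE_EXAMPLE = "http://%77%77%77.%67%6F%6F%67%6C%65.%63%6F%6D/"

# Constructed sample: a URL that only encodes special characters.
BENIGN_URL = "http://example.test/search?q=a%20b%26c"


def decode_qp(raw):
    """Decode a quoted-printable body part to text (soft breaks removed)."""
    return quopri.decodestring(raw).decode("latin-1")


def match_raw_and_decoded(raw, needle):
    """Return (found in raw source, found after quoted-printable decoding)."""
    return (needle.encode("latin-1") in raw, needle in decode_qp(raw))


def obfuscation_hits(text):
    """Count encoded letters/digits that are followed by another encoded char."""
    return len(ENCODED_ALNUM_RUN.findall(text))


def reveal(url):
    """Percent-decode a URL so an analyst can see the real host name."""
    return unquote(url)


if __name__ == "__main__":
    print(match_raw_and_decoded(RAW_QP_PART, 'href="http'))
    print(obfuscation_hits(PAGE_EXAMPLE), reveal(PAGE_EXAMPLE))
    print(obfuscation_hits(BENIGN_URL))
```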
Re: [Declude.JunkMail] More ATTACH and MAILBOX questions
I'm sorry, I was referring specifically to web messaging.

Burzin

At 03:04 PM 11/10/2003, you wrote:
> > Is support for emails within emails required to preface the original email with...
> >
> > You have spam!
> > Subject:%SUBJECT%
> > From: %MAILFROM%
> > Tests Failed: %TESTSFAILED%
> > To view the E-mail, just click the attachment.
>
> That all depends on the MIME implementation. Most mail clients would display that preface.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
> Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.JunkMail] Filter Entry Not Being Triggered
BODY 5 CONTAINS href="http

Should there be any reason why the above filter entry wouldn't be triggered on an email that contains that string in the html source? What am I doing wrong?

Darrell
Re: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]
Only statistical filtering happens after Declude. Other IMail spam tests are run before Declude, so you can track those headers with Declude.

Bill

- Original Message -
From: Danny Klopfer
To: [EMAIL PROTECTED]
Sent: Sunday, November 09, 2003 5:26 PM
Subject: RE: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

I just wanted to confirm that the Statistical filtering is after Declude does its thing so letting IMail score for spam does no good for sorting in Declude?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Monday, September 08, 2003 3:49 AM
To: [EMAIL PROTECTED]
Subject: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Oh Oh... Interesting... I sure will. So I am imagining things... has happened before. I will try to add up the weights and see - I will review the archives now.. so perhaps that explains why the headers show up at the bottom of the header and not at the top like the IP4R tests of IMail.

thanks for the info... that sure was a case of false sense of security.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, September 07, 2003 4:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Hmmm, how is it possible for Declude JunkMail to track the statistical filtering header when statistical filtering does not happen until after Declude has finished its message processing and handed the message back to IMail for delivery? Search the archives, there was a discussion between Sandy Whiteman and me a few months back about this.

Bill

- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 12:47 PM
Subject: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Hi;

Just wondering if others have experimented with the Statistical Filtering of IMail.

I am simply sharing what I have seen so far since last week. I started testing it last week and so far it is showing good results. Several instances it was enough weight to block a spam that would have otherwise gone through with our filters.

I simply enabled Statistical Filtering and chose Insert Header option. Then added the following to our header filter:

HEADERS 3 CONTAINS X-IMAIL-SPAM-STATISTICS: 0.9
HEADERS 5 CONTAINS X-IMAIL-SPAM-STATISTICS: 1.

So far anything with 1 has been spam and several 0.9's are seen that all have been spam. Basically I have not seen a false positive with the above. I may increase their weights.. but need more time to test.

Anyone else has any experience?

Regards,
Kami
Re: [Declude.JunkMail] More ATTACH and MAILBOX questions
> Is support for emails within emails required to preface the original email with...
>
> You have spam!
> Subject:%SUBJECT%
> From: %MAILFROM%
> Tests Failed: %TESTSFAILED%
> To view the E-mail, just click the attachment.

That all depends on the MIME implementation. Most mail clients would display that preface.

-Scott
Re: [Declude.JunkMail] More ATTACH and MAILBOX questions
Is support for emails within emails required to preface the original email with...

You have spam!
Subject:%SUBJECT%
From: %MAILFROM%
Tests Failed: %TESTSFAILED%
To view the E-mail, just click the attachment.

Burzin

At 02:22 PM 11/10/2003, you wrote:
> > I'm testing out the ATTACH and MAILBOX options. In web messaging many of the Declude tagged MAILBOX and ATTACH messages do not display the Declude spam hider info. or appear as attachments. Is this are there workarounds for web messaging?
>
> I believe that IMail's web messaging doesn't support E-mail attachments ("E-mails within a E-mail") that the ATTACH action uses. Unfortunately, I don't know of any workaround.
>
> -Scott
Re: [Declude.JunkMail] More ATTACH and MAILBOX questions
> I'm testing out the ATTACH and MAILBOX options. In web messaging many of the Declude tagged MAILBOX and ATTACH messages do not display the Declude spam hider info. or appear as attachments. Is this are there workarounds for web messaging?

I believe that IMail's web messaging doesn't support E-mail attachments ("E-mails within a E-mail") that the ATTACH action uses. Unfortunately, I don't know of any workaround.

-Scott
[Declude.JunkMail] More ATTACH and MAILBOX questions
Hello,

I'm testing out the ATTACH and MAILBOX options. In web messaging many of the Declude tagged MAILBOX and ATTACH messages do not display the Declude spam hider info. or appear as attachments. Is this are there workarounds for web messaging?

I'm using Declude 1.75 and Imail 8.03.

Burzin

--
Burzin Sumariwalla
Phone: (314) 994-9411 x291
[EMAIL PROTECTED]
Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
Re: [Declude.JunkMail] WhitelistFile
> Can I have Whitelist File in the Global.cfg ?

No. It only applies to config files for incoming E-mail.

-Scott
[Declude.JunkMail] WhitelistFile
Can I have Whitelist File in the Global.cfg ?

whitelistfile d:\Imail\Declude\mywhitelist.txt

Thanks,

Kris McElroy
[EMAIL PROTECTED]
Chief Technology Officer
Duracom, INC.
www.duracom.net

"I am always doing that which I can not do, in order that I may learn how to do it."
RE: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]
Correct.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Klopfer
Sent: Sunday, November 09, 2003 5:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

I just wanted to confirm that the Statistical filtering is after Declude does its thing so letting IMail score for spam does no good for sorting in Declude?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Monday, September 08, 2003 3:49 AM
To: [EMAIL PROTECTED]
Subject: [0] RE: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Oh Oh... Interesting... I sure will. So I am imagining things... has happened before. I will try to add up the weights and see - I will review the archives now.. so perhaps that explains why the headers show up at the bottom of the header and not at the top like the IP4R tests of IMail.

thanks for the info... that sure was a case of false sense of security.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Sunday, September 07, 2003 4:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Hmmm, how is it possible for Declude JunkMail to track the statistical filtering header when statistical filtering does not happen until after Declude has finished its message processing and handed the message back to IMail for delivery? Search the archives, there was a discussion between Sandy Whiteman and me a few months back about this.

Bill

- Original Message -
From: Kami Razvan
To: [EMAIL PROTECTED]
Sent: Sunday, September 07, 2003 12:47 PM
Subject: [Declude.JunkMail] Experience with Statistical Filtering [IMail 8.02]

Hi;

Just wondering if others have experimented with the Statistical Filtering of IMail.

I am simply sharing what I have seen so far since last week. I started testing it last week and so far it is showing good results. Several instances it was enough weight to block a spam that would have otherwise gone through with our filters.

I simply enabled Statistical Filtering and chose Insert Header option. Then added the following to our header filter:

HEADERS 3 CONTAINS X-IMAIL-SPAM-STATISTICS: 0.9
HEADERS 5 CONTAINS X-IMAIL-SPAM-STATISTICS: 1.

So far anything with 1 has been spam and several 0.9's are seen that all have been spam. Basically I have not seen a false positive with the above. I may increase their weights.. but need more time to test.

Anyone else has any experience?

Regards,
Kami