Re: [Declude.JunkMail] Hostile email
> Not a virus, spam combined with social engineering combined with a malware installation attempt.
> ...
> and then many line breaks so as to scroll off the message window, then:

Actually, Declude Virus treats this one as a vulnerability, and should block it automatically.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Hostile email
Not a virus, spam combined with social engineering combined with a malware installation attempt.

We've received spam from this dynamic IP in Brazil:

200-153-121-39.customer.tdatabrasil.net.br [200.153.121.39]

Which was HTML formatted with the message:

"Hey...haven't talked to you guys in a while just wanted to see how things are going ttyl"

and then many line breaks so as to scroll off the message window, then:

which decode to this address in China (heavily listed in ip4r, e.g. http://www.spamhaus.org/SBL/sbl.lasso?query=SBL10762 )

http://219.153.5.88/page.hta
http://219.153.5.88/page.php
http://219.153.5.88/page.html

Which in turn are fired off, perhaps invisibly to the user, and execute an encrypted VBScript whose purpose is to create a "dropper" file called c:\x.exe and launch it. This in turn downloads:

http://219.153.5.88/mstasks.exe

it then launches it to do whatever. This last executable is UPX packed, and it in turn contains a UPX packed section, so mstasks.exe is likely a dropper as well. I wasn't interested in running it to find out.

Various bits of these files, including the last executable, are detected by McAfee as the Inor trojan.

http://vil.nai.com/vil/content/v_100939.htm

Inor has been around since 2002 and is definitely linked to further spam distribution via a backdoor.

Andrew 8)
RE: [Declude.JunkMail] Spamtest quality report
> TESTSFAILED 0 CONTAINS BHOLE-CN-KR
> TESTSFAILED 0 CONTAINS BHOLE-JAPAN
> TESTSFAILED 0 CONTAINS BHOLE-KOREA
> TESTSFAILED 0 CONTAINS KOREASPAM

Don't forget that all these lists have listed all known IPs of the entire country. So it would be very likely that it produces a false positive when a legit message comes from this country.

Statistical reports can be useful, but as you can see it's very important to know the story behind each test to really evaluate the reliability.

Markus
RE: [Declude.JunkMail] Spamtest quality report
> TESTSFAILED 0 CONTAINS BHOLE-CN-KR
> TESTSFAILED 0 CONTAINS BHOLE-JAPAN
> TESTSFAILED 0 CONTAINS BHOLE-KOREA
> TESTSFAILED 0 CONTAINS KOREASPAM

BHOLE-CN-KR   ip4r   cn-kr.blackholes.us   127.0.0.2   10   0
BHOLE-JAPAN   ip4r   japan.blackholes.us   127.0.0.2   10   0
BHOLE-KOREA   ip4r   korea.blackholes.us   127.0.0.2   30   0
KOREASPAM     ip4r   korea.services.net    *           30   0

Markus
RE: [Declude.JunkMail] Spamtest quality report
Markus:

What are the following IP4R tests? I could not cross reference them with the Declude Manual or the list at http://www.declude.com/Articles.asp?ID=97

TESTSFAILED 0 CONTAINS BHOLE-CN-KR
TESTSFAILED 0 CONTAINS BHOLE-JAPAN
TESTSFAILED 0 CONTAINS BHOLE-KOREA
TESTSFAILED 0 CONTAINS KOREASPAM

Thanks for your help.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Markus Gufler
> Sent: Wednesday, August 11, 2004 3:15 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Spamtest quality report
>
> > This is really helpful. Could you explain some of your combo
> > tests? I did not know that declude could do combo tests.
>
> You can use combo-test with TESTSFAILED lines in Declude Junkmail Pro filter
> files
>
> For example
>
> You're running several IP4R tests
>
> SPAMCOP, FIVETEN, CBL, SBL,
>
> Now set up a test COMBO-IP4R with the following filterfile containing only
> your reliable IP4R-tests
>
> ##
> TESTSFAILED 0 CONTAINS AHBLDOMAINS
> TESTSFAILED 0 CONTAINS AHBLPROXIES
> TESTSFAILED 0 CONTAINS AHBLSOURCES
> TESTSFAILED 0 CONTAINS BHOLE-CN-KR
> TESTSFAILED 0 CONTAINS BHOLE-JAPAN
> TESTSFAILED 0 CONTAINS BHOLE-KOREA
> TESTSFAILED 0 CONTAINS BLITZEDALL
> TESTSFAILED 0 CONTAINS ORDB
> TESTSFAILED 0 CONTAINS CBL
> TESTSFAILED 0 CONTAINS DSBL
> TESTSFAILED 0 CONTAINS DSN
> TESTSFAILED 0 CONTAINS FABEL
> TESTSFAILED 0 CONTAINS KOREASPAM
> TESTSFAILED 0 CONTAINS MAILPOLICE-BULK
> TESTSFAILED 0 CONTAINS NJABLPROXIES
> TESTSFAILED 0 CONTAINS SBL
> TESTSFAILED 0 CONTAINS SORBS-HTTP
> TESTSFAILED 0 CONTAINS SORBS-MISC
> TESTSFAILED 0 CONTAINS SORBS-SOCKS
> TESTSFAILED 0 CONTAINS SPAMBAG
> TESTSFAILED 0 CONTAINS SPAMCOP
> TESTSFAILED 0 CONTAINS SPAMHAUS
> TESTSFAILED 0 CONTAINS XBL-DYNA
> ##
>
> This test will have no effect on your weighting system but it's the base for
> the following COMBO-Tests. COMBO-IP4R will fail if at least one of the
> listed IP4R-Tests has failed before.
>
> Now set up one test for each other test you want to combine with the
> IP4R-tests
>
> For example COMBO-IP4R-SNIFFER with another filterfile
>
> ##
> TESTSFAILED END NOTCONTAINS COMBO-IP4R
> TESTSFAILED 30 CONTAINS SNIFFER
> ##
>
> So what happens
> COMBO-IP4R-SNIFFER will terminate without result if COMBO-IP4R hasn't failed
> before
> Otherwise it will add 30 points if SNIFFER has identified this message as
> spam.
>
> You can combine several other tests with the group of IP4R-tests.
>
> Most of you should forget to use the COMBO-IP4R-COUNTRY-US filter because
> it's working good only for european mailservers. Maybe you can use a
> COMBO-IP4R-COUNTRY-EU filter file.
>
> Unfortunately you can't use this COMBO-Test with SPAMCHK because it can
> return also a negative weight if a message seems legit. If the result is
> negative it's not a good idea to combine it with another group of tests and
> add weight if the second group indicates spam. A feature request to separate
> the "weight" test in "weight+" and "weight-" should be somewhere deep in
> Scott's todo-list ;-)
>
> Markus
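
The combo-test logic described in the quoted message above, modelled in Python as an added illustration; it is not part of the original thread and is not Declude's own code or parser. It assumes each filter line has the form `TESTSFAILED <weight|END> <CONTAINS|NOTCONTAINS> <test name>`, that test names are compared whole, and it uses a shortened COMBO-IP4R list; `run_filter` and `score_message` are hypothetical names.

```python
# Added illustration: a model of the combo-test logic Markus describes.
# Assumptions: each filter line is
#   TESTSFAILED <weight|END> <CONTAINS|NOTCONTAINS> <test name>
# and test names are compared whole. This is not Declude's parser.

COMBO_IP4R = """\
##
TESTSFAILED 0 CONTAINS SPAMCOP
TESTSFAILED 0 CONTAINS CBL
TESTSFAILED 0 CONTAINS SBL
##
"""

COMBO_IP4R_SNIFFER = """\
##
TESTSFAILED END NOTCONTAINS COMBO-IP4R
TESTSFAILED 30 CONTAINS SNIFFER
##
"""

def run_filter(text, failed):
    """Return (filter_failed, weight) for one filter file."""
    hit, weight = False, 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TESTSFAILED":
            continue  # "##" separators and blank lines
        _, action, op, name = parts
        present = name in failed
        if present != (op == "CONTAINS"):
            continue  # condition on this line is not met
        if action == "END":
            break  # stop processing this filter; later lines are skipped
        hit, weight = True, weight + int(action)
    return hit, weight

def score_message(failed_tests):
    """Run both combo filters in order; return (combo weight, tests failed)."""
    failed, total = set(failed_tests), 0
    for name, text in (("COMBO-IP4R", COMBO_IP4R),
                       ("COMBO-IP4R-SNIFFER", COMBO_IP4R_SNIFFER)):
        hit, weight = run_filter(text, failed)
        if hit:
            failed.add(name)  # visible to the filters that run after it
            total += weight
    return total, sorted(failed)

if __name__ == "__main__":
    for sample in (["SPAMCOP", "SNIFFER"], ["SNIFFER"], ["CBL"]):  # constructed inputs
        print(sample, "->", score_message(sample))
```

The returned weight covers only the combo filters, not the weights of the underlying tests. A message that fails SNIFFER alone, or an IP4R test alone, gets no combo weight in this model.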
Re: [Declude.JunkMail] Spamtest quality report
In ASP without a 3rd party charting component it can be done by dynamically sizing solid color images in a table. Takes a little bit of layout work, but it can produce decent bar charts.

Darin.

----- Original Message -----
From: "Dave Doherty" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 12, 2004 10:45 AM
Subject: Re: [Declude.JunkMail] Spamtest quality report

Hi Markus-

Nice report!

You can do on-the-fly graphics very easily in ASP.NET. I don't know of a good way to do that in ASP.

-Dave

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 04, 2004 4:05 PM
Subject: [Declude.JunkMail] Spamtest quality report

> If someone is interested in this report: http://www2.spamchk.com/public.html
>
> I've added Pete's explanation and additional information.
> This static website from now on will be updated weekly every Sunday.
>
> Markus
>
> BTW: any feedback is welcome
> BTW2: if there is someone who can provide a solution for ASP-based
> on-the-fly calculation of web-graphics so that I can create historical
> graphs for every test it would be very helpful.
Re: [Declude.JunkMail] Spamtest quality report
Hi Markus-

Nice report!

You can do on-the-fly graphics very easily in ASP.NET. I don't know of a good way to do that in ASP.

-Dave

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 04, 2004 4:05 PM
Subject: [Declude.JunkMail] Spamtest quality report

> If someone is interested in this report: http://www2.spamchk.com/public.html
>
> I've added Pete's explanation and additional information.
> This static website from now on will be updated weekly every Sunday.
>
> Markus
>
> BTW: any feedback is welcome
> BTW2: if there is someone who can provide a solution for ASP-based
> on-the-fly calculation of web-graphics so that I can create historical
> graphs for every test it would be very helpful.