[Declude.JunkMail] Quote a Minute Spammer

2005-11-02 Thread Dave Beckstrom
This is a re-send.  I didn't see it make it on the list.

We're receiving spam where the Ad graphic states it's QuoteAMinute.com but
the domain referenced in the link is one of the following:

lainsnow.com
laquickquotes.com
lahealthinstogo.com
lahotquotes.com
lahealthsite.com

The mail is failing sniffer but apparently not failing invURIBL.  It's
scoring high enough to be tagged as spam but not high enough to be blocked
from delivery.

I have a few questions: 

Is there a way to block all email where the domain resolves back to a
certain DNS server?  The host DNS server is NS1.LAHOSTINABOX.COM

Is there a way to do a whois and find out all of the domain names registered
to these jerks so that I can block all of the domains ahead of time?  



 

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Nasty Spammer

2005-11-02 Thread Darrell ([EMAIL PROTECTED])
Dave, 

I checked those domains and they are now all listed in SURBL.  I am also 
seeing them picked up now as well on my system. 

2005-11-02 05:52:00.421 2005-11-02 05:52:00.500 
x:\IMail\spool\proc\work\D9a47e5b202722cef.smd laqui
om 127.0.0.20 URI from message body found in multi.surbl.org [20] [Total 
Weight=5] 

One thing you can do is go to www.senderbase.org and get the ip addresses of 
the providers that host that - 
http://www.senderbase.org/search?searchBy=organization&searchString=Integrated%20Comm%20Concepts
and create filters that will block mail from those ip blocks. 


Darrell

http://www.invariantsystems.com 




Dave Beckstrom writes: 


We're receiving spam where the Ad graphic states it's QuoteAMinute.com but
the domain referenced in the link is one of the following: 


lainsnow.com
laquickquotes.com
lahealthinstogo.com
lahotquotes.com
lahealthsite.com 


The mail is failing sniffer but apparently not failing invURIBL.  It's
scoring high enough to be tagged as spam but not high enough to be blocked
from delivery. 

I have a few questions:  


Is there a way to block all email where the domain resolves back to a
certain DNS server?  The host DNS server is NS1.LAHOSTINABOX.COM 


Is there a way to do a whois and find out all of the domain names registered
to these jerks so that I can block all of the domains ahead of time?   

 

  




RE: [Declude.JunkMail] OT: Anyone at Exchange and Windows Connections This week?

2005-11-02 Thread John T (Lists)
Does I want to be count?

It is only 2 hours away, but I am just too busy.

How come it is never in the LA basin?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Wednesday, November 02, 2005 7:12 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT: Anyone at Exchange and Windows Connections This week?

Here in San Diego?


[Declude.JunkMail] Spam not getting scanned

2005-11-02 Thread Chuck Schick
I have a customer that is getting swamped with blank emails - there is no
from, to, subject or body.  Here is what the headers of one email said.

Date: Wed, 2 Nov 2005 04:57:45 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook, Build 10.0.6626
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Originating-IP: [208.182.249.15]


It appears that Declude did not scan the email.  That IP address is on a
couple of blacklists and would have been held.  Anyone know why declude
would not scan it - are the headers too corrupted to scan?  Is there a way
to block these?



Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com



RE: [W~ 29][Declude.JunkMail] Nasty Spammer

2005-11-02 Thread Fritz Squib
Try senderbase http://tinyurl.com/7j7fy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
> Beckstrom
> Sent: Wednesday, November 02, 2005 10:08 AM
> To: Declude.JunkMail@declude.com
> Subject: [W~ 29][Declude.JunkMail] Nasty Spammer
> 
> 
> We're receiving spam where the Ad graphic states it's 
> QuoteAMinute.com but the domain referenced in the link is one 
> of the following:
> 
> lainsnow.com
> laquickquotes.com
> lahealthinstogo.com
> lahotquotes.com
> lahealthsite.com
> 
> The mail is failing sniffer but apparently not failing 
> invURIBL.  It's scoring high enough to be tagged as spam but 
> not high enough to be blocked from delivery.
> 
> I have a few questions: 
> 
> Is there a way to block all email where the domain resolves 
> back to a certain DNS server?  The host DNS server is 
> NS1.LAHOSTINABOX.COM
> 
> Is there a way to do a whois and find out all of the domain 
> names registered to these jerks so that I can block all of 
> the domains ahead of time?  

---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]



[Declude.JunkMail] OT: Anyone at Exchange and Windows Connections This week?

2005-11-02 Thread Mark Smith



Here in San Diego?
 
 


[Declude.JunkMail] Nasty Spammer

2005-11-02 Thread Dave Beckstrom
We're receiving spam where the Ad graphic states it's QuoteAMinute.com but
the domain referenced in the link is one of the following:

lainsnow.com
laquickquotes.com
lahealthinstogo.com
lahotquotes.com
lahealthsite.com

The mail is failing sniffer but apparently not failing invURIBL.  It's
scoring high enough to be tagged as spam but not high enough to be blocked
from delivery.

I have a few questions: 

Is there a way to block all email where the domain resolves back to a
certain DNS server?  The host DNS server is NS1.LAHOSTINABOX.COM

Is there a way to do a whois and find out all of the domain names registered
to these jerks so that I can block all of the domains ahead of time?  



 



[Declude.JunkMail] problem with declude 3.0.5.12

2005-11-02 Thread Goebbels, Bernd (LDS)
just detected a new bug (or is it a feature?):

i've got mails moved to a special directory even if they don't trigger the
specified test.

i.e.

content of $default$.junkmail:

GESPERRTEANHAENGE   HOLD g:\imail\gesperrteanhaenge\%DATE%

there is NO way that this mail could trigger the GESPERRTEANHAENGE test. this
test is only triggered when there is a *.pif, *.scr, etc. -file attached.

the other way works too: a lot of mails pass this test that shouldn't pass it.
this test is a way for us to pre-filter viruses. we are using avafterjm so the
viruses that pass this test get tested by all of our declude-tests and
afterward by our anti-virus software, so they don't get delivered but increase
our processor-load immensely.

is it possible that the same problem discussed under declude virus ("Virus name
reported as different than what scanner detected") is causing this too? 

i quote markus gufler:

"Hmm, looks like there is one single variable containing the last 
detected virus name and several threads writing to and reading from 
this variable..."

if this is true, we are a little bit pissed, because we are using a lot of
combo-testing to move not delivered mails to certain directories (depends on the
reason, why they are not delivered) and i will have to check each one of these
directories file by file and decide what to do. even worse: in my opinion a lot
of spam gets delivered to our customers and i don't think they will be happy
about it.

the complete mail:

Received: from 192.184.162.44 for DK.67.clbtrplkqomlzxho.fundatingisfun.com;
Wed, 02 Nov 2005 00:59:06 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "commodious Smart" <[EMAIL PROTECTED]>
Reply-To: "commodious Smart" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: I'm cute and bored lets meet
Date: Wed, 02 Nov 2005 11:00:06 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--8385_cpvcpixtwoinnecwteyean_0127"
X-Webmail-Time: Wed, 02 Nov 2005 02:02:06 -0600 
X-RBL-Warning: CBL: "Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=81.10.172.131";
X-RBL-Warning: SPAMCOP: "Blocked - see
http://www.spamcop.net/bl.shtml?81.10.172.131";
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with
spam [210f].
X-RBL-Warning: DIREKTANUNS: Message failed DIREKTANUNS test (line 16, weight 0)
X-RBL-Warning: LAENDERPRUEFUNG: Message failed LAENDERPRUEFUNG test (line 316,
weight 5)
X-RBL-Warning: HOUR2: Hour was between 6:00 and 19:59.
X-RBL-Warning: MITLNKEXTERNWEICH: Message failed MITLNKEXTERNWEICH test (line
16, weight 30)
X-RBL-Warning: PORNO: Message failed PORNO test (line 472, weight 40)
X-Declude-Sender: [EMAIL PROTECTED] [81.10.172.131]
X-Declude-Spoolname: D71b8180c0136c6f4.smd
X-Note: This incoming E-mail was scanned on Schulmail NRW by Declude 3.0.5.12
(www.declude.com) for spam and virus.
X-Spam-Tests-Failed: CBL, SPAMCOP, ROUTING, DIREKTANUNS, LAENDERPRUEFUNG, HOUR2,
MITLNKEXTERNWEICH, PORNO, WEIGHT4099nutzer [95]
X-Country-Chain: [Multi-Regional]->AUSTRIA->destination
X-Note: This E-mail was sent from cm172-131.liwest.at ([81.10.172.131]).

8385_cpvcpixtwoinnecwteyean_0127
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

Hey 105442, Bob here,
I had to tell you about this great hook up site.
I joined it 4 days ago and I got laid twice over the weekend
(by 2 different girls)
How cool is that? Its so easy and these babes want to hook up right away
with any guys they meet.
I'm tellin you, you will get some action. Check it out and see what you think.
I am sure you will be thrilled with results.
Oh I forgot to mention, 
it doesnt cost anything to join in the fun.


http://fundatingisfun.com/aac/aprof.html

Its so easy to get laid tonight



no more ofthis
http://fundatingisfun.com/r.html






They said balletomane uppercut incompetent solicitor.
Its all about him deadhead gedanken neuron anthropogenic The 
They said indeterminable dulcet [EMAIL PROTECTED] decision giveaway.
They is him ada curricula gunmen mccrackendavy She is prima bacon bake.
she is lydia deplore boss aspirepave. 

 


8385_cpvcpixtwoinnecwteyean_0127--


[Declude.JunkMail] testing mailserver

2005-11-02 Thread Bonno Bloksma



Hi,

I was testing our mailserver by setting up a telnet session on port 25 and
then entering the commands. I must have done something really wrong as my
text appears in the headers in a way not even Outlook Express can see. ;-0
It will show a blank message.

This is what was delivered to me:

Received: from TEST [194.109.165.42] by tio.nl  (SMTPD-8.21) id AE3902D0; Wed, 02 Nov 2005 12:08:41 +0100
dit is een test
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200041].
X-Declude-Sender: [EMAIL PROTECTED] [194.109.165.42]
X-Declude-Spoolname: D9DFC01B0059C.SMD
X-Declude-Note: Scanned at tio.nl by Declude 2.0.6 (http://www.declude.com/x-note.htm) for spam.
X-Declude-Scan: Score [8] at 12:09:30 on 02 Nov 2005
X-Declude-Tests: BADHEADERS
X-Country-Chain: NETHERLANDS->destination
---
[E-mail scanned at tio.nl for viruses by Declude Virus]
From: [EMAIL PROTECTED]
Date: Wed,  2 Nov 2005 12:09:30 +0100
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 383765952
X-IMail-ThreadID: 9dfc01b0059c

See the "dit is een test" below the received from line? This is what I did:

Start (Windows) telnet
set LOCAL_ECHO
open mail.tio.nl 25
HELO TEST
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
DATA
dit is een test
.
QUIT

Did I make a BIG mistake? I know I should have added a msgid somewhere and a
date line to have a proper valid message but is that necessary in order to
have the text after the DATA command appear as the body part of a mail?

I'm using Declude 2.0.6

Kind regards,
Bonno Bloksma
head of systems administration

tio hogeschool toerisme en hospitality
julianalaan 9 / 7553 ab hengelo
t 074 255 06 10 / f 074 255 06 16
[EMAIL PROTECTED] / www.tio.nl
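
An added example, not code from the list or from Declude: an RFC 822 message is a header block, one empty line, then the body, so text typed straight after DATA lands in the header block, and the blank messages in the "Spam not getting scanned" post are missing the minimum headers (Date, From, a destination). The checker below reports both conditions; the sample messages, addresses and host names are constructed placeholders.

```python
import re

FIELD = re.compile(r"^([!-9;-~]+)[ \t]*:")      # "Name:" at the start of a line
DESTINATION = {"to", "cc", "bcc"}

def split_message(raw):
    """Return (headers, stray, body); the header block ends at the first empty line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers, stray, i = [], [], 0
    while i < len(lines) and lines[i] != "":
        line, m = lines[i], FIELD.match(lines[i])
        if m:
            headers.append([m.group(1).lower(), line[m.end():].strip()])
        elif line[0] in " \t" and headers:
            headers[-1][1] += " " + line.strip()    # folded continuation line
        else:
            stray.append(line)                      # body text where a header belongs
        i += 1
    return headers, stray, "\n".join(lines[i + 1:])

def check(raw):
    """Findings for a raw message: stray text, missing minimum headers, empty body."""
    headers, stray, body = split_message(raw)
    names = {name for name, _ in headers}
    findings = []
    if stray:
        findings.append("text inside header block: %r" % stray)
    findings += ["missing %s header" % h for h in ("date", "from") if h not in names]
    if not names & DESTINATION:
        findings.append("no destination header (To/Cc/Bcc)")
    if not body.strip():
        findings.append("empty body")
    return findings

# Constructed samples (addresses and host names are placeholders).
# TELNET mirrors the test above: text typed straight after DATA, no headers.
TELNET = ("Received: from TEST [192.0.2.10] by mail.example.test; "
          "Wed, 02 Nov 2005 12:08:41 +0100\n"
          "dit is een test\n"
          "X-Declude-Tests: BADHEADERS\n")
# WELL_FORMED is what the client should send after DATA: headers, empty line, body.
WELL_FORMED = ("Date: Wed, 02 Nov 2005 12:08:41 +0100\n"
               "From: <admin@example.test>\n"
               "To: <user@example.test>\n"
               "Subject: test\n"
               "\n"
               "dit is een test\n")

if __name__ == "__main__":
    for label, raw in (("telnet", TELNET), ("well-formed", WELL_FORMED)):
        print(label, check(raw) or "OK")
```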