Re: [Declude.JunkMail] Spam out of 86.* 87.*
interbusiness.it is actually Telecom Italia; that domain is used for almost all customers' reverse DNS, including Dial-Up (not sure), ADSL and E1 lines, even if customers have their own DNS for domain resolution.

I.e.:
www.example.it resolves to 86.111.222.333
86.111.222.333 resolves to host333-222.pool86111.interbusiness.it

That means a lot of zombies with fast lines but also many regular (probably abused also) mailservers.

--- Franco Celli [EMAIL PROTECTED]

- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, February 27, 2006 10:33 PM
Subject: Re: [Declude.JunkMail] Spam out of 86.* 87.*

You've got a lot of European DUL space in 86.* and 87.*: interbusiness.it, chello.pl, chello.fr, versanet.de, wanadoo.fr, ntl.com, btcentralplus.com. So anything that targets zombies should help.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] BADHEADER code c010100e
Hi Goran,

The keyword Date: Date: appears twice.

Best Regards
Mike Higgins
Re: [Declude.JunkMail] Spam out of 86.* 87.*
Hi John,

What is my best bet - jack up the score a number of points for any mail coming from 86 87? Many of the messages hardly trip any of the regular tests.

Wouldn't hurt - use blackholes.us and maybe score 40% of your hold weight? I would say though blocking a /8 is not a good idea. way too many false positives.

My first question is why the leakage? My guess would be a new spam campaign that eventually will leak from other blocks. So first maybe figure out how to score these on header / body content, etc. Next examine the ip's that they are coming from and selectively block accordingly. Here are 2 blocks I have tagged in that range -

86.59.128.0 255.255.252.0 esnet.com ROKSO 20-May-2005 01:27 GMT
86.111.128.0 255.255.240.0 ROKSO Boris Mizhen

Don't be discouraged. There will be a new campaign tomorrow :)

-Nick
RE: [Declude.JunkMail] Spam out of 86.* 87.*
Thanks, will look at blackholes.us. My real problem is time. I've written a program and spreadsheet that extracts the domains and IP's of delivered messages and shows the unique IP's and how many messages came from them. But when I spend time cross-checking with SenderBase and ARIN, I can spend hours updating my IP filters. Cost/benefit isn't there.

Agree; have to be careful about blocking. Plan was to add points on /8 IP's, something below my subject tag score. Hopefully legit messages would come through ok, but the kinky ones, with the new scoring added, would be enough to at least trip the tag weight.

John
Re: [Declude.JunkMail] Spam out of 86.* 87.*
2 other tactics against these:

1. Spamdomain test. A verizon.com from address is unlikely to come from a wanadoo.fr reverse dns. Spamdomains will have some false positive consequences...
2. Reverse DNS Filters. I'd consider a reverse dns with a cable or -dsl- in it to be suspicious and worthy of some points. There are definitely some good servers in dul-type space, so there are some false positives here.

I've attached a filter I use specific to interbusiness.it

#
#
#REVDNS-interbusiness.it    REVDNS of known Cox addresses
#
#
#
#
SKIPIFWEIGHT 440
#
# Bypass's for all filters
#
TESTSFAILED END CONTAINS FILTER-BYPASS
TESTSFAILED END CONTAINS RBL-BYPASS
#
# exclude the big emails and those with good attachments
#
TESTSFAILED END CONTAINS SIZE-BT-100KB-200KB
TESTSFAILED END CONTAINS SIZE-BT-200KB-500KB
TESTSFAILED END CONTAINS SIZE-BT-500KB-1MB
TESTSFAILED END CONTAINS SIZE-BT-1MB-10MB
TESTSFAILED END CONTAINS SIZE-GT-10MB
TESTSFAILED END CONTAINS ATTACHMENT-GOOD
#
# Fairly successful whitelist tests
#
TESTSFAILED END CONTAINS SUBJECT-AGTERMS-WL
TESTSFAILED END CONTAINS SUBJECT-MAGNAMES-WL
TESTSFAILED END CONTAINS SUBJECT-PUBTERMS-WL
TESTSFAILED END CONTAINS BODY-MAGNAMES-WL
#
# If Mailpure's tests say it comes from bulk or an email server...
#
#TESTSFAILED END CONTAINS MPPT-BULKEMAIL
TESTSFAILED END CONTAINS MPM-EMAILSERVER
REVDNS END CONTAINS SMTP
REVDNS END CONTAINS STATIC
REVDNS END CONTAINS MAIL
REVDNS END CONTAINS .DED.
REVDNS END CONTAINS .SIP.
REVDNS END CONTAINS .MX.
REVDNS END STARTSWITH MX.
REVDNS END STARTSWITH MTA
REVDNS END CONTAINS -mx-
REVDNS END CONTAINS exchange
REVDNS END CONTAINS mx01
REVDNS END CONTAINS mx02
REVDNS END CONTAINS mx03
REVDNS END CONTAINS mx04
REVDNS END CONTAINS mx05
REVDNS END CONTAINS mx06
REVDNS END
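The two tactics from the message above (a spamdomain check and a reverse-DNS filter that exits early for names that look like mail servers), as an added Python example that is not part of the original post and is not Declude's own code. The bypass tokens come from the posted filter; the point values, the SPAMDOMAINS table, the pool-name pattern, the case-insensitive matching and the sample hostnames are assumptions made for illustration.

```python
import re

# Bypass tokens copied from the REVDNS lines of the filter posted in the thread.
# A reverse DNS name matching any of them ends the filter with no points,
# because it looks like a deliberately named mail server.
BYPASS_CONTAINS = ("smtp", "static", "mail", ".ded.", ".sip.", ".mx.", "-mx-",
                   "exchange", "mx01", "mx02", "mx03", "mx04", "mx05", "mx06")
BYPASS_STARTSWITH = ("mx.", "mta")

# Tokens the thread calls suspicious in a reverse DNS name.
SUSPECT_CONTAINS = ("cable", "-dsl-")

# Assumed shape of the provider's pool names, generalised from the single
# example given in the thread: host333-222.pool86111.interbusiness.it
POOL_RE = re.compile(r"^host\d+-\d+\.pool\d+\.interbusiness\.it$")

# Hypothetical point values: the posted filter is cut off before its scoring
# lines, so these are not the author's numbers.
POINTS_POOL = 5
POINTS_SUSPECT = 3
POINTS_SPAMDOMAIN = 4

# Hypothetical spamdomains table: sender domain -> reverse DNS suffixes that
# are considered normal for mail claiming to be from that domain.
SPAMDOMAINS = {"verizon.com": (".verizon.net", ".verizon.com")}


def is_bypassed(name):
    """True when a lower-cased rDNS name looks like a real mail server."""
    return (name.startswith(BYPASS_STARTSWITH)
            or any(tok in name for tok in BYPASS_CONTAINS))


def revdns_points(rdns):
    """Points added by the reverse-DNS filter alone."""
    name = rdns.lower().rstrip(".")
    if not name or is_bypassed(name):
        return 0
    points = 0
    if POOL_RE.match(name):
        points += POINTS_POOL
    if any(tok in name for tok in SUSPECT_CONTAINS):
        points += POINTS_SUSPECT
    return points


def spamdomain_mismatch(from_addr, rdns):
    """True when a listed sender domain arrives from an unexpected rDNS."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    suffixes = SPAMDOMAINS.get(domain)
    if suffixes is None:
        return False  # domain not listed, so the test does not apply
    # Leading dot lets "verizon.net" itself match the ".verizon.net" suffix.
    return not ("." + rdns.lower().rstrip(".")).endswith(suffixes)


def score(from_addr, rdns):
    """Return (total points, names of the tests that fired)."""
    fired = []
    pts = revdns_points(rdns)
    if pts:
        fired.append(("REVDNS", pts))
    if spamdomain_mismatch(from_addr, rdns):
        fired.append(("SPAMDOMAINS", POINTS_SPAMDOMAIN))
    return sum(p for _, p in fired), [n for n, _ in fired]


if __name__ == "__main__":
    # Constructed sample connections (sender address, reverse DNS of the peer).
    samples = [
        ("alice@verizon.com", "host12-34.pool86111.interbusiness.it"),
        ("bob@example.it", "mail.example.it"),
        ("carol@example.net", "cust-dsl-77.example.net"),
        ("dave@verizon.com", "smtp-out3.verizon.net"),
    ]
    for sender, rdns in samples:
        print(sender, rdns, score(sender, rdns))
```

The points are added to the message weight rather than used as a block, which matches the thread's caution that pool space also hosts legitimate mail servers.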
RE: [Declude.JunkMail] Damaged Image Files
We're getting the same. Also using Declude with smartermail. Because Declude doesn't appear to be scanning the headers there is no way for us to stop them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evans Martin
Sent: Tuesday, February 28, 2006 12:38 AM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Damaged Image Files

I'm getting a lot of messages that have only a graphic in them. The graphic appears to have been damaged as only about ½ of it displays. Declude has not modified the headers at all so I'm not sure if these are being scanned or not. I don't know how it could be bypassing Declude. I have attached the .msg file. Anyone have any ideas what might be causing this? I'm running Declude 3.0.5.22 and SmarterMail 2.6.

The header is as follows:

Return-Path: [EMAIL PROTECTED] Tue Feb 28 00:24:32 2006
Received: from 225-65-10-72.planters.net [72.10.65.225] by matrix.martek.net with SMTP; Tue, 28 Feb 2006 00:24:32 -0600
Date: Tue, 28 Feb 2006 01:24:22 +0100
Return-path: [EMAIL PROTECTED]
From: Abrahams[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: C1alis 10 Pills 20 mg $89.95
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary=ms020700070106060404020304
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Thanks,
Evans Martin

EVANS MARTIN [EMAIL PROTECTED]
HOSTING: http://www.martek.net
PROGRAMMING: http://www.martekware.com
iPlus Info Browser IPBs IMail Migration Tool, password browser, reporting suite make IPlus Info Browser something no IMail administrator should be without. http://www.martek.net/Default.aspx?tabid=96
RE: [Declude.JunkMail] Damaged Image Files
The problem that we've seen this "spammer" is that the image is corrupted as you mentioned... and Declude is exiting; thus why it's being allowed to be delivered. "Smart" coding on the spammer... Not so smart on Declude.

-Erik
Re: [Declude.JunkMail] Damaged Image Files
Would you be willing to post the full contents of one of the D* files and also indicate the version that you are running. This is for my own interest, but I think it might be beneficial to others. It would also be useful to see what was logged for this message. It may be that it was scanned and Declude just failed to insert the headers. I don't know.

Thanks,
Matt
RE: [Declude.JunkMail] Damaged Image Files
Judgement is quick to pass for some around here. These are getting caught by my system

X-Note: Spam Tests Failed: SBL [28], SORBS-DUHL [4], HELOBOGUS [3], SNIFFER [13]

Harry Vanderzand
inTown Internet Computer Services
519-741-1222
RE: [Declude.JunkMail] Damaged Image Files
Ditto. I've received and held 24 messages with the same title. Re-queuing 3 of these to myself, they had an image that was intact. They fail the usual RBL tests plus Message Sniffer.

Andrew 8)
RE: [Declude.JunkMail] Damaged Image Files
Yes, they are passing SNIFFER and Darrell's INV-URIBL at this time. But what Evans wrote is true. Either this "spammer" has corrected "his" image.. the fact remains that in the past when it was a corrupted; Declude failed in our version.
RE: [Declude.JunkMail] Damaged Image Files
I received a couple with the broken gif as late as yesterday. The Declude headers end up at the bottom of the message, but they are there. I'm running Declude 3.0.5.26 and SmarterMail 2.6.

Gary
Re: [Declude.JunkMail] Damaged Image Files
Erik,

I don't doubt the possibility of a bug causing the scanning of such a message to fail, but there is a possibility of this also just simply being a spam that passed, and a failure to insert the headers in the correct place. It would be great if you guys could supply the full source of one such E-mail and check your logs for an entry that matches, and clarify which version you are running.

Thanks,
Matt
RE: [Declude.JunkMail] Damaged Image Files
Interesting. As Matt said, if you can get an original D*.SMD that would be great for following this trail.

I would note that in addition, use the headers that were received to track the sending IP and time, and check your IMail log, and from there you will have the GUID for the message. Then check the Declude log for that GUID (but do a case-insensitive search). That will tell you whether Declude processed the message at all; it could be that Declude processed the message but failed to insert the headers, or failed to lock the file and had to "fail open" and allow IMail to deliver the message without being able to insert the headers.

For more information, I found all 94 of the messages with this title sent to my server today and yesterday, and found that they were all held as spam. I then copied each to my workstation and compared the filesize to see if I could spot any that were obviously different. They were all within 1 or 2 KB of each other, so I opened quite a few and found them all intact, and all with the Declude headers correctly placed.

My mileage will vary from yours, but it doesn't seem that I received any broken images in this particular spam run, and I've had no user feedback indicating spam received today. Hopefully, this counter-example will help narrow down the problem.

I'm using Declude v2.0.6.16 from 2005-05-25 and IMail v8.14 with whatever hotfixes.

Andrew 8)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erik
Sent: Tuesday, February 28, 2006 10:51 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

Yes, they are passing SNIFFER and Darrell's INV-URIBL at this time. But what Evans wrote is true. Either this "spammer" has corrected "his" image.. the fact remains that in the past when it was a corrupted; Declude failed in our version.
RE: [Declude.JunkMail] Damaged Image Files
We had an issue with Declude corrupting images from SmarterStats long ago. It turned out the SmarterStats wasn't inserting line breaks in their images, and thus single lines were going out past 8,000 characters, at which point Declude truncated the line. I wouldn't be surprised if the spamware being used to send these was doing something similar.

Thanks!
- Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com
Re: [Declude.JunkMail] Damaged Image Files
Gary, you should upgrade to 3.0.6, which has been out for about a week now, as 3.0.5.26 had serious problems with handling certain kinds of mime encapsulate messages. We actually had to roll back to 3.0.5.23 after reporting the issues with 3.0.5.26 to Declude. Version 3.0.6 fixed this issue.

Bill

- Original Message -
From: Gary Steiner [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 28, 2006 11:06 AM
Subject: RE: [Declude.JunkMail] Damaged Image Files

I received a couple with the broken gif as late as yesterday. The Declude headers end up at the bottom of the message, but they are there. I'm running Declude 3.0.5.26 and SmarterMail 2.6.

Gary

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Damaged Image Files
There is also a longstanding bug in at least Declude Virus that has issues with very long base64 encoding. I have seen no reports that this was fixed. I am wondering in this case whether or not the bug is now being exploited by spammers also.

Matt

Jay Sudowski - Handy Networks LLC wrote:

We had an issue with Declude corrupting images from SmarterStats long ago. It turned out the SmarterStats wasn't inserting line breaks in their images, and thus single lines were going out past 8,000 characters, at which point Declude truncated the line. I wouldn't be surprised if the spamware being used to send these was doing something similar.

Thanks!
- Jay Sudowski // Handy Networks LLC
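The condition Jay Sudowski and Matt describe above (base64 sent without line breaks, then cut by the scanner at about 8,000 characters) can be checked for on a stored message. This is an added example, not Declude's code and not something posted to the list; it assumes the cut keeps the first 8,000 characters of a line and drops the rest, and the sample message it builds is constructed.

```python
import base64
import binascii
from email import message_from_bytes

RFC5322_MAX_LINE = 998   # longest line RFC 5322 allows, not counting CRLF
TRUNCATE_AT = 8000       # assumption: a scanner keeps only this many characters per line

# Bytes that end a complete file of each type (heuristic completeness check).
TRAILERS = {
    "image/gif": b"\x3b",
    "image/jpeg": b"\xff\xd9",
    "image/png": b"IEND\xaeB`\x82",
}


def build_sample(wrap):
    """Constructed message with one GIF-like part, wrapped at 76 or on one line."""
    image = b"GIF89a" + bytes(range(256)) * 35 + b"\x3b"   # 8967 bytes, not a real picture
    b64 = base64.b64encode(image).decode("ascii")
    if wrap:
        b64 = "\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    lines = [
        "From: sender@example.com",
        "To: rcpt@example.net",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html",
        "",
        '<img src="cid:img1">',
        "--b1",
        'Content-Type: image/gif; name="a.gif"',
        "Content-Transfer-Encoding: base64",
        "",
        b64,
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def _decode(lines):
    """Decode base64 lines leniently, dropping a trailing incomplete 4-character group."""
    text = "".join(lines)
    text = text[: len(text) - len(text) % 4]
    try:
        return base64.b64decode(text)
    except binascii.Error:
        return b""


def audit_base64_parts(raw, truncate_at=TRUNCATE_AT):
    """Report line lengths of each base64 part and whether it survives truncation."""
    findings = []
    for part in message_from_bytes(raw).walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        lines = part.get_payload().splitlines()
        trailer = TRAILERS.get(part.get_content_type())
        longest = max((len(line) for line in lines), default=0)
        as_sent = _decode(lines)
        cut = _decode([line[:truncate_at] for line in lines])
        findings.append({
            "type": part.get_content_type(),
            "longest_line": longest,
            "over_rfc_limit": longest > RFC5322_MAX_LINE,
            # A type with no known trailer cannot be judged, so it is reported as intact.
            "intact_as_sent": trailer is None or as_sent.endswith(trailer),
            "intact_after_truncation": trailer is None or cut.endswith(trailer),
        })
    return findings


if __name__ == "__main__":
    for wrap in (True, False):
        print("wrapped" if wrap else "single line", audit_base64_parts(build_sample(wrap)))
```

A part that is intact as sent but not after truncation is the case where the recipient sees only part of the picture; an over-limit line is also worth scoring on its own, since ordinary mail clients wrap base64 at 76 characters.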
RE: [Declude.JunkMail] Damaged Image Files
Are you utilizing smartermail as your mail server?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Tuesday, February 28, 2006 12:10 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Damaged Image Files

Judgement is quick to pass for some around here. These are getting caught by my system

X-Note: Spam Tests Failed: SBL [28], SORBS-DUHL [4], HELOBOGUS [3], SNIFFER [13]

Harry Vanderzand
inTown Internet Computer Services
519-741-1222
[Declude.JunkMail] 3.06
I haven't received notification of 3.06. Did others receive a notice that it was available?

Rob
Re: [Declude.JunkMail] Damaged Image Files
They kept that one quiet. I wasn't aware of any problems with 3.0.5.26, and this is the first mention I've seen of 3.0.6, on this list or anywhere else. I guess I need to check Declude's upgrade section on a daily basis to see when they've snuck out a new release, since this information isn't announced anywhere.
[Declude.JunkMail] Checking DUL Space
In looking through my DNS tests I see only the following two to be obviously checks on the DUL space

NJABL-DUL
SORBS-DUHL

Are there other DNS tests that would also indicate that it came from the DUL space?

Thanx

Goran Jovanovic
Omega Network Solutions
Re: [Declude.JunkMail] 3.06
Only after I submitted an issue to Tech Support. No release notes for it either... I am running it.
Re: [Declude.JunkMail] Checking DUL Space
Here's what I use to target DUL space:

SORBS-DUHL IP4R dnsbl.sorbs.net 127.0.0.10 0 0
NJABL-DYNABLOCK IP4R dynablock.njabl.org 127.0.0.3 0 0
NJABL-DUL IP4R dnsbl.njabl.org 127.0.0.3 0 0
MAILPOLICE-HELO dnsbl %HELO%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0
MAILPOLICE-REVDNS dnsbl %REVDNS%.dynamic.rhs.mailpolice.com 127.0.0.2 0 0

I score the MailPolice in a filter MAILPOLICE-DYN-COMBO:

TESTSFAILED 0 CONTAINS MAILPOLICE-HELO
TESTSFAILED 0 CONTAINS MAILPOLICE-REVDNS

I then score all of the DUL in a filter with a maxweight to prevent too much piling on. Dul space isn't a precise indication of spam.

The first four are listed above.
The next 19 are REVDNS filters specific to certain providers.
MPM REVDNSCONTAINSIP is an external program that looks for IP numbers in the reverse DNS
MP-Dynamic is Mailpure's filter for IP numbers in the reverse DNS
REVDNS-DUL-KEYWORDS is a filter to look for dul type keywords in the reverse DNS (dsl, cable, etc)
HELO-DUL-KEYWORDS is a filter to look for dul type keywords in the HELO (only if no hit on REVDNS-DUL-KEYWORD)
REVDNS-DIALUP is a filter of Dialup addresses that I got off Jeff Makey's website (http://www.sdsc.edu/~jeff/spam/Dialup_Zones.html)

MAXWEIGHT 125
TESTSFAILED 60 CONTAINS NJABL-DUL
TESTSFAILED 75 CONTAINS NJABL-DYNABLOCK
TESTSFAILED 60 CONTAINS SORBS-DUHL
TESTSFAILED 60 CONTAINS MAILPOLICE-DYN-COMBO
TESTSFAILED 49 CONTAINS REVDNS-ADELPHIA
TESTSFAILED 49 CONTAINS REVDNS-AOL
TESTSFAILED 48 CONTAINS REVDNS-BELLSOUTH
TESTSFAILED 49 CONTAINS REVDNS-CABLEONE
TESTSFAILED 49 CONTAINS REVDNS-CGOCABLE
TESTSFAILED 49 CONTAINS REVDNS-CHARTER
TESTSFAILED 48 CONTAINS REVDNS-COMCAST
TESTSFAILED 49 CONTAINS REVDNS-OTHER-COMCAST
TESTSFAILED 32 CONTAINS REVDNS-COVAD
TESTSFAILED 33 CONTAINS REVDNS-COX
TESTSFAILED 33 CONTAINS REVDNS-EARTHLINK
TESTSFAILED 48 CONTAINS REVDNS-INTERBUSINESS
TESTSFAILED 24 CONTAINS REVDNS-QWEST
TESTSFAILED 48 CONTAINS REVDNS-ROADRUNNER
TESTSFAILED 33 CONTAINS REVDNS-ROGERS
TESTSFAILED 24 CONTAINS REVDNS-SBC
TESTSFAILED 48 CONTAINS REVDNS-SHAWCABLE
TESTSFAILED 48 CONTAINS REVDNS-VERIZON
TESTSFAILED 48 CONTAINS REVDNS-VIDEOTRON
TESTSFAILED 32 CONTAINS MPM-REVDNSCONTAINSIP
TESTSFAILED 29 CONTAINS MP-DYNAMIC
TESTSFAILED 49 CONTAINS REVDNS-DUL-KEYWORDS
TESTSFAILED 49 CONTAINS HELO-DUL-KEYWORDS
TESTSFAILED 49 CONTAINS REVDNS-DIALUP
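Two of the checks named in the post above, an IP address embedded in the reverse DNS name and DUL-type keywords in it, can be sketched offline together with the capped scoring. This is an added example, not the MPM or Mailpure programs and not Declude's own logic: the weights and the 125 cap are copied from the posted filter, the cap is assumed to limit the filter's total, keywords other than dsl and cable are assumed additions, and the second and third hostnames in the demo are constructed.

```python
import ipaddress
import re

# Weights and cap copied from the filter in the post above.
WEIGHTS = {
    "NJABL-DUL": 60,
    "NJABL-DYNABLOCK": 75,
    "SORBS-DUHL": 60,
    "MPM-REVDNSCONTAINSIP": 32,
    "REVDNS-DUL-KEYWORDS": 49,
}
MAXWEIGHT = 125

# "dsl" and "cable" come from the post; the other keywords are assumed additions.
DUL_KEYWORDS = re.compile(
    r"(?<![a-z])(adsl|dsl|cable|dialup|dynamic|dyn|pool|ppp)(?![a-z])")


def rdns_contains_ip(ip, rdns):
    """True when all four octets of ip can be found in the digits of rdns."""
    addr = ipaddress.IPv4Address(ip)
    octets = [str(b) for b in addr.packed]
    host = rdns.lower()
    # Hex form, e.g. 72.10.65.225 -> 480a41e1
    if f"{int(addr):08x}" in host:
        return True
    covered = set()
    for token in re.findall(r"\d+", host):
        # A token equal to one octet not yet accounted for (leading zeros allowed).
        single = [i for i in range(4) if i not in covered
                  and len(token) <= 3 and int(token) == int(octets[i])]
        if single:
            covered.add(single[0])
            continue
        # A token that is two adjacent octets run together, e.g. "8611" for 86.11.
        for i in range(3):
            pair = {i, i + 1}
            joined = (octets[i] + octets[i + 1], octets[i + 1] + octets[i])
            if not pair & covered and token in joined:
                covered |= pair
                break
    return len(covered) == 4


def dul_score(ip, rdns, dnsbl_hits=()):
    """Return (capped weight, tests failed) for one connecting host.

    dnsbl_hits lists DNSBL test names already failed; no DNS lookups are done here.
    """
    failed = [t for t in dnsbl_hits if t in WEIGHTS]
    if rdns_contains_ip(ip, rdns):
        failed.append("MPM-REVDNSCONTAINSIP")
    if DUL_KEYWORDS.search(rdns.lower()):
        failed.append("REVDNS-DUL-KEYWORDS")
    return min(sum(WEIGHTS[t] for t in failed), MAXWEIGHT), failed


if __name__ == "__main__":
    # First pair is the Received: line quoted earlier on this page; the rest are constructed.
    print(dul_score("72.10.65.225", "225-65-10-72.planters.net"))
    print(dul_score("86.11.45.123", "host123-45.pool8611.example.net"))
    print(dul_score("192.0.2.10", "mail.example.com"))
```

The cap is what keeps a host that trips several overlapping DUL indicators from reaching a hold weight on those alone, which is the "piling on" the post wants to avoid.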
RE: [Declude.JunkMail] 3.06
I downloaded it from the Declude site last week and it's running just fine.

Wolf
[Declude.JunkMail] ?? Start of phish/virus campaign ??
Starting to catch EXE attached messages with following subject lines coming (at least currently) from MESWILLEY.org [68.63.231.44].

You steal from innocent people
You are a criminal and will be busted!
Phshing is illigal
Where did you learn to scam?

John C
9:15p CST
Re: [Declude.JunkMail] ?? Start of phish/virus campaign ??
Hi, John-

Thanks. The address belongs to Comcast and is assigned to Hattiesburg-Laurel, MS. Please send a complaint to [EMAIL PROTECTED]

-d

- Original Message -
From: John Carter [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, February 28, 2006 10:17 PM
Subject: [Declude.JunkMail] ?? Start of phish/virus campaign ??

Starting to catch EXE attached messages with following subject lines coming (at least currently) MESWILLEY.org [68.63.231.44].

You steal from innocent people
You are a criminal and will be busted!
Phshing is illigal
Where did you learn to scam?

John C
9:15p CST
RE: [Declude.JunkMail] ?? Start of phish/virus campaign ??
I got this one:

htmlbody Hi!br brJust to inform you that your email is used by a spamer who intendsbrto steal bank account information thru a fake site.br brIf you are not involded, I can bring you additionnal information. Check attached file for a proof.br brIf you are, you're a little son of a bitch.brbr br /body/html

--JHYRUPLXCQFFELGFCEOR
Content-Type: application/octet-stream; name=proof.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=proof.exe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Tuesday, February 28, 2006 10:18 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] ?? Start of phish/virus campaign ??

Starting to catch EXE attached messages with following subject lines coming (at least currently) MESWILLEY.org [68.63.231.44].

You steal from innocent people
You are a criminal and will be busted!
Phshing is illigal
Where did you learn to scam?

John C
9:15p CST
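The MIME part quoted in the message above names an executable attachment twice, once in the Content-Type name parameter and once in the Content-Disposition filename. As an added example (not part of the thread and not Declude's own code), this Python check walks a constructed sample message modelled on that part and flags attachments by extension or by PE magic bytes; the extension list, the addresses and the dummy payload are assumptions.

```python
import email
from email import policy

# Assumed, non-exhaustive list of extensions that run directly on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".cpl"}

# Constructed sample modelled on the quoted MIME part; the payload is a dummy "MZ" stub.
SAMPLE = """\
From: sender@example.org
To: recipient@example.com
Subject: You steal from innocent people
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="JHYRUPLXCQFFELGFCEOR"

--JHYRUPLXCQFFELGFCEOR
Content-Type: text/html

<html><body>Check attached file for a proof.</body></html>
--JHYRUPLXCQFFELGFCEOR
Content-Type: application/octet-stream; name=proof.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=proof.exe

TVqQAAMAAAAEAAAA
--JHYRUPLXCQFFELGFCEOR--
"""

def risky_attachments(raw: str):
    """Return (filename, reason) for each MIME part that looks executable."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then Content-Type name=.
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE magic catches executables that were renamed before sending.
            findings.append((name or "<unnamed>", "MZ header"))
    return findings

if __name__ == "__main__":
    for name, reason in risky_attachments(SAMPLE):
        print(f"hold message: {name} ({reason})")
```

The magic-byte branch matters when a later wave of the same campaign renames the attachment, since the extension test alone would then pass it.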