RE: [Declude.JunkMail] Body Filter - Stupid/Simple Question
Don you could do this: BODY5 CONTAINS Cialisspace The Space is just to show you that there is a space there, do NOT use Space David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Brown Sent: Thursday, March 15, 2007 9:28 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Body Filter - Stupid/Simple Question I should know the answer to this, but obviously . . . How do I filter on cialis and not catch specialist? I don't know anything but 'Contains' that will catch it, but it also catches specialist. There has to be a way to look for just a word . . . Thanks, Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364Fax: (972) 788-5049 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Bounce / Spoof Analysis Help Please
Hi We're seeing bounce messages similar to the following. I don't think our server has been compromised, but I want to be sure. We legitimately send mail from 208.100.26.91, but I think (hope) its appearance in the following is spoofed. --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil The-original-message-was-received-at-Fri,-16-Mar-2007-08: 55:31 -0400 (EDT) - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED]) - Transcript of session follows - ... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact hrcmail.hoffman.army.mil.: DATA 550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550 5.1.1 [EMAIL PROTECTED]... User unknown 554 5.5.2 No valid recipients --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/delivery-status Reporting-MTA: dns; hrcpro21.hoffman.army.mil Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Final-Recipient: RFC822; [EMAIL PROTECTED] Action: failed Status: 5.7.1 Remote-MTA: DNS; hrcmail.hoffman.army.mil Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for [EMAIL PROTECTED] Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT) --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/rfc822 Return-Path: [EMAIL PROTECTED] Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl [89.78.68.55]) by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425; Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Received: from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060 From: Effie Drummond To: [EMAIL PROTECTED] Subject: Choosing Online Pharmacy. Date: Fri, 16 Mar 2007 12:55:33 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_000E_01C767D2.C434B490 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Importance: Normal X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message X-Antivirus-Status: Clean x-scc-prev-hop: 89.78.68.55 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
You're safe, Robert. I've seen this part in spam sent to my domain for about a year: Received: from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ The gibberish in the received block is a definite spam signature and is entirely fake. The army isn't going to be breaking down your door and making you eat this spam. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, March 16, 2007 7:39 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Bounce / Spoof Analysis Help Please Hi We're seeing bounce messages similar to the following. I don't think our server has been compromised, but I want to be sure. We legitimately send mail from 208.100.26.91, but I think (hope) its appearance in the following is spoofed. --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil The-original-message-was-received-at-Fri,-16-Mar-2007-08: 55:31 -0400 (EDT) - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED]) - Transcript of session follows - ... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact hrcmail.hoffman.army.mil.: DATA 550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550 5.1.1 [EMAIL PROTECTED]... User unknown 554 5.5.2 No valid recipients --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/delivery-status Reporting-MTA: dns; hrcpro21.hoffman.army.mil Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Final-Recipient: RFC822; [EMAIL PROTECTED] Action: failed Status: 5.7.1 Remote-MTA: DNS; hrcmail.hoffman.army.mil Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for [EMAIL PROTECTED] Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT) --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/rfc822 Return-Path: [EMAIL PROTECTED] Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl [89.78.68.55]) by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425; Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Received: from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060 From: Effie Drummond To: [EMAIL PROTECTED] Subject: Choosing Online Pharmacy. Date: Fri, 16 Mar 2007 12:55:33 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_000E_01C767D2.C434B490 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Importance: Normal X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message X-Antivirus-Status: Clean x-scc-prev-hop: 89.78.68.55 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please
Many thanks. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Friday, March 16, 2007 11:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please You're safe, Robert. I've seen this part in spam sent to my domain for about a year: Received: from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ The gibberish in the received block is a definite spam signature and is entirely fake. The army isn't going to be breaking down your door and making you eat this spam. Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler Sent: Friday, March 16, 2007 7:39 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Bounce / Spoof Analysis Help Please Hi We're seeing bounce messages similar to the following. I don't think our server has been compromised, but I want to be sure. We legitimately send mail from 208.100.26.91, but I think (hope) its appearance in the following is spoofed. --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil The-original-message-was-received-at-Fri,-16-Mar-2007-08: 55:31 -0400 (EDT) - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED]) - Transcript of session follows - ... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact hrcmail.hoffman.army.mil.: DATA 550 5.7.1 Unable to relay for [EMAIL PROTECTED] 550 5.1.1 [EMAIL PROTECTED]... User unknown 554 5.5.2 No valid recipients --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/delivery-status Reporting-MTA: dns; hrcpro21.hoffman.army.mil Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Final-Recipient: RFC822; [EMAIL PROTECTED] Action: failed Status: 5.7.1 Remote-MTA: DNS; hrcmail.hoffman.army.mil Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for [EMAIL PROTECTED] Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT) --l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil Content-Type: message/rfc822 Return-Path: [EMAIL PROTECTED] Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl [89.78.68.55]) by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425; Fri, 16 Mar 2007 08:55:31 -0400 (EDT) Received: from 208.100.26.91 (HELO smtp.igive.com) by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+) id JLM3A5-)G'4.A-M/ for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060 From: Effie Drummond To: [EMAIL PROTECTED] Subject: Choosing Online Pharmacy. Date: Fri, 16 Mar 2007 12:55:33 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_000E_01C767D2.C434B490 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Importance: Normal X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message X-Antivirus-Status: Clean x-scc-prev-hop: 89.78.68.55 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
Would anyone be willing to share their regular expressions files (lines) with the group? I know this will be a valuable addition to Declude but most of us don't want to (or know how to) re-invent the wheel. Thanks. -- John Olden - Technology Manager Champaign Park District --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PCRE FILTERING
Here are some web pages you might check out: http://www.cecilw.com/eudora/regexp.htm http://www.adamlyon.com/spam/spam_filter_regex.html http://www.adamlyon.com/spam/afo.txt http://trac.edgewall.org/wiki/BadContent http://www.regexlib.com/ Hopefully at some point Declude will post a list of good examples on their web site. Gary Original Message From: John Olden [EMAIL PROTECTED] Sent: Friday, March 16, 2007 4:58 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] PCRE FILTERING Would anyone be willing to share their regular expressions files (lines) with the group? I know this will be a valuable addition to Declude but most of us don't want to (or know how to) re-invent the wheel. Thanks. -- John Olden - Technology Manager Champaign Park District --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] PCRE FILTERING
Hopefully at some point Declude will post a list of good examples on their web site. I hope people aren't ignoring the ridiculously profuse SpamAssassin Rules Emporium, SA built-in rules, etc. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.