RE: [Declude.JunkMail] Body Filter - Stupid/Simple Question

2007-03-16 Thread David Barker
Don, you could do this:

BODY5   CONTAINS Cialis<space>

The <Space> is just to show you that there is a space there, do NOT use
<Space>

David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don
Brown
Sent: Thursday, March 15, 2007 9:28 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Body Filter - Stupid/Simple Question

I should know the answer to this, but obviously . . .

How do I filter on cialis and not catch specialist?  I don't know anything
but 'Contains' that will catch it, but it also catches specialist.

There has to be a way to look for just a word . . .

Thanks,



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364   Fax: (972) 788-5049




---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
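
Added example (not part of the thread, and not Declude configuration): a substring test, the trailing-space workaround suggested above, and a PCRE-style word boundary, compared over constructed message bodies. The case-insensitive `contains` helper is a stand-in assumed for illustration and does not reproduce Declude's own matching rules.

```python
import re

# Constructed sample bodies for illustration (not taken from the thread).
SAMPLES = {
    "spam_mid":   "Buy cialis now at low prices",
    "spam_punct": "Cheap Cialis, no prescription!",
    "spam_eol":   "Best price on CIALIS",
    "ham":        "Ask a specialist about the socialist reading list.",
}

WORD = re.compile(r"\bcialis\b", re.IGNORECASE)        # whole word only
EMBEDDED = re.compile(r"\w*cialis\w*", re.IGNORECASE)  # word around any hit


def contains(body, needle):
    """Case-insensitive substring test (stand-in for a CONTAINS filter)."""
    return needle.lower() in body.lower()


def whole_word(body):
    """True only when 'cialis' appears as a word of its own."""
    return WORD.search(body) is not None


def explain(body):
    """List the words a bare substring filter would trigger on."""
    return EMBEDDED.findall(body)


def compare(samples):
    """Map name -> (substring, trailing-space, word-boundary) verdicts."""
    return {
        name: (contains(body, "cialis"),
               contains(body, "cialis "),
               whole_word(body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare(SAMPLES).items():
        print(f"{name:10} {verdict} {explain(SAMPLES[name])}")
```

The trailing space stops the match on "specialist", but it also stops matching when the word is followed by punctuation or ends the line; the word boundary handles both.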






[Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Robert Grosshandler
Hi

We're seeing bounce messages similar to the following.  I don't think our
server has been compromised, but I want to be sure.  We legitimately send
mail from 208.100.26.91, but I think (hope) its appearance in the following
is spoofed.



--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
The-original-message-was-received-at-Fri,-16-Mar-2007-08: 55:31 -0400 (EDT)

   - The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
(reason: 550 5.7.1 Unable to relay for [EMAIL PROTECTED])
   - Transcript of session follows -
... when talking to ahrc00bh0106287.nae.ds.army.mil. while trying to contact
hrcmail.hoffman.army.mil.:
 DATA
 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
550 5.1.1 [EMAIL PROTECTED]... User unknown
 554 5.5.2 No valid recipients

--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/delivery-status

Reporting-MTA: dns; hrcpro21.hoffman.army.mil
Arrival-Date: Fri, 16 Mar 2007 08:55:31 -0400 (EDT)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Remote-MTA: DNS; hrcmail.hoffman.army.mil
Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for
[EMAIL PROTECTED]
Last-Attempt-Date: Fri, 16 Mar 2007 08:55:34 -0400 (EDT)


--l2GCtYMS006458.1174049734/hrcpro21.hoffman.army.mil
Content-Type: message/rfc822

Return-Path: [EMAIL PROTECTED]
Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
[89.78.68.55])
by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
Received: from 208.100.26.91 (HELO smtp.igive.com)
 by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
 id JLM3A5-)G'4.A-M/
 for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
From: Effie Drummond
To: [EMAIL PROTECTED]
Subject: Choosing Online Pharmacy.
Date: Fri, 16 Mar 2007 12:55:33 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_000E_01C767D2.C434B490
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
X-Antivirus: avast! (VPS 000724-0, 2007-03-15), Outbound message
X-Antivirus-Status: Clean
x-scc-prev-hop: 89.78.68.55







RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Colbeck, Andrew
You're safe, Robert.

I've seen this part in spam sent to my domain for about a year:

 Received: from 208.100.26.91 (HELO smtp.igive.com)
  by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
  id JLM3A5-)G'4.A-M/

The gibberish in the received block is a definite spam signature and
is entirely fake.  The army isn't going to be breaking down your door
and making you eat this spam.

Andrew 8)
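
Added example, not part of the thread: a check over the headers quoted in the bounce. Only the topmost Received line, stamped by the MTA that generated the report, is evidence of where the message came from; anything below it arrived as part of the message. The function name `analyze` and its two heuristics (UTC offset range, id token characters) are assumptions of this example.

```python
import re
from email import message_from_string

# Headers of the returned message as quoted in the thread; the archive
# replaced addresses with [EMAIL PROTECTED].
RAW = """\
Received: from cbs-6rhxyt1d3ub.chello.pl (chello089078068055.chello.pl
 [89.78.68.55])
 by hrcpro21.hoffman.army.mil with ESMTP id l2GCtQV4006425;
 Fri, 16 Mar 2007 08:55:31 -0400 (EDT)
Received: from 208.100.26.91 (HELO smtp.igive.com)
 by hoffman.army.mil with esmtp (9(A'R/,ZVN :36=Q+)
 id JLM3A5-)G'4.A-M/
 for [EMAIL PROTECTED]; Fri, 16 Mar 2007 12:55:33 -0060
Subject: Choosing Online Pharmacy.

"""

OFFSET = re.compile(r"([+-])(\d{2})(\d{2})(?:\s*\([^)]*\))?$")
# Characters an id token may contain: RFC 5322 atext plus . @ < >
ID_OK = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.@<>-]+")


def analyze(raw, reporting_mta):
    """Return one record per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())            # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", line)
        claimed = re.search(r"^from\s+(\S+)", line)
        ident = re.search(r"\bid\s+([^\s;]+)", line)
        findings = []
        tz = OFFSET.search(line)
        if tz is None or int(tz.group(2)) > 23 or int(tz.group(3)) > 59:
            findings.append("invalid UTC offset")
        if ident and not ID_OK.fullmatch(ident.group(1)):
            findings.append("malformed id token")
        hops.append({
            "by": by.group(1) if by else None,
            "claimed_from": claimed.group(1) if claimed else None,
            # Only the header stamped by the MTA we are reading the report
            # from is evidence; older ones arrived as part of the message.
            "trusted": not hops and by is not None and by.group(1) == reporting_mta,
            "findings": findings,
        })
    return hops
```

Called as `analyze(RAW, "hrcpro21.hoffman.army.mil")`, the trusted hop shows the connection from 89.78.68.55, while the line naming 208.100.26.91 is untrusted and carries both findings.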


 




RE: [Declude.JunkMail] Bounce / Spoof Analysis Help Please

2007-03-16 Thread Robert Grosshandler
Many thanks.




Re: [Declude.JunkMail] PCRE FILTERING

2007-03-16 Thread John Olden
Would anyone be willing to share their regular expressions files (lines) 
with the group?
I know this will be a valuable addition to Declude but most of us don't 
want to (or know how to) re-invent the wheel.

Thanks.
--
John Olden - Technology Manager
Champaign Park District





Re: [Declude.JunkMail] PCRE FILTERING

2007-03-16 Thread Gary Steiner
Here are some web pages you might check out:

http://www.cecilw.com/eudora/regexp.htm

http://www.adamlyon.com/spam/spam_filter_regex.html

http://www.adamlyon.com/spam/afo.txt

http://trac.edgewall.org/wiki/BadContent

http://www.regexlib.com/

Hopefully at some point Declude will post a list of good examples on their web 
site.

Gary






Re[2]: [Declude.JunkMail] PCRE FILTERING

2007-03-16 Thread Sanford Whiteman
> Hopefully at some point Declude will post a list of good examples on
> their web site.

I hope people aren't ignoring the ridiculously profuse SpamAssassin
Rules Emporium, SA built-in rules, etc.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/


