[Declude.JunkMail] test

2004-03-02 Thread Madscientist
ping

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Madscientist
At 04:41 PM 2/27/2004, you wrote:
Today's related counts:

My own Habeas filter: 17
HIL: 258
Number of my Habeas filters tripped that were in HIL: 1
Number of my Habeas filters tripped on my porn filter: 9
You know - it's probably crossed a mind or two - but it needs to be said.
Is it now time to use the Habeas test as a weighted indicator for spam?
_M



Re: [Declude.JunkMail] Habeas Porn

2004-02-27 Thread Madscientist
Yes.

At 03:45 PM 2/27/2004, you wrote:
Has anybody seen the crazy amount of porn spam being sent with the Habeas
headers?


Re[2]: [Declude.JunkMail] "Nigerian" Filter Creator Helper

2004-01-23 Thread Madscientist
Hello Kevin,

Friday, January 23, 2004, 12:37:37 PM, you wrote:

KB> I have been testing Kami's Nigerian filter and found that in 3 days it
KB> flagged 56 email and only caught out of 5 nigerian scam emails.

KB> I do not see this as a fault of Kami's effort but a fault of filtering. Some
KB> of the lines are very common in legitimate email. I even lowered all the
KB> weights to match our weighting scores. We will not be using it. Once I did
KB> that then the nigerian scam email did not get enough weight to be flagged
KB> properly.

KB> For the effort it is not worth the results, in my opinion.

Sniffer has a number of rules for nigerian scam email. So far we've
never had a reported false positive for one of those rules. Perhaps
the reason is that we can provide more complex filtering matching
combinations of phrases from different segments of the message.

_M
__
Peter G McNeil (Madscientist, CodeDweller)
President, MicroNeil Research Corporation.
Chief SortMonster, www.SortMonster.com



Re[2]: [Declude.JunkMail] restricted mailing?

2004-01-22 Thread Madscientist
Hello Paul, Matt

Thursday, January 22, 2004, 1:36:55 PM, you wrote:

M> Paul,

M> This isn't something that I would generally try to promote
M> because of the complexity of maintaining it in most cases, but for
M> one's own daughter, it might make perfect sense. Something of course
M> though would need to happen that caused her to get spam though, so
M> it might not be necessary at all.

M> You would need the Pro version to do this of course, and
M> instead of weighting things to her address, what you would do is set
M> up a weightrange test covering almost everything and then use
M> actions (HOLD, ROUTETO or DELETE) in a per-user JunkMail file
M> according to the Manual.  Whitelisting will prevent an all inclusive
M> weightrange test from taking action on an E-mail.



M>   What I'd like to be able to do, is block all mail to a certain
M> account, except from those addresses specified via AUTOWHITELIST.
M> Kind of a 'parental control'. Let's say I give my daughter an email
M> address, I only want to allow mail from family + friends, but those
M> I specify in her contacts list within the webmail, so using
M> Declude's AUTOWHITELIST ON, I can weight all mail coming in to her
M> mailbox, say, 100 or so, waaay above delete range, but because of
M> the address, it would be delivered. Does that make sense?

We've been experimenting with a PL (Private Listcode) methodology for these
scenarios. Specifically, all messages for a particular user (domain
usually) are blocked unless a PL code is present in the message. The
PL code is a random sequence of characters like a password. The group
that uses the code freely passes it around between them. Since no
spammer has the code it can't be abused. The code usually goes into a
signature. If the code becomes compromised then a new code is made up.

We usually create a PL code in Sniffer, but the methodology works
without it - In Declude you would use WHITELIST ANYWHERE plcode, and
block everything else.

Hope this helps,
_M

-- 
Best regards,
 Peter G McNeil (Madscientist, CodeDweller)
 President, MicroNeil Research Corporation.
 Chief SortMonster, www.SortMonster.com
 mailto:[EMAIL PROTECTED]

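An added sketch of the PL-code gate described in the message above (not code from the list, Declude, or Message Sniffer): mail is held unless an active code appears anywhere in the decoded message, which is the effect of `WHITELIST ANYWHERE plcode` plus blocking everything else. The `PL-` prefix, the function names and the sample messages are assumptions made for illustration.

```python
import base64
import secrets
from email import message_from_string
from email.message import Message


def new_pl_code(nbytes: int = 9) -> str:
    """Make a fresh password-like code. The 'PL-' prefix is an assumed format."""
    return "PL-" + secrets.token_urlsafe(nbytes)


def searchable_text(msg: Message) -> str:
    """Subject plus every decoded text part, so a code sitting in a base64 or
    quoted-printable signature is still visible to the gate."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        try:
            chunks.append(payload.decode(charset, errors="replace"))
        except LookupError:  # unknown charset label
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def gate(raw_message: str, active_codes: set) -> str:
    """DELIVER when any active PL code appears anywhere, otherwise HOLD."""
    text = searchable_text(message_from_string(raw_message))
    if any(code and code in text for code in active_codes):
        return "DELIVER"
    return "HOLD"


# Constructed sample data: one code shared by the group, three inbound messages.
CODE = "PL-7hQ2vXk9TzLm"

FRIEND_PLAIN = (
    "From: grandma@example.org\n"
    "Subject: weekend\n"
    "\n"
    "Are you coming on Sunday?\n"
    "-- \n"
    f"{CODE}\n"
)

# Same idea, but the mail client sent the body base64-encoded.
B64_BODY = base64.b64encode(f"See you Saturday!\n-- \n{CODE}\n".encode()).decode()
FRIEND_BASE64 = (
    "From: aunt@example.org\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + B64_BODY + "\n"
)

STRANGER = (
    "From: offers@example.net\n"
    "Subject: limited time offer\n"
    "\n"
    "Click now.\n"
)

if __name__ == "__main__":
    active = {CODE}
    for name, raw in [("plain", FRIEND_PLAIN), ("base64", FRIEND_BASE64),
                      ("stranger", STRANGER)]:
        print(name, gate(raw, active))
    # Rotation after a compromise: the old code stops working immediately.
    active = {new_pl_code()}
    print("plain after rotation", gate(FRIEND_PLAIN, active))
```

The base64 sample shows why the gate searches decoded parts: the raw message text never contains the code.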


RE: [Declude.JunkMail] OBFUSCATION filter

2003-09-15 Thread Pete - Madscientist
Ahh. Understood. I got confused by our rules where we code for a single
instance restricted to the URL. (Can't do that without wildcards). All
good then. Great work!
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Matthew Bramble
|Sent: Monday, September 15, 2003 12:40 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OBFUSCATION filter
|
|
|Pete,
|
|It's not redundant because the two by themselves only check for strings
|of two, while the combination checks for strings with one of each in
|succession.  This way, if they go back and forth between the two, it 
|will get caught as long as there is a "." or "@" between them, or as 
|long as it is URL encoding followed by HTML encoding.  I left out the 
|other way around because it was only a two character string, ";%" and 
|wanted to protect from FP's.
|
|I do appreciate the feedback though...I do of course make mistakes.
|
|Matt
|
|Pete McNeil wrote:
|
|> Matt,
|>
|> It appears that your coding for a combination of http & url encoding
|> in urls is redundant since you capture both types individually. It's a
|> small optimization, but worth mentioning.
|>
|> _M
|>
|> At 07:46 PM 9/14/2003 -0400, you wrote:
|>
|>> I've posted a newer version of the OBFUSCATION filter on my site.
|>> This contains the removal of the attachment thing and also the
|>> removal of 6 (of over 100) tests in order to be more forgiving, sans
|>> the PayPal issue.
|>>
|>> http://208.7.179.20/decludefilters/obfuscation/obfuscation_09-14-2003c.txt
|>>
|>>
|>> If you find any false positives with this besides the Ticketmaster
|>> one that I've already counterbalanced, please let me know.  I would 
|>> imagine that posting to this group would be better than PM's unless 
|>> others mind having discussion here.  That way everyone would know 
|>> about any issues ASAP.
|>>
|>> Thanks,
|>>
|>> Matt
|>>


RE: [Declude.JunkMail] Bogus comments

2003-09-12 Thread Pete - Madscientist
Not quite right. Normal HTML does often contain comments, usually
generated automatically as a debugging aid for the developer. Normal
HTML does not usually contain comments that break up words like fr  ee (note that I added a space after fr and
before ee to be sure Message Sniffer filters wouldn't catch this
accidentally).

_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|interactiveaustria
|Sent: Friday, September 12, 2003 1:14 AM
|To: [EMAIL PROTECTED]
|Subject: [Declude.JunkMail] Bogus comments
|
|
|Hi,
|
|is there a possibility to test for (bogus) comments with 
|Declude.Junkmail (I'm using the lite version)? Something like
|
|VIAGRA
|
|Anyway, a "normal" HTML Mail should not contain any comments 
|at all (is that right?), so that could be a 100% indicator for spam.
|
|Best wishes
|Michael
|
|+--+
|| interactiveaustria   |
|| Michael Tobisch EDV-Dienstleistungen |
|| Wiesengasse 12, A-8160 Weiz  |
|| Tel +43 3172 4930|
|| GSM +43 664 2126941  |
|| EMail [EMAIL PROTECTED]|
|| Web http://www.iaa.at|
|+--+
|| Kundeninformationen per E-Mail:  |
|| http://www.iaa.at/kundeninfo.asp |
|+--+
|
|
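The distinction drawn in the reply above, as an added detection sketch (not Message Sniffer's or Declude's rule code): ordinary comments that sit between tags are counted but ignored, while comments wedged between two letters are reported together with the word they were hiding. The sample HTML is constructed and the per-word weight is an assumed value.

```python
import re

# One HTML comment. The tempered dot stops a single match from running
# across two separate comments.
COMMENT = r"<!--(?:(?!-->).)*-->"
COMMENT_RE = re.compile(COMMENT, re.DOTALL)

# Letters, then one or more comments, then letters again (repeated): a word
# that only reads correctly once the comments are stripped out.
SPLIT_WORD_RE = re.compile(rf"[A-Za-z]+(?:(?:{COMMENT})+[A-Za-z]+)+", re.DOTALL)


def comment_report(html: str, weight_per_word: int = 5) -> dict:
    """Count all comments, list the words rebuilt from comment-split
    fragments, and turn the hits into a weight instead of a hard verdict."""
    split_words = [COMMENT_RE.sub("", m.group(0))
                   for m in SPLIT_WORD_RE.finditer(html)]
    return {
        "comments": len(COMMENT_RE.findall(html)),
        "split_words": split_words,
        "weight": weight_per_word * len(split_words),
    }


# Constructed sample: editor-generated comments, all between tags.
LEGIT_HTML = (
    "<html><!-- Generated by an HTML editor -->\n"
    "<body>\n"
    "<!-- begin header -->\n"
    "<h1>Monthly newsletter</h1>\n"
    "<!-- end header -->\n"
    "<p>Free shipping this week.</p></body></html>"
)

# Constructed sample: comments placed inside words to defeat phrase matching.
SPAM_HTML = (
    "<html><body><p>Get it fr<!--q7-->ee today: "
    "VI<!--a--><!--b-->AG<!--zz-->RA</p></body></html>"
)

if __name__ == "__main__":
    print(comment_report(LEGIT_HTML))
    print(comment_report(SPAM_HTML))
```

A comment count alone cannot separate the two samples; only the position of the comments relative to letters does.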


RE: [Declude.JunkMail] scrambled url in source of e-mail

2003-09-04 Thread Pete - Madscientist



For one thing this is a great way to filter spam. There is no good reason 
to encode part of a url, or for that matter to encode "normal" characters. So, 
anything with %30%37.biz is _ALMOST_ certain to be spam. We have been testing a 
number of rules like this already with great results. I see no reason that rules 
like this can't be made in IMail or Declude directly since they tend to be very 
simple and short.
 
Hope this helps,
_M
 
Chief Sortmonster (www.sortmonster.com)
 
"The more they rethink the plumbing, the easier it is to stop up the 
works - Scotty"

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry Vanderzand
  Sent: Thursday, September 04, 2003 9:33 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] scrambled url in source of e-mail

  How does one deal with scrambled source in the e-mail.

  For example I find the following address: www.%3982%30%37.biz

  I like to use the address in my filter file but am not sure if the scrambled form
  will work as I assume there must be a translation going on when this code gets
  processed

  thanks

  Harry Vanderzand
  inTown Internet & Computer Services
  11 Belmont Ave. W.
  Kitchener, ON
  N2M 1L2
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Placing Weight in Header

Duuuh.. Why didn't I think of that.
FWIW, if you just put Weight: %WEIGHT% in the header then you might
be breaking RFC's.
There should be an X- before your "Weight" line which will
denote a comment line.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GlobalWeb.net Webmaster
  Sent: Thursday, September 04, 2003 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Placing Weight in Header

  we use , in our global.cfg file,

  XINHEADER Weight: %WEIGHT%

  so you could put in yours:

  XINHEADER X-DECLDUE-WEIGHT: %WEIGHT%

  Sincerely,
  Randy Armbrecht
  Global Web Solutions®, Inc.
  804-346-5300 ext. 1
  877-800-GLOBAL (4562) ext. 1
  http://globalweb.net
  
   
   
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Thursday, September 04, 2003 7:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Placing Weight in Header

Is there any way to place the total weight in the SMTP header?
Something like:

X-DECLUDE-WEIGHT: yyy
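Added example (not Message Sniffer or Declude code): a detector for the case raised in the "scrambled url" message above, escapes in the host part of a URL that hide characters which never need encoding, extended to the HTML numeric references mentioned in the OBFUSCATION filter thread. Apart from the address quoted from Harry's post, the sample text is constructed, and the function names are illustrative.

```python
import re
import string
from urllib.parse import unquote

# RFC 3986 "unreserved" characters: these never need escaping in a URL.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s"'<>]+""", re.IGNORECASE)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
NCR_RE = re.compile(r"&#(?:x([0-9a-f]+)|([0-9]+));", re.IGNORECASE)
# Optional scheme, then everything up to the first "/", "?" or "#". A numeric
# character reference is consumed whole so its "#" does not end the authority.
AUTHORITY_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?((?:&#x?[0-9a-f]+;|[^/?#])*)", re.IGNORECASE
)


def ncr_char(match):
    """Decode one HTML numeric character reference (&#46; or &#x2e;)."""
    code = int(match.group(1), 16) if match.group(1) else int(match.group(2))
    return chr(code) if code < 0x110000 else match.group(0)


def needless_escapes(authority):
    """Escapes in the host part that stand for characters needing no escape."""
    hits = [m.group(0) for m in NCR_RE.finditer(authority)
            if ncr_char(m) in UNRESERVED or ncr_char(m) == "%"]
    html_decoded = NCR_RE.sub(ncr_char, authority)
    hits += [m.group(0) for m in PCT_RE.finditer(html_decoded)
             if chr(int(m.group(1), 16)) in UNRESERVED]
    return hits


def decode_authority(authority):
    """HTML-decode first, then percent-decode, the order a browser applies."""
    return unquote(NCR_RE.sub(ncr_char, authority))


def scan(message_text):
    """Return one finding per URL whose host part is needlessly encoded."""
    findings = []
    for m in URL_RE.finditer(message_text):
        authority = AUTHORITY_RE.match(m.group(0)).group(1)
        escapes = needless_escapes(authority)
        if escapes:
            findings.append({"url": m.group(0), "escapes": escapes,
                             "decoded": decode_authority(authority)})
    return findings


# First line uses the address from the post; the other two are constructed.
SAMPLE = (
    "Visit www.%3982%30%37.biz today\n"
    '<a href="http://www&#46;example&#x2e;test/offer">click</a>\n'
    "Menu: https://example.com/search?q=caf%C3%A9%20menu\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The third sample line is not reported: its escapes sit in the query string and stand for a space and a non-ASCII letter, which legitimately need encoding. The `decoded` value is the plain form of the host, which answers the question of what the scrambled address translates to.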


RE: [Declude.JunkMail] More and more email getting past Declude

2003-09-02 Thread Pete - Madscientist
They're not getting past everything - we show a rejection rate of greater
than 75% almost consistently... not to say that the problem isn't getting
worse though.

http://www.sortmonster.com/MessageSniffer/Performance/FlowRates.jsp

We have seen a significant and apparently consistent rise in the rate of new
spam since about a week ago - coinciding with the closure of Osirusoft...
probably largely a matter of more reports rather than simply more spam - but
significant none the less.

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

_M

>  -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 02, 2003 9:21 AM
> To:   Declude JunkMail (E-mail)
> Subject:  [Declude.JunkMail] More and more email getting past Declude
> 
> Is it just me or have spammers found other ways to get past scanners? I've
> been getting slammed lately with more and more spam that is getting past
> declude without a single hit.
> 
> Greg Foulks
> NewFound Technologies, Inc.
> [EMAIL PROTECTED]
> http://www.nfti.com
> 614.318.5036
> 

RE: [Declude.JunkMail] Alligate

2003-08-29 Thread Pete - Madscientist
John,

Our demo policy is now more open than before. I don't want to put too
fine a point on it, but as part of our open source release, we changed
the way we do demos for Message Sniffer. The sniffer2.snf license has
some restrictions but it is continually updated. You might consider
implementing Message Sniffer "for evaluation purposes" using the demo
license until you have the funds you need.

Sure, it won't perform as well as a registered version, and it can't be
customized, no support, etc... None the less, as an additional test it
might be quite helpful.

Just a thought,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of John 
|Tolmachoff (Lists)
|Sent: Thursday, August 28, 2003 1:44 PM
|To: [EMAIL PROTECTED]
|Subject: RE: [Declude.JunkMail] Alligate
|
|
|I do not use MessageSniffer at this time, but would if I could.
|
|I like the product. I have evaluated it. It is a very good test to use.
|
|Why would I use both, the broader the scope of the tests, the 
|more chance of catching all spam with a lesser FP rate.
|
|They both have their strengths, and weaknesses. Their
|weaknesses is nothing to detract from them, it is inherent in
|any program.
|
|I just do not have the funds at this time.
|
|John Tolmachoff MCSE CSSA
|Engineer/Consultant
|eServices For You
|www.eservicesforyou.com
|
|
|> -Original Message-
|> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
|> [EMAIL PROTECTED] On Behalf Of Bill Newberg
|> Sent: Thursday, August 28, 2003 9:39 AM
|> To: [EMAIL PROTECTED]
|> Subject: FW: [Declude.JunkMail] Alligate
|> 
|> John,
|> 
|> I understand you are very pleased with the product. Do you use 
|> MessageSniffer as well? If so, why?
|> 
|> Thanks,
|> 
|> Bill
|> 
|> >
|> > -- Original Message --
|> > From: "John Tolmachoff \(Lists\)" <[EMAIL PROTECTED]>
|> > Reply-To: [EMAIL PROTECTED]
|> > Date:  Thu, 28 Aug 2003 09:03:45 -0700
|> >
|> > Please see the link to the archives in my earlier post on this.
|> >
|> > John Tolmachoff MCSE CSSA
|> > Engineer/Consultant
|> > eServices For You
|> > www.eservicesforyou.com
|> >
|> >
|> > > -Original Message-
|> > > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
|> > > [EMAIL PROTECTED] On Behalf Of bill.maillists
|> > > Sent: Thursday, August 28, 2003 8:28 AM
|> > > To: [EMAIL PROTECTED]
|> > > Subject: [Declude.JunkMail] Alligate
|> > >
|> > > I'm already using Message Sniffer with Declude. What would Alligate do that
|> > > Message Sniffer doesn't?
|> > >
|> > > Thanks,
|> > >
|> > > Bill Newberg
|> 


RE: [Declude.JunkMail] OT: Declude notification and SoBig assault.

2003-08-22 Thread Pete - Madscientist
Message Sniffer has rules in place for this (about 30+ of them).

We've also lifted the delay restriction on the demo license temporarily
so that ANYONE can get this protection by running the demo license
(sniffer2.snf) with Declude Junkmail. BE SURE TO DOWNLOAD THE LATEST
VERSION OF THE RULEBASE - 

http://www.sortmonster.com/MessageSniffer/Try-It.html

I am about to take off the group differentiation temporarily so that
Declude can be set up to test for the specific rule group result for
malware under the demo license.

(We will keep the restrictions off of the demo license (sniffer2.snf)
until the biggest problems with Sobig are over.)

That result code for the malware rule group is: 55.

USE CAUTION! We _think_ we've got good filters in place for all variants
of sobig.f, however we have seen minor changes showing up and nothing is
perfect. We do seem to be catching almost all of it though...

Hope this helps,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of junk mail
|Sent: Friday, August 22, 2003 12:48 PM
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] OT: Declude notification and 
|SoBig assault.
|
|
|We are only running Declude JunkMail is anyone setting up any
|rules to filter out the SoBig virus other than using Declude
|virus software.
|
|Thanks,
|Dom
|
|


RE: RE : [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?

2003-08-21 Thread Pete (Madscientist)
Please forward a copy of the newsletter to me
([EMAIL PROTECTED]) as an attachment and I will adjust the rule
base (if appropriate). This is a service we provide by default to each
subscriber, but we also - in general - code the core rule base to avoid
false positives whenever we hear about them and the choice is widely
applicable.

Your assistance is greatly appreciated.

Thanks,
_M

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|[EMAIL PROTECTED]
|Sent: Thursday, August 21, 2003 7:38 AM
|To: [EMAIL PROTECTED]
|Subject: RE : [Declude.JunkMail] Alligate vs. Message 
|Sniffer...opinions?
|
|
|Hi,
|
|Message sniffer is not so bad as I tested it but have a big
|problem with News letter it has a big False positive rate with them.
|
|Regards
|Mehdi Blagui
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
|Sent: Thursday, August 21, 2003 03:32
|To: [EMAIL PROTECTED]
|Subject: Re: [Declude.JunkMail] Alligate vs. Message Sniffer...opinions?
|
|
|John,
|
|I just joined the list today, but I found your configuration file from
|back in June and it was very helpful in understanding how to fine tune
|Alligate.  I'm going to study its logs more closely before I start that
|phase though, looking for false positives.  I've turned that test down
|to 3/10 of failure and reduced several other tests by 1/10 to 2/10 of
|failure in order to accommodate it (BADHEADERS for instance).  It seems
|to get most of its scoring from technical-type stuff instead of the
|heuristics, and if this is the case, I don't think that a scaled test
|would be that much more useful to me.  If I could score the content and
|obfuscation, and just those things, I wouldn't be double counting the
|technicals, and that should reduce some false positives.
|
|I don't want to knock Alligate, it has some nice functionality,
|especially when used without Declude (auto whitelisting and digest
|notification), and it does what it says, but it has a relatively high
|false positive rate in the default configuration and therefore it can't
|be scored higher than it is on my scale.  If they could get the auto
|whitelisting and digest notification to work with Declude, that might
|make me a buyer.  I'm still looking for more information on Message
|Sniffer within this context.
|
|I've looked at AutoWhite and will probably give it a try, but I can't 
|find any information on Match.  Would you care to share a link?
|
|Thanks,
|
|Matt
|
|
|
|
|John Tolmachoff (Lists) wrote:
|
|>As one of the earlier testers and helped develop the variable scale of
|>Alligate, I can understand your position. I have a client that gets a lot of
|>e-mail from the Far East and a lot of bcc broadcasts and lists. Many of
|>these show elements of spam, but are legit. That is what makes it hard.
|>
|>There are a number of adjustments available in Alligate. You might want to
|>look over my config file I posted earlier today.
|>
|>One thing I do for this specific issue is I use 2 programs. One is Match,
|>which is very simple but does need to be revised. The other is AutoWhite. A
|>30 demo of AutoWhite is available at
|>www.eservicesforyou.com/products/autowhite.html. Match is free.
|>
|>While everyone can have a unique setup, please let me know if you would like
|>to spend some time going over the possible configurations in Alligate.
|>
|>John Tolmachoff MCSE CSSA
|>Engineer/Consultant
|>eServices For You
|>www.eservicesforyou.com
|>
|>  
|>
|
|


RE: [Declude.JunkMail] re: Strange logging

2003-07-03 Thread Madscientist
>>I caught this when my log analyser told me that I have a test called 
>>SPAM07/02/2003



>This does seem to happen occasionally when several processes are appending
>to a text file in a very short period of time (not just with Declude; it
>happens with IMail SMTP32.exe processes as well).  My guess is that when an
>internal OS buffer gets hit, rather than waiting for it to clear, the OS
>just saves part of what it is supposed to.
>
>-Scott

We also see this quite a bit with Message Sniffer logs. Consistently the
logs from Winx systems have these kinds of "odd mergers". The only way
to solve it is to serialize access to the log files - which slows things
down so we don't do it.

_M



Re: [Declude.JunkMail] Incredimail

2003-06-28 Thread Madscientist
At 10:31 AM 6/28/2003 -0700, you wrote:
Is anyone blocking these content rich "fun" E-mails?  I've had customers 
using the program have a raft of problems, the latest seems to be ISP's 
bouncing the Email based on the incredimail tag in the headers.


We had some early rules show up due to spam from incredimail and done using 
incredimail. We quickly had to abandon those rules due to false positive 
reports. It was very short lived.

(sigh)

_M



Re: [Declude.JunkMail] Mail Client with Redirect Command

2003-06-28 Thread Madscientist


At 07:27 PM 6/27/2003 -0400, you wrote:
Can anyone out there recommend a Windows based email client that supports the
redirect command ??
 
I believe The Bat! does that.
_M




Re: [Declude.JunkMail] Greylisting

2003-06-21 Thread Madscientist



At 05:11 PM 6/20/2003 -0400, you wrote:
Just saw this on /. and thought that you all might be interested...

http://projects.puremagic.com/greylisting/

I've just published a paper on a new and unique spam blocking method called
"Greylisting".  The

We have comparable mechanisms designed into the AI of Message Sniffer...
When we thought about concepts like this: delaying then allowing
messages... We discovered a dark side. Spammers will likely adopt a
policy of automatically resending their spam after a delay - even if it
was not rejected (because they won't wait to see if the message got
through).

It is likely that as methodologies like this become more widely deployed
spammers will evolve to a "double barrelled" approach of
delivery where each message is shot-gunned two or more times to each
address as a matter of course. While this requires significantly more
bandwidth from the spammers it is clear that the costs of bandwidth are
not a sufficient deterrent - in part because more and more spammers are
not paying for ANY of that bandwidth (jeem & variants of all
"compromised third party" mechanisms).

The failure in thinking behind this "greylisting" approach is
that it holds the expectation that the spammer will be forced to follow
RFCs and resend their messages in response to temporary failures
according to those protocols. In fact, spammers already do not pay any
attention to the protocols in the first place, and since automatically
re-broadcasting their messages satisfies the "appearance" of a
retry in the current protocol there is in fact very little additional
cost-in-complexity for the spammer.

None the less, the delay-before-accept methodology is somewhat effective
and is therefore inevitable (I think) as an escalation in the battle
continues. (some similar and more lightweight implementations are already
being used and experimented with) Sadly delay-before-accept will bring
with it a profound increase in the bandwidth used by spammers.

While it seems on the surface that forcing spammers to retry their
delivery will complicate their lives and increase their costs, the
reality is that there is little additional cost for the spammers who
already use mechanisms that virtually ignore standard protocols. Their
solution is simple: send all messages again after an hour or so... and
maybe again after that.

Another unfortunate variant of this response is the "radio
rotation" methodology whereby the spammer delivers to their spambot
(some compromised or dedicated hardware) a message to be delivered to the
current lists. All messages at the spambot are repeatedly transmitted in
rotation (like songs being played at a commercial radio station) until
the message is removed from the "playlist". The spambot simply
retransmits each message in its queue repeatedly. As new messages are
uploaded to the spambot, older messages are removed from the playlist to
make room.

It's scary I know, but it's on its way if it's not already in place
(there is some evidence that this is already in wide deployment with some
spammers).

_M
Pete McNeil (madscientist)
President, MicroNeil Research Corporation
Chief SortMonster, www.SortMonster.com
PS: I've considered a similar protocol that would force the required
complexity on the spammers but since it would require broad deployment to
be effective the methodology has been shelved (at least for now). Here is
a short description of the IRRQ protocol. (IRRQ = Intelligent Retry
Request).
IRRQ adjusts the SMTP protocol by enforcing a lightweight authentication
(automated challenge) for new senders to an MTA. IRRQ is still in
consideration for later deployment as part of a COT protocol suite in
SortMonster. (COT = Circle Of Trust).
1. A new sender (SMTP SENDER + SOURCE MTA) attempts to deliver a message.

2. The new sender is not in the local COT reference so their message is
initially rejected with a temporary failure. However the temporary
failure messages is modified to include an authentication code (in the
form of a special email address) for future retries of this message. The
authentication code is a secure one-time-pad.
  <- 451 Please try again later using
<[EMAIL PROTECTED]>
3. The sending MTA stores the authentication code with the message to be
retried. The receiving MTA stores the authentication message and envelope
information with an expiration time and a guard time.
4. The receiving MTA may perform other operations to automatically or
manually white-list the new sender. For example, in a COT model the peers
in the local COT might be queried for a rating of the sender or an
acceptance policy. As a result any sending MTAs that are not implementing
the protocol can be accommodated after the delay dependent upon the
policies of the receiving MTA and the services (such as COT, RBLs, etc.)
at its disposal.
5. The sending MTA retries the message aft

Re: [Declude.JunkMail] Numeral SP00FING

2003-06-18 Thread Madscientist
We tried some generalized patterns in Message Sniffer at first, but always 
found too many false positives in the analysis. Now we just wait for an 
instance to come by and it's coded in the next update (usually within a 
couple hours). No false positives for these codings so far... but of course 
they are specific and it takes time to do this work...

_M

At 04:57 PM 6/18/2003 -0700, you wrote:
I also considered something universal like every combination of  letters 
next to numbers, but there are too many legit messages with codes, even if
limited to the subject.  It would work if the test were smart enough to 
measure the ratio of letters to numbers.

Good luck with that.

Dan

On Wednesday, June 18, 2003 15:32, Markus Gufler <[EMAIL PROTECTED]> wrote:
>
>> ST0P Paying T00 MUCH for 1NSURANCE
>>
>> Easy to stop, but it's silly to make tests for every word in
>> the dictionary.  Anyone have some already assembled?
>
>Our latest Alpha-Version of SpamChk has a new test called DigitsInWord.
>At the moment it's not very reliable because we have to finish the
>implementation of complete MIME-support. Until now this test catches
>also certain encoded strings that commonly contain digits and so will
>produce false positives.
>
>Markus


RE: [Declude.JunkMail] "Held" Spam Management

2003-06-12 Thread Madscientist
>On a separate topic, I'm curious to know how everyone handles 
>the spam which makes it into the "imail\spool\spam" directory. 
> My current implementation of Declude JunkMail Pro is enabled 
>for only 5 domains.  A couple of those domains have only been 
>active for a week.  We have about 100 domains on our IMail 
>server so I can't imagine what it's going to be like when I 
>roll this out on a large scale.

We hold spam for some period of time (typ 2 wks). If a false positive is
suspected then we perform a search for the "missing message" using
simple file search tools and if we find the message we adjust our
Message Sniffer rules and other settings to compensate. Copying the
message back into the spool directory (both D & Q files) gets the
message delivered.

( Typical adjustments would include blocking black rules, adding white
rules, or adjusting the weights on some tests. Most often the case is
adding a white rule for a list that may include advertising content or
perhaps is sent by a "gray" hoster. )

Some systems allow the user to perform the search and delivery functions
themselves and then report false positive information based on their
activity. These systems may also make automatic adjustments such as the
addition of white rules based on the headers in the message etc... it's
all dependent upon the technical capability of the system
administrator(s).

We never do any review of the messages held in the spam folder except
when performing research and training functions for our Message Sniffer
product. As an ISP, we would probably never review this content. As a
small business or corporate office we might do a weekly search for
common keywords of interest and review only that content as a
safeguard.

>guessing that one route I could take is to take a "DELETE" 
>action on spam which has a particularly high weight.  Given 
>the DJM default weight is there any weight which people have 
>decided is a good "DELETE" weight.  Is there anything else I'm 
>not thinking of?

With Message Sniffer there are some categories of messages (such as
Porn/Adult) that are generally safe to delete. Declude allows you to
treat each of these categories differently.

You can take the same approach with other tests in Declude with varying
degrees of confidence. For example you may find that a particular test
or rbl never causes you any false positives and so you could choose to
delete on those tests.

It's tougher to be sure about deleting messages based only on weight,
but certainly worth a try given the statistics that are posted by
Declude. There appears to be a VERY high level of confidence and
accuracy at the high weight levels when a wide range of tests are
applied. I recommend you start by reviewing the latest statistics posted
by Scott and look at the simulated tests (WEIGHT 10 and WEIGHT 20). Your
mileage may vary but you might feel safe establishing a delete weight
that matches the top 10 - 20 % of the messages you stop with Declude
given the tests that you use. After watching this a while you could
adjust that number downward to capture more for deletion.

There are no _absolute_ weight values to recommend since every
installation of Declude and every system's tolerance for error is
different. I hope these suggestions are helpful to get you started.

_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)



Re: [Declude.JunkMail] Leading space

2003-06-12 Thread Madscientist
At 08:57 AM 6/12/2003 -0500, you wrote:
Hi

I'm using whitelist anywhere as a poor man's whitelist to, since I can't
justify the upgrade to Pro.
I've got the line:
whitelist anywhere nick@
in my global.cfm
(I want to whitelist [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
etc.)
Unfortunately, that also catches [EMAIL PROTECTED]

Can I force there to be a leading "space" character, so that only
[EMAIL PROTECTED] triggers the whitelist?
You may not be looking for a space anyway. In a header you would likely see 
the address as <[EMAIL PROTECTED]> so you might try whitelist anywhere 

It's not perfect but I think it will work. Scott will correct me if I'm wrong.

Hope this helps.
_M


RE: [Declude.JunkMail] Declude on RAM Drive

2003-06-06 Thread Madscientist
We've seen systems use ram drives for Message Sniffer and virus scanning
with dramatic results. We've experimented with using ram drives for the
spool - however there are hazards (not recommended on Winx operating
systems) and this requires some additional "help" to keep the spool if
the system must stop.

_M

>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of John 
>Tolmachoff (Lists)
>Sent: Wednesday, June 04, 2003 1:27 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [Declude.JunkMail] Declude on RAM Drive
>
>
>IMO, RAM drives are best for page files and databases.
>
>John Tolmachoff MCSE CSSA
>Engineer/Consultant
>eServices For You
>www.eservicesforyou.com
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
>> [EMAIL PROTECTED] On Behalf Of David Sullivan
>> Sent: Wednesday, June 04, 2003 10:10 AM
>> To: [EMAIL PROTECTED]
>> Subject: [Declude.JunkMail] Declude on RAM Drive
>> 
>> I posted this on the Declude Virus list and didn't get any response.
>> (Hope it wasn't a stupid question :-).  Anybody here have anything to
>> offer? Thanks. -David
>>
>>
>> >I just noticed on Declude site that it is compatible for use on a RAM
>> >drive.
>> >Haven't used one of these since DOS but trying to squeeze every last
>> >bit of performance out of Declude.  Anyone doing this or have additional
>> >performance tuning tips?
>> >
>> >Thanks
>> >
>> >-David


RE: [Declude.JunkMail] Easy way to add power and flexibility.

2003-06-06 Thread Madscientist
Wouldn't it make sense to follow this logic...

Do the positive weight tests (black tests) first in highest to lowest
weight order.

If the action threshold is reached then skip to the negative weight
tests (white tests) in the same order but keep your place so you can
resume if needed.

If a negative weight test drops the weight below the action threshold
then bounce back to the positive list and continue where you left off
until you finish or break the threshold again.

Allow the system to bounce between black and white tests until the value
stabilizes.

Also include the optimization rule that the white tests never get run or
resume if either the current weight is below the action threshold or the
sum of the remaining tests would be insufficient to force it back across
the threshold.

Include a similar rule for the black tests.

The result will be a system that adapts to the tests that are available
in real time, only running the tests required to produce a determinate
result.

This is based on self organizing automata principles. It allows the
population of tests to interact with each other and reach a stable
equilibrium in their "environment" (a determinate result) even when the
population of active tests is unknown before each instance of run time.

It sounds more complicated than it is.

_M

PS: In Declude there is a wrinkle with this methodology. Since all DNS
based tests are fired at once up front there is no obvious way to
resolve the ordering of these tests... but this _might_ be solved by
recognizing that most DNS interactions are UDP based... so it would be
possible (and relatively inexpensive) to launch the queries for all of
the potential DNS based tests up front, but to reserve the evaluation of
each result in the appropriate order... if the system reached a state
where some of these tests were not going to be evaluated then those
threads would simply die with no harm. Only Scott knows how his code is
structured so this may or may not be an easy thing to do. I'm presuming
it would be easy if each test were fired in its own thread since that
thread would spend most of its time waiting (sleeping) for a response
and the evaluation of that response could be encapsulated in a "result
check" method for the test.


>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of John 
>Tolmachoff (Lists)
>Sent: Wednesday, June 04, 2003 2:02 AM
>To: [EMAIL PROTECTED]
>Subject: RE: [Declude.JunkMail] Easy way to add power and flexibility.
>
>
>> Forgive the intrusion (I just troll here, don't actually have JM
>> ), but this idea seems flawed.  If you quit testing once a
>> certain weight has been reached, wouldn't you cut off further testing
>> that might reduce that weight?  In a system where a score can go up
>> and down depending on the test, unless there is a way to order the
>> tests so negative weighted tests are run first, I'd think that all
>> tests must be accounted for.
>
>Welcome Kurt. Yes, I agree with you. That is why I have stated
>my hesitation at having this available, either as an option or feature.
>
>The weighting system is the weighting system and should be 
>allowed to work in its entirety.
>
>John Tolmachoff MCSE CSSA
>Engineer/Consultant
>eServices For You
>www.eservicesforyou.com
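The black/white bouncing and the two "remaining sum" cut-off rules from the message above, written out as an added Python example (it is not code from the post or from Declude). The test names, weights and threshold are constructed for illustration, and each test is assumed to either add its full weight or nothing.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class WeightedTest:
    name: str
    weight: int                    # > 0 is a black test, < 0 is a white test
    fires: Callable[[Dict], bool]  # True when the test trips on the message


def evaluate(msg: Dict, tests: List[WeightedTest],
             threshold: int) -> Tuple[bool, int, List[str]]:
    """Run only the tests needed; return (action, weight so far, tests run)."""
    black = sorted((t for t in tests if t.weight > 0), key=lambda t: -t.weight)
    white = sorted((t for t in tests if t.weight < 0), key=lambda t: t.weight)
    b = w = 0          # saved place in each list, so either side can resume
    weight = 0
    ran: List[str] = []
    while True:
        if weight < threshold:
            # Black side. Stop when every remaining black test firing
            # still could not lift the weight to the threshold.
            if weight + sum(t.weight for t in black[b:]) < threshold:
                break
            test, b = black[b], b + 1
        else:
            # White side. Stop when every remaining white test firing
            # still could not pull the weight back under the threshold.
            if weight + sum(t.weight for t in white[w:]) >= threshold:
                break
            test, w = white[w], w + 1
        ran.append(test.name)
        if test.fires(msg):
            weight += test.weight
    return weight >= threshold, weight, ran


def evaluate_all(msg: Dict, tests: List[WeightedTest],
                 threshold: int) -> Tuple[bool, int]:
    """Reference: run every test, as a non-adaptive filter would."""
    weight = sum(t.weight for t in tests if t.fires(msg))
    return weight >= threshold, weight


def trips(name: str) -> Callable[[Dict], bool]:
    # Constructed stand-in for a real test: fires if the message lists it.
    return lambda msg: name in msg["trips"]


# Constructed test set and threshold (not Declude defaults).
TESTS = [WeightedTest(n, wt, trips(n)) for n, wt in [
    ("SNIFFER", 10), ("RBL_A", 7), ("RBL_B", 5), ("BADHEADERS", 3),
    ("NOABUSE", 1), ("WHITE_SENDER", -8), ("KNOWN_LIST", -4)]]
THRESHOLD = 10

if __name__ == "__main__":
    for label, fired in [("spam", {"SNIFFER", "RBL_A", "RBL_B"}),
                         ("list mail", {"SNIFFER", "BADHEADERS", "KNOWN_LIST"}),
                         ("clean", set())]:
        action, weight, ran = evaluate({"trips": fired}, TESTS, THRESHOLD)
        print(f"{label:10} action={action} weight={weight} ran={ran}")
```

The returned weight is the partial sum at the point the result became determinate, so it can differ from the full score even though the action decision is the same.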


RE: [Declude.JunkMail] whitelist and mult rcpt

2003-05-30 Thread Madscientist
The whitelist entry could be any suitable address... some whitelist
postmaster, others might whitelist sales@ or info@ in order not to miss
potential new clients... Ours is not to ask why, but to create tools
that make sense to those who use them. ;-)

_M

>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
>Sent: Thursday, May 29, 2003 12:04 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [Declude.JunkMail] whitelist and mult rcpt
>
>
>Why would you white list the postmaster anyway, only 1 of 
>about 1000 emails to my postmaster account is legitimate. Same 
>for abuse.
>
>
>Madscientist wrote:
>>Most valid messages to postmaster, for example, only have postmaster as
>>the recipient.
>
>
>Whenever I notify a domain of a poorly configured server or a
>server in spam databases, I send the message to abuse,
>postmaster, domain billing, and domain admin email addresses.
>I find I mostly get responses from the domain billing email address.
>
>
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Karen Oland
>> Sent: Thursday, May 29, 2003 6:49 AM
>> To: [EMAIL PROTECTED]
>> Subject: RE: [Declude.JunkMail] whitelist and mult rcpt
>>
>>
>> YES. This would solve the problem we are having (although not perhaps
>> everyone's problems ).  None of these messages were only to the
>> postmaster.  They all came either with two names in the TO line or
>> with a CC that included the postmaster.
>>
>> Karen
>>
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] Behalf Of Madscientist
>> > Sent: Thursday, May 29, 2003 8:49 AM
>> > To: [EMAIL PROTECTED]
>> > Subject: RE: [Declude.JunkMail] whitelist and mult rcpt
>> >
>> >
>> > In the interim, a less complex method might be to have a setting
>> > which will ignore a white list entry for an address if more than one
>> > recipient is specified. This might take the form of a special kind
>> > of whitelist entry. Most valid messages to postmaster, for example,
>> > only have postmaster as the recipient. I know this would be less
>> > complicated than splitting up the messages.
>> >
>> > I wonder if there is a clean way to intercept message retrieval or
>> > final delivery (better) with a program like a "second pass" of 
>> > Declude or another utility like Message Sniffer. I'm not close 
>> > enough to the guts of IMail to know if this is practical, but it 
>> > might significantly simplify this problem.
>> >
>> > Any ideas Scott?
>> >
>> > _M
>> >
>> > ]-Original Message-
>> > ]From: [EMAIL PROTECTED]
>> > ][mailto:[EMAIL PROTECTED] Behalf Of Karen Oland
>> > ]Sent: Thursday, May 29, 2003 12:57 AM
>> > ]To: [EMAIL PROTECTED]
>> > ]Subject: [Declude.JunkMail] whitelist and mult rcpt
>> > ]
>> > ]
>> > ]We've been getting a lot of spam in the last week or so that
>> > ]bypasses all our spam filters -- they are all copied to the
>> > ]postmaster@ account for our domain.  Apparently, they are taking
>> > ]advantage of the common practice of whitelisting the postmaster and
>> > ]the inability of spam filtering programs to separate actions on
>> > ]messages sent to multiple users.  No doubt, it won't be long before
>> > ]most messages do the same, rendering both your postmaster account
>> > ]and spam filters useless.
>> > ]
>> > ]I know it has been asked for before and said to be "impossible"
>> > ](programmer speak, for don't want to do it -- I know, being one),
>> > ]but PLEASE consider creating multiple copies of messages that arrive
>> > ]for multiple recipients, so that the spam filters can operate (yes,
>> > ]this means some complications, but a little trickery could reduce
>> > ]problems -- for example, only making a copy for the recipient(s)
>> > ]that are whitelisted).

RE: [Declude.JunkMail] whitelist and mult rcpt

2003-05-29 Thread Madscientist
In the interim, a less complex method might be to have a setting which
will ignore a white list entry for an address if more than one recipient
is specified. This might take the form of a special kind of whitelist
entry. Most valid messages to postmaster, for example, only have
postmaster as the recipient. I know this would be less complicated than
splitting up the messages.

I wonder if there is a clean way to intercept message retrieval or final
delivery (better) with a program like a "second pass" of Declude or
another utility like Message Sniffer. I'm not close enough to the guts
of IMail to know if this is practical, but it might significantly
simplify this problem.

Any ideas Scott?

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Karen Oland
]Sent: Thursday, May 29, 2003 12:57 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] whitelist and mult rcpt
]
]
]We've been getting a lot of spam in the last week or so that
]bypasses all
]our spam filters -- they are all copied to the postmaster@
]account for our
]domain.  Apparently, they are taking advantage of the common
]practice of
]whitelisting the postmaster and the inability of spam
]filtering programs to
]separate actions on messages sent to multiple users.  No
]doubt, it won't be
]long before most messages do the same, rendering both your postmaster
]account and spam filters useless.
]
]I know it has been asked for before and said to be
]"impossible" (programmer
]speak, for don't want to do it -- I know, being one), but
]PLEASE consider
]creating multiple copies of messages that arrive for multiple
]recipients, so
]that the spam filters can operate (yes, this means some
]complications, but a
]little trickery could reduce problems -- for example, only
]making a copy for
]the recipient(s) that are whitelisted).


RE: [Declude.JunkMail] Wishlist reminder... :-)

2003-05-27 Thread Madscientist
You may not always want to do this.
Some apps learn from white-list entries so if you were to prevent them
running when a message was white-listed you would prevent some of that
function. In many cases it might be ok, but not all to be sure.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
]Sent: Tuesday, May 27, 2003 8:41 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Wishlist reminder... :-)
]
]
]Scott, with talk recently of optimization and efficiency, and
]where certain
]tests should be conducted to save on CPU cycles.  I was
]thinking that one
]way to gain efficiency would be to NOT run Declude and third-party apps
](SpamChk, AlliGate/SpamManager, Sniffer, etc.) on whitelisted
]e-mails (virus
]scan only).  This would not only greatly reduce CPU
]requirements, but also
]greatly cut down on log file sizes for Declude and third-party apps.
]
]Secondly, what about spam filtering messages before virus
]scanning, and if
]the message accrues a weight high enough to be deleted, then
]delete and do
]NOT virus scan the message.  However, if it meets hold or
]deliver weights,
]then virus scan the message before final handling.
]
]Any thoughts on when or if this either of these notions will be
]entertained...(please, please, and pretty please)?  ;-)
]
]As always, thanks for a great product!
]
]Bill


RE: [Declude.JunkMail] Obfuscated Addresses

2003-04-06 Thread Madscientist
Be careful about this...
Be sure that if you create a black rule for this kind of thing that you
capture the href=" part as well or else you will have quite a few false
positives - generally from subscribed lists published by larger bulk
houses. URL Encoded web links (partially encoded or fully encoded) are
common in the extended portions of image and other links in these kinds
of messages - probably as tracking measures. This was our experience
anyhow...

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Sunday, April 06, 2003 1:54 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Obfuscated Addresses
]
]
]For those you who track obfuscation techniques:
]
]Besides
]http://%
]
]be sure to add a test for
]http://w%77w.
]
]in case the actual address starts with http://www.
]
]
]Dan
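The false-positive point in the message above, shown as an added Python example (not a Message Sniffer or Declude rule): the two strings from the thread are matched once anywhere in the body and once anchored to `href="`, and a third check generalises the idea by parsing each href and looking for percent-escapes in the host part only. The sample bodies are constructed and use reserved example domains.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# The two strings from the thread, matched anywhere in the raw message.
LOOSE = re.compile(r"http://(?:%|w%77w\.)", re.IGNORECASE)
# The same strings, but only where they open an href value.
ANCHORED = re.compile(r"""href\s*=\s*["']?\s*http://(?:%|w%77w\.)""",
                      re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collect the href attribute value of every tag."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value.strip())


def encoded_host_hrefs(html: str) -> List[str]:
    """Generalised check: any percent-escape in the host part of an href."""
    collector = HrefCollector()
    collector.feed(html)
    collector.close()
    return [h for h in collector.hrefs if "%" in urlsplit(h).netloc]


def scan(html: str) -> Dict[str, bool]:
    """Report which of the three checks trip on one message body."""
    return {
        "loose": bool(LOOSE.search(html)),
        "anchored": bool(ANCHORED.search(html)),
        "encoded_host": bool(encoded_host_hrefs(html)),
    }


# Constructed message bodies.
SAMPLES = {
    "obfuscated_www": '<a href="http://w%77w.example.com/offer">Click</a>',
    "obfuscated_host": '<A HREF="http://%77%77%77.example.net/">Click</A>',
    "obfuscated_mid": '<a href="http://ww%77.example.com/">Click</a>',
    # Tracking link from a bulk house: the encoded URL sits in the query
    # string and in an image src, not at the start of the href.
    "bulk_newsletter": (
        '<a href="http://click.example.org/r?to=http://%6Eews.example.org/a">'
        'Read</a>'
        '<img src="http://img.example.org/o.gif?u=http://w%77w.example.org/">'
    ),
    "plain": '<a href="http://www.example.org/">Home</a>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} {scan(body)}")
```

Only the unanchored pattern trips on the newsletter sample, which is the false positive described in the message; the host-only check also covers a partially encoded host that neither fixed string matches.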


RE: [Declude.JunkMail] override MaxQueProc - new thread

2003-04-04 Thread Madscientist
| If you keep the MaxQueProc setting at 30, but there was also a way to
| tell Declude to wait until 20 processes were being used, then when the
| 21st E-mail arrived, Declude would just move it to the overflow
| directory, so you would end up with virtually the same results as if
| the MaxQueProc setting were at 20.

Scott,

I think a useful feature to develop for Declude would be a "delay-new"
feature. Declude would keep a scratch file of IP addresses/networks from
which messages have been previously received. If a message arrives from
a new source, Declude would use the overflow mechanism described above
(something similar anyway) to move the message aside for some period -
perhaps a few hours or even a day.

After the delay period, the messages from the new source would begin to
be scanned and delivered normally. This would give adaptive filtering
systems and ip4 test databases time to "catch up" with new spam.

As a result, messages that are from known sources would be processed
normally, and new spam from new sources would be filtered more
effectively because all of the filtering systems would have had time to
see and adjust to the new spam.

Is this something on your wish list? (Not sure, I thought I mentioned it
once before...)

Thanks,
_M
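A sketch of the "delay-new" idea proposed above, as an added Python example (it is not a Declude feature or Declude code). The class name, the /24 IPv4 grouping, the four-hour delay and the in-memory dictionary standing in for the scratch file are all assumptions made for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple


class DelayNew:
    """Hold mail from sources not seen before until a delay has passed."""

    def __init__(self, delay_seconds: int, prefix_len: int = 24) -> None:
        self.delay = delay_seconds
        self.prefix_len = prefix_len               # IPv4 network granularity
        self.first_seen: Dict[str, float] = {}     # stands in for the scratch file
        self.held: List[Tuple[float, str]] = []    # (release time, message id)

    def network(self, ip: str) -> str:
        """Map a source address to the network it is tracked under."""
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def learn(self, ip: str, when: float) -> None:
        """Record a source already known from earlier traffic."""
        net = self.network(ip)
        self.first_seen[net] = min(when, self.first_seen.get(net, when))

    def receive(self, ip: str, message_id: str, now: float) -> str:
        """Return "scan" for a known source, "hold" for one still in its delay."""
        release = self.first_seen.setdefault(self.network(ip), now) + self.delay
        if now >= release:
            return "scan"
        # Every message from the new source is set aside, not only the first,
        # so filters and IP lists have the whole delay to catch up.
        self.held.append((release, message_id))
        return "hold"

    def release_due(self, now: float) -> List[str]:
        """Hand back held messages whose delay has expired, in arrival order."""
        due = [m for release, m in self.held if release <= now]
        self.held = [(r, m) for r, m in self.held if r > now]
        return due


def demo() -> List[str]:
    hour = 3600
    t0 = 1_000_000.0                        # constructed clock value
    d = DelayNew(delay_seconds=4 * hour)
    d.learn("192.0.2.10", t0 - 24 * hour)   # source first seen a day earlier
    log = [
        d.receive("192.0.2.77", "m1", t0),            # same /24 as a known source
        d.receive("198.51.100.5", "m2", t0),          # new source
        d.receive("198.51.100.9", "m3", t0 + hour),   # same new network, still held
    ]
    log.append(",".join(d.release_due(t0 + hour)))      # nothing due yet
    log.append(",".join(d.release_due(t0 + 4 * hour)))  # both released for scanning
    log.append(d.receive("198.51.100.5", "m4", t0 + 4 * hour))
    return log


if __name__ == "__main__":
    print(demo())
```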



RE: [Declude.JunkMail] Is there a content test available yet?

2003-04-02 Thread Madscientist

If you wish to have a large number of filters then you may want to look
at Message Sniffer. In addition to the standard rule base you can add a
nearly arbitrary number of additional filter rules of your own. Message
Sniffer's pattern matching engine is capable of applying 1+ pattern
rules to each email message with very little additional system load
(P800 Win NT avg time 40-260ms avg message size from 1K-32K w/ average
system loads).

You can see typical system load statistics (based on actual log data) at
the following url.

http://www.sortmonster.com/MessageSniffer/Performance/CurrentFlowRates.jsp

_M

Pete McNeil (Madscientist)
Chief SortMonster

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
| Sent: Wednesday, April 02, 2003 5:24 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Is there a content test available yet?
|
|
| The test is called "filter".  In most cases, you should not notice the
| extra load.  However, if you have a large number of filters, it is
| possible that you could see performance degradation.
| -Scott
| 
| At 05:07 PM 4/2/2003, Harry Vanderzand wrote:
| >Thank you
| >
| >What test is it and does it put a lot more load on the system?
| >
| >Harry Vanderzand
| >inTown Internet & Computer Services
| >11 Belmont Ave. W.
| >Kitchener, ON
| >N2M 1L2
| >
| >
| >
| > > -Original Message-
| > > From: [EMAIL PROTECTED]
| > > [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
| > > Sent: Wednesday, April 02, 2003 4:50 PM
| > > To: [EMAIL PROTECTED]
| > > Subject: Re: [Declude.JunkMail] Is there a content test available yet?
| > >
| > >
| > >
| > > >Is there a test that can mark an item as spam based on a string match
| > > >in the message.
| > > >
| > > >There is some spam that repeatedly comes from different hotmail
| > > >addresses but the message is identical.  A content spam would allow
| > > >me to get rid of it
| > >
| > > Yes -- with Declude JunkMail Pro, you can set up a filter, that will
| > > let you check various parts of the E-mail (such as the body) for
| > > specific content.
| > > -Scott


RE: [Declude.JunkMail] Message Sniffer Demo Updated.

2003-03-28 Thread Madscientist
Apologies for the confusion. (O/T)

This is an artifact of having dragged the file onto my windows desktop
from a mapped FTP folder. The FTP server is running Linux and Windows
has a habit of misreading the date/time on those files when mapped this
way. The odd year is harmless.

When I access the file via Samba (Windows Networking) from the same
server the date reads 3/28/2003 as it should.

Thanks for the heads up.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of Grant Griffith
| Sent: Friday, March 28, 2003 4:23 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Message Sniffer Demo Updated.
|
|
| Why is the file dated 3/28/2002???  I am talking about the
| sniffer2.snf file in the zip...
| 
| Sincerely,
| Grant Griffith, Vice President
| EI8HT LEGS Web Management Co., Inc.
| http://www.getafreewebsite.com
| 877-483-3393
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] Behalf Of Madscientist
| Sent: Friday, March 28, 2003 3:36 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Message Sniffer Demo Updated.
| 
| 
| For those of you who are evaluating Message Sniffer, the rule base for
| the evaluation version has been updated. You can get the newest
| distribution on our Try-It page at the following URL:
| 
| http://www.sortmonster.com/MessageSniffer/Try-It.html
|
| If you have already downloaded the distribution for testing with Declude
| you will only need to replace your sniffer2.snf file so that you are
| evaluating with the most current rule base file.
|
| Hope this helps,
| _M
|
| Pete McNeil (Madscientist)
| President, MicroNeil Research Corporation
| Chief SortMonster, www.SortMonster.com
| VOX: 703-406-2016
| FAX: 703-406-2017



[Declude.JunkMail] Message Sniffer Demo Updated.

2003-03-28 Thread Madscientist
For those of you who are evaluating Message Sniffer, the rule base for
the evaluation version has been updated. You can get the newest
distribution on our Try-It page at the following URL:

http://www.sortmonster.com/MessageSniffer/Try-It.html

If you have already downloaded the distribution for testing with Declude
you will only need to replace your sniffer2.snf file so that you are
evaluating with the most current rule base file.

Hope this helps,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster, www.SortMonster.com
VOX: 703-406-2016
FAX: 703-406-2017



RE: [Declude.JunkMail] Not Failing the comments test

2003-03-26 Thread Madscientist
The Message Sniffer rule for this is also being adjusted/broadened.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
]Sent: Wednesday, March 26, 2003 9:09 AM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Not Failing the comments test
]
]
]
]>I assume this didn't fail the comments test because it is actually not
]>formatted like a true html comment 

RE: [Declude.JunkMail] Interesting test results

2003-03-25 Thread Madscientist
| What we are doing is to track the 2000 (user configurable) most recent
| spammer IP addresses. The list is maintained as an MRU style list
| (sorted with the most recent at the top). If incoming messages reach a
| user defined score, the IP address of the spammer is added to the list.



| Here is what we found. After about 3 weeks of data collection, only
| about 1 in 400 incoming spams is identified by a DNS lookup, and NOT on
| the list of the 2000 most recent spammers. Also, of all the spams we
| receive on all accounts, about 43% are on the recent spammer list,
| meaning that almost half of the spams we receive are from senders that
| have spammed us before.



This is one of the capabilities we're building into Message Sniffer v3.
Our testing has shown similar results, however there are some
complexities with these tests particularly where "gray" sources are
found. As a result our implementation will resolve the IP address &
other "network centric" tests first as "features" of the message. These
features then become part of the input stream for the bayesian hinting
engine.

(It should be noted that the "bayesian hinting engine" is really more a
blend of fuzzy logic, neural networks, and naive Bayesian learning
techniques... it's just easier to use the current buzz-word to describe
it...)

So far our simulations indicate some profound accuracy improvements when
"new" spam arrives, and surprisingly also when non-spam from "gray"
senders arrives. The early analysis indicates that the learning engine
is picking up second and third order patterns associated with these
message features... This has the effect of "gating" the effect of some
heuristics which are ambiguous under other circumstances so that they
only count when they can be accurate.

It seems obvious that as a weighted test, the top "n" most used IPs are
a good bet - similarly a suggestion for research would be to apply a
logarithmic scale to the MRU list position and use that as a weight...
This scheme can be particularly useful if the list is dynamically scaled
because the relative weights of different list positions can be
maintained as the number of entries on the list changes... This is a
similar mechanism to our "Rule Strength" analysis which is used to gate
out rules that are currently inactive. (See
http://www.sortmonster.com/MessageSniffer/Performance/CurrentRuleStrength.jsp)

Another important factor we have found for these kinds of tests is that
there tends to be a periodicity to message rates from some networks...
the result of this is that in a linear MRU paradigm some networks will
appear and disappear from the list resulting in "late blocking" on the
same period. That is, a batch of unwanted content will come through and
cause the IP to go to the top of the list, but then the flow falls off
and the IP is dropped. Next time unwanted content comes in from that IP
it is let through the filter for a time because the IP is not on the
list... shortly it will be blocked again but during that "build up time"
a significant amount of the content might be delivered.

A counter to this "pulsing" effect is to develop an increasing
"persistence" to the more highly listed IPs so that they tend to stay on
the list through the "down" period. Another important balance for
persistence however is to reduce its effects based on any ambiguous or
false positive hits... in fact it turns out that this "persistence
reduction" should have a persistence of its own so that periodic
false-positive indications can be suppressed when there is mixed content
from the source.

Note that periodicity, gating, and persistence mechanisms are useful on
many heuristics - not just IP based tests.

I hope these thoughts spark some new ones that prove helpful...

:-)

_M
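
The MRU list, logarithmic position weight and persistence discussed in the message above, as an added example that is not code from the post, Declude or Message Sniffer. The class and method names, the TTL formula (base lifetime stretched by log2 of the hit count) and the halving on a false-positive report are assumptions chosen for illustration; the IP addresses are constructed documentation addresses.

```python
import math
from dataclasses import dataclass


@dataclass
class Source:
    last_seen: float    # time of the most recent spam hit from this IP
    hits: float = 1.0   # persistence counter: grows on spam, shrinks on ham


class RecentSpamSources:
    """Recent-spammer IP list with log-scaled weights and persistence."""

    def __init__(self, capacity=2000, base_ttl=3600.0, max_weight=10.0):
        self.capacity = capacity
        self.base_ttl = base_ttl      # lifetime of a one-hit entry, in seconds
        self.max_weight = max_weight  # weight given to the top list position
        self.sources = {}             # ip -> Source

    def _expiry(self, src):
        # Assumed persistence rule: frequent offenders stay listed longer,
        # so a periodic sender is still listed when its next batch arrives.
        return src.last_seen + self.base_ttl * (1.0 + math.log2(max(src.hits, 1.0)))

    def purge(self, now):
        for ip in [ip for ip, s in self.sources.items() if self._expiry(s) <= now]:
            del self.sources[ip]

    def report_spam(self, ip, now):
        """Call when a message from `ip` reaches the spam score threshold."""
        self.purge(now)
        src = self.sources.get(ip)
        if src is None:
            self.sources[ip] = Source(last_seen=now)
        else:
            src.last_seen = now
            src.hits += 1.0
        if len(self.sources) > self.capacity:
            # Evict the entry that would expire first, not simply the oldest.
            victim = min(self.sources, key=lambda k: self._expiry(self.sources[k]))
            del self.sources[victim]

    def report_ham(self, ip):
        """Persistence reduction for ambiguous or false-positive sources."""
        src = self.sources.get(ip)
        if src is None:
            return
        src.hits /= 2.0
        if src.hits < 0.5:
            del self.sources[ip]

    def position(self, ip):
        """0 is the most recently seen source."""
        mine = self.sources[ip].last_seen
        return sum(1 for s in self.sources.values() if s.last_seen > mine)

    def weight(self, ip, now):
        """Weight to add to a message from `ip`; 0.0 if the IP is not listed."""
        self.purge(now)
        src = self.sources.get(ip)
        if src is None:
            return 0.0
        n = len(self.sources)
        # Log scale relative to the current list size, so the relative
        # weights of list positions hold as the list grows or shrinks.
        scale = 1.0 - math.log(1 + self.position(ip)) / math.log(1 + n)
        return self.max_weight * scale * min(1.0, src.hits)


if __name__ == "__main__":
    mru = RecentSpamSources()
    for t in range(8):                        # constructed burst from one IP
        mru.report_spam("192.0.2.10", float(t))
    mru.report_spam("198.51.100.5", 10.0)     # constructed single hit
    for when in (20.0, 7200.0):
        print(when, {ip: round(mru.weight(ip, when), 2)
                     for ip in ("192.0.2.10", "198.51.100.5")})
```

Two hours after the burst the one-hit source has aged out, while the eight-hit source is still listed and would be weighted on its next batch rather than being let through during a build-up period.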



RE: [Declude.JunkMail] Good ISP?

2003-03-11 Thread Madscientist
Hmmm... just noticed that savvis.net was in the bottom of that list. (I
know it's odd replying to myself - did it to keep the thread...)

I have first hand experience with their zero tolerance policy. I'd be
curious to understand the source of that listing.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of Madscientist
| Sent: Tuesday, March 11, 2003 3:18 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Good ISP?
| 
| 
| Recommend switching to Savvis/Bridge. They have been our primary for
| years and they are awesome.
| 
| hth,
| _M
| 



RE: [Declude.JunkMail] Good ISP?

2003-03-11 Thread Madscientist
Recommend switching to Savvis/Bridge. They have been our primary for
years and they are awesome.

hth,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
| Sent: Tuesday, March 11, 2003 2:19 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Good ISP?
| 
| 
| I've decided, for moral and blacklist avoiding reasons to switch from
| XO, an ISP now friendly to spammers.  Are there many "good" ISP left
| that I can switch to?  Below are all the ISPs I've confirmed
| professional spammers being hosted on with dedicated IPs.  Multiple
| entries indicate multiple spammers.  Below that is Spam Haus' list.
| My apologies for mass mailing so much content, but I think it is
| valuable to the cause.  Please cut off the lists if replying:
| 
| Thanks!
| Dan
| 

RE: [Declude.JunkMail] A Question of Ethics

2003-02-26 Thread Madscientist
1. We are providing the data as a necessary service - the decisions about
how that data is applied are out of our hands. I would hope that they would
be used in an enlightened way, and in our shop we do that - however the
discretion and the definition of "enlightened" is up to the ultimate "owner"
(see 2) of those facilities.

2. In corporate and similar environments, the facilities provided to
employees are entirely under the domain of the owners (==> those paying the
bills) and therefore they are entitled to monitor anything about those
facilities and how they are used.

My $0.02

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED] Behalf Of Dan Patnode
]Sent: Wednesday, February 26, 2003 7:20 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] A Question of Ethics
]
]
]I realize this is two questions in one day, but it's a slow list day, so:
]
]Rather than deleting spam, I forward it tagged or to a shared
]mailbox, client's choice.  I just found out that within a week of
]starting my anti spam service (delivery choice 2), a company
]fired an employee for receiving tons of porn via email.  They also
]have web monitoring in place so this was the last piece to their
]puzzle, but...
]
]How does everyone feel about our role playing Big Brother against
]employees?
]
]
]Dan
]
]


[Declude.JunkMail] A new feature idea.

2003-02-18 Thread Madscientist
Scott,

One of the protocols we're developing for SortMonster includes a waiting
period for messages from untrusted/unknown servers. The idea is that if the
message or its source are producing malware or other unwanted content then
a delay would give detection systems and filters a chance to adapt.

It seems like it might be possible for Declude to implement a tool like this
without a huge effort. Please correct me if I'm wrong.

The protocol is simple.

Maintain a hash table of previous mail sources.
When a message arrives which is not in the table, move it to a delayed
processing queue.
After a user defined period of time (from a few hours to a few days) the
messages in the delayed processing queue are processed as if they had just
been received.

In theory, messages from a spammer moving to a new domain, ip, or routing
would be delayed by this protocol. By the time their messages were processed
the ip4dns lists, content filters, and other tests would have adapted to
their new configuration so their message would be blocked. Any legitimate
content would be untouched with the exception of a delay on the first
message.

Sources for messages that do get blocked for any reason are removed from the
"known/trusted" list so that their content continues to be delayed. A more
sophisticated implementation would adjust the delay based on the
circumstances.

This protocol is intended to adapt to spammers' increasing practice of
rapidly moving to new domains in order to take advantage of the delay in
ip4dns list detection.

Is this something that would be desired/possible/practical for Declude to
implement?

Thanks,
_M

Pete Mcneil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
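
The waiting-period protocol proposed in the message above, as an added example that is not code from the post, Declude or SortMonster. The class name, the `scan` callback (standing in for whatever tests run at processing time), keying sources by IP address and the four-hour delay are assumptions; the addresses and messages are constructed.

```python
import heapq
from itertools import count


class DelayedIntake:
    """Hold mail from unknown sources for `delay` seconds before scanning it."""

    def __init__(self, scan, delay=4 * 3600.0):
        self.scan = scan      # callable(source, message) -> True means block
        self.delay = delay    # user defined waiting period, in seconds
        self.known = set()    # hash table of sources whose mail passed before
        self._queue = []      # heap of (release_time, seq, source, message)
        self._seq = count()   # tie-breaker keeps arrival order on equal times

    def receive(self, source, message, now):
        """Process mail from known sources at once; park everything else."""
        if source in self.known:
            return self._process(source, message)
        heapq.heappush(self._queue,
                       (now + self.delay, next(self._seq), source, message))
        return "delayed"

    def release_due(self, now):
        """Process parked messages whose waiting period has elapsed."""
        results = []
        while self._queue and self._queue[0][0] <= now:
            _, _, source, message = heapq.heappop(self._queue)
            results.append((source, self._process(source, message)))
        return results

    def _process(self, source, message):
        # Scanning happens now, with whatever the lists and filters have
        # learned during the wait, as if the message had just been received.
        if self.scan(source, message):
            self.known.discard(source)   # blocked sources lose trusted status
            return "blocked"
        self.known.add(source)
        return "delivered"


def run_constructed_scenario():
    """Replay a constructed timeline; returns a list of (time, event) pairs."""
    blocklist = set()                    # stands in for an ip4dns-style list
    intake = DelayedIntake(lambda src, msg: src in blocklist, delay=4 * 3600.0)
    log = []

    # t=0: a spammer on a fresh IP and a legitimate first-time sender.
    log.append((0, intake.receive("203.0.113.7", "constructed spam", 0)))
    log.append((0, intake.receive("198.51.100.20", "constructed report", 0)))

    # t=1h: the blocklist catches up with the new spam source.
    blocklist.add("203.0.113.7")

    # t=4h: both messages are released and scanned with current data.
    log.append((14400, intake.release_due(14400)))

    # t=5h: the legitimate sender is now known, so there is no delay.
    log.append((18000, intake.receive("198.51.100.20", "follow-up", 18000)))

    # Later the known source gets blocked once, so it is delayed again.
    blocklist.add("198.51.100.20")
    log.append((20000, intake.receive("198.51.100.20", "bad batch", 20000)))
    blocklist.discard("198.51.100.20")
    log.append((21000, intake.receive("198.51.100.20", "next message", 21000)))
    return log


if __name__ == "__main__":
    for when, event in run_constructed_scenario():
        print(when, event)
```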




RE: [Declude.JunkMail] Message Sniffer Information

2003-02-17 Thread Madscientist
In IMail/Declude, the IMail system has the message in a file. Declude
launches Message Sniffer as an external test. Message Sniffer reads the
file and returns an evaluation to Declude. Declude then integrates the
result of Message Sniffer with all of the other tests to produce a
result based on your policy.

I guess this is "you come to the message and scan it"...

In *nix systems under Postfix, the other scenario is true... that is,
the message is provided to Message Sniffer, scanned, and then optionally
sent back into the system.

Hope this helps,
_M

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED]]On Behalf Of Keith Johnson
Sent: Monday, February 17, 2003 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Message Sniffer Information

Thank you for the info and link.  From a transmission standpoint, when
the sniffer test is called, does it send you the message, you scan it,
and then report back.  Or do you come to the message and scan it and
then report back.  Thank you again, for your time.

Keith Johnson

-Original Message-
From: Madscientist [mailto:[EMAIL PROTECTED]]
Sent: Mon 2/17/2003 9:18 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.JunkMail] Message Sniffer Information

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Keith Johnson
]Sent: Monday, February 17, 2003 9:01 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Message Sniffer Information
]
]
]I wanted to gain some advice on using message sniffer.  It seems
](from forum comments) to be an awesome product.   Is the
]message sniffer database of known spammers kept up on their end and
]the test within declude checks it?  Is the test quick per 10,000
]emails?  Thanks for the info.

We maintain the database continuously and provide multiple updates per
day.

Typical scan times for Message Sniffer are ~140ms per message. Some
systems/messages are much faster, some are a bit slower. (Ranges between
30ms and 300ms depending on CPU speed and message size).

You can view live statistics on message flow rates at:

http://www.sortmonster.com/MessageSniffer/Performance/CurrentFlowRates.jsp

Strictly speaking the database is not for known spammers as much as it
is for known spam patterns, domains, behaviors, etc...

Hope this helps,
_M

RE: [Declude.JunkMail] Message Sniffer Information

2003-02-17 Thread Madscientist
]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Keith Johnson
]Sent: Monday, February 17, 2003 9:01 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Message Sniffer Information
]
]
]I wanted to gain some advice on using message sniffer.  It seems 
](from forum comments) to be an awesome product.   Is the 
]message sniffer database of known spammers kept up on their end and 
]the test within declude checks it?  Is the test quick per 10,000 
]emails?  Thanks for the info.

We maintain the database continuously and provide multiple updates per day.

Typical scan times for Message Sniffer are ~140ms per message. Some systems/messages 
are much faster, some are a bit slower. (Ranges between 30ms and 300ms depending on 
CPU speed and message size).

You can view live statistics on message flow rates at:

http://www.sortmonster.com/MessageSniffer/Performance/CurrentFlowRates.jsp

Strictly speaking the database is not for known spammers as much as it is for known 
spam patterns, domains, behaviors, etc...

Hope this helps,

_M






RE: [Declude.JunkMail] how much is junk?

2003-02-14 Thread Madscientist
The average spam/ham ratio for reported logs in Message Sniffer is
70%-75%. That is, 70%-75% of messages on average are spam. This is a
small sample (about 20 systems on average) but it has been a very
consistent range.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of paul
| Sent: Thursday, February 13, 2003 2:37 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] how much is junk?
| 
| 
| Ok guys, what do you see in ratio of junk vs good mail per day? Do you
| get more junk than legit? Here I notice we're killing more than 50% of
| incoming mail. Average messages processed per day range from 13K to
| 23K. Using the log analyzer I found that January we processed 615,082
| messages, and 53% we deleted by Declude, that's a lot!
| 
| Granted, near daily updates to my kill file and filters help boost the
| number.
| 
| Paul
| 
| 



RE: [Declude.JunkMail] Whitelist Question

2003-02-10 Thread Madscientist
I've been thinking about this for a while.
Scott... how hard would it be for Declude to split the message when
faced with a conflict like this.

Specifically, if a message fails at the global level, but a domain has
it whitelisted then a copy of the message is created that removes the
other recipients - so that the message can be delivered to the one
domain where it is desired.

Similarly, if blocked at the domain level and if a single user has the
message white listed then a copy of the message would be created with
the single user as the addressee so that they can receive the message.

I would think that the conflict would be easy to detect, that a new copy
of the message could be created in queue with the appropriate
address(es), and that the original to, cc, & bcc headers could be
aliased with a special x- header.

This is an analog of a feature on our development list for the
sortmonster mail engine, but I'll bet you could implement it in
IMail/Declude without much trouble.

Am I wrong?
_M
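
The message-splitting idea described above, as an added example that is not code from Declude, IMail or the SortMonster mail engine. The function name, the `X-Original-*` header names and the way whitelist matches are passed in (as sets of recipient domains and recipient addresses that whitelist this message) are assumptions; the addresses are constructed.

```python
import copy
from email.message import EmailMessage

ADDRESS_HEADERS = ("To", "Cc", "Bcc")


def split_for_whitelists(msg, recipients, blocked,
                         whitelisted_domains=(), whitelisted_users=()):
    """Return (message_to_deliver, recipients_to_deliver_to).

    msg                 parsed message (left unmodified)
    recipients          envelope recipients on this server
    blocked             True if the message failed the shared tests
    whitelisted_domains recipient domains whose whitelist matches the message
    whitelisted_users   recipient addresses whose whitelist matches it
    """
    if not blocked:
        return msg, list(recipients)          # no conflict, deliver as-is

    domains = {d.lower() for d in whitelisted_domains}
    users = {u.lower() for u in whitelisted_users}
    keep = [r for r in recipients
            if r.lower() in users or r.lower().rpartition("@")[2] in domains]
    if not keep:
        return None, []                       # blocked for every recipient

    # Conflict: build a copy addressed only to the recipients who want it,
    # so the whitelist no longer carries the message to everyone else.
    split = copy.deepcopy(msg)
    for name in ADDRESS_HEADERS:
        values = msg.get_all(name, [])
        del split[name]
        if values:
            # Preserve the original addressing under an X- alias.
            split["X-Original-" + name] = ", ".join(str(v) for v in values)
    split["To"] = ", ".join(keep)
    return split, keep


def constructed_message():
    """A constructed message addressed to two domains on the same server."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "alice@a.example, bob@b.example"
    msg["Cc"] = "carol@b.example"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    return msg


if __name__ == "__main__":
    rcpts = ["alice@a.example", "bob@b.example", "carol@b.example"]
    out, kept = split_for_whitelists(constructed_message(), rcpts, blocked=True,
                                     whitelisted_domains={"a.example"},
                                     whitelisted_users={"carol@b.example"})
    print(kept)
    print(out)
```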

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Monday, February 10, 2003 1:43 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Whitelist Question
| 
| 
| 
| >I have some customers that wish to not have their email scanned for
| >spam.  I started off whitelisting them, but this presents two problems:
| >
| >1.  Some spam gets through to others because of their whitelist.  Ex.
| >Someone sends spam to [EMAIL PROTECTED], but in the CC, there's
| >[EMAIL PROTECTED]  [EMAIL PROTECTED] is whitelisted, so the mail gets
| >delivered to me with a weight of 0 (whitelisted).
| >
| >2.  You can only have 200 whitelist entries.
| >
| >Now, creating a per-user config for the user, and setting all actions to
| >warn, would that not effectively disable spam filtering?
| 
| A per-user config would likely be the best option in this case.  The
| problem is that E-mail with Cc:'s or Bcc:'s must be handled the same for
| each recipient -- so whatever happens for one recipient will happen for
| the others.  With whitelisting (which takes priority over everything
| else), it would cause the spam to get through to the other recipients.
| However, by setting up a per-user configuration that doesn't take any
| action on E-mail, the E-mail with multiple recipients will still get
| filtered.  The E-mail with multiple recipients is essentially "shared"
| (the sender *knows* that), so you need to decide how the recipients
| share it (whether to whitelist it, or block it).
|  -Scott
| 



RE: [Declude.JunkMail] Dealing with Nasty Spams

2003-02-08 Thread Madscientist
We added rules to Message Sniffer for this message based on the misspelled
phrases and the domain in the link.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Aaron
]Moreau-Cook
]Sent: Saturday, February 08, 2003 1:38 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Dealing with Nasty Spams
]
]
]Declude List,
]
]First, let me apologize for the vulgarity of the e-mail I have attached
]below.
]
]Second, has anyone found an effective way to deal with this type of spam?
]This e-mail apparently was under our HOLD limit of 10, so it was forwarded
]onto our client (concealed for his protection). I could add the words below
]to our word filter, but it seems every day we get a new variation of words
]coming through (slutts, sluuts, s!uts, slut5, etc.).
]
]Thanks in advance
]
]
]-Original Message-
]From: Eric Raymonds [mailto:[EMAIL PROTECTED]]
]Sent: Monday, January 06, 2003 9:33 PM
]To: [EMAIL PROTECTED]
]Subject: Enormous diicks riping tight poosies apart
]
]Large penls breaking tight cuunts apart
]
]http://boulealeanu.hardgiants.info/
]
]



RE: [Declude.JunkMail] copy all inbound/outbound mail

2003-02-07 Thread Madscientist
You could write a pseudotest for Declude which would handle archiving
all messages fitting a particular profile - or all of them. The utility
would "see" everything and would be integrated just like any other
external test. We've experimented with a few knowledge base training
systems like this using Message Sniffer to categorize the content with a
special rule base. For your purposes I'll bet something simpler could
work great - perhaps even a simple script.

Just a thought,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Dan 
| Spangenberg
| Sent: Friday, February 07, 2003 5:26 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] copy all inbound/outbound mail
| 
| 
| I know this has been discussed somewhere, either here or in the imail
| list, but I can't seem to find it.
| How can I copy all inbound and outbound email for a specific user or
| users and then possibly for a complete domain?  For incoming mail, I
| know to use the ., in the forward field in imail user admin, but not
| sure how to accomplish it for outgoing. And not sure how to do it for
| an entire domain.
| 
| Our need is to monitor a couple of specific imail users, and secondly
| we are considering archiving all email for a domain.
| 
| Is there anything in declude to help me with this?
| 
| Thanks
| Dan Spangenberg
| 



RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released

2003-02-04 Thread Madscientist
That's quoted printable stuff.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Tuesday, February 04, 2003 10:14 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
| 
| 
| Hi;
| This Comments filter is already working great.  It is catching the trick
| quite nicely.  Great job..
| 
| Any plan to also add the variation of this trick -- simply:
| 
| =2Ecom=2F
| http=3A=2F=2F
| 
| Or the likes?  These tricks are now causing our URL filters not to be as
| effective.
| 
| Regards,
| Kami
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, February 04, 2003 10:00 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Declude JunkMail v1.67 (beta) released
| 
| 
| 
| > > The test is defined in the global.cfg file as follows:
| > >
| > >COMMENTS  comments  5  x  10  0
| > >
| > > where the "5" means that 5 such comments have to be encountered (the
| > > 10 is the weight that will be added for E-mail that fails the test).
| > > Alternatively, you can use:
| > >
| > >COMMENTS  comments  weight  x  10  0
| >
| >OK, I must not be thinking correctly.
| >
| >I understand the first example but I'm confused on the second example.
| >If I wanted to add 5 for every comment line found in a message, and the
| >weight of the test is 10, wouldn't I put the number 5 where the word
| >weight is, thereby making the two comment lines identical?
| 
| The formula for the weight that is added to the E-mail is:  b + n, where
| "b" is the base weight of the test (10 in both examples above), and "b"
| is either 0 (in the first example) or the number of anti-filtering
| comments that are found.
| 
| There isn't an option for a multiplier (so that an E-mail with 20
| comments would get a weight of 100 and an E-mail with 40 comments would
| get a weight of 200).  So you can't add 5 for every comment.
|  -Scott
| 



RE: [Declude.JunkMail] Message Sniffer holding all mail

2003-01-28 Thread Madscientist
| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Smart Business Lists
| Sent: Tuesday, January 28, 2003 2:36 PM
| To: Bill Newberg
| Subject: Re: [Declude.JunkMail] Message Sniffer holding all mail



| well, that's the error that indicates you are not authorized.
| just  glancing at the web try "xnk05x5vmipeaof7" instead of the zeroes
| and see if that fixes it.  But it should be the string that was in the
| distribution you downloaded.
| 
| usually MadScientist replies pretty quickly on these things.



| Terry Fritts
| 

Sorry I missed the flurry of activity - I was working on rule updates and
false positive adjustments - completely heads-down. 

Just to clear things up, you are on the right track. Version 1 did not
pay attention to the authentication string. From version 2 and for now
on the authentication string matches only one specific license - so it
matters very much.

The current demo version is actually a valid license for sniffer2 that
doesn't receive updates as frequently as registered licenses. It has a
specific authentication string... 000 won't work. The reason it
doesn't fail messages in this case is that ERROR_RULE_AUTH is a "fail
safe" error... Since the wrong authentication code was used, Message
Sniffer gave up and passed all messages rather than causing a problem.

For details on error messages and configuration please see:

http://www.sortmonster.com/MessageSniffer/TechnicalDetails.html

The Readme files in the sniffer2 distribution contain the correct
authentication string for the demo. You should cut and paste to avoid
typing errors.

If anyone has problems configuring Message Sniffer please send a note to
[EMAIL PROTECTED] We monitor the Declude list as much as possible
but not always as a top priority.

Sorry about the confusion.

THANKS!
_M




RE: [Declude.JunkMail] Declude in PCMag

2003-01-24 Thread Madscientist
No price increase here :-)
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Heath
| Sent: Friday, January 24, 2003 4:52 PM
| To: Madscientist
| Subject: [Declude.JunkMail] Declude in PCMag
| 
| 
| Congratulations, Scott. Declude is mentioned in PCMag,
| latest February 25th Issue, page 95. Sniffer is also in
| the same listing. Suppose we'll see price increases now.
| 
| 
| 
| --
| Roger Heath
| [EMAIL PROTECTED]
| www.rleeheath.com
| 
| --
| ActivatorMail(tm) ver.122102 Scanned for all viruses by 
| www.activatormail.com intelligent anti-virus anti-spam service
| 



RE: [Declude.JunkMail] [Declude.Virus] Mozilla email client

2003-01-24 Thread Madscientist
The next phase of Message Sniffer development includes a compound
Bayesian hinting algorithm to help modulate the black/white rule set.
Since Message Sniffer works with Declude that's one way this technology
will find its way into the mix.

Scott's got a good point though - Bayesian filtering (as it has been
implemented) tends to work well at very specific tasks... That is, you
might get it to learn your specific email preferences accurately - but
once you get to the server level where there are many people involved
the accuracy drops significantly due to the diversity of the message
content and the difficulties in obtaining training data... this is why
we will be implementing a structured differentiation approach.

One direct application that might work for Declude... If you can solve
the training problem you might use a Naive Bayesian chain rule to
combine the results of the Declude tests... Specifically Declude could
maintain a table of rule firings (including white & black lists, white &
black word lists etc) and collect a statistical product on the
combinations of rules that fire.

Then it could interpret that data as a new test which adds or subtracts
a weight given the Bayesian probability of that combination of tests
being spam.

For example, the Bayesian Product test would "learn" that a specific
combination of rule firings has a high probability of being spam on a
given system, while another combination of test firings has a lower or
negative probability (given some threshold). 

Additional "hinting" can be provided by using the external list tests
to match for patterns that may be specific to that system - or shared
between the group.

As Declude integrates a greater number of tests its simple weighting
scheme will become less effective and difficult to tune - a Bayesian
approach to combining the test results might bridge the gap.

-- just a thought,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, January 23, 2003 3:29 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] [Declude.Virus] Mozilla email client
| 
| 
| 
| >I read about this Bayesian filtering/scanning at some other forum as
| >well. Is this something that Declude Junkmail does right now or will do
| >in the (near) future? Would be nice if it were a feature of the scanner
| >on the server instead of changing all mail client software? ;-)
| 
| There was a very similar feature (the "heuristics" test), but it proved to
| be too unreliable when it came to mailing list E-mail.
| 
| Although in theory the Bayes Theory should work very well in detecting
| spam, it does not in reality (for very technical reasons).  Using the Bayes
| Theory for spam testing relies on a number of assumptions that don't hold
| true -- it's kind of like saying if Sports Team X wins 2 of the first 3
| games they play, they have a 66% chance of winning the next game.  With the
| right assumptions, this could be accurate or close to it, but otherwise it
| just isn't accurate.
| -Scott
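
The combination step proposed in the message above, sketched as an added example that is not part of the original post and is not Declude or Message Sniffer code. It reads "Naive Bayesian chain rule" as per-test firing rates combined in log-odds; the test labels, training counts and the mapping from probability to weight are all constructed assumptions.

```python
import math
from collections import Counter

# Hypothetical test labels standing in for whatever tests a system runs.
TESTS = ["RBL", "NOABUSE", "NOPOSTMASTER", "SNIFFER", "WHITEWORD"]


class FiringCombiner:
    """Learns how often each test fires on spam and on legitimate mail."""

    def __init__(self, tests):
        self.tests = list(tests)
        self.messages = {"spam": 0, "ham": 0}
        self.fired = {"spam": Counter(), "ham": Counter()}

    def train(self, fired_tests, is_spam, count=1):
        """Record `count` messages on which exactly `fired_tests` fired."""
        label = "spam" if is_spam else "ham"
        self.messages[label] += count
        for test in set(fired_tests) & set(self.tests):
            self.fired[label][test] += count

    def p_fire(self, test, label):
        # Laplace smoothing keeps never-seen events away from 0 and 1.
        return (self.fired[label][test] + 1) / (self.messages[label] + 2)

    def spam_probability(self, fired_tests):
        """P(spam | which tests fired and which did not), naive Bayes."""
        fired_tests = set(fired_tests)
        log_odds = math.log(
            (self.messages["spam"] + 1) / (self.messages["ham"] + 1)
        )
        for test in self.tests:
            p_spam = self.p_fire(test, "spam")
            p_ham = self.p_fire(test, "ham")
            if test in fired_tests:
                log_odds += math.log(p_spam / p_ham)
            else:
                # A test staying silent is evidence too.
                log_odds += math.log((1 - p_spam) / (1 - p_ham))
        return 1 / (1 + math.exp(-log_odds))

    def weight(self, fired_tests, max_weight=10):
        """Map the probability onto a weight in [-max_weight, +max_weight]."""
        p = self.spam_probability(fired_tests)
        return round((2 * p - 1) * max_weight)


def build_demo():
    """Train on constructed counts: 100 spam and 100 legitimate messages."""
    c = FiringCombiner(TESTS)
    c.train(["RBL", "NOABUSE", "NOPOSTMASTER", "SNIFFER"], True, 40)
    c.train(["RBL", "SNIFFER"], True, 30)
    c.train(["NOABUSE", "NOPOSTMASTER", "SNIFFER"], True, 20)
    c.train(["RBL"], True, 10)
    # Legitimate webmail that fails the postmaster and abuse tests.
    c.train(["NOABUSE", "NOPOSTMASTER"], False, 30)
    c.train(["RBL", "NOABUSE", "NOPOSTMASTER"], False, 10)
    c.train([], False, 50)
    c.train(["WHITEWORD"], False, 10)
    return c


if __name__ == "__main__":
    demo = build_demo()
    for combo in (["NOABUSE", "NOPOSTMASTER"],
                  ["RBL", "NOABUSE", "NOPOSTMASTER"],
                  ["NOABUSE", "NOPOSTMASTER", "SNIFFER"]):
        print(combo, round(demo.spam_probability(combo), 3), demo.weight(combo))
```

Because NOABUSE and NOPOSTMASTER tend to fire together in this data, the independence assumption counts that evidence twice, which is the kind of assumption the quoted reply says does not hold in practice.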
| 
| 



RE: [Declude.JunkMail] More & more

2003-01-16 Thread Madscientist
]Something that we are also considering is a test that checks for more than
]X HTML comments in an E-mail (preferably just counting ones in the middle
]of words, such as "unsubscribe", rather than "to 
]unsubscribe", as the former prevents filtering whereas the latter
]does not).

Based on our research this should be a very good test.

In fact Message Sniffer rule #18545 is the 11th strongest rule in the
system! (That's just one slot out of the top 10).

Testing for html comments with non whitespace on each side is key. Testing
the number of html comments in general DOES NOT work. Much html email is
generated automatically these days with many comments emitted for debugging
purposes etc.

_M
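
The distinction drawn above, between counting every HTML comment and counting only comments that split a word, as an added example that is not part of the original post and is not Message Sniffer's rule 18545. It assumes "breaking text" means a letter or digit directly on both sides of the comment; the sample bodies and the threshold of 5 are constructed.

```python
import re

# A run of one or more back-to-back HTML comments, treated as one unit so that
# "un<!--a--><!--b-->subscribe" still counts as comments inside a word.
COMMENT_RUN = re.compile(r"(?:<!--.*?-->)+", re.DOTALL)
SINGLE_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def comment_counts(html):
    """Return (total, word_breaking) HTML comment counts for a message body."""
    total = 0
    word_breaking = 0
    for run in COMMENT_RUN.finditer(html):
        n = len(SINGLE_COMMENT.findall(run.group(0)))
        total += n
        # Characters just outside the run; empty at either end of the body.
        before = html[run.start() - 1] if run.start() > 0 else ""
        after = html[run.end()] if run.end() < len(html) else ""
        # Assumption: "breaking text" means a letter or digit on both sides.
        if before.isalnum() and after.isalnum():
            word_breaking += n
    return total, word_breaking


def fails_comment_test(html, threshold=5):
    """True when at least `threshold` comments sit inside words.

    The default of 5 is a hypothetical cutoff chosen for this example.
    """
    return comment_counts(html)[1] >= threshold


# Constructed sample: comments inserted in the middle of words.
OBFUSCATED = (
    "Pre<!--k3-->vent Prema<!--zz-->ture Ag<!--1-->ing and "
    "Dis<!--q--><!--r-->ease. Build Lea<!--p-->ner Muscle Mass"
)

# Constructed sample: machine-generated HTML with many debugging comments,
# none of which touches a word on both sides.
GENERATED = (
    "<!-- generated by mailer -->\n"
    "<table><!-- row 1 --><tr><td>Weekly news</td></tr>\n"
    "<!-- row 2 --><tr><td>To <!-- link --> unsubscribe, reply.</td></tr>"
    "</table><!-- end -->\n"
    "<!-- debug: t=12 -->\n"
    "<!-- footer -->"
)

if __name__ == "__main__":
    for name, body in (("obfuscated", OBFUSCATED), ("generated", GENERATED)):
        total, breaking = comment_counts(body)
        print(name, "total:", total, "word-breaking:", breaking,
              "fails:", fails_comment_test(body))
```

The generated sample carries more comments than the obfuscated one, so a test on the raw comment count would flag the wrong message.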






RE: [Declude.JunkMail] More & more

2003-01-16 Thread Madscientist
Message Sniffer detects this.

Rule 18545: Multiple HTML Comments breaking text
White Rule 16120: From MicroNeil

Running this post through our false processor yielded the attached log.

_M

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
  Sent: Thursday, January 16, 2003 4:58 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] More & more

  Hi;

  There has to be something that can be done about detecting this...

  ==
  Prevent Premature Aging and Disease
  Build Leaner Muscle Mass
  Reduce Body Fat and Stress
  Increase Energy Levels and Sexual Stamina
  ==

  This is becoming almost a regular occurrence and more & more spammers are
  doing this.  As if a software is recently introduced that does this and now
  everyone is buying it.

  No longer filters can work on this except if we start filters that are set
  for every UserID in the system with the html comment brackets around it.

  Regards,
  Kami

snf2beta20030116123023  tmp1A34.tmp 391 130 White   16120   0   306 374 56
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263135556
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263137356
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263139156
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263141056
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263142856
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263144456
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263146356
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263147756
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263149656
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263151856
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263153456
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263155656
snf2beta20030116123023  tmp1A34.tmp 391 130 Match   18545   63  1263157456
snf2beta20030116123023  tmp1A34.tmp 391 130 Final   16120   0   306 374 56



RE: [Declude.JunkMail] Mimeserver

2003-01-10 Thread Madscientist
Something related (perhaps) that I've just seen. Recently there are an
increasing number of X- headers being added... These frequently are
placed between the Mime Encoding header and the start of the message
body.

Could this be causing the trouble with some implementations?

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sanford Whiteman
| Sent: Friday, January 10, 2003 3:09 PM
| To: John Ecker @ The Park Net
| Subject: Re: [Declude.JunkMail] Mimeserver
| 
| 
| > The software apparently quarantines them as "undetermined" due to
| > malformed headers.
| 
| What headers are malformed? Could you post a sample header of a
| quarantined message? Have you controlled for MUA errors?
| 
| As I'm sure you know, Scott does not create bad MIME, and adding
| additional X-headers is legitimate practice, so it's going to be hard
| to prove that it's something Declude is doing.
| 
| -Sandy
| 



RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...

2003-01-09 Thread Madscientist
Agreed here - we've been working on various white-rules for these
domains and each attempt has failed due to the amount of actual spam
sourced from these servers.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, January 09, 2003 11:54 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
| 
| 
| I'd stay away from IP's because they can change all of the 
| time. But the problem still is that actual spam comes from those IP's.
| 
| > -Original Message-
| > From: [EMAIL PROTECTED]
| > [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Markus Gufler
| > Sent: Thursday, January 09, 2003 11:48 AM
| > To: [EMAIL PROTECTED]
| > Subject: RE: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
| > 
| > 
| > I'm not sure if I'm right with this:
| > Should it be possible to determine a list of IP-ranges from
| > the real outgoing smtp-servers of these popular domains, then
| > Declude probably can add a new test if this mail (using a
| > popular from domain) comes from one of these ip-ranges.
| > 
| > Even if these ip-ranges are very wide (Class C or B) a lot of
| > spamming servers forging the recipients address should be caught.
| > 
| > Markus
| > 
| > 
| > 
| > 
| > > -Original Message-
| > > From: [EMAIL PROTECTED]
| > > [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Mark Smith
| > > Sent: Thursday, January 09, 2003 5:32 PM
| > > To: [EMAIL PROTECTED]
| > > Subject: [Declude.JunkMail] Hotmail, Yahoo, MSN, etc...
| > > 
| > > 
| > > What is everyone doing about Hotmail, Yahoo, Juno and other 
| > > web-based mail systems? It's really a catch-22. Hotmail is so 
| > > frequently listed on RBL's and is a large source of spam but it's 
| > > also a large source of legitimate email.
| > > 
| > > They all seem to fail postmaster and abuse so they're already at 6-8
| > > points on most peoples Junkmail. You can't whitelist them, and the
| > > RBL's usually send them over the edge.
| > > 
| > > I use Sniffer so I've thought about adding a rule for hotmail, 
| > > yahoo, etc to subtract the sum of postmaster and abuse and let 
| > > message sniffer do some magic on these sites.
| > > 
| > > Thoughts?
| > > 



RE: [Declude.JunkMail] External test question

2003-01-05 Thread Madscientist
Everybody's system is different of course.
I only offer those statistics as additional data.
You might consider that since conditions change over time, and in particular
spam rates for any given system tend to rise over time, you should be
prepared for higher rates in the future.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Markus Gufler
]Sent: Sunday, January 05, 2003 8:32 AM
]To: [EMAIL PROTECTED]
]Subject: RE: [Declude.JunkMail] External test question
]
]
]Hi Madscientist,
]
]As I can understand we have a different situation here.
]I have no statistics about this but after weeks of research in smtp-
]declude- and spamchk-logfiles I'm 100% sure that we will never reach
]such a value.
]
]Assuming that with our current settings (declude + blacklists + spamchk)
]we're catching only 50% of all spams, (I'm sure the real value is
]appreciably higher) you can simply double the values in the
]ratio-diagram of our spam-report. Then we have a max value of 60%
]during weekends and 20% during workdays.
]
]Markus
]
]
]
]> -Original Message-
]> From: [EMAIL PROTECTED]
]> [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
]> Sent: Sunday, January 05, 2003 1:38 AM
]> To: [EMAIL PROTECTED]
]> Subject: RE: [Declude.JunkMail] External test question
]>
]>
]> According to recently collected Message Sniffer logs, on
]> average more than 70% of incoming email is spam. We have an
]> extremely low reported false positive rate.
]>
]> _M
]>
]> ]-Original Message-
]> ]From: [EMAIL PROTECTED]
]> ][mailto:[EMAIL PROTECTED]]On Behalf Of
]> Smart Business ]Lists
]> ]Sent: Saturday, January 04, 2003 4:40 PM
]> ]To: Markus Gufler
]> ]Subject: Re: [Declude.JunkMail] External test question
]> ]
]> ]
]> ]Saturday, January 4, 2003 you wrote:
]> ]MG> A.) With "identified as spam" you mean they reached the hold value?
]> ]MG> B.) With 2430 processed msgs you mean inbound + outbound?
]> ]MG> In this case 39% is a very high value if you've not some spammers
]> ]MG> as client that create outgoing spam.
]> ]
]> ]39% is about what we saw a year ago.  Some days we're as high as 80%
]> ]held.  Our False Positives are usually under 4% of held.  We manually
]> ]inspect.
]> ]
]> ]Our stats for last 7 days (incoming only)
]> ](both messages and spam have been down since 12/24 -
]> ]I guess everyone has taken a bit of a vacation)
]> ]
]> ]Date        Fp   Fp%   Held  Total  Held%
]> ]==========  ==  =====  ====  =====  ======
]> ]12/28/2002   5  0.94%   534    841  63.50%
]> ]12/29/2002   6  1.39%   432    755  57.22%
]> ]12/30/2002  13  2.23%   583  1,474  39.55%
]> ]12/31/2002  10  1.74%   575  1,393  41.28%
]> ]01/01/2003   7  1.59%   441    796  55.40%
]> ]01/02/2003  25  4.10%   610  1,546  39.46%
]> ]01/03/2003  16  3.02%   530  1,492  35.52%
]> ]
]> ]
]> ]Terry Fritts
]> ]



RE: [Declude.JunkMail] External test question

2003-01-04 Thread Madscientist
According to recently collected Message Sniffer logs, on average more than
70% of incoming email is spam. We have an extremely low reported false
positive rate.

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Smart Business
]Lists
]Sent: Saturday, January 04, 2003 4:40 PM
]To: Markus Gufler
]Subject: Re: [Declude.JunkMail] External test question
]
]
]Saturday, January 4, 2003 you wrote:
]MG> A.) With "identified as spam" you mean they reached the hold value?
]MG> B.) With 2430 processed msgs you mean inbound + outbound?
]MG> In this case 39% is a very high value if you've not some spammers
]MG> as client that create outgoing spam.
]
]39% is about what we saw a year ago.  Some days we're as high as 80%
]held.  Our False Positives are usually under 4% of held.  We manually
]inspect.
]
]Our stats for last 7 days (incoming only)
](both messages and spam have been down since 12/24 -
]I guess everyone has taken a bit of a vacation)
]
]Date        Fp   Fp%   Held  Total  Held%
]==========  ==  =====  ====  =====  ======
]12/28/2002   5  0.94%   534    841  63.50%
]12/29/2002   6  1.39%   432    755  57.22%
]12/30/2002  13  2.23%   583  1,474  39.55%
]12/31/2002  10  1.74%   575  1,393  41.28%
]01/01/2003   7  1.59%   441    796  55.40%
]01/02/2003  25  4.10%   610  1,546  39.46%
]01/03/2003  16  3.02%   530  1,492  35.52%
]
]
]Terry Fritts
]



RE: [Declude.JunkMail] any ideas?

2002-12-24 Thread Madscientist
You might try .nifty-fun-pages.com
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of paul
| Sent: Tuesday, December 24, 2002 10:01 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] any ideas?
| 
| 
| Hey gang,
| First, Merry Christmas, or Happy Holidays, take your pick.
| 
| First:
| One thing that really ticks me off is entries like this:
| @mail46.nifty-fun-pages.com
| @mail212.nifty-fun-pages.com
| @mail125.nifty-fun-pages.com
| 
| Now I could list each of these in my kill file, but if 
| they use mail1 - mail1999 that list would get pretty long.
| I have .nifty-fun-pages.com in my FROMLIST file, but I 
| don't weight any ONE test to delete, and each of these uses a 
| different IP address.
| 
| So the question:
| What's the best approach to kill this crap? My idea was 
| to create a Declude filter that IS set to delete if it fails, 
| and put .nifty-fun-pages.com in it. That would work, but does 
| anyone else do anything differently?
| 
| Paul
| 
| 



RE: [Declude.JunkMail] Wild card filters?

2002-12-23 Thread Madscientist
The Message Sniffer rule base already has a number of patterns like
these (I recognize kara) based on common address patterns that are being
used in spam - these seem to be very effective and are not likely to
cause false positive (none reported so far). We've also begun adding
patterns to near-random domains used by many heavy spam houses.

Between that and the ability to customize the rules for each system we
should be able to help a lot. You should give the free demo a try and
see how much it helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Monday, December 23, 2002 1:45 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wild card filters?
| 
| 
| 
| >Our domain got hit over several days with different e-mails from
| >addresses like
| >kara_311_smith61cj8
| >[EMAIL PROTECTED],
| >or some variant like
| >[EMAIL PROTECTED]
| >
| >these addresses are from the Xdeclude sender field in the headers.  Is
| >there a way (or will there be) a way to add an address like this to a
| >black list in the format kara*@hotmail.com so all variants of this will
| >be caught?  I understand that a legitimate user may have a hotmail
| >address that begins with kara, but I'm willing to chance that.  I can't
| >think of any other way to stop these - the body of the e-mail didn't
| >have anything I could really filter on.
| 
| No, there isn't any way to do that, as it would require special processing
| (rather than exact string matches).  There have been a number of requests
| for enhanced filters (such as the ability to use wildcards or regexp), so
| it is possible that a future release would allow for that.
| -Scott




RE: [Declude.JunkMail] Help

2002-12-19 Thread Madscientist
There was a bad rule in the system that was blocking his email to us. We
called him immediately when we saw these notes on the declude list and
have solved the problem. The rule is now blocked so that this can't
happen again.

We will be posting "Panic" procedures on our site to solve the contact
problem in future.

In case anyone does need to get our phone number you can find it on the
MicroNeil web site at www.microneil.com. We will also be posting it in
the panic procedures on the SortMonster site.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief Sortmonster (www.sortmonster.com)
VOX: 703-406-2016
FAX: 703-406-2017

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, December 19, 2002 3:04 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Help
| 
| 
| 
| >Does ANYBODY have a number on this list for SortMonster..I have a major
| >problem and have been emailing them all week with NO response...If I
| >don't get to some one there soon I will be doing a charge back for the
| >$300 they charged me for their software...their support is nothing
| >compared to Declude's ( which is the best I have ever seen)..
| >
| >Sorry if this is inappropriate on this list but I am desperate
| 
| FWIW, their support is very good from what I have seen.  Have you checked
| your log file to make sure that the E-mail is actually getting to them, and
| that their responses aren't getting deleted?  We occasionally have problems
| with our customers where either the E-mail doesn't make it to us, or E-mail
| being sent in response gets deleted (typically due to an IMail filter).
|  -Scott
| 



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
Another good way to differentiate the encoded characters is to trap on
encoding characters that _should_ be normal ascii letters or numbers. In
theory, the only characters that should be encoded would be outside this
range so it's a good bet that encoding normal characters is an
obfuscation attempt.

This will definitely need to be a weighted test though.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, December 19, 2002 1:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
| 
| >The problem is searching for http://%@% where % is the wildcard. I
| >don't think this is possible with the current filters.
| 
| No, that wouldn't be possible with the current filters (although the IMail
| filters might handle it).
| 
| We will likely add two tests; one that looks for encoded characters within
| the domain of a URL (IE it would catch "http://www.declud%65.com" but not
| "http://www.declude.com/sp%61m"), and another that looks for an "@" within
| the URL.
-Scott
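
The checks discussed in this message (escapes that encode ordinary letters or digits, escapes inside the domain, and an "@" in the URL), combined into one weighted test as an added example that is not part of the original posts and is not Declude or Message Sniffer code. The weights, names and sample body are constructed assumptions, and the "@" check is narrowed here to the part of the URL before the first "/", "?" or "#".

```python
import re

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# Hypothetical weights: no single finding is treated as proof of spam.
WEIGHTS = {"ENCODED_HOST": 8, "AT_IN_URL": 6, "ENCODED_ALNUM": 3}


def split_authority(url):
    """Split a URL into (authority, rest) without decoding anything."""
    after_scheme = url.split("://", 1)[1]
    m = re.search(r"[/?#]", after_scheme)
    if m is None:
        return after_scheme, ""
    return after_scheme[:m.start()], after_scheme[m.start():]


def needless_escapes(text):
    """List %XX escapes that decode to a plain ASCII letter or digit."""
    found = []
    for hex_pair in ESCAPE_RE.findall(text):
        ch = chr(int(hex_pair, 16))
        if ch.isascii() and ch.isalnum():
            found.append("%" + hex_pair + "=" + ch)
    return found


def check_url(url):
    """Return the names of the checks this URL trips."""
    authority, rest = split_authority(url)
    hits = []
    if ESCAPE_RE.search(authority):
        hits.append("ENCODED_HOST")      # any escape inside the domain
    if "@" in authority:
        hits.append("AT_IN_URL")         # text before "@" is not the host
    if needless_escapes(rest):
        hits.append("ENCODED_ALNUM")     # e.g. %61 where "a" would do
    return hits


def score_message(body):
    """Return (total weight, {url: [checks tripped]}) for a message body."""
    total = 0
    findings = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        hits = check_url(url)
        if hits:
            findings[url] = hits
            total += sum(WEIGHTS[h] for h in hits)
    return total, findings


# Constructed body. The first two URLs are the ones quoted in the thread;
# the rest use reserved example names and a documentation address.
SAMPLE_BODY = """
<a href="http://www.declud%65.com">one</a>
<a href="http://www.declude.com/sp%61m">two</a>
<a href="http://www.example.com@192.0.2.10/offer">three</a>
Archive: http://lists.example.org/archive?from=user%40example.org
<a href="http://www.example.org/news/index.html">four</a>
"""

if __name__ == "__main__":
    total, findings = score_message(SAMPLE_BODY)
    print("weight:", total)
    for url, hits in findings.items():
        print(url, hits)
```

The archive link with `%40` is left alone because an encoded "@" is not a letter or digit.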




RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
I might add to this thread that it is fairly common to see Yahoo
Redirects in spam content these days. There are many forms... We also
see redirects through excite, msn, and some unsuspecting corporate sites
- usually referenced by IP.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of John 
| Tolmachoff
| Sent: Thursday, December 19, 2002 12:57 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
| > This is a trick to make the user think that they're going to a link on
| > yahoo. Actually this is redirecting them to IP address:
| > 
| > 0xD5.0xEF.0x8F.0x9A
| > 
| > or 213.239.143.154 and then encode the path.
| 
| Or even worse, it could be coded to access other parts of your computer,
| such as Code Red virus.
| 
| John Tolmachoff MCSE, CSSA
| IT Manager, Network Engineer
| RelianceSoft, Inc.
| Fullerton, CA  92835
| www.reliancesoft.com
| 
| 
| 
| 



RE: [Declude.JunkMail] Hex Code URL's...

2002-12-19 Thread Madscientist
We've done some research on this and experimented with some rules.
More rule templates are coming, but as it turns out - filtering this is
harder than you might expect - depending upon your system's
requirements. Many supposedly legitimate mail/news systems encode large
segments of URLs or even entire urls after some processing root in order
to track user activity. Many of our first attempts to filter based on
this kind of encoding have since been rejected due to false positive
requests.

One such rule even blocked messages from the IMail list due to an
encoded %40 in the tag line.

One trick that seems to reduce the false positive rate is to define the
root of the URL carefully and to ensure that the pattern match is at the
root of the URL... so, for example, look for the href=" or href= at the
top of the url to avoid the kind of legitimate encoding that might come
later.

Hope this helps,
_M

PS: We do have a number of rules coding for patterns like this and they
are very successful - not as successful as we thought they would be, but
still pretty good!

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
| Sent: Thursday, December 19, 2002 12:32 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Hex Code URL's...
| 
| 
| This is a trick to make the user think that they're going to 
| a link on yahoo. Actually this is redirecting them to IP address:
| 
| 0xD5.0xEF.0x8F.0x9A 
| 
| or 213.239.143.154 and then encode the path.
| 
| I can't see any reason to do this.
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Thursday, December 19, 2002 12:29 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Hex Code URL's...
| 
| 
| Hi;
| I am seeing more and more URL's that are encoded, like:
| 
http:[EMAIL PROTECTED]/%72%65%64%6C%69%67%68%74%65%6D%
61%69%6C%2F%69%6D%61%67%65%73%2F%30%

I am yet to see anyone with a legitimate eMail use such an approach for
sending their links.

Is there a legitimate reason to do this?

It seems like this could be an easy test to have in JM for the body.  It
is almost like a 100% guarantee that if used this is a spam..

Regards,
Kami




RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-04 Thread Madscientist
Scott should back me up or correct me on this. I think that you can
configure multiple test lines using Message Sniffer where each line looks
for a specific return value instead of nonzero. Something like the
following...

SNIFFERSPAM external 63 
SNIFFERSCUM external 62 

Note the 63 and 62 take the place of nonzero...

I think there is also an optimization in there that ensures Message Sniffer
is called only once if the same command line is used and that the result
code from the single call will be evaluated against the external test
lines...

I think that's right... It's been a while since I visited with Scott on
this.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Mike Nice
]Sent: Wednesday, December 04, 2002 7:49 PM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Filtering E-Greetings
]
]
]How can we catch symbol 62 differently?  V2 is configured as 'nonzero',
]meaning that all return codes other than zero are logged and treated alike
]by Declude.
]
]- Original Message -
]From: "Madscientist" <[EMAIL PROTECTED]>
]Subject: RE: [Declude.JunkMail] Filtering E-Greetings
]
]
]> Sniffer version 2 is out now. Scumware rules have a special symbol 62.
]> You could look for that specific result code and treat it specially.
]



RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-04 Thread Madscientist
Message Sniffer Version 2 has been officially released.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sheldon Koehler
| Sent: Wednesday, December 04, 2002 7:01 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| > Sniffer version 2 is out now. Scumware rules have a special symbol 62.
| > You could look for that specific result code and treat it specially.
| > Currently all other spam rules are coded to the "generic" group with a
| > symbol of 63.
| 
| Is this still in beta? I will have to take a closer look at 
| it tomorrow then. This is what I have been patiently waiting for!
| 
| Sheldon
| 
| 
| Sheldon Koehler, Owner/Partner    http://www.tenforward.com
| Ten Forward Communications        360-457-9023
| Nationwide access, neighborhood support!
| 
| "Whenever you find yourself on the side of the majority, it's 
| time to pause and reflect." Mark Twain
| 
| 
| 



RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-04 Thread Madscientist
Sniffer version 2 is out now. Scumware rules have a special symbol 62.
You could look for that specific result code and treat it specially.

Currently all other spam rules are coded to the "generic" group with a
symbol of 63.

That should make it simpler.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sheldon Koehler
| Sent: Wednesday, December 04, 2002 5:51 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| Since we have to use Sniffer as a weighted test and these are 
| only failing the Sniffer test, how can I safely block these greetings?
| 
| We have too high of a volume to hold email as it would take a 
| full time staff person to just search the rejects, so we are 
| forced to delete.
| 
| 
| Sheldon
| 
| 
| Sheldon Koehler, Owner/Partner    http://www.tenforward.com
| Ten Forward Communications        360-457-9023
| Nationwide access, neighborhood support!
| 
| "Whenever you find yourself on the side of the majority, it's 
| time to pause and reflect." Mark Twain
| 
| 
| 
| - Original Message -----
| From: "Madscientist" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Tuesday, December 03, 2002 2:25 PM
| Subject: RE: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| > Junkmail with Message Sniffer will also handle it.
| >
| > All of these and more are included in the Message Sniffer "Scumware
| > Greetings" rule group (Symbol 62). We are still looking for a reliable
| > source for additional domains as they arise.
| >
| > This was an experimental group but we have had no false positive 
| > reports on these rules so it looks like it will stay in place.
| >
| > _M
| >
| 



RE: [Declude.JunkMail] Filtering E-Greetings

2002-12-03 Thread Madscientist
Junkmail with Message Sniffer will also handle it.

All of these and more are included in the Message Sniffer "Scumware
Greetings" rule group (Symbol 62). We are still looking for a reliable
source for additional domains as they arise.

This was an experimental group but we have had no false positive reports
on these rules so it looks like it will stay in place.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Star
| Sent: Tuesday, December 03, 2002 5:10 PM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering E-Greetings
| 
| 
| You need junkmail pro to filter E-Greetings.  If you have a 
| firewall with http proxy, then block
| 
|  www.friendgreetings.com
|  www.friendgreetings.net
|  www.cool-downloads.net
|  www.cool-downloads.com
|  www.friend-greetings.com
|  www.friend-greetings.net
|  www.friend-cards.net
|  www.friend-greeting.com
|  www.friend-greeting.net
|  www.friend-card.com
|  www.friend-card.net
|  www.friend-cards.com
| 
| Also, desktop av (most) detects E-Greetings as a virus.
| 
|   -- Dan
| 
| 
| Cris Porter wrote:
| 
| > Get JunkMail, then add Sniffer and let them
| > do the filtering for you. My time spent filtering
| > has dropped off dramatically since installing it.
| >
| > Cris Porter
| > JVC America
| >
| > -Original Message-
| > From: [EMAIL PROTECTED]
| > [mailto:[EMAIL PROTECTED]]On Behalf Of David 
| > Delbridge
| > Sent: Tuesday, December 03, 2002 12:01 PM
| > To: [EMAIL PROTECTED]
| > Subject: [Declude.JunkMail] Filtering E-Greetings
| >
| > Hi all,
| >
| > What's the best approach for filtering the e-greetings scumware?  I 
| > run both Declude Virus and JunkMail, and from what I've read in the 
| > forum archives, JunkMail is the tool to use.
| >
| > The options discussed so far don't appear to be conclusive.  Filtering
| > by phrase in the body will catch legit mail.  Filtering by e-greeting
| > domains will require frequent updates, and there is no authoritative
| > source for such a list.
| >
| > What to do?
| >
| > Any advice is greatly appreciated.
| >
| > Dave



Re: [Declude.JunkMail] Free or Freedom

2002-11-29 Thread Madscientist
Suggestion: Is it possible to provide a special wildcard character that
matches whitespace and punctuation?

_M

On Fri, 2002-11-29 at 08:23, R. Scott Perry wrote:
> 
> >Can we filter on the word FREE and not hit FREEDOM, or filter SEX and
> >not SEXTET.
> 
> The question is *what* do you want to filter on?
> 
> If you just want to filter on " FREE ", you won't catch "This is FREE!", 
> for example.
> 
> >I know this has been talked about before but I can't recall if any
> >changes are made?
> 
> Not yet.  We are planning on changing it so you can include whitespace in 
> filters, but note that you would still have to decide what to add (" FREE 
> ", " FREE,", " FREE!", ...).  That's just one of the inherent difficulties 
> with filters.
>  -Scott
> 



RE: [Declude.JunkMail] "Greeting" Card EULA Abusers

2002-11-27 Thread Madscientist
Message Sniffer now has a new experimental rule group "Scumware
Greetings" that contains all of the domains mentioned in the following
message. The new rulesets for this have been published. Version 2 users
will see symbol 62 for this group.

If anybody has a reliable source for the growing list we'd love to know
about it.

Thanks!

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
| Sent: Monday, November 25, 2002 4:40 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] "Greeting" Card EULA Abusers
| 
| 
| 
| In "More Scumware-By-EULA" ( 
| http://www.langa.com/newsletters/2002/2002-11-21.htm#2 ) we 
| discussed how "Friendgreetings" abuses its 
| End-User-License-Agreement by embedding deep within it a 
| clause that says, in effect, that you're allowing them to 
| place scumware on your PC. Alas, they're not the only one 
| doing this, and other, similar vendors keep shifting their 
| domain name to try to stay one step ahead of anti-scumware tools:
| 
|  Below is a list of who is sending that Emailer Hack they
|  "legally" trick people into. To get around the Anti Spam tools
|  they use new names. I don't see how they can afford to do this.
|  Each of the names are real and do have that so called "non-
|  virus" ready for a sucker [to download]. The list grows every
|  day...---Jim Cooke
| 
|  [Note: to make these links unclickable, Jim has replaced the
|  punctuation with the word DOT.}
|  
|  



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-20 Thread Madscientist
A word of caution from our research.

Some legitimate messages do encode other URLs as parameters. As a result
this kind of filter requires the following constraints (still not
perfect but close):

Be sure your rule fires on the ROOT of the URL so that you are not
capturing parameters that have been encoded. For example,
href="http://%67 etc... but not just http://%67... as in
href=http://legitimate.web.host/somefn.jsp?xyz=http://%67%4D...

Look for encoding of "normal" print characters such as letters and
numbers as these are not normally encoded in legitimate URLs. (_usually_
is important here as some automated link generation systems we've seen
do code everything either as a half-hearted attempt at security or just
because it's easier to "hit every nail with the hammer".)

If you combine these two constraints then the rule can be very
effective.

Hope this helps,
_M

Pete McNeil (Madscientist)
Chief SortMonster (www.sortmonster.com)
VOX: 703-406-2016
FAX: 703-406-2017


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Mike K
| Sent: Wednesday, November 20, 2002 9:06 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| A spam I received yesterday had these comments in it also.
| 
| However one thing I noticed was that the spam had a url that 
| started off with the standard http then was followed by 
| PercentHexHexPercentHexHexPercentHexHexPercentHexHexPercentHex
| Hex and so on.
| 
| This should be very easy to filter on as no legit mailer 
| should be hiding urls like that.
| 
| Mike
| 
| 
| 
| 
| 
| 
| ----- Original Message -
| From: "Madscientist" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Tuesday, November 19, 2002 8:47 PM
| Subject: RE: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| > |
| > | However, that's the way spam control is heading.  As more and more
| > | people get fed up with spam, more and more of the bozos that are
| > | doing things the wrong way will need to fix their problems.
| > |
| > | I can understand an HTML E-mail having one or two comments in it,
| > | but 10 or 20 is just a waste of bandwidth.  That is information the
| > | recipient will never see.
| > |
| > | -Scott
| >
| > Where we got into trouble was with big corporate iron... (IBM, Sun,
| > Microsoft, etc...) The comments in those messages were part of the
| > code base generating the messages and I can imagine (as a web
| > developer also) that they are pretty vital to the developers in their
| > ongoing maintenance efforts. It's not uncommon to see quite a few of
| > them. As we increased the threshold to accommodate the legitimate
| > messages we were capturing we soon reached a level where legitimate
| > and non-legitimate were practically indistinguishable. All I'm saying
| > here is that since HTML email is here to stay, and HTML comments are
| > legitimate and sometimes required for coding standards, a simple count
| > of HTML comments will not be a valid spam test in most cases. This has
| > been our experience - your mileage may/will vary.
| >
| > _M
| >
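The constraints from this message and from the "Hex Code URL's" replies above (match at the root of the URL, ignore encoded parameters, look for encoded letters and digits), together with the two tests Scott outlines there (encoded characters in the domain, an "@" in the URL), are sketched below. This is an added example, not code from the posts, Declude or Message Sniffer; the function names, finding labels, the `min_path_escapes` threshold and the sample links are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

_URL = re.compile(r"^\s*https?://([^/?#]*)([^?#]*)", re.I)  # authority, path
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
_NUM_PART = re.compile(r"0[xX][0-9A-Fa-f]+|[0-9]+")
_ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


class _HrefCollector(HTMLParser):
    """Collects href values so every check starts at the root of a link."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def decode_numeric_host(host):
    """Return dotted decimal for a host written as hex, octal or short-form
    numbers (the forms inet_aton accepts), or None if it is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM_PART.fullmatch(p) for p in parts):
        return None
    values = []
    for p in parts:
        if p[:2].lower() == "0x":
            base = 16
        elif len(p) > 1 and p[0] == "0":
            base = 8
        else:
            base = 10
        try:
            values.append(int(p, base))
        except ValueError:  # e.g. "09" is not valid octal
            return None
    *head, tail = values
    if any(v > 255 for v in head) or tail >= 256 ** (4 - len(head)):
        return None
    addr = tail
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def analyze_href(href, min_path_escapes=3):
    """Return the obfuscation findings for one href value.

    The query string is never inspected, so a legitimate tracker that passes
    an encoded URL as a parameter is not flagged. min_path_escapes is an
    assumed threshold: one escaped letter in a path is treated as noise.
    """
    m = _URL.match(href)
    if not m:
        return []
    authority, path = m.group(1), m.group(2)
    host = re.sub(r":\d*$", "", authority.rpartition("@")[2])  # drop userinfo, port
    findings = []
    if _ESCAPE.search(host):
        findings.append("encoded-host")        # escape inside the domain
    if "@" in authority:
        findings.append("at-in-authority")     # text before "@" is not the host
    dotted = decode_numeric_host(unquote(host))
    if dotted is not None and dotted != host:
        findings.append("obfuscated-ip")       # hex, octal or short-form address
    alnum = sum(1 for h in _ESCAPE.findall(path) if chr(int(h, 16)) in _ALNUM)
    if alnum >= min_path_escapes:
        findings.append("encoded-alnum-path")  # letters and digits never need escaping
    return findings


def scan_html(html):
    """Map each suspicious href in an HTML body to its findings."""
    collector = _HrefCollector()
    collector.feed(html)
    collector.close()
    report = {}
    for href in collector.hrefs:
        findings = analyze_href(href)
        if findings:
            report[href] = findings
    return report


# Constructed sample body; example.* names and 192.0.2.10 are documentation values.
SAMPLE_HTML = """
<a href="http://www.example.com/news?id=7">plain link</a>
<a href="http://www.exampl%65.com/">escape inside the domain</a>
<a href="http://www.example.com/sp%61m">single escape in the path</a>
<a href="http://tracker.example.net/r.jsp?u=http://%77%77%77.example.org/%61">encoded parameter</a>
<a href="http://www.example.com@0xC0.0x00.0x02.0x0A/%70%61%67%65">decoy name, hex IP, encoded path</a>
"""

if __name__ == "__main__":
    for link, found in scan_html(SAMPLE_HTML).items():
        print(link, found)
    # The hex address quoted in the thread decodes to the decimal form given there.
    print(decode_numeric_host("0xD5.0xEF.0x8F.0x9A"))
```

In a weighted setup each finding would carry its own weight; the path finding is the one most likely to hit link generators that encode everything.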



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
That's a good point. Perhaps we'll do some testing in the new version
for comments bounded by nonwhitespace.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 10:21 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
| >  Lots of the content management systems are heavily commented so I
| >  see a lot of comments in html messages to subscribers.
| >
| >  However, they are not commented between words but that's a
| >  difficult parse I think.
| 
| Aha... that could be the key!
| 
| A spammer will use something like "order".  If they use "or  der", it
| will appear on the screen as "or der", which will confuse people
| ("Call to or der now!" isn't very readable).  Whereas the content
| management systems likely have the comment on the beginning of a new
| line, or at least have a space before/after it.
|   -Scott
| 
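Scott's observation quoted above, that obfuscating comments sit inside words while content-management comments sit at line starts or next to spaces, can be turned into a check that separates the two cases where a raw comment count cannot. This is an added example, not Declude's or Message Sniffer's code; it narrows "bounded by non-whitespace" to "a letter or digit on both sides" (an assumption, so that a comment between two tags is not counted), and both sample bodies are constructed.

```python
import re

_COMMENT = re.compile(r"<!--.*?-->", re.S)
_COMMENT_RUN = re.compile(r"(?:<!--.*?-->)+", re.S)  # back-to-back comments


def comment_stats(html):
    """Count all HTML comments and those that split a word in two."""
    total = len(_COMMENT.findall(html))
    intra_word = 0
    for run in _COMMENT_RUN.finditer(html):
        before = html[run.start() - 1] if run.start() > 0 else " "
        after = html[run.end()] if run.end() < len(html) else " "
        # A run of comments with a letter or digit on both sides is invisible
        # to the reader but breaks the word apart for a substring filter.
        if before.isalnum() and after.isalnum():
            intra_word += len(_COMMENT.findall(run.group()))
    return {"total": total, "intra_word": intra_word}


def strip_comments(html):
    """Remove comments so a word filter sees what the recipient sees."""
    return _COMMENT.sub("", html)


def wordfilter_hits(text, phrases):
    """Case-insensitive substring filter, the kind the thread discusses."""
    low = text.lower()
    return [p for p in phrases if p.lower() in low]


# Constructed samples. The first splits the phrase quoted in the thread with
# comments; the second is a template-generated newsletter with ordinary comments.
SPAM_SAMPLE = (
    "<p>Hu<!--k3j-->man Gr<!--zq--><!--0a-->owth "
    "Hor<!--m-->mone The<!--x9-->rapy</p>"
)
LEGIT_SAMPLE = """
<!-- newsletter template v2 -->
<table><!-- header row -->
<tr><td>Order status</td></tr><!-- end header -->
<!-- body -->
<tr><td>Your order has shipped. <!-- tracking block --> Thank you.</td></tr>
</table><!-- footer -->
"""

if __name__ == "__main__":
    for name, body in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, comment_stats(body))
    print(wordfilter_hits(SPAM_SAMPLE, ["growth hormone"]))
    print(wordfilter_hits(strip_comments(SPAM_SAMPLE), ["growth hormone"]))
```

The legitimate sample carries more comments than the spam sample, which is the false-positive problem with a plain count reported in this thread; the intra-word count is zero for it.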



RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
| 
| However, that's the way spam control is heading.  As more and more people
| get fed up with spam, more and more of the bozos that are doing things the
| wrong way will need to fix their problems.
| 
| I can understand an HTML E-mail having one or two comments in it, but 10 or
| 20 is just a waste of bandwidth.  That is information the recipient will
| never see.
| 
| -Scott

Where we got into trouble was with big corporate iron... (IBM, Sun,
Microsoft, etc...) The comments in those messages were part of the code
base generating the messages and I can imagine (as a web developer also)
that they are pretty vital to the developers in their ongoing
maintenance efforts. It's not uncommon to see quite a few of them. As we
increased the threshold to accommodate the legitimate messages we were
capturing we soon reached a level where legitimate and non-legitimate
were practically indistinguishable. All I'm saying here is that since
HTML email is here to stay, and HTML comments are legitimate and
sometimes required for coding standards, a simple count of HTML comments
will not be a valid spam test in most cases. This has been our
experience - your mileage may/will vary.

_M




RE: [Declude.JunkMail] Wordfilter bypassed

2002-11-19 Thread Madscientist
We attempted implementing a test that counts the number of html comments
and found that it was impractical as it consistently captured a large
number of legitimate services. (Scott, you indicated that it might catch
some - our experience has been that it captures so many we had to drop
it.) I suspect that most systems will need to weight such a test very
lightly. Hope this helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, November 19, 2002 8:23 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter bypassed
| 
| 
| 
| >The sneaky buggers are at it again. I've been getting more and more
| >emails that don't fail any tests at all, but should be caught as spam
| >due to multiple wordfilter hits. I had a look at the message (HTML)
| >source, and found this:
| >
| >Human Growth Hormone Therapy
| >
| >Scott, is it possible that the wordfilter, when looking at HTML source
| >messages, can be made to disregard HTML comments, as above?
| 
| That likely isn't something that we will be doing, as it will add a lot of
| extra CPU time (or require writing our own specially designed string
| matching functions).  However, we are thinking of adding a test that will
| get triggered if a certain number of comments are found in an
| E-mail.  Although this would catch the occasionally bandwidth-wasting
| legitimate bulk mailers (that have real comments), it would also be very
| useful in detecting spam.
|   -Scott
| 



RE: [Declude.JunkMail] Two JunkMail questions please...

2002-11-04 Thread Madscientist
Our test server does not show any significant difference between Declude
alone and Declude w/ Message Sniffer. Performance logs report average
processing times of about 170ms per message - and this includes the time
it takes to load the rule base and the message under test. Our test bed
server sees about 450ms on average - but most of that is IO rather than
CPU and our test server is intentionally underpowered. Our production
Linux gateway running Message Sniffer processes messages in less than
40ms per message consistently.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:Declude.JunkMail-owner@;declude.com] On Behalf Of 
| David Lewis-Waller
| Sent: Monday, November 04, 2002 12:15 PM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| Has anyone found MessageSniffer to add any significant CPU 
| load before/after implementation?
| 
| David
| WiSS Limited
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:Declude.JunkMail-owner@;declude.com] On Behalf Of Uhte, Russ
| Sent: 04 November 2002 17:06
| To: '[EMAIL PROTECTED]'
| Subject: RE: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| Joe,
| I can't comment for anyone else, but I'd like to give my $.02 on
| question 1. We've recently purchased MessageSniffer, and its results
| have been outstanding.  We use a weight of 20 as our breaking point on
| when a message can no longer be delivered.  I've set MessageSniffer with
| a weight of 17. We've almost completely eliminated spam!!! -Russ
| 
| -Original Message-
| From: Joe Wolf / CompuService [mailto:joe@;csgo.com] 
| Sent: Monday, November 04, 2002 11:54 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Two JunkMail questions please...
| 
| 
| First I'm still a newbie to JunkMail so forgive my ignorance.  Two issues
| to cover:
| 
| #1    I am basically using the default settings for JunkMail.  I have had a
| few valid messages marked as spam, but I still get quite a bit of spam thru
| that I wish to get rid of.  Does anyone have a template, or suggestion on
| what settings work the best for JunkMail?  I know that I can customize
| anything I want, but at the same time I don't want to make it my life to
| investigate which database is best, etc.  Any help would be appreciated.
| 
| #2    My mail server does quite a bit of list serving.  I've noticed that
| since I installed JunkMail my server is running further and further behind.
| I've gone from nearly immediate delivery of messages to nearly an hour
| behind.  Is the Declude replacement to the Ipswitch mail handler that much
| more inefficient, or does JunkMail just take a lot more processing?  My CPU
| utilization chart is not too high, but it takes so long to process messages.
| 
| Thanks,
| Joe
| 



RE: [Declude.JunkMail] Interesting article

2002-11-04 Thread Madscientist
]The anti spam community has a pretty good handle on the IPv4 bank.
] What will IPv6 do to all our collective experience?  All those
]new places to hide will have to be mapped out all over again!
]
]Dan

As the migration to IPv6 progresses one would expect the current tools to
migrate also. The current network blocking databases would grow
incrementally along with the deployment of IPv6 so there's no cause for
alarm as long as the methods used to populate and maintain these databases
are automated and/or scalable at the same rate.

That said, static network blocking is a "first generation" spam/malware
filtering mechanism which is prone to errors, attacks, and bypasses.
Spammers are already figuring out how to avoid and pollute these kinds of
systems. I'm biased, but I believe the future belongs to more advanced
methodologies including collaborative filters, content filtering, and
rapid-adaptive network blocking systems like dynamic squelch propagation.

_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief Sortmonster (www.sortmonster.com)




RE: [Declude.JunkMail] Catching SPAM when the sender = recipient

2002-10-28 Thread Madscientist
The test could match any email where from and to are the same but
delivery is not local.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:Declude.JunkMail-owner@;declude.com] On Behalf Of Todd Holt
| Sent: Friday, October 25, 2002 10:47 AM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Catching SPAM when the sender = recipient
| 
| 
| I have noticed that many spammers in recent months have begun 
| to use the recipient's email as the sender's email.
| 
| Can this be trapped by the current tests or should I request 
| a new test to cover this?
| 
| The only legitimate mail that would pass this test would be 
| users sending mail to themselves and for us it would be worth 
| losing the capability which I don't think is used much.
| 
| Todd
| 



RE: [Declude.JunkMail] Unwanted "E-cards" filling email inboxes

2002-10-28 Thread Madscientist
IMFilter can help with that and it's free.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:Declude.JunkMail-owner@;declude.com]On Behalf Of John Tolmachoff
]Sent: Sunday, October 27, 2002 10:13 PM
]To: [EMAIL PROTECTED]
]Subject: RE: [Declude.JunkMail] Unwanted "E-cards" filling email inboxes
]
]
]>Just use a regular rule in your rules.ima file.
]
]But then I have to copy that to all users, correct?
]
]John Tolmachoff
]IT Manager, Network Engineer
]RelianceSoft, Inc.
]La Habra, CA  90631
]www.reliancesoft.com
]
]



RE: [Declude.JunkMail] Filter Help

2002-10-16 Thread Madscientist

An Aside -

Watch out for false positives with this one.
We tried a rule that captured all numeric-only web links as they are a
favorite for porn spammers and mortgage folks.

Unfortunately we discovered that a number of legitimate news services
also do this sometimes so we were forced to begin entering specific
numbered web links.

Hope this helps.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Karen Oland
| Sent: Wednesday, October 16, 2002 2:24 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Filter Help
| 
| 
| Is there any way to check for references to web sites that 
| only have domain names?
| 
| I included the rules below, but they never seem to trigger:
| 
| BODY 10 CONTAINS http://1
| BODY 10 CONTAINS http://2
| BODY 10 CONTAINS http://3
| BODY 10 CONTAINS http://4
| BODY 10 CONTAINS http://5
| BODY 10 CONTAINS http://6
| BODY 10 CONTAINS http://7
| BODY 10 CONTAINS http://8
| BODY 10 CONTAINS http://9
| BODY 10 CONTAINS http://0
| 
| I don't want to block using IMAIL, as we have a vendor that 
| sends us email that has a web site with a real name that 
| starts with a "101". However, we do want to have enough 
| weight to this type of a rule, that any other violation will 
| result in the message being sorted into our spam box.
| 
| Karen Oland
| 
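Added example, not part of the original thread: a Python sketch of the distinction the two posts above turn on, separating URLs whose host is a raw numeric address from URLs whose host name merely starts with a digit (the vendor "101" case). The function names, the exempt list and the sample bodies are constructed for illustration; this is not Declude filter syntax.

```python
import ipaddress
import re

# Authority part of an http(s) URL: everything up to the first /, ?, # or space.
URL_AUTHORITY = re.compile(r"https?://([^/\s?#\"'<>]+)", re.IGNORECASE)

# Constructed sample message bodies (documentation addresses and .example names).
VENDOR_MAIL = "Your order is ready at http://101flowers.example/catalog today."
BULK_MAIL = "Click http://192.0.2.44/offer now, or http://3221225996/x"
NEWS_MAIL = "Full story: http://198.51.100.7/news/1"
DISGUISED_MAIL = "Verify at http://www.bank.example@203.0.113.9:8080/login"


def naive_prefix_hit(body):
    """The rule set quoted in the thread: CONTAINS http://0 ... http://9."""
    lowered = body.lower()
    return any(f"http://{digit}" in lowered for digit in "0123456789")


def classify_host(host):
    """Return 'ip-literal', 'dword' or 'name' for a URL host."""
    host = host.rstrip(".")
    if host.isascii() and host.isdigit():
        return "dword"          # whole IPv4 address written as one decimal number
    try:
        ipaddress.IPv4Address(host)
        return "ip-literal"     # dotted quad such as 192.0.2.44
    except ValueError:
        return "name"           # includes names that merely start with a digit


def numeric_hosts(body):
    """List (host, kind) for every URL in body whose host is purely numeric."""
    hits = []
    for match in URL_AUTHORITY.finditer(body):
        authority = match.group(1)
        host = authority.rpartition("@")[2]   # drop any user:password@ prefix
        host = host.split(":", 1)[0]          # drop any :port suffix
        kind = classify_host(host)
        if kind != "name":
            hits.append((host, kind))
    return hits


def score(body, weight=10, exempt=frozenset()):
    """Add `weight` once per message if any non-exempt numeric host is linked.

    `exempt` is a hypothetical list of numeric hosts already known to be
    legitimate senders, such as the news services mentioned in the reply.
    """
    flagged = [host for host, _kind in numeric_hosts(body) if host not in exempt]
    return weight if flagged else 0


if __name__ == "__main__":
    for label, body in [("vendor", VENDOR_MAIL), ("bulk", BULK_MAIL),
                        ("news", NEWS_MAIL), ("disguised", DISGUISED_MAIL)]:
        print(label, naive_prefix_hit(body), numeric_hosts(body), score(body))
```

The prefix rules fire on the vendor message because "http://101flowers" contains "http://1"; the host-level check gives it no weight, and the exempt set covers the legitimate numeric senders described in the reply.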



RE: Re: [Declude.JunkMail] Spam Mail Statistics

2002-10-14 Thread Madscientist

That's a bad sign.
None of those ports should be open to the outside world - you risk
having your entire network hijacked. It's good practice to block all
ports that are not required for services you are offering specifically.
But especially block:

135, 137, 138, 139.

Hope this helps,
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Frederick Samarelli
| Sent: Monday, October 14, 2002 2:41 PM
| To: [EMAIL PROTECTED]
| Subject: Re: Re: [Declude.JunkMail] Spam Mail Statistics
| 
| 
| I found that blocking port 135 stops the Messenger Pop-ups.
| 
| 
| - Original Message -
| From: "Dan Horne" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Monday, October 14, 2002 1:38 PM
| Subject: RE: Re: [Declude.JunkMail] Spam Mail Statistics
| 
| 
| > I got this from one of the Lockergnome newsletters that came out 
| > recently.
| >
| > Dan
| >
| > ---
| > Pop-up Spammers
| >
| > I've often wondered how long it would take for the abuse of
| > Microsoft's Messenger services to begin. This is a network service
| > that listens for messages, which are displayed on screen when
| > received. You can use this service to send text messages to other
| > users on the network ("net send" command from a DOS prompt), provided
| > they have the services running. As you might expect, this is enabled
| > by default in Windows NT/2K/XP, and for little reason. I know of very
| > few people that actually use it, particularly home users. Those of you
| > that are on broadband connections and are not running a firewall may
| > have seen a strange little window pop up at you hawking diplomas,
| > inviting you to visit an explicit website or whatever else our
| > favorite bunch of Internet low-life can dredge up.
| >
| > I have always been very supportive of a minimalist configuration. Turn
| > it off by default, then let the user decide if they want it turned on.
| > As things are, we have all sorts of virtually useless capability built
| > into Windows and other Microsoft software, and fully enabled by
| > default. Maybe there's a case to be made for the functionality, but
| > there is not a case to be made for subjecting the masses to such abuse
| > when the feature won't be used by the vast majority of users and it's
| > quite easy to scan the open ports on a workstation to see if the
| > service is available for abuse. With Windows 2000 and XP seeing much
| > wider adoption, and port 139 open by default, it was only a matter of
| > time before it was taken advantage of to pester unsuspecting users.
| >
| > You can disable the Messenger in Windows 2000/XP by right-clicking My
| > Computer, selecting Manage from the context menu. Expand Services and
| > Applications and click Services, which will populate the right window
| > pane with the long list of services installed. Scroll down to
| > Messenger and double-click the item. In the Startup Type dropdown box,
| > select Disabled, then click the Stop button in the Service Status
| > section of the window. From now on, your PC will not be subjected to
| > these pop-up messages.



RE: Re: [Declude.JunkMail] Spam Mail Statistics

2002-10-14 Thread Madscientist

I can tell you we've had similar experiences. It's not always clear that
the attack was triggered by anything specific - but it sure looks that
way from time to time. We have developed some processes to detect and
block attacking IPs at our border routers... We're hoping to automate
this process but it is difficult.

_M

| Group:
| As a new person to this Junk mail War on Spam. I'm concerned. 
| I have a topic viewpoint I would like to propose to the 
| group, and get some feed back.  How many networks are being 
| attacked? Is this criminal? Or am I just crazy?




RE: [Declude.JunkMail] FYI - "APPENDING" is newest spam fad

2002-10-08 Thread Madscientist

| Declude probably doesn't need to do anything special - spam 
| is still spam, but this really bothers me that spam 
| technologies like this are starting to become "mainstream" -- 
| Maybe we really do need laws regulating spam as a law would 
| quickly stop all these for-profit, but easily identifiable 
| companies from doing this.

I'm cautious about laws... if you make it illegal then it will go
underground and become more difficult to defend.

For example, here's a nasty trend I hate... Norton Antivirus and Norton
Systemworks being sold by what seems like every spam house in the
world... It's a deluge... If you talk to Symantec they have "nothing to
do with it"... of course... And how can they prevent unauthorized
third/fourth parties from reselling product they purchase or steal from
the pipeline? The dark side of me thinks... why would they want to since
it all drives revenue to Symantec in the long run?

My point is, legal or not - legitimate or not - if there's a way to do
this in the name of marketing they will figure out how. There are laws
against cold-calling my phone at home, but it happens every day - glad I
have caller ID so I can do some filtering.

I think we're going to have to beat this one with technology - and I
pray we can get that done before the lawyers come and cause real
trouble.

_M




RE: [Declude.JunkMail] Effectiveness

2002-10-08 Thread Madscientist

We're getting further off-topic for the Declude list I think. 
Apologies again.

| The personal messages are the most difficult and becoming 
| worse.  They are random and infrequent.  They are often among 
| the most important messages.  Individuals have an 
| unbelievable number of private e-mail accounts that they 
| seemingly use with little organized thought.  And some of the 
| messages are SPAM except for the fact that the user intends 
| to send them and the recipient wants them.  A very, very 
| difficult problem.

Thanks for all that... I think you're right on all counts. This last one
is a real bugger - however we have some dynamic systems coming that
should help this somewhat. I believe Scott is thinking of putting some
similar things in place for Declude, or at least that they are on the
wish-list.

Two methodologies -

(1) Legitimate messages contain some "pass code" that can be white-coded
by Message Sniffer, thus allowing them past no matter where they are
sent from. This could be some standard part of the other party's
signature (their name, or phone number for example), or something
special that you gave them. (If you're a Ham Radio fan, this is like a
PL tone for email.)

(2) The system may presume that if you have sent a message to a
particular address that this address is allowed to send messages to you
- with some intervening metrics to avoid abuse - such as recording also
the source and destination networks. This one is probably ok unless the
message comes from a completely random source.

In any case, businesses using spam filtering should have a method for
handling "unwanted lockouts" such as maintaining an unfiltered contact
address that has very limited filtering so that customers/contacts
always have an address they can go to... or a contact form that allows
the contact to send their first query to the company and registers the
sender's email address with the filtering system so that they can be
sure to always get through. If these are links on the company web site,
they can be randomized aliases that are generated daily and then thrown
away. The alias would point to an underlying account that is never
publicly posted. Anyone clicking on the "Contact Us" link will get
through with the "address of the day"... any spammer harvesting that
address has polluted their database with a bad address that, after a
while, can be used to detect spammers (no legitimate contact would use
the address after some reasonable period of time).

Another mechanism like this would be an address on the system where
internal users can BCC or forward a message to/from a new contact such
that the system collects their addresses and gates their email from then
on - allowing them into the "circle of trust". Mechanisms like this can
be easily implemented with only minor procedural changes and can have a
profound impact on spam reduction by allowing for very strict (or even
closed) filtering. 

For example, in a sales organization it is likely that notification of a
new customer or lead would be forwarded to some sales manager. If that
manager's address were an alias that copied the message to the "gating
address" on the system then white listing the new lead would be
transparent and automatic in nearly all cases. 

We plan to offer features with our online database to automate some of
these mechanisms. Many could be implemented now with Declude and a
little bit of programming work to manage white & black lists... within
limits, of course.

_M

PS: Note that the model for (1) is also applicable to a customized
NO-SPAM system which uses computer generated headers (convolution codes)
to authenticate senders and receivers. Sniffer would then gate messages
with legitimate pass-codes while diverting all other traffic. Clients
and MTAs that have been allowed into the "circle of trust" for a
particular organization would produce recognizable one-time codes in
their message headers so that other participating systems in the circle
would not filter them out. Systems outside this circle would take their
chances with the filters or simply not be allowed to send their
messages. Convolution codes are used once and thrown away so that nobody
can catch one and use it to gate their spam or other malware into the
system.



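Added example, not part of the original post: one way to implement the "address of the day" contact alias described above, in Python. The HMAC derivation, the 14-day grace period, the demo key and the example.com domain are assumptions made for the illustration; the post does not say how aliases are generated or how long the "reasonable period" is.

```python
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"constructed-demo-key"   # assumption: server-side key, never published
DOMAIN = "example.com"             # assumption: placeholder domain
GRACE_DAYS = 14                    # assumption: the "reasonable period of time"
LOOKBACK_DAYS = 365                # how far back old aliases are still recognised


def alias_for(day, secret=SECRET):
    """Derive the contact alias published on the web site for a given day."""
    digest = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return f"contact-{digest[:10]}@{DOMAIN}"


def classify_recipient(rcpt, today, secret=SECRET):
    """Return (state, age_in_days) for an inbound recipient address.

    state is 'current' (today's alias), 'grace' (recently published),
    'trap' (an alias too old for any legitimate contact to still use)
    or 'unknown' (not a contact alias at all).
    """
    rcpt = rcpt.strip().lower()
    for age in range(LOOKBACK_DAYS + 1):
        if rcpt == alias_for(today - timedelta(days=age), secret):
            if age == 0:
                return ("current", age)
            if age <= GRACE_DAYS:
                return ("grace", age)
            return ("trap", age)
    return ("unknown", None)


class ContactGate:
    """Tracks who has been let into the 'circle of trust' via a live alias."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.allowed = set()     # senders registered through a live alias
        self.trap_hits = {}      # sender -> count of mails to expired aliases

    def inbound(self, sender, rcpt, today):
        sender = sender.strip().lower()
        state, _age = classify_recipient(rcpt, today, self.secret)
        if state in ("current", "grace"):
            # First contact through the published link: register the sender.
            self.allowed.add(sender)
            return "deliver"
        if sender in self.allowed:
            # Already registered, so later mail to any address gets through.
            return "deliver"
        if state == "trap":
            # Only a harvested address list would still hold this alias.
            self.trap_hits[sender] = self.trap_hits.get(sender, 0) + 1
            return "reject-trap"
        return "filter"          # unknown sender, normal filtering applies


if __name__ == "__main__":
    today = date(2002, 10, 8)
    gate = ContactGate()
    print(gate.inbound("lead@customer.example", alias_for(today), today))
    print(gate.inbound("bulk@spam.example",
                       alias_for(today - timedelta(days=60)), today))
    print(gate.trap_hits)
```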



RE: [Declude.JunkMail] Effectiveness

2002-10-08 Thread Madscientist

]_M,
]
]Ah, 70% of all mail is spam.  Last time I checked, I was running
]over 60%, both are high numbers compared to others I've seen, in
]the 35-45 range.  The major difference between the domains I've
]seen that would affect this amount is the number of years the
]domains have been live/active.  I understand your concerns ("For
]obvious reasons I cannot disclose how we develop our spam traps"),
]how long (months/years) does it generally take an exposed spamtrap
]to mature into a useful one?

It can take up to a year to get one rolling, and up to 3 for it to
completely mature. Much of this time is dependent upon how hard we are able
to "work" the trap. It's a surprising amount of effort - and luck.

]>Typically the 8% not captured is made up of multiple copies of new spam in
]>its early phases of deployment. We have been increasing our update rates to
]>compensate as our user base grows to support the extra effort.
]
]Of this 8%, what proportion are pro's needing domain/IP blocks,
]and what proportion are amateurs needing things more like content
]filters?  When I first started, the amateurs (yahoo.com,
]hotmail.com, and the like) were much harder to block but now that
]I've countered most (not all) of their tactics, it's the pro's that
]push through with their new domains and IPs.

It's really hard to answer this question lately - the data is increasingly
unclear.

It seems they're getting quite a bit smarter (as expected). The pro's push a
lot of new stuff, but it seems from our experience that even they are using
sites like yahoo, hotmail, and geocities to support their efforts - often
through some automated processes. Some delivery methods that we have seen
are quite sophisticated - often drawing on multiple domains and random
one-off web sites. We've predicted a number of advanced methodologies for
beating filters of all types and we've started to see an acceleration
toward these advanced methods... everything from delivery scattering to new
obfuscation techniques and pseudo-encryption. (We regularly war-game to plan
ahead.)

Since Message Sniffer looks at the whole message we are generally able to
apply filters to IP blocks, content, behaviors, and combinations of these...
Most of the time we find the effective rules are for content - especially
behaviors and "delivery constants" like return addresses and web links. We
find that pro spammers have access to so many networks and alternative
delivery methods that if we concentrate on the message we get a much more
accurate capture result. It's not uncommon to see the same spam message
delivered through many different network blocks. Also, they are getting
smarter about the network blocks they use - often choosing small blocks
interspersed with blocks allocated to legitimate systems... the result is
that it is becoming far more difficult to block networks without introducing
false positives... Network and IP blocking must become much more specific to
avoid collateral damage.


]This reflects
]>what a "tuned" system's false positive rate can be.
]
]Yes, though their simplicity is part of their appeal, it's simply a
]way to gather fresh samples and see if the 'old' tests still work.
] My next step in the battle against FPs will be having 2 Declude
]servers, one to build new tests on and weed out FPs using domains
]that can afford them, then another with domains that get less
]monitoring and need a higher level of care.  4 per week is
]amazingly low, but clearly shows what you mean by tuned, may I ask
]how many months/years it took to get there?

It appears that most systems can achieve nearly this level in only a few
weeks. Our filter base was in development for about 2 years before we began
deploying Message Sniffer.


]>The chief error in this metric is that there is no control on how many false
]>positives occur that may not be reported.
]
]How easy is it for your customers to monitor/review what gets caught?

That's really up to them. Message Sniffer only tags the message. The actions
they take after that are up to them... If they place the messages in a
holding bin and then review them there is a good chance they will see any
false positives - as long as the volume on their system will allow it.

Another way to do it is to mark messages as "suspected spam" and allow the
end users to search for false positives... Hopefully the end users can also
be encouraged to report the false positives they find... (often they do so
with some "intensity" and without prompting)

The challenge is that it takes a human being to do this kind of checking and
so it is expensive. Even if the technology were perfect the specifications
change with time and location... different users, different systems/locales,
and different times constantly change the definition of spam/not-spam from
each individual's perspective. Our goal is to leverage any overlap that
exists in this definition while allowing for all of the differences.
Ultimately it takes the people on the receiving 

RE: [Declude.JunkMail] Effectiveness

2002-10-06 Thread Madscientist
've seen so
far unless you happen to be a unix guru writing your own engine. ;-)

]
]Spam traps are something I have yet to create, what's the best way
]to implement them?  Specifically, do you distribute them across
]domains or does it matter and what are the best ways to infect
]them?  Do you use customer domains and if so, what happens if/when
]they leave your ISP/protection?

Implementing good spamtraps is a difficult, time consuming process that
requires both skill and secrecy. If done badly you will receive messages
that are not unsolicited and you may have spammers abuse your spamtraps and
mail systems to prevent you using them ... all sorts of ugly things can
happen.

For obvious reasons I cannot disclose how we develop our spam traps nor
where they may be.

A few general things I can tell you in response to your questions.

A good spamtrap must "look" to the world like any real user who never
subscribed to any lists.

It is good to have spamtraps distributed across a wide range of domains -
preferably on networks that are not your own.

As for how to infect them... Think about this: You no doubt have an email
address that receives a significant amount of spam. What is it that you have
done with this account short of subscribing to lists and services?

A couple of ways that email addresses get picked up that are public domain:

* Posts in news groups and otherwise publicly available message boards.
* Email addresses listed as contact info on web sites.

Another that is obvious but not widely discussed is that you can place your
spam trap in the path of a dictionary attack...

It's a lot like fishing... you have to be quiet and in the right place.

Hope this helps,
_M

]
]Thanks
]Dan
]
]
]
]On Saturday, October 5, 2002 19:18, Madscientist
]<[EMAIL PROTECTED]> wrote:
]>Perhaps you misunderstood.
]>More than 70% of ALL traffic is captured on average for reporting systems.
]>The base includes non-spam as well. In terms of a percentage of spam,
]>Declude has published statistics consistently showing 85% or more of all
]>incoming spam. On our system it is closer to 92% counting what comes from
]>all spam traps.
]>
]>Hope this clears things up.
]>_M
]>
]>]-Original Message-
]>]From: [EMAIL PROTECTED]
]>][mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
]>]Sent: Saturday, October 05, 2002 9:30 PM
]>]To: [EMAIL PROTECTED]
]>]Subject: [Declude.JunkMail] Effectiveness
]>]
]>]
]>]70%?  I believe the spam filter that comes free with Mac OS 10.2
]>]does that well by itself, though I haven't tested it for FPs yet.
]>]Has anyone else tried it?
]>]
]>]Dan
]>]
]>]
]>]On Friday, October 4, 2002 14:02, Madscientist
]>]<[EMAIL PROTECTED]> wrote:
]>]>We have similar circumstances in the email systems that we host. We
]>]>currently trap more than 80% of incoming messages as spam with our
]>]>Message Sniffer software. The average for all reporting systems is
]>]>something just over 70%.
]>]>
]>]>I think Declude w/ Message Sniffer is the way to go if you have an Imail
]>]>server. Of course I am biased - but there are others here who might back
]>]>me up. The demo is free if you want to try it
]>]>(http://www.sortmonster.com).
]>]>
]>]>Biased $0.02
]>]>
]>]>_M
]>]>
]>]>| -Original Message-
]>]>| From: [EMAIL PROTECTED]
]>]>| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
]>]>| Sent: Friday, October 04, 2002 3:27 PM
]>]>| To: Declude JunkMail (E-mail)
]>]>| Subject: [Declude.JunkMail] Newbie question about baseline
]>]>
]>]>
]>]>
]>]>| However, when I check the server each morning, the spambox
]>]>| has at least 250 new messages, and one Monday I found 1,000.
]>]>| Bear in mind we only have approx 200 employees nationwide and
]>]>| serve a niche market. I've tried to be aggressive about
]>]>| automatically deleting certain incoming mail, especially
]>]>| using rules.ima. Hence the term "baseline" in my subject. Do
]>]>| more experienced postmasters find this much junk on their
]>]>| server and just delete it manually, or do they make better
]>]>| use of the software to automatically delete spam?
]>]>

RE: [Declude.JunkMail] Effectiveness

2002-10-05 Thread Madscientist

Perhaps you misunderstood.
More than 70% of ALL traffic is captured on average for reporting systems.
The base includes non-spam as well. In terms of a percentage of spam,
Declude has published statistics consistently showing 85% or more of all
incoming spam. On our system it is closer to 92% counting what comes from
all spam traps.

Hope this clears things up.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Dan Patnode
]Sent: Saturday, October 05, 2002 9:30 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Effectiveness
]
]
]70%?  I believe the spam filter that comes free with Mac OS 10.2
]does that well by itself, though I haven't tested it for FPs yet.
]Has anyone else tried it?
]
]Dan
]
]
]On Friday, October 4, 2002 14:02, Madscientist
]<[EMAIL PROTECTED]> wrote:
]>We have similar circumstances in the email systems that we host. We
]>currently trap more than 80% of incoming messages as spam with our
]>Message Sniffer software. The average for all reporting systems is
]>something just over 70%.
]>
]>I think Declude w/ Message Sniffer is the way to go if you have an Imail
]>server. Of course I am biased - but there are others here who might back
]>me up. The demo is free if you want to try it
]>(http://www.sortmonster.com).
]>
]>Biased $0.02
]>
]>_M
]>
]>| -Original Message-
]>| From: [EMAIL PROTECTED]
]>| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
]>| Sent: Friday, October 04, 2002 3:27 PM
]>| To: Declude JunkMail (E-mail)
]>| Subject: [Declude.JunkMail] Newbie question about baseline
]>
]>
]>
]>| However, when I check the server each morning, the spambox
]>| has at least 250 new messages, and one Monday I found 1,000.
]>| Bear in mind we only have approx 200 employees nationwide and
]>| serve a niche market. I've tried to be aggressive about
]>| automatically deleting certain incoming mail, especially
]>| using rules.ima. Hence the term "baseline" in my subject. Do
]>| more experienced postmasters find this much junk on their
]>| server and just delete it manually, or do they make better
]>| use of the software to automatically delete spam?
]>



RE: [Declude.JunkMail] Newbie question about baseline

2002-10-04 Thread Madscientist

| 
| Right now, because I am wearing so many hats, I have not had 
| a chance to look at and use programs to delete the held 
| messages after 5 days, which is when I manually delete them.
| 
| I hold all, then after 5 days if no one has complained about 
| where is my e-mail, I manually delete.

Out of sheer volume - we automatically delete after 10 days without a
complaint. If we get a complaint or potential false positive we do a
search for appropriate keywords and adjust the filters if we find
something.

_M




RE: [Declude.JunkMail] Newbie question about baseline

2002-10-04 Thread Madscientist

We have similar circumstances in the email systems that we host. We
currently trap more than 80% of incoming messages as spam with our
Message Sniffer software. The average for all reporting systems is
something just over 70%.

I think Declude w/ Message Sniffer is the way to go if you have an Imail
server. Of course I am biased - but there are others here who might back
me up. The demo is free if you want to try it
(http://www.sortmonster.com).

Biased $0.02

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Purtell
| Sent: Friday, October 04, 2002 3:27 PM
| To: Declude JunkMail (E-mail)
| Subject: [Declude.JunkMail] Newbie question about baseline



| However, when I check the server each morning, the spambox 
| has at least 250 new messages, and one Monday I found 1,000. 
| Bear in mind we only have approx 200 employees nationwide and 
| serve a niche market. I've tried to be aggressive about 
| automatically deleting certain incoming mail, especially 
| using rules.ima. Hence the term "baseline" in my subject. Do 
| more experienced postmasters find this much junk on their 
| server and just delete it manually, or do they make better 
| use of the software to automatically delete spam?



RE: [Declude.JunkMail] Filtering question

2002-10-03 Thread Madscientist

Scott,

Is it possible to enclose phrases in quotes for these filters?

" robert allen "

If not can this be a feature request?

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Thursday, October 03, 2002 10:33 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Filtering question
| 
| 
| 
| >If I want to add two words into a single filter rule how do 
| I do this?
| >
| >For example:
| >
| >BODY  10  CONTAINS  robert allen
| >
| >I'm assuming that the space would confuse the rule.
| 
| Actually, that will work (the only problem is that spaces 
| before/after the 
| filter text won't be used, but they will be used if they are 
| in the filter 
| text).
| 
| >Should I add:
| >
| >BODY  10  CONTAINS  robert%20allen
| 
| No -- the "%20" format only works in HTML/HTTP.
|  -Scott
| 


RE: [Declude.JunkMail] SPAMCOP:[SNIFFER Sniffer test failed]Declude.JunkMail and Message Sniffer

2002-09-26 Thread Madscientist

For now, you will want to whitelist these. The trouble is that many lists
append advertising content to their messages. Sniffer tends to get triggered
by the advertising content.

Next month we plan to release a version that includes compound heuristics.
At that time we will begin adding white-rules to the database to match "well
known" legitimate lists. We expect this will reduce the problem.

Hope this helps,
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Lenny Bauman
]Sent: Thursday, September 26, 2002 8:42 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] SPAMCOP:[SNIFFER Sniffer test
]failed]Declude.JunkMail and Message Sniffer
]
]
]Hello all
]
] I have Junkmail running and it has cut down on the spam somewhat. I am
]still getting a lot of spam so I thought I would give Message Sniffer a
]try. I installed it about 24 hours ago and it has caught a large amount of
]the messages that I was getting as spam.  The problem that I am seeing is
]that I am getting a lot of newsletters marked as failing the sniffer test.
]Newsletters from places like Columbia House, The WWE, ISP World.  Am I
]missing something or do I have to whitelist these sites so that my customers
]can continue to receive the newsletters that they subscribed to?
] Below is
]a small list of the sites that have been reported to me as failing the
]sniffer test that the customer has requested to receive mail from.   Any
]help you can give me will be greatly appreciated.  I like the fact that
]sniffer is catching what gets through Junkmail; I just am not sure how to
]handle the False Positive messages.  Thanks in advance for any help you
]can give me.
]
]
]
]Lenny Bauman
]
]
]From: [EMAIL PROTECTED]
]From: "Strive.To Word" <[EMAIL PROTECTED]>
]From: eWEEK News <[EMAIL PROTECTED]>
]From: "ArcaMax" <[EMAIL PROTECTED]>
]From: Just Say Wow <[EMAIL PROTECTED]>
]From:  <[EMAIL PROTECTED]>
]From:  <[EMAIL PROTECTED]>
]From: Webmonkey Frontdoor <[EMAIL PROTECTED]>
]From: "ISPworld" <[EMAIL PROTECTED]>
]From: [EMAIL PROTECTED]
]From: Wired News <[EMAIL PROTECTED]>
]From: <[EMAIL PROTECTED]>
]From: <[EMAIL PROTECTED]>
]From: [EMAIL PROTECTED]
]From: "WWE Newsletter" <[EMAIL PROTECTED]>
]From: "Columbia House DVD Club" <[EMAIL PROTECTED]>
]From: "bizjournals.com Solutions"
]<[EMAIL PROTECTED]>
]From: "ISPworld" <[EMAIL PROTECTED]>
]From: "TESSCO...Your Total Source" <[EMAIL PROTECTED]>
]From: "McAfee.com Services" <[EMAIL PROTECTED]>
]From: [EMAIL PROTECTED]
]
]
]---
][This E-mail scanned for viruses by LRBCG.COM, Inc.]
]


RE: [Declude.JunkMail] More On Spam, And SpamCop

2002-09-26 Thread Madscientist

] I have recently been getting spam addressed to a disposable
] address that I have ONLY ever used when submitting spam to
] SpamCop. The address consists of a string of 12 random letters
] at the given domain, so it is not likely from a dictionary
] list. Kinda makes you want to go "Hmmm". --- Glenn Wolf
]
]Hmmm indeed, Glenn. I don't believe that SpamCop is guilty of spamming;
]but no secret name or address can ever be 100% safe--- addresses can be
]guessed or cracked or harvested or stolen or Klez-ed (etc.) or otherwise
]gotten to. That's probably what happened to Glenn's, and it's probably
]happened to SpamCop's own spamtrap addresses, too.

Not to add any weight to this, but it just strikes me funny.
A spam came through the spamtraps yesterday from a spam software developer
and bulk email house. Their big claim to fame was that they have a
partnership with SpamCop and SpamHouse whereby they can use the database to
avoid anti-spammers and make sure your message gets through. Specifically
they talk about delivering "their" Casino ads...

Don't know who "their" is supposed to be, and I don't give spam any
credence - but I read that yesterday and this today - so it connected.

FWIW.

_M



RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

I think (not sure) OE does this when it codes the message in RTF format.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Helpdesk
| Sent: Wednesday, September 25, 2002 10:03 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter in BASE64?
| 
| 
| on 9/25/02 9:31 AM, Scott MacLean wrote:
| 
| > That's what I suspected. Has anyone seen HTML Base64 segments that 
| > *weren't* spam?
| 
| Yes. A few at first but more are appearing now.
| 
| > Are there any email clients that actually put out such a thing?
| 
| Every message my brother's in-laws send to their daughter 
| (his wife) is in Base64 for some reason. They are using 
| Outlook Express. I have also seen 5 other addresses whose 
| messages are always in Base64 for some reason.
| 
| The only reliable way to use the Base64 test is with a 
| weighting system and hope the message fails some other tests also.
| 
| I asked Scott if he was going to combine the Base64 test and 
| the Filter test so that we could scan for our own catch 
| phrases in Base64 messages like we can in plain text 
| messages. I was told no.
| 
| Later,
| Greg
| 


RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

That's a good call... Currently base64 html segments seem to run close
to 7% of spam content.
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Davidson
| Sent: Wednesday, September 25, 2002 10:02 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Wordfilter in BASE64?
| 
| 
| I weigh base64 heavy enough that if a message failed any 
| other test it will hold it
| 
| Have a great day!
| Rick Davidson
| Buckeye Internet Services
| www.buckeyeweb.com
| 440-953-1900
| -
| - Original Message -
| From: "Scott MacLean" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Wednesday, September 25, 2002 9:31 AM
| Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?
| 
| 
| > That's what I suspected. Has anyone seen HTML Base64 segments that
| > *weren't* spam? Are there any email clients that actually put out such
| > a thing?
| >
| > At 08:14 AM 9/25/2002, Madscientist wrote:
| >
| > >Declude does not decode base64, rather it simply detects html base64
| > >segments which are highly likely to be spam.
| > >
| > >_M
| > >
| > >]-Original Message-
| > >]From: [EMAIL PROTECTED]
| > >][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
| > >]Sent: Wednesday, September 25, 2002 8:10 AM
| > >]To: [EMAIL PROTECTED]
| > >]Subject: [Declude.JunkMail] Wordfilter in BASE64?
| > >]
| > >]
| > >]I just saw an email that *should* have been caught several times over with
| > >]various "BODY CONTAINS" filters, but wasn't - instead, it caught BASE64.
| > >]Does Declude decode the BASE64 body and then apply the wordfilter? Because
| > >]it seems like it might not.
| > >]
| > >]___
| > >]Scott MacLean
| > >][EMAIL PROTECTED]
| > >]ICQ: 9184011
| > >]http://www.nerosoft.com
| >
| > ___
| > Scott MacLean
| > [EMAIL PROTECTED]
| > ICQ: 9184011
| > http://www.nerosoft.com
| >
| 


RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

Bingo - I knew there was a big one that had slipped my mind.
:-)
_M

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Smith
  Sent: Wednesday, September 25, 2002 9:41 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?

  Yes.
  Dell sends their quotes like this.

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
    Sent: Wednesday, September 25, 2002 9:31 AM
    To: [EMAIL PROTECTED]
    Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?

    That's what I suspected. Has anyone seen HTML Base64 segments that
    *weren't* spam? Are there any email clients that actually put out such
    a thing?

    At 08:14 AM 9/25/2002, Madscientist wrote:

      Declude does not decode base64, rather it simply detects html base64
      segments which are highly likely to be spam.

      _M

      ]-Original Message-
      ]From: [EMAIL PROTECTED]
      ][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
      ]Sent: Wednesday, September 25, 2002 8:10 AM
      ]To: [EMAIL PROTECTED]
      ]Subject: [Declude.JunkMail] Wordfilter in BASE64?
      ]
      ]
      ]I just saw an email that *should* have been caught several times over with
      ]various "BODY CONTAINS" filters, but wasn't - instead, it caught BASE64.
      ]Does Declude decode the BASE64 body and then apply the wordfilter? Because
      ]it seems like it might not.
      ]
      ]___
      ]Scott MacLean
      ][EMAIL PROTECTED]
      ]ICQ: 9184011
      ]http://www.nerosoft.com

    ___
    Scott MacLean
    [EMAIL PROTECTED]
    ICQ: 9184011
    http://www.nerosoft.com


RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

We've had a few, but we didn't keep them around. There are some folks on
the list hunting for examples - I've got an eye out but I'm not trying hard.
Statistically it is a very good test.

The only trouble with not scanning inside base64 segments is that it
reduces your ability to categorize the message... so, for example, if
there's content there that users on your system want to see - but might
otherwise be seen as spam - you will have to work harder to gate that content
through.

This is why Message Sniffer does open base64 segments to look for
patterns.

_M

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott MacLean
  Sent: Wednesday, September 25, 2002 9:31 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Wordfilter in BASE64?

  That's what I suspected. Has anyone seen HTML Base64 segments that
  *weren't* spam? Are there any email clients that actually put out such a
  thing?

  At 08:14 AM 9/25/2002, Madscientist wrote:

    Declude does not decode base64, rather it simply detects html base64
    segments which are highly likely to be spam.

    _M

    ]-Original Message-
    ]From: [EMAIL PROTECTED]
    ][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
    ]Sent: Wednesday, September 25, 2002 8:10 AM
    ]To: [EMAIL PROTECTED]
    ]Subject: [Declude.JunkMail] Wordfilter in BASE64?
    ]
    ]
    ]I just saw an email that *should* have been caught several times over with
    ]various "BODY CONTAINS" filters, but wasn't - instead, it caught BASE64.
    ]Does Declude decode the BASE64 body and then apply the wordfilter? Because
    ]it seems like it might not.
    ]
    ]___
    ]Scott MacLean
    ][EMAIL PROTECTED]
    ]ICQ: 9184011
    ]http://www.nerosoft.com

  ___
  Scott MacLean
  [EMAIL PROTECTED]
  ICQ: 9184011
  http://www.nerosoft.com

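[Added example, not part of any list message and not code from Declude or Message Sniffer.] The gap discussed in this thread, shown on a constructed message: a phrase filter run over the undecoded body misses text carried in a base64 text/html part, while the same filter run after MIME decoding finds it. The phrase is the one from the list's BODY CONTAINS example; the test names and weights are assumptions chosen for illustration.

```python
import base64
from email import message_from_string, policy

# Constructed sample: a two-part message whose HTML part is base64-encoded.
HTML = "<html><body><p>Special offer from Robert Allen</p></body></html>"
ENCODED = base64.encodebytes(HTML.encode("ascii")).decode("ascii")
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.net\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "See the HTML part.\n"
    "--b1\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    f"{ENCODED}"
    "--b1--\n"
)

PHRASES = ["robert allen"]  # phrase from the thread's filter example


def raw_body(raw):
    """Body exactly as a filter that does no MIME decoding sees it."""
    return raw.split("\n\n", 1)[1]


def decoded_text_parts(raw):
    """Yield (content type, transfer encoding, decoded text) per text part."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        yield part.get_content_type(), cte, part.get_content()


def contains_hits(text, phrases=PHRASES):
    """Case-insensitive substring match, like a CONTAINS body filter."""
    low = text.lower()
    return [p for p in phrases if p in low]


def has_base64_html(raw):
    """Detect a base64-encoded text/html segment without reading its content."""
    return any(ctype == "text/html" and cte == "base64"
               for ctype, cte, _ in decoded_text_parts(raw))


def score(raw, weights=None):
    """Combine both signals as weighted tests (weights are assumed values)."""
    weights = weights or {"BASE64_HTML": 5, "BODY_FILTER": 10}
    decoded = "\n".join(text for _, _, text in decoded_text_parts(raw))
    result = {
        "raw_hits": contains_hits(raw_body(raw)),   # filter on undecoded body
        "decoded_hits": contains_hits(decoded),     # filter after decoding
        "base64_html": has_base64_html(raw),
    }
    total = 0
    if result["base64_html"]:
        total += weights["BASE64_HTML"]
    if result["decoded_hits"]:
        total += weights["BODY_FILTER"]
    result["weight"] = total
    return result


if __name__ == "__main__":
    print(score(SAMPLE))
```

Scoring the base64 segment as one weighted test among several, rather than holding on it alone, matches what list members report doing, since legitimate senders also produce base64 HTML.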

RE: [Declude.JunkMail] Wordfilter in BASE64?

2002-09-25 Thread Madscientist

Declude does not decode base64, rather it simply detects html base64
segments which are highly likely to be spam.

_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Scott MacLean
]Sent: Wednesday, September 25, 2002 8:10 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Wordfilter in BASE64?
]
]
]I just saw an email that *should* have been caught several times over with
]various "BODY CONTAINS" filters, but wasn't - instead, it caught BASE64.
]Does Declude decode the BASE64 body and then apply the wordfilter? Because
]it seems like it might not.
]
]___
]Scott MacLean
][EMAIL PROTECTED]
]ICQ: 9184011
]http://www.nerosoft.com
]


RE: [Declude.JunkMail] Web Site ?

2002-09-24 Thread Madscientist

Yup - no joy for quite a bit now.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Kratka
]Sent: Tuesday, September 24, 2002 5:49 PM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Web Site ?
]
]
]Is anyone else having difficulties with the Declude Web Site?
]
]Jeff
]
]*
]TymeWyse Internet
]P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
]tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
]*
]
]


RE: [Declude.JunkMail] Upgrade to sniffer 1.1

2002-09-23 Thread Madscientist

This rule 10222 should match only a specific email address... however
the scan index and ended are both z which is not possible.

It is likely you have a corrupted .snf file.

Hope this helps,
_M


| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Marv Gordon
| Sent: Monday, September 23, 2002 1:31 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Upgrade to sniffer 1.1
| 
| 
| Sniffer logfile shows nothing but matches (example below).  
| Have not seen a "clean" entry since the upgrade today.
| 
| 
| 
| 
| sniffer   20020923165941  D4876000800deda6b.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170147  D48f8000900ded796.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170245  D493a00deb0b2.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170307  D494a000b00de183e.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170309  D494c000c00de2165.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170448  D49bd00dea5ce.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170451  D49b2000900dcaeec.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170456  D49b7000a00dcc004.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170531  D49ca000b00dc0b20.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170545  D49e7000c00dc7f12.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170601  D49f7000d00dcbcd7.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170640  D4a1e000e00dc53a5.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923170951  D4add001000dc401a.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171653  D4c85000300e0b593.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171700  D4c63000f00de334f.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171702  D4c8d001000ded45c.SMD   110 
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171702  D4c8d000400e0d498.SMD   121 
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171737  D4caf000500e0597b.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923171843  D4c43001200dcb2f6.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172032  D4d5a001500dcf673.SMD   71  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172106  D4d82001600dc90e4.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172112  D4d88001700dca993.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172142  D4da6001800dc1dd6.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172216  D4dc7001900dc9ff2.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172226  D4dd2001a00dccbd6.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172243  D4de3001b00dc0d16.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172251  D4dea001c00dc29b9.SMD   61  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172313  D4e1d00dc7dca.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172329  D4e11001e00dcc072.SMD   70  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172335  D4e16001f00dcd538.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172515  D4e790003011a5901.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172517  D4e7b0004011a6106.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172545  D4e980005011ad1c3.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172626  D4ec1002300dc710e.SMD   60  
| 0 Match
| 10222 46  0   0   5
| sniffer   20020923172702  D4ee4002400dcfa3e.SMD   60  
| 0 Match
| 10222 46  0   0   5
| 

RE: [Declude.JunkMail] Base 64 test

2002-09-23 Thread Madscientist

Anecdotally this makes a lot of sense. It was primarily porn spam that
caused us to move our filterchain module development forward in the sniffer
program.
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of John Tolmachoff
]Sent: Monday, September 23, 2002 2:02 AM
]To: [EMAIL PROTECTED]
]Subject: [Declude.JunkMail] Base 64 test
]
]
]Since implementing the base 64 test, I am noticing that adult junkmail
]that is in HTML format is getting caught by this.
]
]As I am out of the office this week and working from home, when I have
]time I am going to investigate this further.
]
]Any one else noticing this?
]
]John Tolmachoff
]IT Manager, Network Engineer
]RelianceSoft, Inc.
]Fullerton, CA  92835
]www.reliancesoft.com
]
]
]


[Declude.JunkMail] Sniffer 1-1 Release

2002-09-17 Thread Madscientist

Hello Declude folks,

Message Sniffer Version 1-1 has been released.
Details, including new features, are listed on the Message Sniffer site.

http://www.sortmonster.com/MessageSniffer/

Thanks!
_M



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

This game subverted the entire office. ;-)
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Alexis D. Gutzman
| Sent: Tuesday, September 17, 2002 11:48 AM
| To: [EMAIL PROTECTED]
| Subject: Re: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| Craig,
| 
| I have two paid hotmail accounts. The one for my 5-year old 
| daughter (it's really a test account for spam-filtering) did 
| not get checked. My other account for Elmer Fudd strangely 
| had a birthyear of 1900 and they were checked.
| 
| I thought that when I set these up I said "no sharing." Does 
| anyone know how old these boxes are?
| 
| You all might enjoy playing our new anti-s*pam game (see 
| sig). Just launched today.
| 
| Alexis
| ---
| Alexis D. Gutzman, Managing Editor, Reports
| MarketingSherpa's Knowledge Store 
| http://torturegame4.emailsherpa.com <= Play "Torture a 
| S^pammer" online game
| 
| - Original Message -
| From: "Craig Gittens" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Tuesday, September 17, 2002 8:59 AM
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| > Sorry, just getting around to reading my 700 or so unread messages.
| > Anyone notice Hotmail put in a few new options a while ago and enabled
| > them for everyone? Click on the options link and choose Personal
| > Profile and scroll to the bottom. You will notice that the two options
| > to 1) Share my email address and 2) Share my other registration
| > information are checked.
| >
| > Craig.
| >
| > -Original Message-
| > From: [EMAIL PROTECTED]
| > [mailto:[EMAIL PROTECTED]]On Behalf Of Tom
| > Sent: Monday, September 16, 2002 5:21 PM
| > To: [EMAIL PROTECTED]
| > Subject: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| >
| >
| > By OREN ETZIONI of the NY TIMES
| > ---
| >
| > A few days ago I created a new e-mail account, and within 24 hours I
| > had received over 25 unsolicited commercial e-mail messages, otherwise
| > known as spam. Even though I'm a professor of computer science, I,
| > like so many others, have failed to protect myself from this daily
| > nuisance. So I welcome
| > t
| >


RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

The problem with this is that once you subscribe it to anything you've
muddied the waters a bit about whether content to that address is spam
or not. If your specific use is such that you don't discriminate then
you've got a reasonable solution... but for truly pure spam, you need to
find ways for the spammers to pick you up - in their typical ways - but
without your prompting. That takes time and effort - and occasionally
luck. The luckiest you can get is for a dictionary search to hit your
spam trap and pump it into one of the "millions" CDs... Once that
happens a few times you'll start getting good traffic that was truly
never solicited. Another lucky method is to have the address picked off
of a web page when some spammer is trolling...

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
| Sent: Tuesday, September 17, 2002 11:30 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I always thought it would make a lot of sense to have an 
| Internal SpamCop address.  
| 
| An address that we can use in Declude so any e-mail that is 
| sent to that address is automatically added to a blacklist 
| address for background deletion.
| 
| If such an address is then easily advertised on a couple of 
| sites that are willing to give you a million dollars or add 
| to your anatomical parts then effectively we can have a 
| preemptive notice easily.  Since the address is not used 
| elsewhere there is no way a legitimate email comes to it.
| 
| This can be a very fast and almost no CPU processing system & 
| be called SPAMTrap
| 
| Regards,
| Kami
| 
| 
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]] On Behalf Of Madscientist
| Sent: Tuesday, September 17, 2002 11:10 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I guess that makes sense.
| We've got a few accounts like that out there - we set them 
| up, forward them into our system for evaluation, and never 
| use them for anything else... but there's a definite 'color' 
| to the content - meaning the spam we get there is skewed to a 
| specific strange attractor - all based on the marketing.
| 
| I'm working on formulating a methodology for setting up 
| spamtraps and tuning them for specific kinds of spam - 
| without opening them to any legitimate email. It's harder 
| than it looks, and takes a lot of time - there's just no 
| rushing it... so far anyway.
| 



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

I guess that makes sense.
We've got a few accounts like that out there - we set them up, forward
them into our system for evaluation, and never use them for anything
else... but there's a definite 'color' to the content - meaning the spam
we get there is skewed to a specific strange attractor - all based on the
marketing.

I'm working on formulating a methodology for setting up spamtraps and
tuning them for specific kinds of spam - without opening them to any
legitimate email. It's harder than it looks, and takes a lot of time -
there's just no rushing it... so far anyway.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Charles Frolick
| Sent: Tuesday, September 17, 2002 11:01 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| I always figured since my hotmail profile says I'm male and 
| over 21 that's why it gets about 160 spam mails (that don't 
| fail their spam filters) per week.  Don't they do the same 
| thing Juno mail does and pay for the service by selling the 
| address to 'Advertising Partners'? My 17 year old sister in 
| law gets no adult spam to her hotmail address at all, and 99% 
| of mine is, that says target marketing to me.  I only have 
| the address as a remote test account, to validate mail 
| routing to my domain hosting customers, and rarely even then. 
| If it were not a free mail account then I would say it would 
| be a lot of work to get it listed, but I know there are only 
| two ways to pay for a service, you pay or the advertisers pay.
| 
| Chuck Frolick
| ArgoNet, Inc.
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
| Sent: Tuesday, September 17, 2002 8:38 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| 
| >Gosh I'd like to know how he made that account and got it spammed so 
| >quickly. That knowledge would be quite a tool.
| 
| By this:
| 
| >| A few days ago I created a new e-mail account, and within 24 hours I
| >| had received over 25 unsolicited commercial e-mail messages,
| >| otherwise known as spam.
| 
| He means "A few days ago I created an account on Hotmail that 
| had once existed, but since I just created it, it's a new 
| E-mail account."
| 
| Unless he was extremely active in trying to receive spam, I 
| can't think of any other way that it could have happened.  
| Or, he may have used his "poetic license" to count the number 
| of spams he received.
| -Scott
| 



RE: [Declude.JunkMail] Toms Kill List

2002-09-17 Thread Madscientist

The preceding @ ensures that the match is an email with the example
domain. The preceding . ensures that the match is the domain used in a
host link like www.example.com and so forth. Without these preceding
characters the following might also match incorrectly...

legitimatexample.com

Using the preceding characters prevents this.

HTH
_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of 
| Sharyn Schmidt
| Sent: Tuesday, September 17, 2002 10:24 AM
| To: Declude Junkmail List
| Subject: [Declude.JunkMail] Toms Kill List
| 
| 
| Morning everyone,
| 
| Because all is going so well, I decided I'd screw with things a bit more :)
| 
| I have just downloaded Tom's Image FX kill list and I'm 
| looking through it. 
| 
| What I don't understand is, what is the difference between these 2 entries:
| 
| @example.com and .example.com
| 
| (obviously the difference is the "@" and the ".", but what 
| exactly does this mean?)
| 
| Thanks in advance,
| Sharyn
| 
| PS: Scott, love the addition of the whitelist line in the logs!
| 
| 
| We are the worldwide producer and marketer of the award 
| winning Cruzan Single Barrel Rum, judged "Best in the World" 
| at the annual San Francisco Wine and Spirits Championships, 
| and the artisan tequilas of Porfidio 100% Agave Tequilas, 
| judged "Best Tequila" four years running by the Wine 
| Enthusiast magazine. For more information, please click (go 
| to) http://www.cruzanrums.com
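
The anchoring described in the reply above, as an added example that is not part of the original thread: it assumes kill-list entries are applied as plain case-insensitive substring tests (an assumption, not Declude's documented behaviour), and goes one step further to show that a leading `@` or `.` still leaves the right-hand side of the match open. The sample strings and the `domain_hit` helper are constructed for illustration.

```python
import re

# Constructed kill-list entries in the forms discussed in the thread.
BARE = ["example.com"]
ANCHORED = ["@example.com", ".example.com"]

# Constructed sample strings (sender addresses and body links).
SAMPLES = [
    "spammer@example.com",
    "http://www.example.com/offer",
    "bob@legitimatexample.com",
    "alice@example.com.invalid",
    "http://www.example.com.invalid/",
]

def substring_hit(entries, text):
    """Case-insensitive substring test (assumed kill-list behaviour)."""
    text = text.lower()
    return any(entry.lower() in text for entry in entries)

def domain_hit(domain, text):
    """Hypothetical stricter check: compare whole host names, label by label."""
    domain = domain.lower().rstrip(".")
    hosts = re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
    return any(h == domain or h.endswith("." + domain) for h in hosts)

def compare(samples=SAMPLES):
    """Return {sample: (bare, anchored, strict)} for each sample string."""
    return {
        s: (substring_hit(BARE, s), substring_hit(ANCHORED, s),
            domain_hit("example.com", s))
        for s in samples
    }

if __name__ == "__main__":
    for sample, verdict in compare().items():
        print(f"{sample:34} bare={verdict[0]!s:5} anchored={verdict[1]!s:5} "
              f"strict={verdict[2]}")
```

The last two samples are the cases the leading character alone does not cover: the entry still matches when the listed domain is only a prefix of a longer host name.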



RE: [Declude.JunkMail] HELOBOGUS

2002-09-17 Thread Madscientist

It might be a good test to put into the weights.
Another one would be a test that looks at the sender's (from their
address) and fails if the first MX doesn't match up.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of R. 
| Scott Perry
| Sent: Tuesday, September 17, 2002 10:00 AM
| To: [EMAIL PROTECTED]
| Subject: RE: [Declude.JunkMail] HELOBOGUS
| 
| 
| 
| >I spoke in haste, that all makes sense. I am having a tough time with
| >spammers using the mailfrom or return address of the recipient and a
| >wetware problem on the customer end. Is there any way I can stop this?
| >I know, it seems like a catch 22.
| 
| Unfortunately, there isn't any easy way to stop the E-mail that has the
| same return address as the recipient's address -- the problem is that quite
| a few people Cc: themselves on all E-mail, as well as send themselves test
| messages.
| -Scott
| 



RE: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail

2002-09-17 Thread Madscientist

Gosh I'd like to know how he made that account and got it spammed so
quickly. That knowledge would be quite a tool.

_M

| -Original Message-
| From: [EMAIL PROTECTED] 
| [mailto:[EMAIL PROTECTED]] On Behalf Of Tom
| Sent: Monday, September 16, 2002 5:21 PM
| To: [EMAIL PROTECTED]
| Subject: [Declude.JunkMail] Fighting the Menace of Unwanted E-Mail
| 
| 
| By OREN ETZIONI of the NY TIMES
| ---
| 
| A few days ago I created a new e-mail account, and within 24 
| hours I had received over 25 unsolicited commercial e-mail 
| messages, otherwise known as spam. Even though I'm a 




RE: [Declude.JunkMail] Timed weight?

2002-09-11 Thread Madscientist

Now there's a sophisticated element to the test. You could key the time to
the geographic region of the sender's IP range. Not much more work (since
it's generally hard-coded) but makes the test useful for determining the
time of day at the sender's location -- in theory anyway.

Thoughts?
_M

]-Original Message-
]From: [EMAIL PROTECTED]
][mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
]Sent: Wednesday, September 11, 2002 6:39 PM
]To: [EMAIL PROTECTED]
]Subject: Re: [Declude.JunkMail] Timed weight?
]
]
]
]>Only a suggestion, maybe I'm wrong: Can it be useful to give a few
]>points for messages delivered in a certain time range? (for example
]>between 10.00 pm and 05.00 am)
]
]That is a good idea, and something that we have been giving some thought
]to.  It would likely only be beneficial to a small group of our customers
](businesses that do business primarily in their own country, as opposed to
]ISPs and schools and such), but would probably work well for them.
] -Scott
]
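
One way the region-keyed time test suggested above could look, as an added example that is not Declude's code: the IP-range-to-UTC-offset table, the weight value and all function names are assumptions constructed for illustration. The window is the 10 pm to 5 am range from the quoted suggestion, which wraps past midnight and so needs its own comparison.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed table: sender IP range -> UTC offset in hours.
# The networks are documentation ranges, not real senders.
REGION_OFFSETS = [
    (ipaddress.ip_network("192.0.2.0/24"), -5),
    (ipaddress.ip_network("198.51.100.0/24"), 1),
    (ipaddress.ip_network("203.0.113.0/24"), 9),
]
NIGHT_START, NIGHT_END = 22, 5  # 10 pm to 5 am, sender-local time
NIGHT_WEIGHT = 3                # hypothetical points added to the score

def sender_local_hour(ip, received_utc):
    """Hour of day at the sender's region, or None if the range is unknown."""
    addr = ipaddress.ip_address(ip)
    for network, offset in REGION_OFFSETS:
        if addr in network:
            return (received_utc + timedelta(hours=offset)).hour
    return None

def in_window(hour, start=NIGHT_START, end=NIGHT_END):
    """True if hour falls in [start, end), allowing a wrap past midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def timed_weight(ip, received_utc):
    """Weight for one message; unknown regions contribute nothing."""
    hour = sender_local_hour(ip, received_utc)
    if hour is None:
        return 0
    return NIGHT_WEIGHT if in_window(hour) else 0

if __name__ == "__main__":
    received = datetime(2002, 9, 11, 8, 0, tzinfo=timezone.utc)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "10.0.0.1"):
        print(ip, sender_local_hour(ip, received), timed_weight(ip, received))
```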


