RE: [Declude.JunkMail] Return address IP
Good idea, Bill, I hadn't even thought of using ENDSWITH. Bill Thanks for the tip, Bill. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Return address IP
Hi;

I know this subject was discussed but I can not find it in the archives. We are seeing more and more SPAM that have IP address as return address. I just can't think of a legitimate email that would do that.

=
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [4000100f].
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 8.
X-RBL-Warning: WORDFILTERMx: Message failed WORDFILTERMx test (2)
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (215)
X-Declude-Sender: [12.4.218.17]
X-Declude-Spoolname: Db07e004f01f2ba39.SMD
X-Note: This E-mail was scanned filtered by Declude [1.66i2] for SPAM virus.
X-Spam-Tests-Failed: IPNOTINMX, SPAMHEADERS, SPAMCHK, WORDFILTERMx, COUNTRY, WEIGHT20s, WEIGHT20r
X-Weight: 26
=

Was there a decision made on how to treat these? Any way to add weight if return address is an IP? I will keep on searching the archives.

Regards,
Kami
Re: [Declude.JunkMail] Return address IP
> We are seeing more and more SPAM that have IP address as return address. I just can't think of a legitimate email that would do that.

Actually, what is happening here:

X-Declude-Sender: [12.4.218.17]

is that the spammer is using a null return address. In this case, the return address is , which happened to be sent from the IP 12.4.218.17.

> Was there a decision made on how to treat these?

This is what you will see for all bounce messages (and delivery status notifications), which makes it more difficult to handle.

-Scott
RE: [Declude.JunkMail] Return address IP
Hi Kami,

These are all the X-Declude-Sender lines from over 5000 hold messages on our system without an "@" inside:

X-Declude-Sender: C:\`Bulk [68.15.65.94]
X-Declude-Sender: [216.127.33.23]
X-Declude-Sender: [68.35.200.107]
X-Declude-Sender: [212.154.34.10]
X-Declude-Sender: [62.123.0.57]
X-Declude-Sender: [212.41.208.19]
X-Declude-Sender: dtcLISA [212.19.66.109]
X-Declude-Sender: FREE [61.194.11.2]
X-Declude-Sender: [216.127.33.27]
X-Declude-Sender: [216.127.33.27]
X-Declude-Sender: [216.127.33.28]
X-Declude-Sender: [216.127.33.13]

Either most messages of this type pass our filters, or there are only around 0,24% of spam messages using no valid sender address.

As I understand it, an X-Declude-Sender line like the one you've posted means that there was no sender in the SMTP protocol. The IP in [] behind it is the sending SMTP server's address and is indicated in every X-Declude-Sender line.

Scott: Are the "" gathered in any case from the SMTP-Data or are they created from declude if there was no value?

Markus
Re: [Declude.JunkMail] Return address IP
Kami,

I believe this can be nailed with:

MAILFROM 0 CONTAINS

But Scott is correct, this should be used only as a weighted test as it will trigger on every non delivery report and then some.

Markus,

I would like to expand my search to include some of the types you identified. Any idea how to nail these with a content filter?:

X-Declude-Sender: dtcLISA [212.19.66.109]
X-Declude-Sender: FREE [61.194.11.2]

Dan
RE: [Declude.JunkMail] Return address IP
> Are the gathered in any case from the SMTP-Data or are they created from declude if there was no value?

IMail requires that *something* be sent as the MAIL FROM: data, but it could potentially be sent as either or . In either case, Declude will treat it as .

-Scott
RE: [Declude.JunkMail] Return address IP
Hi;

Is it a viable solution to filter the header for:

From:

Regards,
Kami
Re: [Declude.JunkMail] Return address IP
Scott,

So you are saying that

From: dtcLISA [212.19.66.109]

looks the same as

From: [212.19.66.109]

and both are caught by:

MAILFROM 0 CONTAINS

?

Thanks
Dan
RE: [Declude.JunkMail] Return address IP
> I would like to expand my search to include some of the types you identified. Any idea how to nail these with a content filter?:
> X-Declude-Sender: dtcLISA [212.19.66.109]
> X-Declude-Sender: FREE [61.194.11.2]

The problem is that there are not very many messages without a valid sender address (excluding bounce messages and delivery status notifications).

Even if we check all SMTP mailfrom addresses (= X-Declude-Sender) for whether there is a @ inside, this concerns only around 0,24 % of all messages on our system.

At the moment we are doing some research on auto-generated mailfrom addresses using more than 3 consecutive consonants like [EMAIL PROTECTED]. Does anyone have suggestions or objections?

Markus
RE: [Declude.JunkMail] Return address IP
> Is it a viable solution to filter the header for: From:

No -- a spammer would probably send an E-mail with a return address (MAIL FROM) of , but have a header like From: Youwill berich [EMAIL PROTECTED]. You could filter with something like:

MAILFROM 2 CONTAINS

-Scott
Re: [Declude.JunkMail] Return address IP
> So you are saying that From: dtcLISA [212.19.66.109] looks the same as From: [212.19.66.109] and both are caught by: MAILFROM 0 CONTAINS

No. The will only be used if the return address is or , it will not be used under any other conditions. Note that the dtcLISA one will get caught by the MAILFROM test.

-Scott
Re: [Declude.JunkMail] Return address IP
Cool, so all the bases are covered! I also use MAILFROM. :)

Dan
RE: [Declude.JunkMail] Return address IP
The only way I can think of to currently block an e-mail address with an IP after the @ symbol would be something like:

MAILFROM 0 CONTAINS @1
MAILFROM 0 CONTAINS @2

However, this would also flag e-mail addresses like:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

I don't see how, with the current implementation of the filter file, that you could check just the extension of the e-mail address (i.e., .net, .com, .org, etc.). Maybe Scott would consider that as a future feature add. :)

Maybe:

MAILEXTBOGUS extinvalid x x 5 0

Where the e-mail address extension contains anything but valid/approved letter combinations. Or, maybe the MAILFROM (global.cfg) test could include the extension testing, if it is not already doing this.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kami Razvan
Sent: Sunday, January 19, 2003 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Return address IP

Scott.. Thanks.. I guess this still leaves the other variation up for attack..

[EMAIL PROTECTED]

We have seen this also.. When they are sending email with userID and IP. I guess one way to decipher this is if the last characters after the last period are not letters. Can that be a filter?

Regards,
Kami
Re: [Declude.JunkMail] Return address IP
How about this...

MAILFROM 0 ENDSWITH 0
MAILFROM 0 ENDSWITH 1
MAILFROM 0 ENDSWITH 2
...etc
RE: [Declude.JunkMail] Return address IP
Good idea, Bill, I hadn't even thought of using ENDSWITH.

Bill
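The sender checks discussed in this thread, as an added Python example that is not part of any poster's message and is not Declude code: it classifies an SMTP envelope sender and compares the result with the two string heuristics proposed above. It assumes CONTAINS and ENDSWITH behave as plain substring and suffix tests on the address without angle brackets, extends the "@1"/"@2" idea to all ten digits, and uses constructed category names and sample addresses.

```python
import ipaddress

DIGITS = "0123456789"


def strip_brackets(mail_from):
    """Return the address inside an optional <...> wrapper."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1].strip()
    return addr


def classify_mail_from(mail_from):
    """Structural classification of an envelope sender (category names are assumptions)."""
    addr = strip_brackets(mail_from)
    if addr == "":
        return "null-sender"      # also every bounce and DSN: weight it, never block on it
    if "@" not in addr:
        return "no-at-sign"       # e.g. the "dtcLISA" sender quoted in the thread
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    if not domain:
        return "no-domain"
    literal = domain
    if domain.startswith("[") and domain.endswith("]"):
        literal = domain[1:-1]    # address literal form: user@[192.0.2.10]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
    try:
        ipaddress.ip_address(literal)
        return "ip-domain"
    except ValueError:
        pass
    if domain[-1] in DIGITS:
        return "numeric-tld"      # last label ends in a digit but is not an IP
    return "ok"


def contains_at_digit(mail_from):
    """Model of the 'CONTAINS @1', 'CONTAINS @2', ... filter lines."""
    addr = strip_brackets(mail_from)
    return any("@" + d in addr for d in DIGITS)


def endswith_digit(mail_from):
    """Model of the 'ENDSWITH 0', 'ENDSWITH 1', ... filter lines."""
    addr = strip_brackets(mail_from)
    return addr != "" and addr[-1] in DIGITS


# Constructed sample senders (documentation IP range and reserved example domains).
SAMPLES = [
    "<>",
    "dtcLISA",
    "user@192.0.2.10",
    "user@[192.0.2.10]",
    "sales@123greetings.example",
    "user@mail.example.7",
    "alice@example.com",
]


def compare(samples=SAMPLES):
    """Rows of (sender, category, CONTAINS-@digit hit, ENDSWITH-digit hit)."""
    return [(s, classify_mail_from(s), contains_at_digit(s), endswith_digit(s))
            for s in samples]


if __name__ == "__main__":
    for sender, category, c_hit, e_hit in compare():
        print(f"{sender:30} {category:12} contains@digit={c_hit!s:5} endswith_digit={e_hit}")
```

The bracketed literal `user@[192.0.2.10]` is missed by both string heuristics, and a domain that merely starts with a digit trips the CONTAINS form only.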