RE: [Declude.JunkMail] Interesting Spam

2007-09-07 Thread Dave Beckstrom
Found out that invURIBL wasn't working correctly on my server.  It was
finding the wrong IP address for the DNS server.  Once I fixed that, all of
those spams suddenly ceased from being delivered to our inboxes!  *grin  

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
> Sent: Thursday, September 06, 2007 6:58 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Interesting Spam
> 
> I use a command line tool from www.whoisview.com that works well for both
> domains and IP blocks.
> 
> Occasionally I run into a domain that doesn't resolve, but when that happens
> I also have trouble from registrar sites like netsol and godaddy.
> www.freewho.com generally works well, though.
> 
> Darin.
> 
> 
> - Original Message -
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, September 06, 2007 7:40 PM
> Subject: RE: [Declude.JunkMail] Interesting Spam
> 
> 
> Well, the easy part is answering your question about the domains.
> 
> Each of the payload domains was registered today, so whatever service
> you're using to look up the registrations is probably using a database
> at least a day behind.
> 
> I use (for example) this site to my satisfaction:
> 
> http://whois.domaintools.com/sdsdm.com
> 
> 
> 
> Andrew.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Dave Beckstrom
> > Sent: Thursday, September 06, 2007 3:07 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting Spam
> >
> > We're getting a rash of spam that doesn't score high enough
> > to be blocked.
> > In the past I've looked up the domain owner of the site
> > listed in the spam
> > and been able to identify sometimes dozens of domains owned
> > by the spammer,
> > then I've put that list into a filter and blocked the domains
> > before they
> > were all used in new spam sent to us.
> >
> > I did a whois on some of the domains and they all show as
> > available and
> > unregistered.  Yet when I go to the domain, it does take me
> > to the spammers
> > site.  How can these domains be functional and show as available to be
> > registered at the same time?
> >
> > Below is a paste of one of the spams.  I added 3 additional
> > domains that
> > have appeared in this same asshole's spam so that you can see
> > the pattern of
> > domains he is using.
> >
> > How do I block these?
> >
> > Dave
> >
> >
> >
> > X-Note: 
> > X-Note: Spam Score: [18]
> > X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> > X-Note: Spool File: 35111367.eml
> > X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr
> > [88.233.123.242]
> > X-Note: Country Chain: TURKEY->destination
> > X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> > SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> > X-Note: 
> >
> >
> > -Original Message-
> > From: Tam Genois [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 06, 2007 1:15 PM
> > Subject: [SPAM]- Score (12)tuile
> >
> > How it is going Genois
> > Do you want to have an average to small penis all of your
> > life? No, you
> > don't
> >
> > dae Hays
> > http://soltepec.com/
> > http://selenan.com/
> > http://www.seriia.com/
> > http://www.sdsdm.com/
> >
> >
> >
> >
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > type "unsubscribe Declude.JunkMail".  The archives can be found
> > at http://www.mail-archive.com.
> >
> >



RE: [Declude.JunkMail] Interesting Spam

2007-09-07 Thread Dave Beckstrom
I used www.betterwhois.com and the whois service at www.netsol.com and
neither showed the domains had been registered.   Guess I'll have to try
your site.  Thanks!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Thursday, September 06, 2007 6:41 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting Spam
> 
> Well, the easy part is answering your question about the domains.
> 
> Each of the payload domains was registered today, so whatever service
> you're using to look up the registrations is probably using a database
> at least a day behind.
> 
> I use (for example) this site to my satisfaction:
> 
> http://whois.domaintools.com/sdsdm.com
> 
> 
> 
> Andrew.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Dave Beckstrom
> > Sent: Thursday, September 06, 2007 3:07 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting Spam
> >
> > We're getting a rash of spam that doesn't score high enough
> > to be blocked.
> > In the past I've looked up the domain owner of the site
> > listed in the spam
> > and been able to identify sometimes dozens of domains owned
> > by the spammer,
> > then I've put that list into a filter and blocked the domains
> > before they
> > were all used in new spam sent to us.
> >
> > I did a whois on some of the domains and they all show as
> > available and
> > unregistered.  Yet when I go to the domain, it does take me
> > to the spammers
> > site.  How can these domains be functional and show as available to be
> > registered at the same time?
> >
> > Below is a paste of one of the spams.  I added 3 additional
> > domains that
> > have appeared in this same asshole's spam so that you can see
> > the pattern of
> > domains he is using.
> >
> > How do I block these?
> >
> > Dave
> >
> >
> >
> > X-Note: 
> > X-Note: Spam Score: [18]
> > X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> > X-Note: Spool File: 35111367.eml
> > X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> > X-Note: SMTP Sender: [EMAIL PROTECTED]
> > X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr
> > [88.233.123.242]
> > X-Note: Country Chain: TURKEY->destination
> > X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> > SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> > X-Note: 
> >
> >
> > -Original Message-
> > From: Tam Genois [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 06, 2007 1:15 PM
> > Subject: [SPAM]- Score (12)tuile
> >
> > How it is going Genois
> > Do you want to have an average to small penis all of your
> > life? No, you
> > don't
> >
> > dae Hays
> > http://soltepec.com/
> > http://selenan.com/
> > http://www.seriia.com/
> > http://www.sdsdm.com/
> >



Re: [Declude.JunkMail] Interesting Spam

2007-09-06 Thread Darin Cox
I use a command line tool from www.whoisview.com that works well for both 
domains and IP blocks.

Occasionally I run into a domain that doesn't resolve, but when that happens 
I also have trouble from registrar sites like netsol and godaddy. 
www.freewho.com generally works well, though.

Darin.


- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, September 06, 2007 7:40 PM
Subject: RE: [Declude.JunkMail] Interesting Spam


Well, the easy part is answering your question about the domains.

Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably using a database
at least a day behind.

I use (for example) this site to my satisfaction:

http://whois.domaintools.com/sdsdm.com



Andrew.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dave Beckstrom
> Sent: Thursday, September 06, 2007 3:07 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Interesting Spam
>
> We're getting a rash of spam that doesn't score high enough
> to be blocked.
> In the past I've looked up the domain owner of the site
> listed in the spam
> and been able to identify sometimes dozens of domains owned
> by the spammer,
> then I've put that list into a filter and blocked the domains
> before they
> were all used in new spam sent to us.
>
> I did a whois on some of the domains and they all show as
> available and
> unregistered.  Yet when I go to the domain, it does take me
> to the spammers
> site.  How can these domains be functional and show as available to be
> registered at the same time?
>
> Below is a paste of one of the spams.  I added 3 additional
> domains that
> have appeared in this same asshole's spam so that you can see
> the pattern of
> domains he is using.
>
> How do I block these?
>
> Dave
>
>
>
> X-Note: 
> X-Note: Spam Score: [18]
> X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> X-Note: Spool File: 35111367.eml
> X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> X-Note: SMTP Sender: [EMAIL PROTECTED]
> X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr
> [88.233.123.242]
> X-Note: Country Chain: TURKEY->destination
> X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> X-Note: 
>
>
> -Original Message-
> From: Tam Genois [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 06, 2007 1:15 PM
> Subject: [SPAM]- Score (12)tuile
>
> How it is going Genois
> Do you want to have an average to small penis all of your
> life? No, you
> don't
>
> dae Hays
> http://soltepec.com/
> http://selenan.com/
> http://www.seriia.com/
> http://www.sdsdm.com/
>



RE: [Declude.JunkMail] Interesting Spam

2007-09-06 Thread Colbeck, Andrew
Well, the easy part is answering your question about the domains.

Each of the payload domains was registered today, so whatever service
you're using to look up the registrations is probably using a database
at least a day behind.

I use (for example) this site to my satisfaction:

http://whois.domaintools.com/sdsdm.com



Andrew.


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Dave Beckstrom
> Sent: Thursday, September 06, 2007 3:07 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Interesting Spam
> 
> We're getting a rash of spam that doesn't score high enough 
> to be blocked.
> In the past I've looked up the domain owner of the site 
> listed in the spam
> and been able to identify sometimes dozens of domains owned 
> by the spammer,
> then I've put that list into a filter and blocked the domains 
> before they
> were all used in new spam sent to us.
> 
> I did a whois on some of the domains and they all show as 
> available and
> unregistered.  Yet when I go to the domain, it does take me 
> to the spammers
> site.  How can these domains be functional and show as available to be
> registered at the same time?
> 
> Below is a paste of one of the spams.  I added 3 additional 
> domains that
> have appeared in this same asshole's spam so that you can see 
> the pattern of
> domains he is using. 
> 
> How do I block these?
> 
> Dave
> 
> 
> 
> X-Note: 
> X-Note: Spam Score: [18]
> X-Note: Scan Time: 16:47:18 on 06 Sep 2007
> X-Note: Spool File: 35111367.eml
> X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
> X-Note: SMTP Sender: [EMAIL PROTECTED]
> X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr 
> [88.233.123.242]
> X-Note: Country Chain: TURKEY->destination
> X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
> SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
> X-Note: 
> 
> 
> -Original Message-
> From: Tam Genois [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 06, 2007 1:15 PM
> Subject: [SPAM]- Score (12)tuile
> 
> How it is going Genois
> Do you want to have an average to small penis all of your 
> life? No, you
> don't
> 
> dae Hays
> http://soltepec.com/
> http://selenan.com/
> http://www.seriia.com/
> http://www.sdsdm.com/
> 



[Declude.JunkMail] Interesting Spam

2007-09-06 Thread Dave Beckstrom
We're getting a rash of spam that doesn't score high enough to be blocked.
In the past I've looked up the domain owner of the site listed in the spam
and been able to identify sometimes dozens of domains owned by the spammer,
then I've put that list into a filter and blocked the domains before they
were all used in new spam sent to us.

I did a whois on some of the domains and they all show as available and
unregistered.  Yet when I go to the domain, it does take me to the spammers
site.  How can these domains be functional and show as available to be
registered at the same time?

Below is a paste of one of the spams.  I added 3 additional domains that
have appeared in this same asshole's spam so that you can see the pattern of
domains he is using. 

How do I block these?

Dave



X-Note: 
X-Note: Spam Score: [18]
X-Note: Scan Time: 16:47:18 on 06 Sep 2007
X-Note: Spool File: 35111367.eml
X-Note: Server Name: dsl88-233-31730.ttnet.net.tr
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: dsl88-233-31730.ttnet.net.tr [88.233.123.242]
X-Note: Country Chain: TURKEY->destination
X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
X-Note: 


-Original Message-
From: Tam Genois [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 06, 2007 1:15 PM
Subject: [SPAM]- Score (12)tuile

How it is going Genois
Do you want to have an average to small penis all of your life? No, you
don't

dae Hays
http://soltepec.com/
http://selenan.com/
http://www.seriia.com/
http://www.sdsdm.com/





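The procedure Dave describes above (pull the spamvertised domains out of a message and check them against a filter list of the spammer's known domains) as an added worked example; this is illustration code, not Declude or invURIBL code. The X-Note headers and body are taken from the pasted spam; the contents of DOMAIN_FILTER are constructed, standing in for domains an operator had already collected.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# The X-Note headers and body as pasted in the post, assembled here into
# one message so the example runs offline.
SAMPLE_MESSAGE = """\
X-Note: Spam Score: [18]
X-Note: Failed Weights: SORBS-WEB [5], FIVETENSRC [4], HELOBOGUS [5],
  SPFUNKNOWN [1], Filter_Country [8], WEIGHT10 [10], WEIGHT14 [14]
Subject: [SPAM]- Score (12)tuile

How it is going Genois

dae Hays
http://soltepec.com/
http://selenan.com/
http://www.seriia.com/
http://www.sdsdm.com/
"""

# Constructed filter list: domains an operator had already collected from
# the same spammer's earlier mailings (hypothetical contents).
DOMAIN_FILTER = {"soltepec.com", "selenan.com"}

WEIGHT_RE = re.compile(r"([\w-]+) \[(\d+)\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_x_notes(msg):
    """Return (spam score, {test name: weight}) from Declude-style X-Note
    headers. Only the values the headers carry are read; nothing is
    recomputed."""
    score, weights = None, {}
    for note in msg.get_all("X-Note", []):
        note = " ".join(note.split())          # unfold continuation lines
        if note.startswith("Spam Score:"):
            score = int(re.search(r"\[(\d+)\]", note).group(1))
        elif note.startswith("Failed Weights:"):
            weights = {name: int(w) for name, w in WEIGHT_RE.findall(note)}
    return score, weights


def extract_hosts(body):
    """Lower-cased, de-duplicated hostnames of every http(s) URL in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return sorted(hosts)


def listed_parent(host, domain_filter):
    """Walk from the full host up through its parents and return the filter
    entry that covers it ('www.sdsdm.com' is covered by 'sdsdm.com'), or
    None. The bare TLD is never consulted, and a look-alike such as
    'sdsdm.com.example.org' does not match."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domain_filter:
            return candidate
    return None


def analyze(raw_message, domain_filter=DOMAIN_FILTER):
    """Score and failed tests from the headers, spamvertised hosts from the
    body, and which of those hosts the filter already covers."""
    msg = message_from_string(raw_message)
    score, weights = parse_x_notes(msg)
    hosts = extract_hosts(msg.get_payload())
    matches = {h: listed_parent(h, domain_filter) for h in hosts}
    return {
        "score": score,
        "failed_weights": weights,
        "hosts": hosts,
        "blocked": {h: e for h, e in matches.items() if e},
        "unlisted": [h for h, e in matches.items() if not e],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("score", result["score"], "failed:", result["failed_weights"])
    print("already in filter:", result["blocked"])
    print("new, add to filter:", result["unlisted"])
```

The two hosts reported as unlisted are exactly the ones a static filter lags behind on, which is the gap a URI blocklist feed fills.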



RE: [Declude.JunkMail] Interesting ORF stats

2006-12-15 Thread John T \(Lists\)
Now, to be fair, I am only using ORF for very simple blocking and I am only
using the following list of tests, so comparing my ORF stats with Alligate
is not appropriate:

Malformed HELO
HELO matches recipient domain
Valid REVDNS
Sender blacklist, either domain or email address
Attachment blocking policy
Valid recipient
F-Prot scanning 

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Friday, December 15, 2006 9:48 AM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting ORF stats
> 
> Ditto!  95%+ with Alligate.
> 
> -Jay
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
> Hayer
> Sent: Friday, December 15, 2006 9:42 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Interesting ORF stats
> 
> 
> Hi John,
> 
> John T (Lists) wrote:
> > I have 3 gateway servers running IIS with ORF. These are my MX records for
> > all my domains.
> >
> > ORF has identified and blocked 71% of incoming email on my primary gateway.
> > ORF has identified and blocked 81% of incoming email on my secondary
> > gateway.
> I see the secondaries get more traffic as well - although I am not sure
> it's deliberate or it's that the zombies do not know better -
> [Regretfully I have abandoned ORF for the Alligate gateway. I am in the
> high nineties, 96%+ with Brian's product...]
> 
> -Nick
> 
> 



RE: [Declude.JunkMail] Interesting ORF stats

2006-12-15 Thread Jay Sudowski - Handy Networks LLC
Ditto!  95%+ with Alligate.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Hayer
Sent: Friday, December 15, 2006 9:42 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Interesting ORF stats


Hi John,

John T (Lists) wrote:
> I have 3 gateway servers running IIS with ORF. These are my MX records for
> all my domains.
>
> ORF has identified and blocked 71% of incoming email on my primary gateway.
> ORF has identified and blocked 81% of incoming email on my secondary
> gateway.
I see the secondaries get more traffic as well - although I am not sure
it's deliberate or it's that the zombies do not know better -
[Regretfully I have abandoned ORF for the Alligate gateway. I am in the
high nineties, 96%+ with Brian's product...]

-Nick





Re: [Declude.JunkMail] Interesting ORF stats

2006-12-15 Thread Nick Hayer

Hi John,

John T (Lists) wrote:

> I have 3 gateway servers running IIS with ORF. These are my MX records for
> all my domains.
>
> ORF has identified and blocked 71% of incoming email on my primary gateway.
> ORF has identified and blocked 81% of incoming email on my secondary
> gateway.

I see the secondaries get more traffic as well - although I am not sure
it's deliberate or it's that the zombies do not know better -
[Regretfully I have abandoned ORF for the Alligate gateway. I am in the
high nineties, 96%+ with Brian's product...]


-Nick





Re: [Declude.JunkMail] Interesting ORF stats

2006-12-15 Thread Darrell \([EMAIL PROTECTED])
>> Goes to prove spammers are still trying the lowest priority MX record to get
>> around spam filters.

That is very true.  I think the mindset is that folks don't have access to 
features like IPBYPASS and trust mail coming from their backup mail server 
by default.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and ORF. 
Stop spam at the source the spamvertised domain.  More effective than 
traditional RBL's.  Try it today - http://www.invariantsystems.com







[Declude.JunkMail] Interesting ORF stats

2006-12-14 Thread John T \(Lists\)
I have 3 gateway servers running IIS with ORF. These are my MX records for
all my domains.

ORF has identified and blocked 71% of incoming email on my primary gateway.
ORF has identified and blocked 81% of incoming email on my secondary
gateway. (Interesting in that my primary and secondary carry the same value
in their MX records although my primary handles all outgoing as well.)
ORF has identified and blocked 94% of incoming email to my third gateway,
which has a lower value and is on a slow IDSL line.

Goes to prove spammers are still trying the lowest priority MX record to get
around spam filters.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)









Re: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Matt




I would suggest not using Blackice to deal with spam issues, and using
an anti-spam gateway that has greylisting, tarpiting, abuse detection
and prevention, and address validation.  Here's a list of products that
have those capabilities that I know of:
Alligate Gateway
MS SMTP/Vamsoft ORF
IMgate (or other open source Linux MTA's with anti-spam connection
handling)

I use Alligate Gateway and I swear by it.  It blocks on average about
92% to 94% of connections to my gateways and the only FP's are caused
by seriously non-compliant senders (not tolerating tarpitting of less
than 1 minute if triggered and not spooling/retrying if greylisting is
triggered).  I'm not aware of Declude Interceptor yet supporting all of
the capabilities that I outlined, but I would imagine that they are at
least looking into these things.

IMO, it is dangerous to block IP's for more than a very short time due
to bad address attempts because there is plenty of this that happens
from legitimate servers and from even one's own clients.  The only time
to place a time based block for an IP should be when a mail bombing
attempt is detected, and these are very rare.  Spammers doing brute
force spam attacks (aka dictionary attacks) almost always do this in a
distributed manner and most don't hit a server more than once per day
for a 1 minute or less period with a particular IP.  So blocking those
IP's does little.  My gateway handles up to 1.1 million connections a
day, and I average around 700 concurrent connections, and the software
averages maybe 5% CPU utilization on my box.  My box also doles out
about 2/3 of a year's worth of tarpit time every day.  This hampers
spammers so much that many of them now disconnect after a very short
period of being tarpitted.  I have only had to whitelist one host from
these protections in around 6 months of operation, so it takes care of
itself.

Matt



Jay Sudowski - Handy Networks LLC wrote:

Well, it didn't run for us.  We tried and it caused random BSOD and ISS
wouldn't provide any support.

-Jay


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 7:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Blackice runs perfect on Windows 2003 server.  I posted the install
instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection
as
part of their spam checking.  In that case, you might see 2 connections
which would be legitimate.

What setting did you change in blackice to drop those IPs with multiple
connections?



  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay
Sudowski - Handy Networks LLC
Sent: Thursday, October 12, 2006 7:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Of course, BlackIce does not support Windows 2003.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS.

It can detect multiple SMTP connections and close IPs down
automatically.

It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our
server.  I
then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of the
IPs connected were for potentially legitimate email.  We don't get any
legitimate email from other Countries so everything not from the USA would
be spam.

Any idea why a spammer would open more than one SMTP connection?


IP address        Connections  Country
202.139.211.241   5            Thailand
88.0.230.26       4            Spain
71.55.71.138      2            USA
87.219.166.9      2            Spain
213.85.39.108     1            Russian Federation
84.77.107.183     1            Spain
83.131.106.234    1            Croatia
84.61.135.61      1            Germany
83.84.74.219      1            Netherlands
90.9.36.180       1            France
83.167.108.79     1            Russian Federation
67.172.162.33     1            USA
84.54.248.96      1            Russian Federation
86.75.242.215     1            France
201.208.171.250   1            Venezuela
88.204.240.177    1            Kazakstan
82.158.0.237      1            Spain
69.30.246.125     1            USA
200.168.86.224    1            Brazil
83.167.108.44     1            Russian Federation
75.41.79.203      1            USA
200.206.252.123   1            Brazil
84.60.109.148     1            Germany





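The two connection-handling protections this message turns on (a cap on simultaneous sessions from one source, which is what Dave's snapshot table counts, and greylisting, which defers an unknown sender/recipient pair until it retries) as a small added model; this is illustration code, not Alligate, ORF, BlackICE or Declude. The defaults are assumptions (the cap is 3 rather than 2 so the second spam-check connection Dave mentions does not trip it), the clock is passed in so it runs offline, and the addresses are constructed documentation-range values.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ConnectionPolicy:
    # Assumed defaults. max_concurrent is 3 rather than 2 so that the extra
    # spam-check connection some legitimate servers open does not, on its
    # own, trip the cap.
    max_concurrent: int = 3
    greylist_delay: int = 300        # seconds before a retry is accepted
    greylist_ttl: int = 4 * 3600     # forget a pending triplet after this
    whitelisted: set = field(default_factory=set)
    active: Counter = field(default_factory=Counter)   # ip -> open sessions
    first_seen: dict = field(default_factory=dict)     # triplet -> time
    known: set = field(default_factory=set)            # triplets that retried

    def on_connect(self, ip):
        """TCP accept decision: refuse a source that already holds
        max_concurrent sessions (the 5-connection entry in the snapshot)."""
        if ip not in self.whitelisted and self.active[ip] >= self.max_concurrent:
            return "reject"
        self.active[ip] += 1
        return "accept"

    def on_disconnect(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1

    def on_rcpt(self, ip, sender, rcpt, now):
        """Greylisting at RCPT TO. Returns the SMTP reply code to send:
        451 defers an unknown (ip, sender, rcpt) triplet; a compliant MTA
        spools and retries, a sender that never retries never gets a 250."""
        key = (ip, sender.lower(), rcpt.lower())
        if ip in self.whitelisted or key in self.known:
            return 250
        first = self.first_seen.get(key)
        if first is None or now - first > self.greylist_ttl:
            self.first_seen[key] = now      # new (or long-forgotten) triplet
            return 451
        if now - first < self.greylist_delay:
            return 451                      # retried too quickly
        self.known.add(key)                 # passed: accept from now on
        del self.first_seen[key]
        return 250

    def snapshot(self):
        """Open sessions per source, busiest first, like the table above."""
        return self.active.most_common()


def demo():
    """Replay a constructed event sequence and return the decisions."""
    p = ConnectionPolicy()
    out = []
    # Four simultaneous sessions from one host: the fourth is refused.
    for _ in range(4):
        out.append(p.on_connect("203.0.113.5"))
    triplet = ("198.51.100.9", "a@example.net", "b@example.com")
    out.append(p.on_rcpt(*triplet, now=0))     # unknown: deferred
    out.append(p.on_rcpt(*triplet, now=60))    # retried too soon: deferred
    out.append(p.on_rcpt(*triplet, now=400))   # retried after delay: accepted
    out.append(p.on_rcpt(*triplet, now=401))   # known triplet: accepted at once
    # A different recipient from the same host starts its own wait.
    out.append(p.on_rcpt("198.51.100.9", "a@example.net", "c@example.com", now=500))
    return out


if __name__ == "__main__":
    print(demo())
```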

RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Jay,

I can tell you why it didn't run for you.  You have to turn DEP (Data
Execution Prevention) off on the server.   That will eliminate the BSOD and
blackice will run flawlessly.



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, October 12, 2006 8:46 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Well, it didn't run for us.  We tried and it caused random BSOD and ISS
> wouldn't provide any support.
> 
> -Jay
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, October 12, 2006 7:38 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Blackice runs perfect on Windows 2003 server.  I posted the install
> instructions on this list a couple of weeks ago.
> 
> Craig -- I believe some email servers will open a secondary connection
> as
> part of their spam checking.  In that case, you might see 2 connections
> which would be legitimate.
> 
> What setting did you change in blackice to drop those IPs with multiple
> connections?
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> > Sudowski - Handy Networks LLC
> > Sent: Thursday, October 12, 2006 7:59 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> >
> > Of course, BlackIce does not support Windows 2003.
> >
> > -Jay
> >
> > -Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Craig Edmonds
> > Sent: Thursday, October 12, 2006 3:51 PM
> > To: declude.junkmail@declude.com
> > Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> > Importance: High
> >
> > That's why I now use Blackice Server from IIS.
> >
> > It can detect multiple SMTP connections and close IPs down
> > automatically.
> >
> > It's pretty slick.
> >
> > Kindest Regards
> > Craig Edmonds
> > 123 Marbella Internet
> > W: www.123marbella.com
> >
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> > Beckstrom
> > Sent: Thursday, October 12, 2006 11:24 PM
> > To: declude.junkmail@declude.com
> > Subject: [Declude.JunkMail] Interesting SMTP connection patterns
> >
> > Yesterday I took a snapshot of the SMTP connections active on our
> > server.  I
> > then did a reverse IP to find out where they were from.
> >
> > Below are the results.  You can see someone from Thailand had 5 SMTP
> > connections active and Spain had 4.  You can also see that only 3 of the
> > IPs connected were for potentially legitimate email.  We don't get any
> > legitimate email from other Countries so everything not from the USA would
> > be spam.
> >
> > Any idea why a spammer would open more than one SMTP connection?
> >
> >
> > IP address        Connections  Country
> > 202.139.211.241   5            Thailand
> > 88.0.230.26       4            Spain
> > 71.55.71.138      2            USA
> > 87.219.166.9      2            Spain
> > 213.85.39.108     1            Russian Federation
> > 84.77.107.183     1            Spain
> > 83.131.106.234    1            Croatia
> > 84.61.135.61      1            Germany
> > 83.84.74.219      1            Netherlands
> > 90.9.36.180       1            France
> > 83.167.108.79     1            Russian Federation
> > 67.172.162.33     1            USA
> > 84.54.248.96      1            Russian Federation
> > 86.75.242.215     1            France
> > 201.208.171.250   1            Venezuela
> > 88.204.240.177    1            Kazakstan
> > 82.158.0.237      1            Spain
> > 69.30.246.125     1            USA
> > 200.168.86.224    1            Brazil
> > 83.167.108.44     1            Russian Federation
> > 75.41.79.203      1            USA
> > 200.206.252.123   1            Brazil
> > 84.60.109.148     1            Germany
> >
> >
> >
> >
> >

RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Jay Sudowski - Handy Networks LLC
Well, it didn't run for us.  We tried and it caused random BSOD and ISS
wouldn't provide any support.

-Jay


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 7:38 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns

Blackice runs perfectly on Windows 2003 server.  I posted the install
instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection
as part of their spam checking.  In that case, you might see 2 connections
which would be legitimate.

What setting did you change in blackice to drop those IPs with multiple
connections?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, October 12, 2006 7:59 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Of course, BlackIce does not support Windows 2003.
> 
> -Jay
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Craig Edmonds
> Sent: Thursday, October 12, 2006 3:51 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> Importance: High
> 
> That's why I now use Blackice Server from IIS.
> 
> It can detect multiple SMTP connections and close IPs down
> automatically.
> 
> It's pretty slick.
> 
> Kindest Regards
> Craig Edmonds
> 123 Marbella Internet
> W: www.123marbella.com
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, October 12, 2006 11:24 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Yesterday I took a snapshot of the SMTP connections active on our
> server.  I then did a reverse IP to find out where they were from.
> 
> Below are the results.  You can see someone from Thailand had 5 SMTP
> connections active and Spain had 4.  You can also see that only 3 of
> the IPs connected were for potentially legitimate email.  We don't get
> any legitimate email from other countries so everything not from the
> USA would be spam.
> 
> Any idea why a spammer would open more than one SMTP connection?
> 
> 
> 202.139.211.241  5  Thailand
> 88.0.230.26      4  Spain
> 71.55.71.138     2  USA
> 87.219.166.9     2  Spain
> 213.85.39.108    1  Russian Federation
> 84.77.107.183    1  Spain
> 83.131.106.234   1  Croatia
> 84.61.135.61     1  Germany
> 83.84.74.219     1  Netherlands
> 90.9.36.180      1  France
> 83.167.108.79    1  Russian Federation
> 67.172.162.33    1  USA
> 84.54.248.96     1  Russian Federation
> 86.75.242.215    1  France
> 201.208.171.250  1  Venezuela
> 88.204.240.177   1  Kazakstan
> 82.158.0.237     1  Spain
> 69.30.246.125    1  USA
> 200.168.86.224   1  Brazil
> 83.167.108.44    1  Russian Federation
> 75.41.79.203     1  USA
> 200.206.252.123  1  Brazil
> 84.60.109.148    1  Germany
> 



RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Darrell,

I wondered if that might be the case.  Thanks for the info!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell
> ([EMAIL PROTECTED])
> Sent: Thursday, October 12, 2006 4:44 PM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Dave,
> 
> That is really not that uncommon.  I see this with very aggressive
> spammers who are trying to get the most spam through in the least amount
> of time and have no disregard for crashing the server they are sending
> spam to...
> 
> Darrell
>  ---
> Check out http://www.invariantsystems.com for utilities for Declude,
> Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI
> integration, MRTG Integration, and Log Parsers.
> 
> 
> Dave Beckstrom writes:
> 
> > Yesterday I took a snapshot of the SMTP connections active on our
> > server.  I then did a reverse IP to find out where they were from.
> >
> > Below are the results.  You can see someone from Thailand had 5 SMTP
> > connections active and Spain had 4.  You can also see that only 3 of
> > the IPs connected were for potentially legitimate email.  We don't get
> > any legitimate email from other countries so everything not from the
> > USA would be spam.
> >
> > Any idea why a spammer would open more than one SMTP connection?
> >
> >
> > 202.139.211.241  5  Thailand
> > 88.0.230.26      4  Spain
> > 71.55.71.138     2  USA
> > 87.219.166.9     2  Spain
> > 213.85.39.108    1  Russian Federation
> > 84.77.107.183    1  Spain
> > 83.131.106.234   1  Croatia
> > 84.61.135.61     1  Germany
> > 83.84.74.219     1  Netherlands
> > 90.9.36.180      1  France
> > 83.167.108.79    1  Russian Federation
> > 67.172.162.33    1  USA
> > 84.54.248.96     1  Russian Federation
> > 86.75.242.215    1  France
> > 201.208.171.250  1  Venezuela
> > 88.204.240.177   1  Kazakstan
> > 82.158.0.237     1  Spain
> > 69.30.246.125    1  USA
> > 200.168.86.224   1  Brazil
> > 83.167.108.44    1  Russian Federation
> > 75.41.79.203     1  USA
> > 200.206.252.123  1  Brazil
> > 84.60.109.148    1  Germany
> >



RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Blackice runs perfectly on Windows 2003 server.  I posted the install
instructions on this list a couple of weeks ago.

Craig -- I believe some email servers will open a secondary connection as
part of their spam checking.  In that case, you might see 2 connections
which would be legitimate.

What setting did you change in blackice to drop those IPs with multiple
connections?



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay
> Sudowski - Handy Networks LLC
> Sent: Thursday, October 12, 2006 7:59 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Of course, BlackIce does not support Windows 2003.
> 
> -Jay
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Craig Edmonds
> Sent: Thursday, October 12, 2006 3:51 PM
> To: declude.junkmail@declude.com
> Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
> Importance: High
> 
> That's why I now use Blackice Server from IIS.
> 
> It can detect multiple SMTP connections and close IPs down
> automatically.
> 
> It's pretty slick.
> 
> Kindest Regards
> Craig Edmonds
> 123 Marbella Internet
> W: www.123marbella.com
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Thursday, October 12, 2006 11:24 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Interesting SMTP connection patterns
> 
> Yesterday I took a snapshot of the SMTP connections active on our
> server.  I then did a reverse IP to find out where they were from.
> 
> Below are the results.  You can see someone from Thailand had 5 SMTP
> connections active and Spain had 4.  You can also see that only 3 of
> the IPs connected were for potentially legitimate email.  We don't get
> any legitimate email from other countries so everything not from the
> USA would be spam.
> 
> Any idea why a spammer would open more than one SMTP connection?
> 
> 
> 202.139.211.241  5  Thailand
> 88.0.230.26      4  Spain
> 71.55.71.138     2  USA
> 87.219.166.9     2  Spain
> 213.85.39.108    1  Russian Federation
> 84.77.107.183    1  Spain
> 83.131.106.234   1  Croatia
> 84.61.135.61     1  Germany
> 83.84.74.219     1  Netherlands
> 90.9.36.180      1  France
> 83.167.108.79    1  Russian Federation
> 67.172.162.33    1  USA
> 84.54.248.96     1  Russian Federation
> 86.75.242.215    1  France
> 201.208.171.250  1  Venezuela
> 88.204.240.177   1  Kazakstan
> 82.158.0.237     1  Spain
> 69.30.246.125    1  USA
> 200.168.86.224   1  Brazil
> 83.167.108.44    1  Russian Federation
> 75.41.79.203     1  USA
> 200.206.252.123  1  Brazil
> 84.60.109.148    1  Germany
> 



RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Jay Sudowski - Handy Networks LLC
Of course, BlackIce does not support Windows 2003.

-Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Craig Edmonds
Sent: Thursday, October 12, 2006 3:51 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Interesting SMTP connection patterns
Importance: High

That's why I now use Blackice Server from IIS.

It can detect multiple SMTP connections and close IPs down
automatically.

It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our
server.  I then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of
the IPs connected were for potentially legitimate email.  We don't get
any legitimate email from other countries so everything not from the
USA would be spam.

Any idea why a spammer would open more than one SMTP connection?


202.139.211.241  5  Thailand
88.0.230.26      4  Spain
71.55.71.138     2  USA
87.219.166.9     2  Spain
213.85.39.108    1  Russian Federation
84.77.107.183    1  Spain
83.131.106.234   1  Croatia
84.61.135.61     1  Germany
83.84.74.219     1  Netherlands
90.9.36.180      1  France
83.167.108.79    1  Russian Federation
67.172.162.33    1  USA
84.54.248.96     1  Russian Federation
86.75.242.215    1  France
201.208.171.250  1  Venezuela
88.204.240.177   1  Kazakstan
82.158.0.237     1  Spain
69.30.246.125    1  USA
200.168.86.224   1  Brazil
83.167.108.44    1  Russian Federation
75.41.79.203     1  USA
200.206.252.123  1  Brazil
84.60.109.148    1  Germany








RE: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Craig Edmonds
That's why I now use Blackice Server from IIS.

It can detect multiple SMTP connections and close IPs down automatically.

It's pretty slick.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, October 12, 2006 11:24 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Interesting SMTP connection patterns

Yesterday I took a snapshot of the SMTP connections active on our server.  I
then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of the IPs
connected were for potentially legitimate email.  We don't get any
legitimate email from other countries so everything not from the USA would
be spam.

Any idea why a spammer would open more than one SMTP connection?


202.139.211.241  5  Thailand
88.0.230.26      4  Spain
71.55.71.138     2  USA
87.219.166.9     2  Spain
213.85.39.108    1  Russian Federation
84.77.107.183    1  Spain
83.131.106.234   1  Croatia
84.61.135.61     1  Germany
83.84.74.219     1  Netherlands
90.9.36.180      1  France
83.167.108.79    1  Russian Federation
67.172.162.33    1  USA
84.54.248.96     1  Russian Federation
86.75.242.215    1  France
201.208.171.250  1  Venezuela
88.204.240.177   1  Kazakstan
82.158.0.237     1  Spain
69.30.246.125    1  USA
200.168.86.224   1  Brazil
83.167.108.44    1  Russian Federation
75.41.79.203     1  USA
200.206.252.123  1  Brazil
84.60.109.148    1  Germany








Re: [Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Darrell \([EMAIL PROTECTED])
Dave, 

That is really not that uncommon.  I see this with very aggressive spammers 
who are trying to get the most spam through in the least amount of time and 
have no disregard for crashing the server they are sending spam to... 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



Dave Beckstrom writes: 


Yesterday I took a snapshot of the SMTP connections active on our server.  I
then did a reverse IP to find out where they were from. 


Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of the IPs
connected were for potentially legitimate email.  We don't get any
legitimate email from other countries so everything not from the USA would
be spam.

Any idea why a spammer would open more than one SMTP connection?


202.139.211.241  5  Thailand
88.0.230.26      4  Spain
71.55.71.138     2  USA
87.219.166.9     2  Spain
213.85.39.108    1  Russian Federation
84.77.107.183    1  Spain
83.131.106.234   1  Croatia
84.61.135.61     1  Germany
83.84.74.219     1  Netherlands
90.9.36.180      1  France
83.167.108.79    1  Russian Federation
67.172.162.33    1  USA
84.54.248.96     1  Russian Federation
86.75.242.215    1  France
201.208.171.250  1  Venezuela
88.204.240.177   1  Kazakstan
82.158.0.237     1  Spain
69.30.246.125    1  USA
200.168.86.224   1  Brazil
83.167.108.44    1  Russian Federation
75.41.79.203     1  USA
200.206.252.123  1  Brazil
84.60.109.148    1  Germany

 

 





[Declude.JunkMail] Interesting SMTP connection patterns

2006-10-12 Thread Dave Beckstrom
Yesterday I took a snapshot of the SMTP connections active on our server.  I
then did a reverse IP to find out where they were from.

Below are the results.  You can see someone from Thailand had 5 SMTP
connections active and Spain had 4.  You can also see that only 3 of the IPs
connected were for potentially legitimate email.  We don't get any
legitimate email from other countries so everything not from the USA would
be spam.

Any idea why a spammer would open more than one SMTP connection?


202.139.211.241  5  Thailand
88.0.230.26      4  Spain
71.55.71.138     2  USA
87.219.166.9     2  Spain
213.85.39.108    1  Russian Federation
84.77.107.183    1  Spain
83.131.106.234   1  Croatia
84.61.135.61     1  Germany
83.84.74.219     1  Netherlands
90.9.36.180      1  France
83.167.108.79    1  Russian Federation
67.172.162.33    1  USA
84.54.248.96     1  Russian Federation
86.75.242.215    1  France
201.208.171.250  1  Venezuela
88.204.240.177   1  Kazakstan
82.158.0.237     1  Spain
69.30.246.125    1  USA
200.168.86.224   1  Brazil
83.167.108.44    1  Russian Federation
75.41.79.203     1  USA
200.206.252.123  1  Brazil
84.60.109.148    1  Germany





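The per-source connection count behind Dave's snapshot, and the "multiple SMTP connections" threshold Craig describes BlackICE applying, as an added example that is not code from this thread, BlackICE or IMail: it counts established connections to port 25 per remote IP in a netstat-style snapshot and flags sources above an allowance of 2, leaving room for the legitimate secondary connection Dave mentions. The snapshot layout, local address and ports are constructed for the example; only the remote IPs come from the table above.

```python
"""Added example: count simultaneous inbound SMTP connections per remote IP
from a netstat-style snapshot and flag the sources over an allowance. Not
code from the thread or from BlackICE/IMail; the snapshot is constructed."""
from collections import Counter

# Constructed snapshot in the layout of `netstat -n` on Windows (Proto, Local
# Address, Foreign Address, State). Remote IPs are taken from the thread's
# table; the local address, ports and states are made up.
SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            202.139.211.241:3301   ESTABLISHED
  TCP    10.0.0.5:25            202.139.211.241:3302   ESTABLISHED
  TCP    10.0.0.5:25            202.139.211.241:3305   ESTABLISHED
  TCP    10.0.0.5:25            202.139.211.241:3307   ESTABLISHED
  TCP    10.0.0.5:25            202.139.211.241:3310   ESTABLISHED
  TCP    10.0.0.5:25            88.0.230.26:41002      ESTABLISHED
  TCP    10.0.0.5:25            88.0.230.26:41003      ESTABLISHED
  TCP    10.0.0.5:25            88.0.230.26:41004      ESTABLISHED
  TCP    10.0.0.5:25            88.0.230.26:41005      ESTABLISHED
  TCP    10.0.0.5:25            71.55.71.138:2244      ESTABLISHED
  TCP    10.0.0.5:25            71.55.71.138:2245      ESTABLISHED
  TCP    10.0.0.5:25            213.85.39.108:1090     ESTABLISHED
  TCP    10.0.0.5:25            67.172.162.33:5522     TIME_WAIT
  TCP    10.0.0.5:110           88.0.230.26:41100      ESTABLISHED
  UDP    10.0.0.5:53            *:*
"""


def parse_snapshot(text):
    """Return (remote_ip, local_port, state) for each TCP row; the banner, the
    column header, UDP rows and anything without a state are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        _proto, local, remote, state = fields
        _local_ip, local_port = local.rsplit(":", 1)
        remote_ip, _remote_port = remote.rsplit(":", 1)
        if not local_port.isdigit():
            continue
        rows.append((remote_ip, int(local_port), state))
    return rows


def smtp_connections_per_ip(rows, smtp_port=25, states=("ESTABLISHED",)):
    """Count live connections to the SMTP port per remote IP. Closing states
    such as TIME_WAIT are left out so one fast sender reconnecting in series
    is not mistaken for a parallel one; the LISTENING row drops out the same way."""
    counts = Counter()
    for remote_ip, local_port, state in rows:
        if local_port == smtp_port and state in states:
            counts[remote_ip] += 1
    return counts


def flag_sources(counts, max_allowed=2):
    """Return [(ip, count), ...] for sources above the allowance, busiest
    first. The default of 2 leaves room for a legitimate server that opens a
    second connection for its own checks, as noted in the thread."""
    over = [(ip, n) for ip, n in counts.items() if n > max_allowed]
    return sorted(over, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = smtp_connections_per_ip(parse_snapshot(SNAPSHOT))
    for ip, n in flag_sources(counts):
        print(f"{ip:<16} {n} simultaneous SMTP connections")
```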



[Declude.JunkMail] interesting ...

2006-08-01 Thread Jay Sudowski - Handy Networks LLC
Interesting:


http://www.declude.com/sppurchase.asp?cat=29



Service Providers are not allowed to take advantage of the Commtouch
functionality due to strict license restrictions.

The good news? Declude will offer you a FREE subscription to Message
Sniffer.

Message Sniffer ties into Declude as an external test. Using advanced
pattern matching and artificial intelligence technologies from MicroNeil
Research, Message Sniffer applies thousands of heuristic tests to each
incoming message in just a fraction of a second. Unlike many anti-spam
products that scan for content, Message Sniffer's tests search for
combinations of spam features including message sources, common
obfuscation techniques, Email and URL targets and fragments, and even
coding styles.

Any questions contact Kristina ([EMAIL PROTECTED]) today at
978.499.2933 x7011.



I presume this only applies to folks shelling out $1650 a year for
Declude, though.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003
Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com






Re: [Declude.JunkMail] Interesting thought on some tests when a front end gateway is involved.

2005-11-05 Thread Don Brown
I think SPF worked correctly in your scenario, since SPF is based upon
the envelope sender address and the delivering MTA (forwarding or
originating). The problem here is that the wrong receiving MTA is
doing the SPF check.

|(A) Send MTA| -> |(B) Rec MTA| -> |(C) Rec MTA|

SPF should be checked by server (B).  I'd expect all SPF checks by
Server (C) to fail when the SPF record in DNS is configured for a hard
fail "-all", unless of course, there is some special coding so that
the IP of (A) is used, instead of the IP of (B), in the SPF check.

WRT your question about SPF, REVDNS and HELOBOGUS, when an inbound
gateway is used, I'd expect HELOBOGUS to be useless, but for SPF and
REVDNS to be functional.  I'd like to know Declude's official response
to your question, though.



Friday, November 4, 2005, 5:09:14 AM, John T (Lists) <[EMAIL PROTECTED]> wrote:
JTL> I sent an e-mail to a software vendor requesting answers to some questions.
JTL> That message was rejected based on a SPF Fail. Yes, I have SPF records setup
JTL> for my domains. So how did it fail, bad configuration on the recipient side.
JTL> By reviewing the headers and the rejection notice, I found that my server
JTL> handed the message off to the MX record for the recipient server as expected.
JTL> However, the server listed in the MX then forwarded to a different e-mail
JTL> address on a different server, mail13.atl.registeredsite.com. In this case,
JTL> the MX record is an Imail 6.06 server. It appears that the Imail 6.06 server
JTL> recorded its own IP address as being mine during the handshake. (Is this a
JTL> known bug in Imail 6.06?) It appears that mail13.atl.registeredsite.com then
JTL> tried to hand the message to mx03.csee.siteprotect.com, but that server ran
JTL> a SPF query, found my record, saw that the connecting IP was 216.247.37.27
JTL> which is the IP for mail13.atl.registeredsite.com and correctly saw a SPF
JTL> Fail. The problem is, it should not be looking at that IP since it was a
JTL> forwarded message. Duh. The problem is why are they looking at the wrong IP?

JTL> Now, my thought on Declude tests such as SPF, REVDNS, HELOBOGUS. If my
JTL> server which is running those tests is sitting behind other servers of mine
JTL> which are the front door gateway and MX records, and if I have SKIPIP
JTL> listing the IP of my gateway servers, does that effectively make those types
JTL> of tests useless?

JTL> SMTP (3090095d44d9) processing F:\Spool\q3090095d44d9.smd
JTL> SMTP (3090095d44d9) [x] looking up recipientdomain.moc in HOSTS and MX
JTL> SMTP (3090095d44d9) Trying recipientdomain.moc (0)
JTL> SMTP (3090095d44d9) [x] Connecting socket to service  on host
JTL>  using protocol 
JTL> SMTP (3090095d44d9) [x] using source IP for mail.eservicesforyou.net
JTL> [67.94.227.39]
JTL> SMTP (3090095d44d9) Connect recipientdomain.moc [216.25.47.197:25] (1)
JTL> SMTP (3090095d44d9) 220 X1 NT-ESMTP Server mail.recipientdomain.moc
JTL> (IMail 6.06 8010-10)
JTL> SMTP (3090095d44d9) >EHLO mail.eservicesforyou.net
JTL> SMTP (3090095d44d9) 250-mail.recipientdomain.moc says hello
JTL> SMTP (3090095d44d9) 250-SIZE 0
JTL> SMTP (3090095d44d9) 250-8BITMIME
JTL> SMTP (3090095d44d9) 250-DSN
JTL> SMTP (3090095d44d9) 250-ETRN
JTL> SMTP (3090095d44d9) 250 EXPN

JTL> Received: from mail.recipientdomain.moc (mail.recipientdomain.moc
JTL> [216.25.47.197])
JTL> by mail13.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP id
JTL> jA49vpJ2009604
JTL> for <[EMAIL PROTECTED]>; Fri, 4 Nov 2005 04:57:51
JTL> -0500
JTL> Received: from SMTP32-FWD by mail.recipientdomain.moc
JTL>   (SMTP32) id A03AC; Fri,  4 Nov 2005 04:57:50 -0500
JTL> Received: from mail.eservicesforyou.net [216.25.47.197] by
JTL> mail.recipientdomain.moc with ESMTP
JTL>   (SMTPD32-6.06) id A09D5D1300B8; Fri, 04 Nov 2005 04:57:49 -0500
JTL> Received: from wks1 [192.168.16.11] by mail.eservicesforyou.net with ESMTP
JTL>   (SMTPD-8.20) id A09006A0; Fri, 04 Nov 2005 01:57:36 -0800

JTL> John T
JTL> eServices For You







Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




[Declude.JunkMail] Interesting thought on some tests when a front end gateway is involved.

2005-11-04 Thread John T \(Lists\)
I sent an e-mail to a software vendor requesting answers to some questions.
That message was rejected based on a SPF Fail. Yes, I have SPF records setup
for my domains. So how did it fail, bad configuration on the recipient side.
By reviewing the headers and the rejection notice, I found that my server
handed the message off to the MX record for the recipient server as expected.
However, the server listed in the MX then forwarded to a different e-mail
address on a different server, mail13.atl.registeredsite.com. In this case,
the MX record is an Imail 6.06 server. It appears that the Imail 6.06 server
recorded its own IP address as being mine during the handshake. (Is this a
known bug in Imail 6.06?) It appears that mail13.atl.registeredsite.com then
tried to hand the message to mx03.csee.siteprotect.com, but that server ran
a SPF query, found my record, saw that the connecting IP was 216.247.37.27
which is the IP for mail13.atl.registeredsite.com and correctly saw a SPF
Fail. The problem is, it should not be looking at that IP since it was a
forwarded message. Duh. The problem is why are they looking at the wrong IP?

Now, my thought on Declude tests such as SPF, REVDNS, HELOBOGUS. If my
server which is running those tests is sitting behind other servers of mine
which are the front door gateway and MX records, and if I have SKIPIP
listing the IP of my gateway servers, does that effectively make those types
of tests useless?

SMTP (3090095d44d9) processing F:\Spool\q3090095d44d9.smd
SMTP (3090095d44d9) [x] looking up recipientdomain.moc in HOSTS and MX
SMTP (3090095d44d9) Trying recipientdomain.moc (0)
SMTP (3090095d44d9) [x] Connecting socket to service  on host
 using protocol 
SMTP (3090095d44d9) [x] using source IP for mail.eservicesforyou.net
[67.94.227.39]
SMTP (3090095d44d9) Connect recipientdomain.moc [216.25.47.197:25] (1)
SMTP (3090095d44d9) 220 X1 NT-ESMTP Server mail.recipientdomain.moc
(IMail 6.06 8010-10)
SMTP (3090095d44d9) >EHLO mail.eservicesforyou.net
SMTP (3090095d44d9) 250-mail.recipientdomain.moc says hello
SMTP (3090095d44d9) 250-SIZE 0
SMTP (3090095d44d9) 250-8BITMIME
SMTP (3090095d44d9) 250-DSN
SMTP (3090095d44d9) 250-ETRN
SMTP (3090095d44d9) 250 EXPN

Received: from mail.recipientdomain.moc (mail.recipientdomain.moc
[216.25.47.197])
by mail13.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP id
jA49vpJ2009604
for <[EMAIL PROTECTED]>; Fri, 4 Nov 2005 04:57:51
-0500
Received: from SMTP32-FWD by mail.recipientdomain.moc
  (SMTP32) id A03AC; Fri,  4 Nov 2005 04:57:50 -0500
Received: from mail.eservicesforyou.net [216.25.47.197] by
mail.recipientdomain.moc with ESMTP
  (SMTPD32-6.06) id A09D5D1300B8; Fri, 04 Nov 2005 04:57:49 -0500
Received: from wks1 [192.168.16.11] by mail.eservicesforyou.net with ESMTP
  (SMTPD-8.20) id A09006A0; Fri, 04 Nov 2005 01:57:36 -0800

John T
eServices For You



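The forwarding problem John describes and the fix Don sketches ("special coding so that the IP of (A) is used, instead of the IP of (B)"), as an added example that is not code from this thread, Declude or IMail: the checking server walks back through the hops it trusts as its own front door (the role John gives SKIPIP) to the first untrusted client IP, and evaluates SPF against that rather than against the immediate peer. The Received chain, the trusted-hop set and the SPF record are constructed for the example, modelled on the headers quoted above; the SPF evaluator handles only ip4 and all mechanisms so it runs offline.

```python
"""Added example: choose the client IP for an SPF check when mail reaches the
checking server through our own forwarding hops, then evaluate a minimal SPF
record against it. Not code from the thread, Declude or IMail."""
import ipaddress
import re

# Constructed Received chain, newest hop first, modelled on the headers quoted
# in the thread. 216.247.37.27 and 216.25.47.197 are the two forwarding hops;
# the sending server's IP, 67.94.227.39, is only visible two hops back.
RECEIVED = [
    "from mail13.atl.registeredsite.com (mail13.atl.registeredsite.com "
    "[216.247.37.27]) by mx03.csee.siteprotect.com with ESMTP",
    "from mail.recipientdomain.moc (mail.recipientdomain.moc [216.25.47.197]) "
    "by mail13.atl.registeredsite.com (8.12.11/8.12.11) with ESMTP",
    "from mail.eservicesforyou.net [67.94.227.39] by mail.recipientdomain.moc "
    "with ESMTP (SMTPD32-6.06)",
    "from wks1 [192.168.16.11] by mail.eservicesforyou.net with ESMTP (SMTPD-8.20)",
]

# Hops the checking server trusts as its own front door (the role the thread
# gives SKIPIP). Constructed for the example.
TRUSTED_FORWARDERS = {"216.247.37.27", "216.25.47.197"}

# Constructed sender policy: one authorised sending IP, hard fail otherwise.
SENDER_SPF = "v=spf1 ip4:67.94.227.39 -all"

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+(\S+)")
_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(header):
    """Return (client_ip, receiving_host) from one Received header; None where
    the field is missing (a hop we cannot attribute must not be trusted)."""
    ip = _IP_RE.search(header)
    by = _BY_RE.search(header)
    return (ip.group(1) if ip else None, by.group(1) if by else None)


def spf_client_ip(received, trusted):
    """Walk the chain newest-first and return the first client IP that is not
    one of our trusted hops. That is the IP the sender's policy speaks for;
    checking the immediate peer instead is the mistake described in the
    thread. Returns None when every hop is trusted (nothing left to check)."""
    for header in received:
        ip, _by = parse_received(header)
        if ip is not None and ip not in trusted:
            return ip
    return None


def spf_check(record, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms and the 'all' mechanism only (no
    include/a/mx, so it runs offline). Returns pass/fail/softfail/neutral/none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in _RESULT else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return _RESULT[qualifier]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return _RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    peer = parse_received(RECEIVED[0])[0]
    print("immediate peer     ", peer, "->", spf_check(SENDER_SPF, peer))
    real = spf_client_ip(RECEIVED, TRUSTED_FORWARDERS)
    print("first untrusted hop", real, "->", spf_check(SENDER_SPF, real))
```

Checked against the immediate peer the constructed record fails exactly as John's message did; walked back past the two trusted forwarders it passes.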


Re: [Declude.JunkMail] Interesting spam footer

2005-09-19 Thread Don Brown
Just kids with more imagination than knowledge


Sunday, September 18, 2005, 6:38:03 PM, Darin Cox <[EMAIL PROTECTED]> wrote:
DC> Thought this was interesting... a spammer trying to use fear of
DC> prosecution to stop people from reporting their email as spam.
DC>
DC> The spam was sent to a postmaster address never used for outgoing mail...
DC>
DC> Darin.
DC>
DC> =
DC> IMPORTANT INFORMATION CONCERNING THIS COMMERCIAL MESSAGE
DC> IN COMPLIANCE WITH THE CAN-SPAM ACT OF 2003
DC> This is one of a number of commercial email messages that you,
DC> or someone using your computer, agreed to receive this message
DC> WARNING!!!
DC> ANY PERSON REPORTING ALLEGED SPAM TO ANY PERSON, PERSONS, ISPs
DC> OR ENTITIES WITHOUT PHYSICAL PROOF OF SAID CLAIM IS GUILTY OF
DC> BOTH FRAUD AND A CIVIL CRIME AND WILL BE PURSUED AND PROSECUTED
DC> TO THE FULLEST EXTENT OF THE LAW. FURTHER, SHOULD SAID ALLEGATION
DC> RESULT IN ANY INTERRUPTION OF NORMAL BUSINESS ACTIVITY OF THE
DC> COMPANY AND/OR RESULT IN LOSS OF INCOME AND/OR RESULT IN
DC> UNNECESSARY EXPENSES, A CIVIL SUIT WILL BE BROUGHT



Don Brown - Dallas, Texas USA Internet Concepts, Inc.
[EMAIL PROTECTED]   http://www.inetconcepts.net
(972) 788-2364Fax: (972) 788-5049




Re: [Declude.JunkMail] Interesting spam footer

2005-09-18 Thread Dave Doherty



Well, the website resolves to 82.96.105.6, so at least they are consistent.
It's a Euro IP address. Here's what RIPE reports about the IP:

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '82.96.105.0 - 82.96.105.255'

inetnum:      82.96.105.0 - 82.96.105.255
netname:      DE-ITelligence
descr:        ITelligence sprl
country:      DE
admin-c:      PN357-RIPE
tech-c:       PN357-RIPE
status:       ASSIGNED PA
mnt-by:       PROBE-MNT
mnt-lower:    PROBE-MNT
source:       RIPE # Filtered

person:       Philippe Nihoul
address:      ITelligence sprl
              47, Place Favresse
              La Hulpe, 1310
              BE
phone:        +32 6551170
fax-no:       +32 6551170
e-mail:       [EMAIL PROTECTED]
nic-hdl:      PN357-RIPE
mnt-by:       PROBE-MNT
source:       RIPE # Filtered

% Information related to '82.96.64.0/18AS29686'

route:        82.96.64.0/18
descr:        Probe Networks european network
origin:       AS29686
mnt-by:       PROBE-MNT
source:       RIPE # Filtered
 
 
 

  - Original Message -
  From: Darin Cox
  To: Declude.JunkMail@declude.com
  Sent: Sunday, September 18, 2005 9:35 PM
  Subject: Re: [Declude.JunkMail] Interesting spam footer

  The site being advertised was www.ebay-laptop.com.  Silly really.  They're
  just asking for trouble with that statement.

  Came in from 82.96.105.2, but with a fake yahoo email address.

  Darin.

  - Original Message -
  From: Dave Doherty
  To: Declude.JunkMail@declude.com
  Sent: Sunday, September 18, 2005 8:54 PM
  Subject: Re: [Declude.JunkMail] Interesting spam footer

  OK, so I guess the point is the recipient has to prove that the message is
  spam? Sounds like "blame the victim"... And maybe the recipient has to buy
  what's being offered to avoid running afoul of the "LOSS OF INCOME" claim.

  And what was being advertised?  Anything useful to the recipient?

  Did this come from a source in the US? Interesting "English" there is the
  lower-case sentence... Mike, my guess is there's no court with
  jurisdiction. But if it WERE prosecuted in the US, I would love to attend
  the trial!

  -Dave Doherty
   Skywaves, Inc.

    - Original Message -
    From: Darin Cox
    To: IMail_Forum@list.ipswitch.com ; Declude.JunkMail@declude.com
    Sent: Sunday, September 18, 2005 7:38 PM
    Subject: [Declude.JunkMail] Interesting spam footer

    Thought this was interesting... a spammer trying to use fear of
    prosecution to stop people from reporting their email as spam.

    The spam was sent to a postmaster address never used for outgoing mail...

    Darin.

    =
    IMPORTANT INFORMATION CONCERNING THIS COMMERCIAL MESSAGE
    IN COMPLIANCE WITH THE CAN-SPAM ACT OF 2003
    This is one of a number of commercial email messages that you,
    or someone using your computer, agreed to receive this message
    WARNING!!!
    ANY PERSON REPORTING ALLEGED SPAM TO ANY PERSON, PERSONS, ISPs
    OR ENTITIES WITHOUT PHYSICAL PROOF OF SAID CLAIM IS GUILTY OF
    BOTH FRAUD AND A CIVIL CRIME AND WILL BE PURSUED AND PROSECUTED
    TO THE FULLEST EXTENT OF THE LAW. FURTHER, SHOULD SAID ALLEGATION
    RESULT IN ANY INTERRUPTION OF NORMAL BUSINESS ACTIVITY OF THE
    COMPANY AND/OR RESULT IN LOSS OF INCOME AND/OR RESULT IN
    UNNECESSARY EXPENSES, A CIVIL SUIT WILL BE BROUGHT


Re: [Declude.JunkMail] Interesting spam footer

2005-09-18 Thread Darin Cox



The site being advertised was www.ebay-laptop.com.  Silly really.  They're
just asking for trouble with that statement.

Came in from 82.96.105.2, but with a fake Yahoo email address.

Darin.
 
 


Re: [Declude.JunkMail] Interesting spam footer

2005-09-18 Thread Dave Doherty




OK, so I guess the point is the recipient has to prove that the message is
spam? Sounds like "blame the victim"... And maybe the recipient has to buy
what's being offered to avoid running afoul of the "LOSS OF INCOME" claim.

And what was being advertised?  Anything useful to the recipient?

Did this come from a source in the US? Interesting "English" there is the
lower-case sentence... Mike, my guess is there's no court with jurisdiction.
But if it WERE prosecuted in the US, I would love to attend the trial!

-Dave Doherty
Skywaves, Inc.



RE: [Declude.JunkMail] Interesting spam footer

2005-09-18 Thread Michael Jaworski



It looks like a great opportunity to actually meet a real live spammer in
person in front of a judge. Sign me up.

Mike
 
 
 

 
 


[Declude.JunkMail] Interesting spam footer

2005-09-18 Thread Darin Cox



Thought this was interesting... a spammer trying to use fear of prosecution
to stop people from reporting their email as spam.

The spam was sent to a postmaster address never used for outgoing mail...

Darin.

=IMPORTANT INFORMATION CONCERNING THIS COMMERCIAL MESSAGE
IN COMPLIANCE WITH THE CAN-SPAM ACT OF 2003
This is one of a number of commercial email messages that you, or someone
using your computer, agreed to receive this message
WARNING!!!
ANY PERSON REPORTING ALLEGED SPAM TO ANY PERSON, PERSONS, ISPs OR ENTITIES
WITHOUT PHYSICAL PROOF OF SAID CLAIM IS GUILTY OF BOTH FRAUD AND A CIVIL CRIME
AND WILL BE PURSUED AND PROSECUTED TO THE FULLEST EXTENT OF THE LAW. FURTHER,
SHOULD SAID ALLEGATION RESULT IN ANY INTERRUPTION OF NORMAL BUSINESS ACTIVITY
OF THE COMPANY AND/OR RESULT IN LOSS OF INCOME AND/OR RESULT IN UNNECESSARY
EXPENSES, A CIVIL SUIT WILL BE BROUGHT
 
 


RE: [Declude.JunkMail] Interesting Header from a bulk mailer

2005-09-16 Thread Colbeck, Andrew



The funniest one I've seen is:
 
X-Mailer: Minister Punisher 4
 
Andrew 8)
 

  
  


[Declude.JunkMail] Interesting Header from a bulk mailer

2005-09-16 Thread Darin Cox



Saw this header today and thought it was mighty interesting.

X-Mailer: Spamsoft Spammer Bulk Mailer

That's pretty brazen to advertise that you're a spammer in the headers...

Darin.
 
 


Re: [Declude.JunkMail] interesting

2005-01-21 Thread Sanford Whiteman
> See attached txt-file with the content of the original spam message.

Can't front on that ASCII art!

Wow,  I  might just have to let these go for old time's sake -- except
that, of course, they're machine-generated.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]



[Declude.JunkMail] interesting

2005-01-21 Thread Markus Gufler

See attached txt-file with the content of the original spam message.

At least there is even the contact link...

Markus
http://783ytbne.com/nw/?a=ddpTJhNKedKG&q=8zMTAxLWFhYW00MzI1NDc






Re: [Declude.JunkMail] Interesting tactic..

2005-01-12 Thread S.J.Stanaitis




Yea, Dan Rather.

Hah!

Dan Geiser wrote:

> Yes, but Dennis Fisher is a senior editor at eWeek.  Don't they have someone
> give these articles the once over before printing them?
>
> - Original Message -
> From: "Matt" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, January 11, 2005 4:09 PM
> Subject: Re: [Declude.JunkMail] Interesting tactic..
>
> > This sounds like an urban legend to me.  Keep in mind that there was
> > some news release a few weeks ago that indicated AOL was seeing
> > dramatically less spam traffic.  I think it is likely that AOL has
> > succeeded in blocking more spam, and the article was rehashed by someone
> > that didn't understand the topic and assumed that this meant a drop in
> > spam.  This used to happen all the time, even in industry mags, back
> > when the Internet was becoming a big deal.  Same thing with spam now.
> > I'm sure that they mess up articles about medicine, astronomy, etc., and
> > we just don't know enough to see through the mistakes.
> >
> > Matt
> >
> > Dan Geiser wrote:
> >
> > > I don't get this article at all.  How is this any different than sending
> > > e-mails with using domains that you have no intention of ever using?  Why
> > > would you want to register the domain name and then associate yourself
> > > with a domain used in a spam mailing?  And from a technical standpoint
> > > why would a distributed DNS system be overloaded by trying to lookup
> > > bogus domain names?
> > >
> > > - Original Message -
> > > From: "Kami Razvan" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Tuesday, January 11, 2005 2:50 PM
> > > Subject: [Declude.JunkMail] Interesting tactic..
> > >
> > > > http://www.eweek.com/article2/0,1759,1749328,00.asp
> > > >
> > > > "One troublesome technique finding favor with spammers involves sending
> > > > mass mailings in the middle of the night from a domain that has not yet
> > > > been registered. After the mailings go out, the spammer registers the
> > > > domain early the next morning."
> > > >
> > > > H
> > > >
> > > > Kami
> > > >
> > > > ---
> > > > E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
> >
> > --
> > =
> > MailPure custom filters for Declude JunkMail Pro.
> > http://www.mailpure.com/software/
> > =


-- 
S.J.Stanaitis
Network Administrator, Decorative Product Source
http://www.dpsource.com/

[EMAIL PROTECTED]
(877)-650-8054 x160




Re: [Declude.JunkMail] Interesting tactic..

2005-01-12 Thread Matt




Andy,

You are right.

I wasn't suggesting that prosecution under Virginia law was incorrect,
clearly they have more qualified people than myself arguing and
deciding such cases and they have concluded that they do.  For what it
matters, I also have no doubt that it is illegal, but no state can
charge a spammer with a crime just for simply spamming because that is
preempted by federal law.  Spammers as I pointed out however almost
always break other laws that are clearly under state jurisdiction.

I was really just sharing some things that I came up with along with a
couple of opinions as to why maybe there isn't more prosecution.  I've
long wondered why the criminal justice system can't track down people
hijacking tens of thousands of computers, hammering our servers with
bad addresses, and all the while leaving an evidence trail back to
themselves by way of the products that they advertise, most of which
are illegal in one form or another.  These people are big time
criminals.

I commented on the general lack of clarity in how these laws are being
applied because I thought that it might help to explain why there isn't
more prosecution of spammers.  Unlike stealing a car or robbing a bank,
these cases are destined to go on for years in appeals if convicted as
they argue things as basic as proper jurisdiction.  Precedent is also
loopy, evidence of which was the Iowa court that awarded damages of $1
billion to an ISP that was spammed by a guy in Florida.  My thought is
that these things just simply take time for the courts to come up with
standard ways to treat such matters, and that the same thing happened
with crimes involving telephones and computers, and both are still
rather difficult to prosecute based on the complexities and lack of
understanding of technology.

Sorry, I didn't mean to make this into a debate.

Matt



RE: [Declude.JunkMail] Interesting tactic..

2005-01-12 Thread Andy Schmidt



Hi:

Draw whatever conclusions you choose for yourself. I have not taken the bar in
any state and am not qualified to enter into any argument. I reserve the right
to base my lay-person opinion on the anecdotal evidence from the first-hand and
personal conversation with active spam operators who feared AOL due to VA law.

Not as a point of argument, but just as a matter of information I provide this
relevant URL for your quiet enjoyment: http://www.spamlaws.com/state/va.html.

a) You may wish to consider, whether "using" a computer that is located in VA
gives VA courts jurisdiction.

b) Note that "using" a computer is defined as "causing or attempt to cause" a
computer to "perform or stop performing ... operations"

You may wish to consider whether that helps to allege an offense that is not
limited by CAN-SPAM, e.g. claiming service disruptions due to spam volume or
usability impairments for end users who have too much Spam in their mailbox.

c) "Uses a computer or computer network with the intent to falsify or forge
electronic mail transmission information or other routing information in any
manner..." (You may wish to consider, whether this goes towards your
"exception" that you cited.)

d) "Knowingly sells, gives, or otherwise distributes or possesses with the
intent to sell, give, or distribute software that
(i) is primarily designed or produced for the purpose of facilitating or
enabling the falsification of electronic mail transmission information or
other routing information;
(ii) has only limited commercially significant purpose or use other than to
facilitate or enable the falsification of electronic mail transmission
information or other routing information; or
(iii) is marketed by that person acting alone or with another for use in
facilitating or enabling the falsification of electronic mail transmission
information or other routing information
is guilty of a Class 1 misdemeanor."
(You may wish to consider, whether this defines offenses that CAN SPAM does not
cover/limit.)

I'm not asking or expecting anyone's agreement.

Best Regards
Andy Schmidt
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

  

Re[2]: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Sanford Whiteman
> As  far  as I am concerned, if the From Address domain is not coming
> from  the  MX  for  that  domain, I don't want the mail.

Really? So you HOLD a message on IPNOTINMX? I doubt it.

MXs  are  _inbound_  mail  exchangers.  It's  absurd  to  require that
outbound  mail  come from MXs. Any mail architect knows that you scale
outbound and inbound mail separately as necessary.

--Sandy



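Sandy's point in code, as an added example that is not from the list or from Declude: a constructed DNS table (hypothetical example.com hosts on RFC 5737 documentation addresses) and an IPNOTINMX-style check that compares the connecting IP with the sender domain's MX addresses. A dedicated outbound relay fails the test exactly as a forged sender does, so the test can only add weight to a score, never hold a message by itself.

```python
# Added example, not Declude's code: why "connecting IP is not an MX of the
# sender domain" is a weak signal. MXs are inbound exchangers; sites that
# scale outbound mail separately send from hosts that are not MXs at all.
# Every name, address, weight and threshold below is constructed.

# Constructed zone data in place of live DNS lookups, so this runs offline.
MX_RECORDS = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
}
A_RECORDS = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.11"],
    "out1.example.com": ["198.51.100.5"],  # dedicated outbound relay, not an MX
}

IPNOTINMX_WEIGHT = 2   # constructed: low, since relay and forgery look identical
HOLD_THRESHOLD = 10    # constructed: score at which a message would be held


def mx_addresses(domain: str) -> set[str]:
    """Return every address the MX hosts of `domain` resolve to."""
    addrs: set[str] = set()
    for host in MX_RECORDS.get(domain, []):
        addrs.update(A_RECORDS.get(host, []))
    return addrs


def ip_not_in_mx(sender_domain: str, connecting_ip: str) -> bool:
    """IPNOTINMX-style test: True when the connecting IP is not one of the
    sender domain's MX addresses. A domain with no MX at all never passes."""
    return connecting_ip not in mx_addresses(sender_domain)


def score_message(sender_domain: str, connecting_ip: str,
                  other_points: int = 0) -> tuple[int, bool]:
    """Return (total score, hold?) for one delivery. IPNOTINMX only adds its
    weight; on its own it stays well under the hold threshold, and it adds
    the same weight to a legitimate relay and to a forged sender."""
    points = other_points
    if ip_not_in_mx(sender_domain, connecting_ip):
        points += IPNOTINMX_WEIGHT
    return points, points >= HOLD_THRESHOLD


# Three constructed deliveries all claiming a sender at example.com.
SAMPLES = {
    "from the MX itself":          "192.0.2.10",
    "from the real outbound relay": "198.51.100.5",
    "from a forged sender":        "203.0.113.7",
}

if __name__ == "__main__":
    for label, ip in SAMPLES.items():
        fired = ip_not_in_mx("example.com", ip)
        total, hold = score_message("example.com", ip)
        print(f"{label:30s} {ip:15s} IPNOTINMX={fired!s:5s} score={total} hold={hold}")
```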


Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Matt




Andy,

Yes, there are many different laws that spammers break, most of which
are not covered under CAN-SPAM.  CAN-SPAM does though preempt many
state anti-spam laws, or at least parts of them.  The courts are
working out what is and is not preempted.  For better or worse, some of
these state convictions might be overturned based on jurisdiction as
things progress through the appeal's system.  Having spammers held to
50 different standards for conduct without a good method of identifying
who is where is a bit unfair, kind of like expecting an ecommerce site
to collect taxes according to every county tax rate in the country.  It
all depends on who they are going after of course.  The groups that are
dictionary attacking servers all over the place with as many as 3
million random addresses per day are clearly going beyond simple
spamming, and other things like fraud and false advertising also extend
beyond CAN-SPAM, though have been specified in parts of state anti-spam
laws.  CAN-SPAM's state law preemption reads as follows:

"This Act supersedes any statute, regulation, or rule of a State or political
subdivision of a State that expressly regulates the use of electronic mail to
send commercial messages, except to the extent that any such statute,
regulation, or rule prohibits falsity or deception in any portion of a
commercial electronic mail message or information attached thereto."

The North Carolina residents that were prosecuted under Virginia's spam
laws recently were primarily flagged for fraud.  They were advertising
scams promoting $75/hour FedEx refund processor software, and received
about $400,000 in orders for it.  To quote one Web source, "VA
authorities were able to assert long-arm jurisdiction over them
since they derived economic benefit and caused tortious harm to
Virginia residents as well as Virginia equipment."  (of course I can't
vouch for the accuracy of that statement)

I personally would like to see clear as day laws governing spam so that
authorities wouldn't be apprehensive to go after these people, or
turned off by the never-ending appeal process as the vaguest parts of
the laws are tested.  Maybe they aren't prosecuting these people for
other reasons such as a lack of focus on the problem.  Neither Bill
Clinton nor George Bush had an appreciation for E-mail.  I think that
Bill Clinton was only known to have sent a single E-mail while in
office.  I doubt that most of those in Congress read their own E-mail,
and they aren't likely exposed to the people blocking the spam for them
(why else would they have legalized half of it with a preemptive law?).

I don't believe marketing a legitimate product or service from one's
own servers would constitute a violation of either law.  The trouble
with doing it that way is that anything that is static and comes with
significant volume is generally widely blacklisted within the first
week of activity, often the first 24 hours.  It makes being a static
spammer kind of tough.  I've noted more and more that static spammers
are moving their hosting to other countries and service providers that
don't sub-delegate IP space, and don't require or oversee the reverse
DNS information.  Some even set themselves up as fake hosting
operations and then jump around their IP space with spam blocks
pretending to not be directly associated with the activity.  None of
this seems to constitute breaking the law, though I'm sure that almost
all of them are in other ways (like not honoring opt-outs, subject
tagging themselves, etc.).

Matt




RE: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Andy Schmidt



The motivation for cleaning was not black-listing, it was AOLs aggressive
pursuit of Spammers supported by VA state law that is one of the (if not "the")
toughest with regards to computer abuse (including SPAM).  Since many Spammers
DO operate out of the U.S. and/or market goods that are delivered from the
U.S., it doesn't matter much if they were trying to hide behind a China server.

Abusing a computer system in VA is subject to VA law - even if the other party
sits in another state. Has nothing to do with Interstate commerce.

Heck, I have to file sales tax returns in many states that I've never set foot
in - just as long as THEIR state law finds some way to define "nexus".

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206
http://www.HM-Software.com/

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 11, 2005 04:42 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Interesting tactic..

Anyone can spam legally under CAN-SPAM, however almost no one follows the
exact letter of the law (for instance adding "ADV" to subject lines).  I'm
not sure where federal and state law intersect on this one, but it would
seem to be primarily a federal issue since it generally involves interstate
commerce.

My own personal experience is that the clearly illegal stuff (forging/zombie
spam) that CAN-SPAM definitely targets has grown immensely in the last year,
and their tactics have become effectively DDOS attacks on mail servers
(violating yet other laws).  Spamhaus has pictures of some of these guys'
houses even (tape recordings of threats too), yet all we hear about are
these occasional civil lawsuits, and a smattering of criminal actions while
they keep going with impunity.  The RIAA has been more effective at stopping
file sharing than the government has been in stopping spam, and that's not
saying much.  In fact the most remarkable thing that the government has done
is cave in to industry and draft a law called CAN-SPAM that legalizes half
of it, and supersedes many state laws that went further.

I don't doubt that you were told this however.  Spamming AOL without some
form of obfuscation is pretty much going to be useless because they will get
blacklisted rather quickly otherwise.

Matt

Andy Schmidt wrote:
  

Well, I CAN tell you that I have personal contacts with Spammers (who 
keep wanting me to take their business) - and from casual conversations 
about the "industry" I know that several DO clean any AOL 
mailboxes from their lists before doing campaigns out of fear of litigation 
based on VA law. 
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 11, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Interesting tactic..

This sounds like an urban legend to me.  Keep in mind that there was some
news release a few weeks ago that indicated AOL was seeing dramatically less
spam traffic.  I think it is likely that AOL has succeeded in blocking more
spam, and the article was rehashed by someone that didn't understand the
topic and assumed that this meant a drop in spam.  This used to happen all
the time, even in industry mags, back when the Internet was becoming a big
deal.  Same thing with spam now.  I'm sure that they mess up articles about
medicine, astronomy, etc., and we just don't know enough to see through the
mistakes.

Matt

Dan Geiser wrote:
I don't get this article at all.  How is this any different than sending
e-mails using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to look up bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


  

http://www.eweek.com/article2/0,1759,1749328,00.asp\

"One troublesome technique finding favor with spammers involves sending mass
mailings in the middle of the night from a domain that has not

Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Matt




Anyone can spam legally under CAN-SPAM, however almost no one follows
the exact letter of the law (for instance adding "ADV" to subject
lines).  I'm not sure where federal and state law intersect on this
one, but it would seem to be primarily a federal issue since it
generally involves interstate commerce.

My own personal experience is that the clearly illegal stuff
(forging/zombie spam) that CAN-SPAM definitely targets has grown
immensely in the last year, and their tactics have become effectively
DDOS attacks on mail servers (violating yet other laws).  Spamhaus has
pictures of some of these guys' houses even (tape recordings of threats
too), yet all we hear about are these occasional civil lawsuits, and a
smattering of criminal actions while they keep going with impunity. 
The RIAA has been more effective at stopping file sharing than the
government has been in stopping spam, and that's not saying much.  In
fact the most remarkable thing that the government has done is cave
in to industry and draft a law called CAN-SPAM that legalizes half of
it, and supersedes many state laws that went further.

I don't doubt that you were told this however.  Spamming AOL without
some form of obfuscation is pretty much going to be useless because
they will get blacklisted rather quickly otherwise.

Matt



Andy Schmidt wrote:

  
  
  
  Well, I CAN tell you that I have personal
contacts with Spammers (who keep wanting me to take their business) -
and from casual conversations about the "industry" I know
that several DO clean any AOL mailboxes from their lists before doing
campaigns out of fear of litigation based on VA law. 
  
  Best Regards
  Andy Schmidt
  
  H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
  
  Phone:  +1 201 934-3414
x20 (Business)
Fax:    +1 201 934-9206
  
  http://www.HM-Software.com/
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 11, 2005 04:10 PM
To: Declude.JunkMail@declude.com
    Subject: Re: [Declude.JunkMail] Interesting tactic..


This sounds like an urban legend to me.  Keep in mind that there was
some news release a few weeks ago that indicated AOL was seeing
dramatically less spam traffic.  I think it is likely that AOL has
succeeded in blocking more spam, and the article was rehashed by
someone that didn't understand the topic and assumed that this meant a
drop in spam.  This used to happen all the time, even in industry mags,
back when the Internet was becoming a big deal.  Same thing with spam
now.  I'm sure that they mess up articles about medicine, astronomy,
etc., and we just don't know enough to see through the mistakes.

Matt



Dan Geiser wrote:

  I don't get this article at all.  How is this any different than sending
e-mails using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to look up bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


  
  

http://www.eweek.com/article2/0,1759,1749328,00.asp\

"One troublesome technique finding favor with spammers involves sending mass
mailings in the middle of the night from a domain that has not yet been
registered. After the mailings go out, the spammer registers the domain
early the next morning."

H

Kami


  
  

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
  






Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread William Stillwell
Like a US law is gonna stop a spammer located in Hong Kong or
Nigeria...
As far as I am concerned, if the From Address domain is not
coming from the MX for that domain, I don't want the mail. However,
not everyone uses their MX for sending out the mail; this was
the whole reason for SPF, but nobody has even set that up.
If the domain doesn't exist, or does exist, DNS servers are
taxed probably the same amount, regardless of domain
existence.


- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 4:24 PM
Subject: Re: [Declude.JunkMail] Interesting tactic..


Yes, but Dennis Fisher is a senior editor at eWeek.  Don't they have
someone give these articles the once-over before printing them?

- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 4:09 PM
Subject: Re: [Declude.JunkMail] Interesting tactic..


This sounds like an urban legend to me.  Keep in mind that there was
some news release a few weeks ago that indicated AOL was seeing
dramatically less spam traffic.  I think it is likely that AOL has
succeeded in blocking more spam, and the article was rehashed by someone
that didn't understand the topic and assumed that this meant a drop in
spam.  This used to happen all the time, even in industry mags, back
when the Internet was becoming a big deal.  Same thing with spam now.
I'm sure that they mess up articles about medicine, astronomy, etc., and
we just don't know enough to see through the mistakes.
Matt

Dan Geiser wrote:
>I don't get this article at all.  How is this any different than sending
>e-mails using domains that you have no intention of ever using?
>Why would you want to register the domain name and then associate yourself
>with a domain used in a spam mailing?  And from a technical standpoint why
>would a distributed DNS system be overloaded by trying to look up bogus
>domain names?
>
>- Original Message - 
>From: "Kami Razvan" <[EMAIL PROTECTED]>
>To: 
>Sent: Tuesday, January 11, 2005 2:50 PM
>Subject: [Declude.JunkMail] Interesting tactic..
>
>
>
>
>><http://www.eweek.com/article2/0,1759,1749328,00.asp>
>>http://www.eweek.com/article2/0,1759,1749328,00.asp\
>>
>>"One troublesome technique finding favor with spammers involves sending
>>
>>
>mass
>
>
>>mailings in the middle of the night from a domain that has not yet been
>>registered. After the mailings go out, the spammer registers the domain
>>early the next morning."
>>
>>H
>>
>>Kami
>>
>>
>>
>
>
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com

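Stillwell's rule ("if the From Address domain is not coming from the MX for that domain, I don't want the mail") and the SPF mechanism he mentions can be put side by side in code. The following is an added example, not code from Declude or from anyone on this list: a minimal SPF evaluator (ip4, a, mx, include, all with their qualifiers) over a constructed DNS table, next to the stricter "sender must be one of the domain's MX hosts" check. Every domain, address and SPF record below is made up (documentation ranges), and the stub lookup() stands in for real DNS resolution.

```python
import ipaddress

# Constructed stand-in for DNS: (name, record type) -> list of values.
# Everything here is made up for the example; nothing is real data.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:198.51.100.0/24 include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 a -all"],
    ("_spf.mailer.example", "A"): ["203.0.113.7"],
    # A domain that publishes no SPF record at all (the "nobody has set that up" case).
    ("nospf.example", "MX"): ["mx.nospf.example"],
    ("mx.nospf.example", "A"): ["192.0.2.99"],
}


def lookup(name, rtype):
    """Stub resolver: look the record up in the table above instead of real DNS."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the sender IP against the domain's SPF record.

    Handles the ip4, a, mx, include and all mechanisms with their qualifiers.
    CIDR suffixes on a/mx, ip6, exists, redirect and macros are left out to
    keep the example short; a production checker must implement them.
    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps include recursion at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain          # a and mx default to the domain itself
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all"


def sent_from_own_mx(ip, domain):
    """Stillwell's stricter rule: the sender must be one of the domain's MX hosts."""
    return any(ip in lookup(mx, "A") for mx in lookup(domain, "MX"))


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"), ("203.0.113.7", "example.com"),
                       ("192.0.2.99", "example.com"), ("192.0.2.99", "nospf.example")]:
        print(f"{ip:>14} claiming {domain}: spf={check_spf(ip, domain)} "
              f"from_mx={sent_from_own_mx(ip, domain)}")
```

The two checks disagree exactly where Stillwell says they would: a message from the outsourced mailer at 203.0.113.7 passes SPF through the include but fails the MX-only rule, and a domain with no SPF record yields "none", which a scorer can only treat as "no information", not as a failure.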


Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Mike Nice
   The spammer sends out realistic messages that contain a URL flogging the
P I L L S site of the day.  Upon delivery, SpamAssassin etc. check the URL
in the message.  Not finding the URL in an RHSBL, and not able to get any
DNS info (such as DNS hosted by China), SpamAssassin has no information that
would flag the URL as bad.  SpamTraps and manual spam reports are the only
thing that can flag this type of URL as spam, but since it is hard to
automatically tag as a spam URL it will likely escape.

  This spam technique makes the assumption that most people get up / into
work the next day and check their messages first thing.  At 6:00 AM the
spammer registers the domains and voila!  A valid web site in China to click
on.

   While I wouldn't necessarily want to associate myself with the spam a
spammer sends out, I can use the same sleazy techniques, minus the stolen
credit card: register with a registrar known to be soft on spam, provide
false contact information, and host it in China.  Put up a web page saying
"do not buy from E-mail ads", etc.   When the spammer goes to register it
the next morning, he will be unable to activate the domain and out of
customers for that spam run.   Long term the spammer still can win that
battle, but this is a great way to irritate someone on the other end for
once.

- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 3:59 PM
Subject: Re: [Declude.JunkMail] Interesting tactic..


> I don't get this article at all.  How is this any different than sending
> e-mails using domains that you have no intention of ever using?  Why
> would you want to register the domain name and then associate yourself
> with a domain used in a spam mailing?  And from a technical standpoint why
> would a distributed DNS system be overloaded by trying to look up bogus
> domain names?



Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Mike Nice
One area I have seen this used is the 'spamvertized domains' in the body of
the message, which would require a SURBL-style test on the URL in the message
body.  Message headers, delivery, and MAILFROM are otherwise as valid as any
other spam; sometimes quite authentic.

- Original Message - 
> The problem, though, is that any anti-spam program that does RHSBL tests
> probably does MAILFROM tests as well.  So while the domain won't be listed
> in any RHSBLs yet, it will fail the MAILFROM test, which is likely to be
> weighted higher.



Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Dan Geiser
Yes, but Dennis Fisher is a senior editor at eWeek.  Don't they have someone
give these articles the once-over before printing them?

- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 4:09 PM
Subject: Re: [Declude.JunkMail] Interesting tactic..


> This sounds like an urban legend to me.  Keep in mind that there was
> some news release a few weeks ago that indicated AOL was seeing
> dramatically less spam traffic.  I think it is likely that AOL has
> succeeded in blocking more spam, and the article was rehashed by someone
> that didn't understand the topic and assumed that this meant a drop in
> spam.  This used to happen all the time, even in industry mags, back
> when the Internet was becoming a big deal.  Same thing with spam now.
> I'm sure that they mess up articles about medicine, astronomy, etc., and
> we just don't know enough to see through the mistakes.
>
> Matt
>
>
>
> Dan Geiser wrote:
>
> >I don't get this article at all.  How is this any different than sending
> >e-mails using domains that you have no intention of ever using?  Why
> >would you want to register the domain name and then associate yourself
> >with a domain used in a spam mailing?  And from a technical standpoint why
> >would a distributed DNS system be overloaded by trying to look up bogus
> >domain names?
> >
> >- Original Message - 
> >From: "Kami Razvan" <[EMAIL PROTECTED]>
> >To: 
> >Sent: Tuesday, January 11, 2005 2:50 PM
> >Subject: [Declude.JunkMail] Interesting tactic..
> >
> >
> >
> >
> >><http://www.eweek.com/article2/0,1759,1749328,00.asp>
> >>http://www.eweek.com/article2/0,1759,1749328,00.asp\
> >>
> >>"One troublesome technique finding favor with spammers involves sending
> >>
> >>
> >mass
> >
> >
> >>mailings in the middle of the night from a domain that has not yet been
> >>registered. After the mailings go out, the spammer registers the domain
> >>early the next morning."
> >>
> >>H
> >>
> >>Kami
> >>
> >>
> >>
> >
> >




RE: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Andy Schmidt



Well, I CAN tell you that I have personal contacts with Spammers (who keep
wanting me to take their business) - and from casual conversations about the
"industry" I know that several DO clean any AOL mailboxes from their lists
before doing campaigns out of fear of litigation based on VA law.

Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 11, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Interesting tactic..

This sounds like an urban legend to me.  Keep in mind that there was some
news release a few weeks ago that indicated AOL was seeing dramatically less
spam traffic.  I think it is likely that AOL has succeeded in blocking more
spam, and the article was rehashed by someone that didn't understand the
topic and assumed that this meant a drop in spam.  This used to happen all
the time, even in industry mags, back when the Internet was becoming a big
deal.  Same thing with spam now.  I'm sure that they mess up articles about
medicine, astronomy, etc., and we just don't know enough to see through the
mistakes.

Matt

Dan Geiser wrote:
I don't get this article at all.  How is this any different than sending
e-mails using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to look up bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


  

http://www.eweek.com/article2/0,1759,1749328,00.asp\

"One troublesome technique finding favor with spammers involves sending mass
mailings in the middle of the night from a domain that has not yet been
registered. After the mailings go out, the spammer registers the domain
early the next morning."

H

Kami





Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Matt




This sounds like an urban legend to me.  Keep in mind that there was
some news release a few weeks ago that indicated AOL was seeing
dramatically less spam traffic.  I think it is likely that AOL has
succeeded in blocking more spam, and the article was rehashed by
someone that didn't understand the topic and assumed that this meant a
drop in spam.  This used to happen all the time, even in industry mags,
back when the Internet was becoming a big deal.  Same thing with spam
now.  I'm sure that they mess up articles about medicine, astronomy,
etc., and we just don't know enough to see through the mistakes.

Matt



Dan Geiser wrote:

  I don't get this article at all.  How is this any different than sending
e-mails using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to look up bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


  
  

http://www.eweek.com/article2/0,1759,1749328,00.asp\

"One troublesome technique finding favor with spammers involves sending mass
mailings in the middle of the night from a domain that has not yet been
registered. After the mailings go out, the spammer registers the domain
early the next morning."

H

Kami


  
  





Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Dan Geiser
I don't get this article at all.  How is this any different than sending
e-mails using domains that you have no intention of ever using?  Why
would you want to register the domain name and then associate yourself with
a domain used in a spam mailing?  And from a technical standpoint why would
a distributed DNS system be overloaded by trying to look up bogus domain
names?

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, January 11, 2005 2:50 PM
Subject: [Declude.JunkMail] Interesting tactic..


> <http://www.eweek.com/article2/0,1759,1749328,00.asp>
> http://www.eweek.com/article2/0,1759,1749328,00.asp\
>
> "One troublesome technique finding favor with spammers involves sending
> mass mailings in the middle of the night from a domain that has not yet
> been registered. After the mailings go out, the spammer registers the
> domain early the next morning."
>
> H
>
> Kami
>




Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread R. Scott Perry

> > As far as the technique is concerned, it really seems silly -- I can't
> > see what benefit a spammer would have from doing this.
>
> I have never heard of this before but one would suppose the logic is
> the domains will not be listed anywhere - yet. So the mail
> gets delivered and then the domains go live.

The problem, though, is that any anti-spam program that does RHSBL tests 
probably does MAILFROM tests as well.  So while the domain won't be listed 
in any RHSBLs yet, it will fail the MAILFROM test, which is likely to be 
weighted higher.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
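Scott's point (an unregistered sender domain is not in any RHSBL yet, but fails the MAILFROM test) and Mike Nice's earlier remark that the trick is more often seen in spamvertized body URLs, where only a SURBL-style test applies, can both be shown on one constructed message set. This is an added example, not Declude's scoring code nor anything posted on the list: a stub DNS table describes what a resolver sees on the night of the run, and a small scorer runs MAILFROM, RHSBL and SURBL-style tests over four messages. The zone names rhsbl.example and surbl.example, the weights, and the extra URLNX test (a body URL whose domain has no DNS at all) are my assumptions; the domains are documentation names.

```python
import re
from email import message_from_string

# Constructed DNS view at delivery time (night of the spam run).  The
# not-yet-registered domain simply has no records; nothing here is real data.
RHSBL_ZONE = "rhsbl.example"   # hypothetical right-hand-side blocklist zone
SURBL_ZONE = "surbl.example"   # hypothetical body-URL blocklist zone
DNS = {
    ("goodshop.example", "MX"): ["mx.goodshop.example"],
    ("listed-spammer.example", "MX"): ["mx.listed-spammer.example"],
    ("listed-spammer.example." + RHSBL_ZONE, "A"): ["127.0.0.2"],
    ("listed-spammer.example." + SURBL_ZONE, "A"): ["127.0.0.2"],
    # "notyet.example" is absent on purpose: it gets registered the next morning.
}

# Assumed weights: the MAILFROM failure counts for more, as Scott describes.
WEIGHTS = {"MAILFROM": 20, "RHSBL": 10, "SURBL": 10, "URLNX": 5}
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def lookup(name, rtype):
    """Stub resolver over the table above instead of live DNS."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def domain_exists(domain):
    """MAILFROM-style test: does the sender domain have MX or A records at all?"""
    return bool(lookup(domain, "MX") or lookup(domain, "A"))


def is_listed(domain, zone):
    """RHSBL/SURBL convention: an A record for <domain>.<zone> means listed."""
    return bool(lookup(f"{domain}.{zone}", "A"))


def registered_domain(host):
    """Reduce a hostname to its registrable part.  Two labels is a
    simplification; a real SURBL client consults the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def body_domains(raw_message):
    """Registrable domains of every http(s) URL in a single-part body."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return sorted({registered_domain(h) for h in URL_HOST_RE.findall(body)})


def score_message(envelope_from, raw_message):
    """Return (tests hit, total weight) the way a Declude-style scorer would."""
    sender_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hits = []
    if not domain_exists(sender_domain):
        hits.append("MAILFROM")
    if is_listed(sender_domain, RHSBL_ZONE):
        hits.append("RHSBL")
    domains = body_domains(raw_message)
    if any(is_listed(d, SURBL_ZONE) for d in domains):
        hits.append("SURBL")
    if any(not domain_exists(d) for d in domains):
        hits.append("URLNX")   # added heuristic: body URL points at a domain with no DNS
    return hits, sum(WEIGHTS[h] for h in hits)


# Constructed sample messages (envelope sender passed separately, as an MTA would).
NIGHT_RUN = "From: news@notyet.example\nSubject: hi\n\nBuy at http://www.notyet.example/pills today\n"
LISTED = "From: offer@listed-spammer.example\nSubject: hi\n\nhttp://listed-spammer.example/\n"
LEGIT = "From: alice@goodshop.example\nSubject: hi\n\nOrder at http://www.goodshop.example/\n"
# Mike Nice's case: valid envelope sender, only the body URL is the unregistered domain.
MIXED = "From: info@goodshop.example\nSubject: hi\n\nhttp://www.notyet.example/pills\n"
```

Run score_message("news@notyet.example", NIGHT_RUN) and the message scores on MAILFROM (and the added URLNX test) even though neither blocklist knows the domain yet; score_message("info@goodshop.example", MIXED) shows the gap Mike Nice describes: with a real sender domain, only a test on the body URL's domain has anything to say until a SURBL lists it.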


Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Mike Nice
>"One troublesome technique finding favor with
>spammers involves sending mass mailings in the
>middle of the night from a domain that has not
>yet been registered. After the mailings go out,
>the spammer registers the domain early the
>next morning."
>
>H

   Want to tick off some spammers?  Register some of those domains out from
under their noses!!



Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Nick
On 11 Jan 2005 at 15:15, R. Scott Perry wrote:

> As far as the technique is concerned, it really seems silly -- I can't
> see what benefit a spammer would have from doing this.
I have never heard of this before but one would suppose the logic is 
the domains will not be listed anywhere - yet. So the mail 
 gets delivered and then the domains go live.

-Nick




Re: [Declude.JunkMail] Interesting tactic..

2005-01-11 Thread R. Scott Perry

> http://www.eweek.com/article2/0,1759,1749328,00.asp\
> "One troublesome technique finding favor with spammers involves sending
> mass mailings in the middle of the night from a domain that has not yet
> been registered. After the mailings go out, the spammer registers the
> domain early the next morning."

Interestingly, the main point of the article (that this technique wreaks 
havoc on DNS) is complete hogwash.  I've informed the author of the 
article, and hope he posts a retraction.

As far as the technique is concerned, it really seems silly -- I can't see 
what benefit a spammer would have from doing this.

   -Scott


[Declude.JunkMail] Interesting tactic..

2005-01-11 Thread Kami Razvan



http://www.eweek.com/article2/0,1759,1749328,00.asp\
 
"One troublesome technique finding favor with spammers involves sending mass
mailings in the middle of the night from a domain that has not yet been
registered. After the mailings go out, the spammer registers the domain
early the next morning."
 
H
 
Kami


Re: [Declude.JunkMail] Interesting Spamming Technique

2004-11-19 Thread Dan Geiser
Hey, Goran,
That is what we ended up doing for this customer.  They can't receive any 
port 25 traffic from any IP addresses except ours now.  I just had never 
seen evidence of spammers caching IP addresses before.

I was thinking though that scanning ranges of IP addresses for responses on 
port 25 and then sending e-mail either from or to @domain.tld, where 
domain.tld is the second-level domain found when you do a lookup on the 
Reverse DNS for any IP addresses found to be responding on port 25, might be 
a good way for spammers to get their messages through.

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]
- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 18, 2004 1:49 PM
Subject: RE: [Declude.JunkMail] Interesting Spamming Technique

Hi Dan,
What we do for our store and forward customers is to lock down their
firewall to only accept port 25 traffic from our IPs. Instant end to the
end-around problem.
I moved a MX record about a week ago for a domain and I am still seeing
about 1000 messages per day still hitting the old IP address and 98% of
them are WEIGHT10 +

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Thursday, November 18, 2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting Spamming Technique
Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains.  In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam.  When I check the headers of the e-mail they are sending to me I
don't see any indication that the e-mail was routed through us and NOT
picked up as spam.  Instead it looks like the mail was delivered directly to
their e-mail servers and did the end around our Store and Forward.  The
thing is I have no idea how the spammer even knew the direct IP addresses of
our customers because those don't show up anywhere in their DNS records.
Although I guess they could just be running port scans and checking for
responses on port 25 and attempting delivery of spam that way without using
DNS lookups.  But part of the IMail Store and Forward documentation involves
locking down the SMTP server to only accept e-mail from the relaying IP
address.  I'm 99% sure that we had the customers lock down their incoming
e-mail to only accept connections from us but I need to confirm that.  In
the meantime has anyone noticed an increase in this direct delivery method
which basically ignores the current DNS system?
Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]

---
Sign up for virus-free and spam-free e-mail with Nexus Technology
Group
http://www.nexustechgroup.com/mailscan
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
---

Re: [Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Dave Doherty
Hi, Dan-
Is the IP of the POP server nowhere to be found in DNS? It seems to me that 
would be unlikely unless the end users are entering IP addresses into their 
mail client software - a very bad idea from a system management perspective.

It is a simple matter to port scan all addresses in a DNS record looking for 
a response on port 25.

Goran's suggestion should be the cure. Block port 25 at the client's 
firewall for all IPs except the store-and-forward server(s), then the only 
way for someone outside the system to deliver mail is through your 
store/forward server(s).

Matt's suggestion to change the IP of the POP server should also work unless 
you publish the IP somewhere in DNS, which you probably do as a convenience 
to the end users.

-d




RE: [Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Goran Jovanovic
Hi Dan,

What we do for our store and forward customers is to lock down their
firewall to only accept port 25 traffic from our IPs. Instant end to the
end-around problem.

I moved an MX record about a week ago for a domain and I am still seeing
about 1000 messages per day still hitting the old IP address and 98% of
them are WEIGHT10 +

Goran Jovanovic
The LAN Shoppe




Re: [Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Matt
Michael,
If you can't lock down the mail server, just change the IP once all of 
the MX records no longer point to that box.  As far as I can tell, they 
don't cache the MX records, they only cache the IP that the old MX 
records resolved to.  I was concerned about the possibility of spammers 
guessing mail.domain.tld, but I have found only evidence of old IPs 
being cached so far.

Matt

 

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Matt
I've seen about 4 different spammers, 3 zombie spammers/gangs and one 
static porn spammer, cache old MX records for indefinite periods of 
time.  It appears that they load their machines with a table containing 
the IP of the domain in question, and they don't often refresh such 
records, and maybe not at all.  Locking down port 25 on the router or 
the MTA software on the customer's end to only accept non-AUTHed E-mail 
has worked so far as I can tell.  There's no reason that this shouldn't 
work if done properly.

Try a telnet connection to test send E-mail from your PC and that should 
verify if they are in fact locked down.

Matt



RE: [Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Michael Jaworski
Absolutely! Once we installed a Postfix gateway and updated the MX records
for a particular domain under constant dictionary attacks we dramatically
cut down the network flood of unknown users. However that domain is still
getting a smaller flood of unknown user spam at the old location. We suspect
they are doing a port scan and/or just trying mail.domainname.tld which was
the original. Our next step is to get all our customers for that domain to
move to a different domain name SMTP and POP addresses. Would love to bypass
the process of elimination and go to the heart of the spammer bypass.

Michael Jaworski
[EMAIL PROTECTED]



[Declude.JunkMail] Interesting Spamming Technique

2004-11-18 Thread Dan Geiser
Hello, All,
In addition to doing spam filtering for some of our IMail hosting customers
we also do Store and Forward filtering for a few domains.  In the past day
or so I've had complaints from Store and Forward customers about an increase
in spam.  When I check the headers of the e-mail they are sending to me I
don't see any indication that the e-mail was routed through us and NOT
picked up as spam.  Instead it looks like the mail was delivered directly to
their e-mail servers and did the end around our Store and Forward.  The
thing is I have no idea how the spammer even knew the direct IP addresses of
our customers because those don't show up anywhere in their DNS records.
Although I guess they could just be running port scans and checking for
responses on port 25 and attempting delivery of spam that way without using
DNS lookups.  But part of the IMail Store and Forward documentation involves
locking down the SMTP server to only accept e-mail from the relaying IP
address.  I'm 99% sure that we had the customers lock down their incoming
e-mail to only accept connections from us but I need to confirm that.  In
the meantime has anyone noticed an increase in this direct delivery method
which basically ignores the current DNS system?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]


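A check for the end-around Dan describes, as an added example that is not part of the thread or of IMail/Declude: it reads the Received: chain of a message and flags any whose final hop did not come from the store-and-forward gateway. The gateway address 192.0.2.10 and the two sample messages are constructed for the example.

```python
"""Flag mail that reached a customer's server without passing the gateway.

Added example for this thread (not IMail or Declude code).  Assumes the
store-and-forward gateway's address is known and that the customer's own
MTA writes the topmost Received: header, the only one it controls.
"""
import ipaddress
import re
from email import message_from_string

# Constructed for this example: the filtering gateway(s) every inbound
# message to the customer should have come through.
GATEWAY_IPS = {ipaddress.ip_address("192.0.2.10")}

# The bracketed literal an MTA records for the host that connected to it,
# e.g. "from filter.example.net (filter.example.net [192.0.2.10]) by ...".
_CONNECTING_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample: the normal path, gateway delivers to the customer.
VIA_GATEWAY = """\
Received: from filter.example.net (filter.example.net [192.0.2.10])
    by mail.customer.example (IMail) with ESMTP id 1001
    for <user@customer.example>; Thu, 18 Nov 2004 10:31:00 -0500
Received: from sender.example.org (sender.example.org [203.0.113.5])
    by filter.example.net with ESMTP; Thu, 18 Nov 2004 10:30:58 -0500
From: someone@example.org
To: user@customer.example
Subject: via the gateway

hello
"""

# Constructed sample: direct delivery from an unknown host.  The lower
# Received: line claims the gateway, but the sender wrote that line and it
# proves nothing; only the top line, written by mail.customer.example
# itself, can be trusted.
DIRECT = """\
Received: from unknown (HELO mx1) [198.51.100.77]
    by mail.customer.example (IMail) with SMTP id 1002
    for <user@customer.example>; Thu, 18 Nov 2004 10:35:12 -0500
Received: from filter.example.net (filter.example.net [192.0.2.10])
    by unknown with ESMTP; Thu, 18 Nov 2004 10:35:10 -0500
From: someone@example.org
To: user@customer.example
Subject: end-around

buy stuff
"""


def received_hops(raw_message):
    """Connecting IP recorded in each Received: header, newest (topmost) first.

    Headers without a parseable literal are skipped rather than guessed at.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = _CONNECTING_IP.search(header)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not an IP literal (e.g. a bracketed hostname)
    return hops


def bypassed_gateway(raw_message, gateway_ips=GATEWAY_IPS):
    """True when the final hop came from anywhere but the gateway.

    A message with no usable Received: line at all is also reported, since a
    delivery through the gateway always leaves one.
    """
    hops = received_hops(raw_message)
    return not hops or hops[0] not in gateway_ips


def end_arounds(messages, gateway_ips=GATEWAY_IPS):
    """Subjects of the messages in `messages` that bypassed the gateway."""
    flagged = []
    for raw in messages:
        if bypassed_gateway(raw, gateway_ips):
            flagged.append(message_from_string(raw).get("Subject", "(no subject)"))
    return flagged


if __name__ == "__main__":
    for subject in end_arounds([VIA_GATEWAY, DIRECT]):
        print("delivered directly, bypassed the gateway:", subject)
```

Run it over a customer's mailbox after the firewall change and anything it still flags is a host that has not been locked down.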


[Declude.JunkMail] Interesting Spam Article

2004-06-17 Thread Bridges, Samantha
Interesting Spam Article

http://www.eweek.com/article2/0,1759,1608663,00.asp?kc=ewnws060904dtx1k0700599

Samantha Bridges
Communications Technician
Macomb Intermediate School District
44001 Garfield Road
Clinton Township  MI  48038-1100
(586) 228-3300

[EMAIL PROTECTED]
http://www.misd.net


CONFIDENTIALITY NOTICE: This email message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.

 


[Declude.JunkMail] Interesting spam..

2004-02-11 Thread Kami Razvan



Hi;
Look at the following spam..

Kami
==
Hello, Thank you for registration on our board - http://www.carderportal.com

Your Login $ Password:
Login: User129
Password: IkS9s1c

In our site you will find:
Spam Hosting - from 20$ per mounth.
Fraud Hosting - from 30$ per mounth.
Stoln Credit Cards, Fake ID, DL's.
Spam For free only from 5.02.2004 to 14.02.2004.

Welcome - http://www.carderportal.com

---
Best Spam Hosting.
e-mail: [EMAIL PROTECTED]
abuse e-mail: [EMAIL PROTECTED]
http://www.netfirms.com

---


Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Nick Hayer
Marc,

Would you share your filter? Save me some efforts!

Thanks

-Nick 




Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Matt
Funny how these companies have 100 different names :)  I think I've 
shared these before, but here are some lines that work on Green Horse 
Corporation:

NOTE: replace $ with a dot (changed not to trip some filters).

# Green Horse Corporation (SBL12495)
BODY	28	CONTAINS	/img/c$0/
BODY	28	CONTAINS	/img/o$0/
BODY	28	CONTAINS	/img/v$0/
BODY	3	CONTAINS	http://t$
BODY	8	CONTAINS	mailserver$com/

Also, I've done some pattern matching on the banned c-d guy that can't 
sell (also cable, travel and other crud sent from zombies).

# Korean Dictionary Spammer that Can't Spell
HEADERS	8	CONTAINS	.comIP with HTTP;
HEADERS	8	CONTAINS	.netIP with HTTP;
HEADERS	8	CONTAINS	.orgIP with HTTP;
HEADERS	5	CONTAINS	x-mailer: mpop web-mail 2.19

Note that mPOP is a real mailer, however it is Korean made and I've only 
seen legit use in Google searches from Asian and Russian senders, and 
legitimate use is very low.  The header matches are an error in the code 
that appears to be exclusive to his software, though I'm not sure.  This 
should allow you to tag the guy regardless of the domain that he uses 
(which changes every week or so).

Matt



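Matt's filter lines above, scored against a message by a small Python evaluator; this is an added example, not Declude's or MailPure's code. It assumes Declude's tab-separated TYPE, WEIGHT, ACTION, STRING layout (the archive flattened the tabs) and a case-insensitive CONTAINS, and the three messages it scores are constructed.

```python
"""Score a raw message against Declude-style weighted filter lines.

Added example for this thread, not Declude or MailPure code.  It assumes
the tab-separated "TYPE<tab>WEIGHT<tab>ACTION<tab>STRING" layout of a
Declude filter file and a case-insensitive CONTAINS test; only the HEADERS
and BODY types with CONTAINS are implemented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    section: str  # "HEADERS" or "BODY"
    weight: int
    action: str   # only "CONTAINS" is supported here
    needle: str


# Matt's lines with the tabs restored and his "$" put back to "."
# (a reconstruction for this example).
FILTER_TEXT = """\
# Green Horse Corporation (SBL12495)
BODY\t28\tCONTAINS\t/img/c.0/
BODY\t28\tCONTAINS\t/img/o.0/
BODY\t28\tCONTAINS\t/img/v.0/
BODY\t3\tCONTAINS\thttp://t.
BODY\t8\tCONTAINS\tmailserver.com/
# Korean Dictionary Spammer that Can't Spell
HEADERS\t8\tCONTAINS\t.comIP with HTTP;
HEADERS\t8\tCONTAINS\t.netIP with HTTP;
HEADERS\t8\tCONTAINS\t.orgIP with HTTP;
HEADERS\t5\tCONTAINS\tx-mailer: mpop web-mail 2.19
"""


def parse_filter(text):
    """Turn a filter file into Rule objects, skipping blanks and # comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.rstrip("\r\n").split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected TYPE, WEIGHT, ACTION, STRING")
        section, weight, action, needle = parts
        section, action = section.strip().upper(), action.strip().upper()
        if section not in ("HEADERS", "BODY") or action != "CONTAINS":
            raise ValueError(f"line {lineno}: unsupported rule {section} {action}")
        rules.append(Rule(section, int(weight), action, needle))
    return rules


def split_message(raw):
    """Split a raw message into (headers, body) at the first blank line."""
    normalized = raw.replace("\r\n", "\n")
    headers, _, body = normalized.partition("\n\n")
    return headers, body


def score(rules, raw):
    """Total weight and the matched strings, in filter-file order.

    Each rule fires at most once, like a single Declude CONTAINS line.
    """
    headers, body = split_message(raw)
    haystacks = {"HEADERS": headers.lower(), "BODY": body.lower()}
    total, hits = 0, []
    for rule in rules:
        if rule.needle.lower() in haystacks[rule.section]:
            total += rule.weight
            hits.append(rule.needle)
    return total, hits


RULES = parse_filter(FILTER_TEXT)

# Constructed samples, not real captures.
GREEN_HORSE = """\
From: offers@example.net
Subject: great deal
Content-Type: text/html

<html><body><img src="http://t.example/img/c.0/pixel.gif"></body></html>
"""

MPOP = """\
Received: from relay.example.comIP with HTTP; Tue, 20 Jan 2004 07:00:00 -0500
From: someone@example.com
X-Mailer: mPOP Web-Mail 2.19
Subject: hello

Hello
"""

CLEAN = """\
From: friend@example.org
Subject: lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("green horse", GREEN_HORSE), ("mpop", MPOP), ("clean", CLEAN)):
        print(name, score(RULES, raw))
```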


Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Marc Hilliker
Kami,

Maybe you already know this but just in case you or others don't,
mailserveruser.com is a domain that belongs to Green Horse Corporation (aka
atriks.com). There is quite a list of domains (60+?) that this group of scum
own. I made a filter looking for those domains in the body of the email and
it catches a good number daily.

For more info see:
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495


- Marc



Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Matt




Throw the following in an ipfile filter and it should take care of the
problem :)

63.254.68.0/22       Virtumundo/vmlocal.com/adknow-net.com (Spam House) [63.254.68.0 - 63.254.71.255]        01/17/2003
65.164.176.192/26    Virtumundo/vmlocal.com/adknow-net.com (Spam House) [65.164.176.192 - 65.164.176.255]    01/17/2003
216.21.208.0/20      Virtumundo/vmlocal.com/adknow-net.com (Spam House) [216.21.208.0 - 216.21.223.255]      01/17/2003
216.212.54.240/29    Virtumundo/vmlocal.com/adknow-net.com (Spam House) [216.212.54.240 - 216.212.54.247]    01/17/2003

Cyan let me know that they have at least for the time being, pulled
their Bonded Sender status.

Matt







[S85] RE: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Markus Gufler



 
I've collected some information about this "concept":

On http://www.virtualmda.com/services.htm is a "how it works" for their client called "VirtualMDA".

This about the revenues for VirtualMDA users:
"2. Payment. Upon completing the registration procedure, you will be given a unique identification account number ("UID"). You will be paid by SENDMAILS CORPORATION $0.25 for every Central Processing Unit Hour ("CPU HOUR") used by the VirtualMDA software located on your personal or business computer(s) ..."
In other words: You can earn $6 per computer if you keep them online 24 hours/day. But as explained later you have to accumulate at least $50. => So a VirtualMDA user has to keep his PC online for a minimum of 200 hours (= 8,3 days) to earn something.

"VirtualMDA" seems to be a known 'problem':

https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg08900.html

http://www.rhyolite.com/anti-spam/unwelcome-v.html (Kami: interesting list of domains!)

http://www.river.com/ops/spam/bad-domains.txt (Another interesting sender domain list)

http://www.google.de/search?q=cache:rgz9ryMlTRwJ:eyezone.mine.nu/zones/list_nana.txt+virtualmda&hl=de&ie=UTF-8

And here an interesting dialog between Atriks (the company behind VirtualMDA) and a spamfighter with some background information about Atriks:
http://www.google.de/search?q=cache:TjCpLwXJ03YJ:www.nux.at/newsportal-usenet/article.php/news.admin.net-abuse.email/1599464.html+virtualmda&hl=de&ie=UTF-8

If spamming is so cheap why not spend some $ to sign up and send out a "test spam" containing a special identification string?

Then - if we can bring up a large community of spam fighters - we can filter for this string and so identify a large number of their "60,000 individuals" who send out spam for "Sendmails Corporation Distributed Email Delivery System".

If we collect all these IPs (only the first one in the headers mail chain) and merge them to one file we have a good blacklist where we can assign an accordingly weight. I'm sure there are also other antispam communities and IP blacklist providers interested in such an action.

Problem: Maybe a large number of these "individuals" connect from dynamic IPs but I think it should be possible to process and separate these IPs in one list containing fixed and another one with DUL IPs. Then we can give a high weight for the fixed IPs and create a "cloud" of suspect DUL IP ranges.

Todo:
- Contact Atriks and ask an offer for "world wide email marketing"
- Find enough spamfighters to a.) bring up the $$ and b.) have online a wide range of Atriks spam-filters.
- Prepare a virtual "marketing action"

Only an idea... what do you think about?


RE: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Omar K.
Yeah those are definitely tripped out zombie machines.

But I'm impressed how they really try to be "polite" when talking to our mail servers!

  


Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Dave Doherty
It's a very good way for them to get around IP blacklists. 

I wonder how the headers look. Pretty much legit, I would guess.

"Content is king!"

Now if only I could remember who said that 

I could have been _M, but it wasn't.

-Dave Doherty
 Skywaves, Inc.






Re: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread Joshua Levitsky



Guess they have 60,000 very very greedy individuals. Of course they also have probably 60,000 people violating their Terms of Service so when I report them through SpamCop they are likely to lose their DSL / Cable line if they have a respectable ISP.

http://www.virtualmda.com/

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]



RE: [Declude.JunkMail] Interesting concept..

2004-01-20 Thread marc catuogno









You mean “H this company is using zombies”

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Tuesday, January 20, 2004 7:19 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting concept..

I guess this qualifies as things that make you go h...

http://www.mailserveruser.com/email_deployment.html

Regards,
Kami


[Declude.JunkMail] Interesting concept..

2004-01-20 Thread Kami Razvan



I guess this qualifies as things that make you go h...

http://www.mailserveruser.com/email_deployment.html

Regards,
Kami


[Declude.JunkMail] Interesting.. Now PGP is used

2003-12-02 Thread Kami Razvan
Hi;

Interesting spam…


Now they are using PGP code … 


Just in case you are adding negative weight for PGP - something to keep in mind.


Regards,

Kami





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
your request for notification for the ZONE (sites i need to see)of
"pfb2"
has been scheduled.

You will get another notification shortly after your request has been
processed.
If you do not get any further notification during the next 24 hours,
don't hesitate to contact our support team.


She is way too fine for this ugly dude:
http://gnome30.route.antipuff.nom.br/?f=5666/dm_ff.htm


In case of any questions regarding your request please visit our
support area
on http://vju3.com



Best regards,

your qrvn7-Team


- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
p3.com is a division of
The cheese factory
650 N Peko Lane
Arka, TX
65002

https://l8.net
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

-----END PGP SIGNATURE-----


===





RE: [Declude.JunkMail] Interesting.. indeed... long long long spam

2003-10-03 Thread Kami Razvan





"I've 
gotten two or three like this in the last couple days, but mine are getting tagged on with weight 21 or thereabouts.  I delete on weight 20."

Yes in our case it was caught with a weight of 57.  We hold on 20 and delete on 60 so this one was almost deleted.

BUT -- the filters are our most effective tool... and they are not triggered.. that can be worrisome..

Regards,
Kami
 
 


Re: [Declude.JunkMail] Interesting.. indeed... long long long spam

2003-10-03 Thread Glenn \ WCNet

I've gotten two or three like this in the last couple days, but mine are getting tagged on with weight 21 or thereabouts.  I delete on weight 20.

G.Z.

  - Original Message - 
  From: Kami Razvan 
  To: [EMAIL PROTECTED] 
  Sent: Friday, October 03, 2003 5:11 PM
  Subject: [Declude.JunkMail] Interesting.. indeed... long long long spam

  Hi..

  Spammers are not as dumb as we think they are...

  This spam we received...

  This is a multi-part message in MIME format.

  --=_NextPart_000_58469_01C389A3.18FD3DB0
  Content-Type: text/plain; charset="Windows-1252"
  Content-Transfer-Encoding: quoted-printable

  Although there are benefits to both legal and illegal enhancers the =risks of illegal enhancers are much higher. "Oral Steroids are very hard =on the liver. Since the steroid doses are so high, the liver cannot keep =up and is overworked. As t..

  goes on and on and on... it has something like 3 pages of just text - mainly news items.. Stuff like:

  1. Background ="">Napster software, launched early in 1999, allows internet users to share =and download MP3 files directly from any computer connected to the =Napster network. The software is used by downloading a client program =from the Napster site and then connecting to the network through this =software, 

  ...

  Then at the end the spam starts..

  So in essence content filtering is out of the door. Filters were triggered:

  X-IMAIL-SPAM-DNSBL: (SPAMHAUS,19530360,127.0.0.2)
  X-IMAIL-SPAM-DNSBL: (NJABL,19530360,127.0.0.4)
  X-IMAIL-SPAM-DNSBL: (WIREHUB-DNSBL,19530360,127.0.0.2)
  X-IMAIL-SPAM-VALREVDNS: (19530360)
  X-RBL-Warning: IPNOTINMX: 
  X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
  X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 204.29.185.192 with no reverse DNS entry.
  X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (9)
  X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (38)
  X-Declude-Sender: [EMAIL PROTECTED] [204.29.185.192]
  X-Declude-Spoolname: Da634012a027877db.SMD
  ---

  but none of our content filters were triggered.  It had two URL's listed in our database but none were detected since they are after so many characters..

  Scott:  What next?

  Regards,
  Kami


[Declude.JunkMail] Interesting.. indeed... long long long spam

2003-10-03 Thread Kami Razvan



Hi..

Spammers are not as dumb as we think they are...

This spam we received...

This is a multi-part message in MIME format.

--=_NextPart_000_58469_01C389A3.18FD3DB0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Although there are benefits to both legal and illegal enhancers the =risks of illegal enhancers are much higher. "Oral Steroids are very hard =on the liver. Since the steroid doses are so high, the liver cannot keep =up and is overworked. As t..

goes on and on and on... it has something like 3 pages of just text - mainly news items.. Stuff like:

1. Background ="">Napster software, launched early in 1999, allows internet users to share =and download MP3 files directly from any computer connected to the =Napster network. The software is used by downloading a client program =from the Napster site and then connecting to the network through this =software, 

...

Then at the end the spam starts..

So in essence content filtering is out of the door. Filters were triggered:

X-IMAIL-SPAM-DNSBL: (SPAMHAUS,19530360,127.0.0.2)
X-IMAIL-SPAM-DNSBL: (NJABL,19530360,127.0.0.4)
X-IMAIL-SPAM-DNSBL: (WIREHUB-DNSBL,19530360,127.0.0.2)
X-IMAIL-SPAM-VALREVDNS: (19530360)
X-RBL-Warning: IPNOTINMX: 
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 204.29.185.192 with no reverse DNS entry.
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (9)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (38)
X-Declude-Sender: [EMAIL PROTECTED] [204.29.185.192]
X-Declude-Spoolname: Da634012a027877db.SMD
---

but none of our content filters were triggered.  It had two URL's listed in our database but none were detected since they are after so many characters..

Scott:  What next?

Regards,
Kami


RE: [Declude.JunkMail] Interesting headers, but this message was still easily caught

2003-09-17 Thread Keith Anderson

This looks a lot like the millions that were sent through one of my clients'
WAP.  If this is the case, it's nonroutable because they are sitting behind
a corporate firewall.

-Original Message-
From: Colbeck, Andrew [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: [Declude.JunkMail] Interesting headers, but this message was still
easily caught


Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
  (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174]
by 66.38.133.97 with SMTP
for ; Wed, 17 Sep 2003 06:00:29 +
Message-ID: <[EMAIL PROTECTED]>
From: "Sheldon Barton" <[EMAIL PROTECTED]>
Reply-To: "Sheldon Barton" <[EMAIL PROTECTED]>
To: , , , , , 
Subject: can you please her?
Date: Wed, 17 Sep 03 06:00:29 GMT
X-Mailer: mnhjklop
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="E.F961FB6_.FD28E2.7305.B"
X-Priority: 3
X-MSMail-Priority: Normal

Now that is interesting.  The miscreant address 200.252.69.131 is apparently
an open proxy.  What is interesting about this message is the forgery of the
headers.  The 66.38.133.97 name is bogus, the spammer is using my mail
server's address as their hostname.  The 73.250.175.174 address is either a
deliberate forgery or an internal address of the open proxy, because it is a
non-routable address reserved by IANA.
Also note the bogus X-Mailer name.  The X-MS-Mail-Priority header on the
other hand, either gives away that the source was part of the Microsoft
Outlook family, or is another forgery.
Based on the number of ip4r tests the source address was in, plus the
COUNTRY routing, plus the obfuscation, plus the reply-to address, this
message easily reached my HOLD weight.  Which makes the effort to forge the
headers so remarkable!
Andrew 8)




[Declude.JunkMail] Interesting headers, but this message was still easily caught

2003-09-17 Thread Colbeck, Andrew
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
  (SMTPD32-8.02) id A3E5113000F4; Wed, 17 Sep 2003 10:03:33 -0700
Received: from [73.250.175.174]
by 66.38.133.97 with SMTP
for ; Wed, 17 Sep 2003 06:00:29 +
Message-ID: <[EMAIL PROTECTED]>
From: "Sheldon Barton" <[EMAIL PROTECTED]>
Reply-To: "Sheldon Barton" <[EMAIL PROTECTED]>
To: , , , , , 
Subject: can you please her?
Date: Wed, 17 Sep 03 06:00:29 GMT
X-Mailer: mnhjklop
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="E.F961FB6_.FD28E2.7305.B"
X-Priority: 3
X-MSMail-Priority: Normal

Now that is interesting.  The miscreant address 200.252.69.131 is apparently an open proxy.  What is interesting about this message is the forgery of the headers.  The 66.38.133.97 name is bogus, the spammer is using my mail server's address as their hostname.  The 73.250.175.174 address is either a deliberate forgery or an internal address of the open proxy, because it is a non-routable address reserved by IANA.

Also note the bogus X-Mailer name.  The X-MS-Mail-Priority header on the other hand, either gives away that the source was part of the Microsoft Outlook family, or is another forgery.

Based on the number of ip4r tests the source address was in, plus the COUNTRY routing, plus the obfuscation, plus the reply-to address, this message easily reached my HOLD weight.  Which makes the effort to forge the headers so remarkable!

Andrew 8)
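As an added example (not Andrew's code, and not part of Declude), here is a small Python check that walks the Received chain of the message above and flags the forgeries Andrew describes in this post and in Keith's reply: a HELO name that is our own server's identity while the real peer is someone else, and an inner hop that claims our server relayed it even though only the outermost Received line was written by us. It assumes that mail.bentall.com and 66.38.133.97 are the same server (the page says the spammer used Andrew's server address as hostname; the pairing is an assumption), uses a constructed copy of the headers with redacted fields left out, and its non-public address check relies on Python's current allocation tables, not those of 2003.

```python
import ipaddress
import re
from email import message_from_string

# Constructed copy of the headers quoted in Andrew's post; redacted addresses,
# the "for" clause and the dates are left out because they play no part here.
SAMPLE_HEADERS = """\
Received: from 66.38.133.97 [200.252.69.131] by mail.bentall.com
  (SMTPD32-8.02) id A3E5113000F4
Received: from [73.250.175.174]
  by 66.38.133.97 with SMTP
Subject: can you please her?
X-Mailer: mnhjklop
X-MSMail-Priority: Normal

(body omitted)
"""

# Assumption: the names and addresses by which our own MX identifies itself.
# Andrew says the spammer used his mail server's address as the HELO name; the
# pairing of mail.bentall.com with 66.38.133.97 is assumed, not stated on the page.
OUR_IDENTITIES = {"mail.bentall.com", "66.38.133.97"}

# Matches both "from HELO [peer-ip] by host" (IMail/SMTPD32 style) and the
# forged inner hop's "from [ip] by host". Whitespace is collapsed before matching.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+?)\s*(?:\[(?P<ip>[\d.]+)\])?\s+by\s+(?P<by>\S+)")


def parse_received(raw):
    """Return (helo, peer_ip, by_host) per Received header, outermost hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if not m:
            continue
        helo, ip = m.group("helo"), m.group("ip")
        if helo.startswith("[") and ip is None:   # "from [ip]": no separate HELO name
            ip = helo.strip("[]")
        hops.append((helo.strip("[]"), ip, m.group("by")))
    return hops


def not_public(ip):
    """True for addresses that can never be a genuine Internet peer (RFC 1918, loopback, ...)."""
    return not ipaddress.ip_address(ip).is_global


def analyse(raw):
    """Findings about the Received chain. Only hop 0 was written by our own MTA,
    so any hop below it that claims our identity was forged by the sender."""
    findings = []
    for i, (helo, ip, by) in enumerate(parse_received(raw)):
        if helo in OUR_IDENTITIES and ip and ip not in OUR_IDENTITIES:
            findings.append(f"hop {i}: HELO {helo!r} is our own identity but the peer was {ip}")
        if i > 0 and by in OUR_IDENTITIES:
            findings.append(f"hop {i}: claims relay 'by {by}' (us), but we never handled this hop")
        if ip and not_public(ip):
            findings.append(f"hop {i}: peer address {ip} is not a public unicast address")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_HEADERS):
        print(finding)
```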


[Declude.JunkMail] Interesting spam...

2003-08-14 Thread Kami Razvan
Hi;
I just saw a spam that I think we all need to block... 

=
Important notice
We have just charged your credit card for money laundry service in amount of $234.65 (because you are either child pornography webmaster or deal with dirty money, which require us to layndry them and then send to your checking account). 
If you feel this transaction was made by our mistake, please press "No".
If you confirm this transaction, please press "Yes" and fill in the form below.

Enter your credit card number here: 

Enter your credit card expiration date: 

Contacts: Phone: +5982 902 5627 Fax: +5982 902 3114 E-mail: [EMAIL PROTECTED] ICQ: 156746629 

==

It should be interesting to see variations of this ..

Regards,
Kami



RE: [Declude.JunkMail] Interesting spam...

2003-08-14 Thread Colbeck, Andrew
Thanks, Kami.  I've started a new section in one of my JunkMail Pro text
filter files called "Phishing" for similar attempts to garner e-mail
addresses and credit card numbers.

Andrew 8)

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interesting spam...


Hi;
I just saw a spam that I think we all need to block... 

=

Important notice


We have just charged your credit card for money laundry service in amount of
$234.65 (because you are either child pornography webmaster or deal with
dirty money, which require us to layndry them and then send to your checking
account). 
If you feel this transaction was made by our mistake, please press "No".
If you confirm this transaction, please press "Yes" and fill in the form
below.

Enter your credit card number here: 

Enter your credit card expiration date:
 
  
Contacts: 
Phone: +5982 902 5627 
Fax: +5982 902 3114 
E-mail: [EMAIL PROTECTED] 
ICQ: 156746629 

==

It should be interesting to see variations of this ..

Regards,
Kami


Re: [Declude.JunkMail] Interesting spam...

2003-08-14 Thread Matt Robertson
Yes, I got one of those personally.  Incredibly cheeky, but no doubt there are people 
dumb enough to fall for it.  If there weren't, we wouldn't still be getting those 
Nigerian scams.  Got one of those yesterday, too.

Visited their web site (which offers English and Russian language versions) and they 
have a not-too-convincing disclaimer saying they had nothing to do with the spam.

--
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com



RE: [Declude.JunkMail] Interesting Log Entries

2003-07-23 Thread Robert Forsyth
>>>So, your internal users are sending out spam with a score of over
150?

I use Imail to store and forward email for another domain we use to
provide email for some of our clients.



RE: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread Karen D. Oland
So, your internal users are sending out spam with a score of over 150?

> -Original Message-
> From:  Robert Forsyth
>
> >>guess would be that this is for outgoing E-mail, in the 
> >>\IMail\Declude\global.cfg file.
> >>
> 
> 
> Found it...forgot to check the Outbound rules in the GLOBAL.
> 
> sorry for not checking there first.


RE: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread Karen D. Oland
Although that is possible, it is also (MORE) likely he has someone in the
recipient list whitelisted (like postmaster@) (or the email is from a
whitelisted sender, but not as likely as the recipient).

Karen

> -Original Message-
> From: R. Scott Perry
> >
> >Why two different action results?
>
> That's because Declude JunkMail is very flexible, and has per-user,
> per-domain, incoming, outgoing, and now even sender actions.  So a single
> test may have many different actions.
>
> In this case, you have a configuration file with "WEIGHT150 BOUNCE", and
> another that either has "WEIGHT150 IGNORE" or no line starting with
> "WEIGHT150" to determine the action to take (IGNORE is the default).



RE: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread Robert Forsyth
>>I would recommend using "LOGLEVEL HIGH" in the \IMail\Declude\global.cfg 
>>file.  When doing so, Declude JunkMail will record in the log file which 
>>configuration file it is using.  That will make it easier to see which 
>>config file has "WEIGHT150 IGNORE" (or no action listed for 
>>WEIGHT150).  My 
>>guess would be that this is for outgoing E-mail, in the 
>>\IMail\Declude\global.cfg file.
>>


Found it...forgot to check the Outbound rules in the GLOBAL.

sorry for not checking there first.

Robert


RE: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread R. Scott Perry

>>That's because Declude JunkMail is very flexible, and has per-user,
>>per-domain, incoming, outgoing, and now even sender actions.  So a single
>>test may have many different actions.
>>
>>In this case, you have a configuration file with "WEIGHT150 BOUNCE", and
>>another that either has "WEIGHT150 IGNORE" or no line starting with
>>"WEIGHT150" to determine the action to take (IGNORE is the default).
>I only use one config set...no per-user configurations.
Declude JunkMail thinks you are using two.

I would recommend using "LOGLEVEL HIGH" in the \IMail\Declude\global.cfg 
file.  When doing so, Declude JunkMail will record in the log file which 
configuration file it is using.  That will make it easier to see which 
config file has "WEIGHT150 IGNORE" (or no action listed for WEIGHT150).  My 
guess would be that this is for outgoing E-mail, in the 
\IMail\Declude\global.cfg file.



   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread Robert Forsyth
>>That's because Declude JunkMail is very flexible, and has per-user,
>>per-domain, incoming, outgoing, and now even sender actions.  So a single
>>test may have many different actions.
>>
>>In this case, you have a configuration file with "WEIGHT150 BOUNCE", and
>>another that either has "WEIGHT150 IGNORE" or no line starting with
>>"WEIGHT150" to determine the action to take (IGNORE is the default).
>>
>>-Scott

I only use one config set...no per-user configurations.



[Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread Robert Forsyth
07/22/2003 15:01:57 Q8a220d1a00b4cc34 Msg failed WEIGHT150 (Weight of 169
reaches or exceeds the limit of 150.). Action=IGNORE.

WEIGHT 150 ACTION SHOULD BOUNCE...WHY DID IT IGNORE?

TWO SECONDS LATER:

07/22/2003 15:01:59 Q8a2314af00a2d099 Msg failed WEIGHT150 (Weight of 193
reaches or exceeds the limit of 150.). Action=BOUNCE.

SAME WEIGHT 150 TEST...ACTION DOES BOUNCE LIKE IT SHOULD


Why two different action results?

Using Declude 1.75 release

Robert





Re: [Declude.JunkMail] Interesting Log Entries

2003-07-22 Thread R. Scott Perry

>07/22/2003 15:01:57 Q8a220d1a00b4cc34 Msg failed WEIGHT150 (Weight of 169
>reaches or exceeds the limit of 150.). Action=IGNORE.
>WEIGHT 150 ACTION SHOULD BOUNCE...WHY DID IT IGNORE?
>
>TWO SECONDS LATER:
>
>07/22/2003 15:01:59 Q8a2314af00a2d099 Msg failed WEIGHT150 (Weight of 193
>reaches or exceeds the limit of 150.). Action=BOUNCE.
>SAME WEIGHT 150 TEST...ACTION DOES BOUNCE LIKE IT SHOULD
>
>Why two different action results?

That's because Declude JunkMail is very flexible, and has per-user, 
per-domain, incoming, outgoing, and now even sender actions.  So a single 
test may have many different actions.

In this case, you have a configuration file with "WEIGHT150 BOUNCE", and 
another that either has "WEIGHT150 IGNORE" or no line starting with 
"WEIGHT150" to determine the action to take (IGNORE is the default).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] interesting idea from a bulk marketer

2003-06-30 Thread Sheldon Koehler
No, I do not think so with this guy. His web page would be simply for adding
a domain to NOT send to at all. No personal email addresses to be entered.

I would not enter our domain as we are an ISP (and this all started with one
of our users not getting his opt-in stuff). But a business or whatever can
enter their domain name and no email will be sent to email addresses with
that domain name.

I do not know how well this would work in the real world, but at the very
least it was a nice gesture!!!


Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain


- Original Message - 
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 27, 2003 2:14 PM
Subject: RE: [Declude.JunkMail] interesting idea from a bulk marketer


Or is it a ploy to harvest more addresses?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
> Sent: Friday, June 27, 2003 1:25 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] interesting idea from a bulk marketer
>
> Since yesterday I have been in contact with a very helpful mail admin. It
> seems one of my users has an outside email address at bigfoot and was
> forwarding all his email to our server from there. One opt-in list he is on
> was getting bounced.
>
> In the process of finding out that email sent directly to us was fine and so
> on, this guy asked if ISPs would be interested in a blacklist at HIS end.
> This idea intrigued me a lot. He is willing to have a web page set up so a
> domain can be entered and no email at all will go to any address on that
> domain. I can see abuse against him though.
>
> Nice to work with a helpful bulk mailer for a change!!!
>
>
> Sheldon
>
>
> Sheldon Koehler, Owner/Partner   http://www.tenforward.com
> Ten Forward Communications   360-457-9023
> Nationwide access, neighborhood support!
>
> "Whenever you find yourself on the side of the majority, it's time
> to pause and reflect." Mark Twain
>
>
>
>


RE: [Declude.JunkMail] interesting idea from a bulk marketer

2003-06-27 Thread John Tolmachoff (Lists)
Or is it a ploy to harvest more addresses?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
> Sent: Friday, June 27, 2003 1:25 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] interesting idea from a bulk marketer
> 
> Since yesterday I have been in contact with a very helpful mail admin. It
> seems one of my users has an outside email address at bigfoot and was
> forwarding all his email to our server from there. One opt-in list he is on
> was getting bounced.
> 
> In the process of finding out that email sent directly to us was fine and so
> on, this guy asked if ISPs would be interested in a blacklist at HIS end.
> This idea intrigued me a lot. He is willing to have a web page set up so a
> domain can be entered and no email at all will go to any address on that
> domain. I can see abuse against him though.
> 
> Nice to work with a helpful bulk mailer for a change!!!
> 
> 
> Sheldon
> 
> 
> Sheldon Koehler, Owner/Partner   http://www.tenforward.com
> Ten Forward Communications   360-457-9023
> Nationwide access, neighborhood support!
> 
> "Whenever you find yourself on the side of the majority, it's time
> to pause and reflect." Mark Twain
> 
> 
> 
> 


[Declude.JunkMail] interesting idea from a bulk marketer

2003-06-27 Thread Sheldon Koehler
Since yesterday I have been in contact with a very helpful mail admin. It
seems one of my users has an outside email address at bigfoot and was
forwarding all his email to our server from there. One opt-in list he is on
was getting bounced.

In the process of finding out that email sent directly to us was fine and so
on, this guy asked if ISPs would be interested in a blacklist at HIS end.
This idea intrigued me a lot. He is willing to have a web page set up so a
domain can be entered and no email at all will go to any address on that
domain. I can see abuse against him though.

Nice to work with a helpful bulk mailer for a change!!!


Sheldon


Sheldon Koehler, Owner/Partner   http://www.tenforward.com
Ten Forward Communications   360-457-9023
Nationwide access, neighborhood support!

"Whenever you find yourself on the side of the majority, it's time
to pause and reflect." Mark Twain






[Declude.JunkMail] Interesting article on SPAM

2003-04-02 Thread Charles Frolick
Here is an interesting article on spam from the "legitimate" marketer's
perspective.

http://sanjose.bizjournals.com/sanjose/stories/2003/03/31/story4.html

Thanks,
Chuck Frolick
ArgoNet, Inc.



RE: [Declude.JunkMail] Interesting test results

2003-03-25 Thread Madscientist
| What we are doing is to track the 2000 (user configurable) 
| most recent spammer
| IP addresses. The list is maintained as an MRU style list 
| (sorted with the
| most recent at the top). If incoming messages reach a user 
| defined score, the
| IP address of the spammer is added to the list.



| Here is what we found. After about 3 weeks of data 
| collection, only about 1 in
| 400 incoming spams is identified by a DNS lookup, and NOT on 
| the list of the
| 2000 most recent spammers. Also, of all the spams we receive 
| on all accounts,
| about 43% are on the recent spammer list, meaning that almost 
| half of the
| spams we receive are from senders that have spammed us before.



This is one of the capabilities we're buiding into Message Sniffer v3.
Our testing has shown similar results, however there are some
complexities with these tests particularly where "gray" sources are
found. As a result our implementation will resolve the IP address &
other "network centric" tests first as "features" of the message. These
features then become part of the input stream for the bayesian hinting
engine.

(It should be noted that the "bayesian hinting engine" is really more a
blend of fuzzy logic, neural networks, and naieve baysian learning
techniques... it's just easier to use the current buzz-word to describe
it...)

So far our simulations indicate some profound accuracy imrpovements when
"new" spam arrives, and surprisingly also when non-spam from "gray"
senders arrives. The early analysis indicates that the learning engine
is picking up second and third order patterns associated with these
message features... This has the effect of "gating" the effect of some
heuristics which are ambiguous under other circumstances so that they
only count when they can be accurate.

It seems obvious that as a weighted test, the top "n" most used IPs are
a good bet - similarly a suggestion for research would be to apply a
logarithmic scale to the MRU list position and use that as a weight...
This scheme can be particularly useful if the list is dynamically scaled
because the relative weights of different list positions can be
maintained as the number of entries on the list changes... This is a
similar mechanism to our "Rule Strength" analysis which is used to gate
out rules that are currently inactive. (See
http://www.sortmonster.com/MessageSniffer/Performance/CurrentRuleStrength.jsp)

Another important factor we have found for these kinds of tests is that
there tends to be a periodicity to message rates from some networks...
the result of this is that in a linear MRU paradigm some networks will
appear and disappear from the list resulting in "late blocking" on the
same period. That is, a batch of unwanted content will come through and
cause the IP to go to the top of the list, but then the flow falls off
and the IP is dropped. Next time unwanted content comes in from that IP
it is let through the filter for a time because the IP is not on the
list... shortly it will be blocked again but during that "build up time"
a significant amount of the content might be delivered.

A counter to this "pulsing" effect is to develop an increasing
"persistence" to the more highly listed IPs so that they tend to stay on
the list through the "down" period. Another important balance for
persistence however is to reduce its effects based on any ambiguous or
false positive hits... in fact it turns out that this "persistence
reduction" should have a persistence of its own so that periodic
false-positive indications can be suppressed when there is mixed content
from the source.

Note that periodicity, gating, and persistence mechanisms are useful on
many heuristics - not just IP based tests.

I hope these thoughts spark some new ones that prove helpful...

:-)

_M

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Interesting test results

2003-03-24 Thread R. Scott Perry

SP>That sounds like an excellent idea -- I'm going to investigate to see
SP>whether this may be possible or not.  Circumventing the DNS lookups would
SP>be very useful.
Mr. Obvious here... the same technique could be used in the negative to pass
through frequent mail from *low* scoring servers.
That may mean that a server from which we receive a lot of mail, which
suddenly finds itself or its subnet on numerous RBLs, may still deliver its
mail successfully to us, based on its previous "good behaviour".
That sounds like it would work very well as well.  :)
-Scott


RE: [Declude.JunkMail] Interesting test results

2003-03-24 Thread Colbeck, Andrew
>>I was thinking that it would probably be a relatively simple matter to add
>>such a test in a future version of declude. If an incoming message reached a
>>certain weight, it could be added to a recent spammer list. This list could be
>>checked along with other internal tests _before_ DNS tests are performed, and
>>this could push a weighting up high enough that external DNS lookups could be
>>skipped.
>>
>>The effect of this is that by using an individualized IP address scheme,
>>processing time per message could be greatly reduced resulting in less
>>resource problems, and faster delivery times.

SP>That sounds like an excellent idea -- I'm going to investigate to see
SP>whether this may be possible or not.  Circumventing the DNS lookups would
SP>be very useful.
SP> -Scott

Mr. Obvious here... the same technique could be used in the negative to pass
through frequent mail from *low* scoring servers.

That may mean that a server from which we receive a lot of mail, which
suddenly finds itself or its subnet on numerous RBLs, may still deliver its
mail successfully to us, based on its previous "good behaviour".

Andrew.


Re: [Declude.JunkMail] Interesting test results

2003-03-24 Thread R. Scott Perry

Here is what we found. After about 3 weeks of data collection, only about 1 in
400 incoming spams is identified by a DNS lookup, and NOT on the list of the
2000 most recent spammers.
That is quite impressive.

I was thinking that it would probably be a relatively simple matter to add
such a test in a future version of declude. If an incoming message reached a
certain weight, it could be added to a recent spammer list. This list could be
checked along with other internal tests _before_ DNS tests are performed, and
this could push a weighting up high enough that external DNS lookups could be
skipped.
The effect of this is that by using an individualized IP address scheme,
processing time per message could be greatly reduced resulting in less
resource problems, and faster delivery times.
That sounds like an excellent idea -- I'm going to investigate to see 
whether this may be possible or not.  Circumventing the DNS lookups would 
be very useful.
-Scott



[Declude.JunkMail] Interesting test results

2003-03-24 Thread brian

Hi Scott and all,

We added a test to SpamManager that has produced some really interesting
results.

What we are doing is to track the 2000 (user configurable) most recent spammer
IP addresses. The list is maintained as an MRU style list (sorted with the
most recent at the top). If incoming messages reach a user defined score, the
IP address of the spammer is added to the list.

As part of our testing procedure for our own lists, we validate the results of
our spam trap accounts and internal email accounts against most of the public
DNS lookup databases and the 3 we subscribe to mostly to determine their
weighting.

Prior to implementing this test, roughly 40% of spam we received also got hits
from one or more of the DNS lookup databases with SpamCop having the best
results (false positives ignored).

Here is what we found. After about 3 weeks of data collection, only about 1 in
400 incoming spams is identified by a DNS lookup, and NOT on the list of the
2000 most recent spammers. Also, of all the spams we receive on all accounts,
about 43% are on the recent spammer list, meaning that almost half of the
spams we receive are from senders that have spammed us before.

In analyzing this data, we found that spam trap accounts that were set up at
the same time, and use the same methods, have a totally different mailing list
distribution after a couple of months. This analysis supports our supposition
that a locally maintained list of spammers is going to be a lot more accurate
than some centrally maintained DNS lookup database. Also we routinely get lots
of spam reported to us that we have never seen, also indicating that spam
mailing lists evolve into lists that tend to be very unique, and that a few
originators are responsible for a majority of spam for each account.

I was thinking that it would probably be a relatively simple matter to add
such a test in a future version of declude. If an incoming message reached a
certain weight, it could be added to a recent spammer list. This list could be
checked along with other internal tests _before_ DNS tests are performed, and
this could push a weighting up high enough that external DNS lookups could be
skipped. 

The effect of this is that by using an individualized IP address scheme,
processing time per message could be greatly reduced resulting in less
resource problems, and faster delivery times.

Anyway, I thought this would make an interesting topic for discussion.

Brian Milburn

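The mechanism Brian describes (a bounded MRU list of recent spammer IPs, consulted before the DNS tests so that a high enough weight lets the lookups be skipped) and the two refinements proposed in the Message Sniffer reply earlier on this page (a logarithmic weight by list position that survives rescaling, and a persistence counter that keeps "pulsing" sources listed through their quiet period, with a persistence reduction that itself remembers false-positive hits) are shown together below. This is an added example, not SpamManager, Message Sniffer or Declude code; the weights, thresholds, capacity of 3, the IP addresses and the `fake_dns` stand-in for the DNS list lookups are all constructed.

```python
"""Local recent-spammer MRU list with a logarithmic position weight, a
persistence counter and a DNS-skip threshold. Added example only; not
SpamManager, Message Sniffer or Declude code. Every weight, threshold
and IP address is constructed."""
from __future__ import annotations

import math
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable


@dataclass
class Entry:
    persistence: int = 0  # evictions this entry can survive
    strikes: int = 0      # non-spam hits seen; each later reduction cuts deeper


class RecentSpammerList:
    """Bounded MRU list of sender IPs, most recent spam source first."""

    def __init__(self, capacity: int = 2000, max_weight: float = 20.0) -> None:
        self.capacity = capacity
        self.max_weight = max_weight
        self._entries: OrderedDict[str, Entry] = OrderedDict()  # first key = top

    def position(self, ip: str) -> int | None:
        """0 for the most recent spammer, None when the IP is not listed."""
        for pos, listed in enumerate(self._entries):
            if listed == ip:
                return pos
        return None

    def persistence(self, ip: str) -> int:
        entry = self._entries.get(ip)
        return entry.persistence if entry else 0

    def weight(self, ip: str) -> float:
        """Logarithmic weight by position, rescaled to the current list size so
        the ratio between two positions is kept as the list grows or shrinks."""
        pos = self.position(ip)
        if pos is None:
            return 0.0
        n = len(self._entries)
        return self.max_weight * (1.0 - math.log(pos + 1) / math.log(n + 1))

    def record_spam(self, ip: str) -> None:
        """Move the IP to the top; a repeat offender gains one persistence point."""
        entry = self._entries.pop(ip, None)
        if entry is None:
            entry = Entry()
        else:
            entry.persistence += 1
        self._entries[ip] = entry
        self._entries.move_to_end(ip, last=False)
        self._evict()

    def record_ham(self, ip: str) -> None:
        """Persistence reduction with a memory of its own: each non-spam hit from
        a listed IP is a strike, and the cut grows with the number of strikes."""
        entry = self._entries.get(ip)
        if entry is not None:
            entry.strikes += 1
            entry.persistence = max(0, entry.persistence - entry.strikes)

    def _evict(self) -> None:
        """Trim from the bottom. A persistent entry spends a point and stays,
        which keeps a pulsing source listed through its quiet period."""
        while len(self._entries) > self.capacity:
            for ip in reversed(list(self._entries)):
                if self._entries[ip].persistence > 0:
                    self._entries[ip].persistence -= 1
                    continue
                del self._entries[ip]
                break
            else:  # every entry was persistent: drop the bottom one anyway
                self._entries.popitem(last=True)


def score_message(recent: RecentSpammerList, ip: str, local_weight: float,
                  dns_lookup: Callable[[str], float],
                  skip_dns_at: float = 20.0, add_at: float = 15.0) -> tuple[float, bool]:
    """Internal tests and the local list run first; the external DNS lists are
    queried only while the weight is still below skip_dns_at.
    Returns (final weight, whether the DNS lookups were skipped)."""
    weight = local_weight + recent.weight(ip)
    skipped = weight >= skip_dns_at
    if not skipped:
        weight += dns_lookup(ip)
    if weight >= add_at:
        recent.record_spam(ip)
    return weight, skipped


def demo() -> dict:
    """Walk a capacity-3 list through the cases discussed in the thread."""
    recent = RecentSpammerList(capacity=3, max_weight=20.0)
    lookups: list[str] = []

    def fake_dns(ip: str) -> float:  # constructed stand-in for the RBL lookups
        lookups.append(ip)
        return 10.0 if ip.startswith("198.51.100.") else 0.0

    first, skipped_first = score_message(recent, "198.51.100.7", 8.0, fake_dns)
    second, skipped_second = score_message(recent, "198.51.100.7", 8.0, fake_dns)
    for host in ("8", "9", "10"):  # three new spammers push .7 to the bottom
        score_message(recent, "198.51.100." + host, 8.0, fake_dns)
    survived = recent.position("198.51.100.7") is not None  # spent its persistence
    score_message(recent, "198.51.100.11", 8.0, fake_dns)
    evicted = recent.position("198.51.100.7") is None       # no persistence left
    return {"first": first, "skipped_first": skipped_first, "second": second,
            "skipped_second": skipped_second, "dns_lookups": len(lookups),
            "survived_one_round": survived, "evicted_next_round": evicted}
```

In `demo()` the first message from the constructed IP needs the DNS lookup to reach the add threshold; the second message from the same IP is scored from the list alone and the lookup is skipped, which is the processing-time saving Brian is after. The same class instantiated with a negative `max_weight` and fed from low-scoring senders would give the "recent good sender" list Andrew suggests further up the page; that variant is not shown here.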


Re: [Declude.JunkMail] Interesting Question

2003-02-25 Thread David Delbridge
Right.  So, when it's not there, your weight has been reduced.  When it
is there, your weight is unchanged.  Granted, the logic is kinda
backwards, but it does answer your question without having to dissect
the logs.

Am I missing something?

Dave

Charles Frolick wrote:
> 
> Not when it passes, which is when it has an effect on weight.
> 
> Chuck Frolick
> ArgoNet, Inc.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Delbridge
> Sent: Tuesday, February 25, 2003 3:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Interesting Question
> 
> Shows up in MY %FAILEDTESTS% just fine:
> 
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail
> client [802c].
> X-RBL-Warning: HELOBOGUS: Domain S1001EXM01.macromedia.com has no MX or
> A records.
> X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 63.109.193.64
> with no reverse DNS entry.
> X-Declude-Sender: [EMAIL PROTECTED] [63.109.193.64]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
> for spam.
> X-Spam-Weight: 20
> X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, REVDNS, WEIGHT05,
> WEIGHT10, WEIGHT15, WEIGHT20
> 
> Dave
> 
> Charles Frolick wrote:
> >
> > Scott,
> >
> > Since IPNOTINMX only has use when it passes, there is no way to add a
> > header using WARN, and it doesn't show up in %FAILEDTESTS% (obviously),
> > so the problem is, it adjusts the weight but unless you go to the log
> > file, you don't know for sure it did.  Is there a way to make it show
> > up in the headers when it passes? I added it today and a message eked
> > through that normally would have been caught.
> >
> > Thanks,
> > Chuck Frolick
> > ArgoNet, Inc.
> >
> 
> --
> 
> David M. Delbridge
> President & CEO
> Circa 3000
> ColdFusion Hosting
> http://www.circa3k.com
> 775-832-2445

-- 

David M. Delbridge
President & CEO
Circa 3000
ColdFusion Hosting
http://www.circa3k.com
775-832-2445


RE: [Declude.JunkMail] Interesting Question

2003-02-25 Thread Charles Frolick
Not when it passes, which is when it has an effect on weight.

Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Delbridge
Sent: Tuesday, February 25, 2003 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Interesting Question


Shows up in MY %FAILEDTESTS% just fine:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail
client [802c].
X-RBL-Warning: HELOBOGUS: Domain S1001EXM01.macromedia.com has no MX or
A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 63.109.193.64
with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [63.109.193.64]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-Spam-Weight: 20
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, REVDNS, WEIGHT05,
WEIGHT10, WEIGHT15, WEIGHT20

Dave


Charles Frolick wrote:
> 
> Scott,
> 
> Since IPNOTINMX only has use when it passes, there is no way to add a
> header using WARN, and it doesn't show up in %FAILEDTESTS% (obviously),
> so the problem is, it adjusts the weight but unless you go to the log
> file, you don't know for sure it did.  Is there a way to make it show
> up in the headers when it passes? I added it today and a message eked
> through that normally would have been caught.
> 
> Thanks,
> Chuck Frolick
> ArgoNet, Inc.
> 

-- 

David M. Delbridge
President & CEO
Circa 3000
ColdFusion Hosting
http://www.circa3k.com
775-832-2445


Re: [Declude.JunkMail] Interesting Question

2003-02-25 Thread David Delbridge
Shows up in MY %FAILEDTESTS% just fine:

X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail
client [802c].
X-RBL-Warning: HELOBOGUS: Domain S1001EXM01.macromedia.com has no MX or
A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 63.109.193.64
with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [63.109.193.64]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-Spam-Weight: 20
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, REVDNS, WEIGHT05,
WEIGHT10, WEIGHT15, WEIGHT20

Dave


Charles Frolick wrote:
> 
> Scott,
> 
> Since IPNOTINMX only has use when it passes, there is no way to add a
> header using WARN, and it doesn't show up in %FAILEDTESTS% (obviously),
> so the problem is, it adjusts the weight but unless you go to the log
> file, you don't know for sure it did.  Is there a way to make it show
> up in the headers when it passes? I added it today and a message eked
> through that normally would have been caught.
> 
> Thanks,
> Chuck Frolick
> ArgoNet, Inc.
> 

-- 

David M. Delbridge
President & CEO
Circa 3000
ColdFusion Hosting
http://www.circa3k.com
775-832-2445


Re: [Declude.JunkMail] Interesting Question

2003-02-25 Thread R. Scott Perry

Since IPNOTINMX only has use when it passes, there is no way to add a
header using WARN, and it doesn't show up in %FAILEDTESTS% (obviously),
so the problem is, it adjusts the weight but unless you go to the log
file, you don't know for sure it did.  Is there a way to make it show
up in the headers when it passes? I added it today and a message eked
through that normally would have been caught.
I'll take a look to see if there is any way that we can get that 
information into the headers.
   -Scott

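The problem Chuck raises in this thread is that a test which only adjusts the weight when it passes leaves no trace in `X-Spam-Tests-Failed`, so the only way to confirm it acted is to read the log. One way to check it from the headers alone is to reconcile the reported `X-Spam-Weight` against the sum of the weights of the tests that did fail: whatever is left over has to come from tests that act silently. The code below is an added example, not Declude code. The per-test weights in `TEST_WEIGHTS` and `PASS_ONLY_WEIGHTS` are constructed assumptions (real values come from the Declude configuration), the first sample message is built from the headers Dave posted, folded with leading whitespace as a mail client would store them, and the second sample is a constructed message in which IPNOTINMX passed.

```python
"""Reconcile a Declude X-Spam-Weight header against X-Spam-Tests-Failed to
spot weight adjustments that leave no header behind. Added example, not
Declude code; the weight tables are constructed assumptions."""
from __future__ import annotations

import itertools
import re

# Constructed (assumption): weight each listed test adds when it fails.
TEST_WEIGHTS = {"BADHEADERS": 8, "HELOBOGUS": 5, "REVDNS": 7}
# Constructed (assumption): tests that change the weight only when they PASS,
# and therefore never appear in X-Spam-Tests-Failed when they acted.
PASS_ONLY_WEIGHTS = {"IPNOTINMX": -5}
# WEIGHT05, WEIGHT10, ... are threshold markers, not tests with their own weight.
THRESHOLD_MARKER = re.compile(r"^WEIGHT\d+$")


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Unfold continuation lines and collect header values by lower-cased name
    (a header such as X-RBL-Warning may appear several times)."""
    headers: dict[str, list[str]] = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers


def failed_tests(headers: dict[str, list[str]]) -> list[str]:
    """Test names from X-Spam-Tests-Failed, without the WEIGHTnn markers."""
    names = [t.strip() for v in headers.get("x-spam-tests-failed", [])
             for t in v.split(",") if t.strip()]
    return [n for n in names if not THRESHOLD_MARKER.match(n)]


def explain_weight(raw: str) -> dict:
    """Compare the reported weight with the weight explained by the failed
    tests; try to attribute any residual to pass-only tests that are absent
    from the failed list (the only place they could have acted)."""
    headers = parse_headers(raw)
    reported = int(headers["x-spam-weight"][0])
    failed = failed_tests(headers)
    from_failed = sum(TEST_WEIGHTS.get(n, 0) for n in failed)
    residual = reported - from_failed
    candidates = {n: w for n, w in PASS_ONLY_WEIGHTS.items() if n not in failed}
    silent: list[str] = []
    if residual != 0:
        for size in range(1, len(candidates) + 1):
            for combo in itertools.combinations(candidates, size):
                if sum(candidates[n] for n in combo) == residual:
                    silent = list(combo)
                    break
            if silent:
                break
    return {"reported": reported, "failed": failed, "from_failed": from_failed,
            "residual": residual, "silent_adjustments": silent}


# Sample 1: the headers posted in the thread, folded as a mail client stores them.
SAMPLE_IPNOTINMX_FAILED = """\
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail
 client [802c].
X-RBL-Warning: HELOBOGUS: Domain S1001EXM01.macromedia.com has no MX or
 A records.
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 63.109.193.64
 with no reverse DNS entry.
X-Spam-Weight: 20
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, REVDNS, WEIGHT05,
 WEIGHT10, WEIGHT15, WEIGHT20
"""

# Sample 2 (constructed): same failures, but IPNOTINMX passed and took 5 off.
SAMPLE_IPNOTINMX_PASSED = """\
X-Spam-Weight: 15
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, REVDNS, WEIGHT05, WEIGHT10,
 WEIGHT15
"""

if __name__ == "__main__":
    for sample in (SAMPLE_IPNOTINMX_FAILED, SAMPLE_IPNOTINMX_PASSED):
        print(explain_weight(sample))
```

With the constructed table, the posted message reconciles exactly (the three failed tests account for all 20 points, and IPNOTINMX being in the failed list means it did not reduce anything), while the constructed second message shows a residual of -5 that only a passing IPNOTINMX can explain. A non-zero residual that no pass-only test accounts for is the signal that the weight table and the running configuration have drifted apart.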

