RE: [Declude.JunkMail] Kodak picture CD and Spam Domains
Hi Bill: Great idea.. You are right. I will change them immediately... Thanks Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Monday, June 23, 2003 7:21 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Kodak picture CD and Spam Domains Kami, why not use "ENDSWITH" with your RDNS entries instead of "CONTAINS", since any spammer monitoring this list could easily setup something like this in their reverse DNS: junk.yahoo.com.spammer.com or spam.aol.com.junkmail.net and get a nice weight reduction of 20, which would certainly help their spam to get delivered to your users and customers. However, they cannot do anything to take advantage of the "ENDSWITH" attribute since they have no control over the yahoo.com or aol.com domains. Bill - Original Message - From: "Kami Razvan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 23, 2003 3:15 PM Subject: RE: [Declude.JunkMail] Kodak picture CD and Spam Domains > Hi; > > Do you know what the REVDNS is? We are finding good results for > adding negative weight to domains that are like this. We simply have > a negative REVDNS list. > > REVDNS -20 CONTAINS .yahoo.com > REVDNS -20 CONTAINS .aol.com > > The above are two entries in our list. > > Regards, > Kami > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darrell > LaRock > Sent: Monday, June 23, 2003 5:55 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains > > > I have been seeing a lot of mail failing the spam domains test with kodak's > picture cd. It allows users to use their own email address when > sending pictures, but it comes from Kodak's servers. > > Is their any other way around this? Right now I setup a filter to subtract > the spam domains weight if picturecd.kodak.com is found in the > headers. > > Also, not to mention their mail fails the BADHEADERS test for a bogus > time zone. > > Darrell > > > **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE > > IF YOU FEEL THIS MESSAGE IS IN ERROR** > > Received: from picturecd2.kodak.com [192.232.121.246] by > mail1.gannett-tv.com with ESMTP > > (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 > > Received: from picturecd.kodak.com > (dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) > > by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 > > for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) > > Message-Id: <[EMAIL PROTECTED]> > > From: [EMAIL PROTECTED] > > To: [EMAIL PROTECTED] > > Subject: clouds 2nd try > > Date: 22 Jun 2003 21:42:44 Mountain Standard Time > > Content_Description: > > Content_Description: > > Content_Description: > > MIME-Version: 1.0 > > Content-Type: multipart/mixed; boundary=3_boundary > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > "unsubscribe Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Kodak picture CD and Spam Domains
So the following seems to be the reverse test to spamdomains. REVDNS -20 ENDSWITH .yahoo.com REVDNS -20 ENDSWITH .aol.com REVDNS -20 ENDSWITH .kodak.com But this is another test where we have to maintain and update a list. (like spamdomains, countries, ...) Here I prefer tests, which are generally valid, like my suggestion CONSISTFROM (same 2nd-level domain for both sender-domain and revdns-records). I know: This will not solve the problem with kodak's mailserver, but this is also a problem with many other servers. For example webservers sending out emails using the (unchecked) value from a text-field as sender-adress. Most of this mails fails also other basic tests (REVDNS, HELOBOGUS, BADHEADERS, SPAMHEADERS...) Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Kodak picture CD and Spam Domains
Kami, Great idea!!! This is much better then using contains on the header (since header forging is easy). Darrell -- Original Message -- From: "Kami Razvan" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Mon, 23 Jun 2003 18:15:06 -0400 >Hi; > >Do you know what the REVDNS is? We are finding good results for adding >negative weight to domains that are like this. We simply have a negative >REVDNS list. > >REVDNS -20 CONTAINS .yahoo.com >REVDNS -20 CONTAINS .aol.com > >The above are two entries in our list. > >Regards, >Kami > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock >Sent: Monday, June 23, 2003 5:55 PM >To: [EMAIL PROTECTED] >Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains > > >I have been seeing a lot of mail failing the spam domains test with kodak's >picture cd. It allows users to use their own email address when sending >pictures, but it comes from Kodak's servers. > >Is their any other way around this? Right now I setup a filter to subtract >the spam domains weight if picturecd.kodak.com is found in the headers. > >Also, not to mention their mail fails the BADHEADERS test for a bogus time >zone. > >Darrell > >> **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF >> YOU FEEL THIS MESSAGE IS IN ERROR** >> Received: from picturecd2.kodak.com [192.232.121.246] by >mail1.gannett-tv.com with ESMTP >> (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 >> Received: from picturecd.kodak.com >(dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) >> by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 >> for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) >> Message-Id: <[EMAIL PROTECTED]> >> From: [EMAIL PROTECTED] >> To: [EMAIL PROTECTED] >> Subject: clouds 2nd try >> Date: 22 Jun 2003 21:42:44 Mountain Standard Time >> Content_Description: >> Content_Description: >> Content_Description: >> MIME-Version: 1.0 >> Content-Type: multipart/mixed; boundary=3_boundary > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, >just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe >Declude.JunkMail". The archives can be found at >http://www.mail-archive.com. > >--- >[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Kodak picture CD and Spam Domains
Kami, why not use "ENDSWITH" with your RDNS entries instead of "CONTAINS", since any spammer monitoring this list could easily setup something like this in their reverse DNS: junk.yahoo.com.spammer.com or spam.aol.com.junkmail.net and get a nice weight reduction of 20, which would certainly help their spam to get delivered to your users and customers. However, they cannot do anything to take advantage of the "ENDSWITH" attribute since they have no control over the yahoo.com or aol.com domains. Bill - Original Message - From: "Kami Razvan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 23, 2003 3:15 PM Subject: RE: [Declude.JunkMail] Kodak picture CD and Spam Domains > Hi; > > Do you know what the REVDNS is? We are finding good results for adding > negative weight to domains that are like this. We simply have a negative > REVDNS list. > > REVDNS -20 CONTAINS .yahoo.com > REVDNS -20 CONTAINS .aol.com > > The above are two entries in our list. > > Regards, > Kami > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock > Sent: Monday, June 23, 2003 5:55 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains > > > I have been seeing a lot of mail failing the spam domains test with kodak's > picture cd. It allows users to use their own email address when sending > pictures, but it comes from Kodak's servers. > > Is their any other way around this? Right now I setup a filter to subtract > the spam domains weight if picturecd.kodak.com is found in the headers. > > Also, not to mention their mail fails the BADHEADERS test for a bogus time > zone. > > Darrell > > > **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF > > YOU FEEL THIS MESSAGE IS IN ERROR** > > Received: from picturecd2.kodak.com [192.232.121.246] by > mail1.gannett-tv.com with ESMTP > > (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 > > Received: from picturecd.kodak.com > (dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) > > by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 > > for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) > > Message-Id: <[EMAIL PROTECTED]> > > From: [EMAIL PROTECTED] > > To: [EMAIL PROTECTED] > > Subject: clouds 2nd try > > Date: 22 Jun 2003 21:42:44 Mountain Standard Time > > Content_Description: > > Content_Description: > > Content_Description: > > MIME-Version: 1.0 > > Content-Type: multipart/mixed; boundary=3_boundary > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Kodak picture CD and Spam Domains
Hi; Do you know what the REVDNS is? We are finding good results for adding negative weight to domains that are like this. We simply have a negative REVDNS list. REVDNS -20 CONTAINS .yahoo.com REVDNS -20 CONTAINS .aol.com The above are two entries in our list. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell LaRock Sent: Monday, June 23, 2003 5:55 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Kodak picture CD and Spam Domains I have been seeing a lot of mail failing the spam domains test with kodak's picture cd. It allows users to use their own email address when sending pictures, but it comes from Kodak's servers. Is their any other way around this? Right now I setup a filter to subtract the spam domains weight if picturecd.kodak.com is found in the headers. Also, not to mention their mail fails the BADHEADERS test for a bogus time zone. Darrell > **COPY OF THE MESSAGES HEADERS - THESE ARE IMPORTANT FOR US TO SEE IF > YOU FEEL THIS MESSAGE IS IN ERROR** > Received: from picturecd2.kodak.com [192.232.121.246] by mail1.gannett-tv.com with ESMTP > (SMTPD32-7.15) id AE6BDC3601D6; Mon, 23 Jun 2003 00:13:31 -0400 > Received: from picturecd.kodak.com (dialup-67.31.149.71.Dial1.Denver1.Level3.net [67.31.149.71]) > by picturecd2.kodak.com (8.11.6/8.11.6) with SMTP id h5N3gPU02484 > for <[EMAIL PROTECTED]>; Sun, 22 Jun 2003 23:42:25 -0400 (EDT) > Message-Id: <[EMAIL PROTECTED]> > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Subject: clouds 2nd try > Date: 22 Jun 2003 21:42:44 Mountain Standard Time > Content_Description: > Content_Description: > Content_Description: > MIME-Version: 1.0 > Content-Type: multipart/mixed; boundary=3_boundary --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
