Re: [Declude.JunkMail] chronic junkmail -- "new account"
So when you look at the header, the only information you can trust is the last server before it reaches your server. Is his server address real? I mean, really his? Does he hijack open relays or spam zombies, or use servers outside of the US? I'm just curious how reliable this information is in filtering him out. Just for curiousity, I made a list from his latest New Account spam and found these sources. Ben ** 02.mailmx01.com [207.154.32.2] mx05.curb101.com [64.200.217.41] mx17.curb101.com [64.200.217.53] mx20.curb101.com [64.200.217.56] 134.opnletters.com [65.175.2.134] k.opnletters.com [65.175.2.20] 03.opnletters.com [65.175.2.30] 11.opnletters.com [65.175.2.38] 52.opnletters.com [65.175.2.52] 107.opnstuff.com [66.227.68.107] 224.opnstuff.com [66.227.68.224] 227.opnstuff.com [66.227.68.227] 234.opnstuff.com [66.227.68.234] 234.opnstuff.com [66.227.68.234] 32.opnstuff.com [66.227.68.32] 52.opnstuff.com [66.227.68.52] 55.opnstuff.com [66.227.68.55] 59.opnstuff.com [66.227.68.59] mx18139.tt03.com [69.6.18.139] mx18143.ss03.com [69.6.18.143] mx18180.hh02.com [69.6.18.180] mx18193.pp03.com [69.6.18.193] mx18231.ee02.com [69.6.18.231] mx1886.ff02.com [69.6.18.86] mx1927.tt03.com [69.6.19.27] mx1938.ff02.com [69.6.19.38] mx1982.dd03.com [69.6.19.82] mx20173.aa05.com [69.6.20.173] mx2027.tt03.com [69.6.20.27] mx2081.pp03.com [69.6.20.81] mx2081.pp03.com [69.6.20.81] mx4121.gg02.com [69.6.41.21] mx634.dd03.com [69.6.6.34] 16.asp060.com [69.6.64.116] 28.asp070.com [69.6.65.128] 46.asp070.com [69.6.65.146] 60.asp070.com [69.6.65.160] 66.asp070.com [69.6.65.166] 14.asp010.com [69.6.73.114] 46.asp040.com [69.6.76.146] ** - Original Message - From: "Matt" <[EMAIL PROTECTED]> To: Sent: Sunday, October 09, 2005 3:58 PM Subject: Re: [Declude.JunkMail] chronic junkmail -- "new account" > This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This > particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, > but I did find it in MAILPOLICE, and if you have URIBL support, it is > also in SURBL presently. > > Matt > > > > IMail Admin wrote: > > > Hi, > > > > For the last few weeks, we've seen an explotion of spam mail with the > > from line as "New Account". The subject and text vary. Some messages > > get caught by our threshold and dumped, but many do not. Sniffer > > seems to spot these pretty effectively, but not always and we don't > > take action on just one test, even one as good as Sniffer. Any > > suggestions? > > > > Ben > > BC Web > > > > Here is the source of one such message: > > > > Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net > > with ESMTP > > (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 > > Received: (from [EMAIL PROTECTED]) > > by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; > > Sun, 9 Oct 2005 14:45:45 -0700 (PDT) > > Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) > > Message-Id: <[EMAIL PROTECTED]> > > From: New Account <[EMAIL PROTECTED]> > > To: [EMAIL PROTECTED] > > Subject: Get A Free Ringtone [EMAIL PROTECTED] > > MIME-Version: 1.0 > > Content-Type: text/plain; charset="iso-8859-1" > > X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. > > X-Declude-Sender: > > [EMAIL PROTECTED] > > [65.175.2.52] > > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) > > for spam. > > X-Spam-Tests-Failed: SNIFFER [4] > > X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). > > X-RCPT-TO: <[EMAIL PROTECTED]> > > Status: U > > X-UIDL: 428897057 > > > > Get the Newest Ring Tones! > > > > Download Top Hits to your Cell Phone! > > http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 > > > > http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the > > latest Ringtones, wallpapers, Screensavers, and more! Top ring tones > > include, "Wait" by Ying Yang Twins. First download is FREE! > > > > > > > > You need to visit this link. Take your Pick! > > http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 > > > > > > > > > > > > To unsubscribe, from this Advertisement go to: > > http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r > > > > > > or, send a blank message to: > > mailto:[EMAIL PROTECTED] > > > > New Account List > > 1333 W 120th Ave. Suite 101 > > Westminster, Colorado 80234 > > > > > > > > > > > > --- > > Th
RE: [Declude.JunkMail] chronic junkmail -- "new account"
Interesting thought. John T eServices For You > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Matt > Sent: Sunday, October 09, 2005 5:45 PM > To: Declude.JunkMail@declude.com > Subject: Re: [Declude.JunkMail] chronic junkmail -- "new account" > > I don't know whether or not I should be proud of that accomplishment :-/ > > Matt > > > > Nick Hayer wrote: > > > You are always on top of this stuff Matt! > > -Nick > > > > Matt wrote: > > > >> This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This > >> particular block is 65.175.2.0/24. Surprisingly it isn't widely > >> listed, but I did find it in MAILPOLICE, and if you have URIBL > >> support, it is also in SURBL presently. > >> > >> Matt > >> > >> > >> > >> IMail Admin wrote: > >> > >>> Hi, > >>> > >>> For the last few weeks, we've seen an explotion of spam mail with > >>> the from line as "New Account". The subject and text vary. Some > >>> messages get caught by our threshold and dumped, but many do not. > >>> Sniffer seems to spot these pretty effectively, but not always and > >>> we don't take action on just one test, even one as good as Sniffer. > >>> Any suggestions? > >>> > >>> Ben > >>> BC Web > >>> > >>> Here is the source of one such message: > >>> > >>> Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net > >>> with ESMTP > >>> (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 > >>> Received: (from [EMAIL PROTECTED]) > >>> by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; > >>> Sun, 9 Oct 2005 14:45:45 -0700 (PDT) > >>> Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) > >>> Message-Id: <[EMAIL PROTECTED]> > >>> From: New Account <[EMAIL PROTECTED]> > >>> To: [EMAIL PROTECTED] > >>> Subject: Get A Free Ringtone [EMAIL PROTECTED] > >>> MIME-Version: 1.0 > >>> Content-Type: text/plain; charset="iso-8859-1" > >>> X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. > >>> X-Declude-Sender: > >>> [EMAIL PROTECTED] > >>> [65.175.2.52] > >>> X-Note: This E-mail was scanned by Declude JunkMail > >>> (www.declude.com) for spam. > >>> X-Spam-Tests-Failed: SNIFFER [4] > >>> X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). > >>> X-RCPT-TO: <[EMAIL PROTECTED]> > >>> Status: U > >>> X-UIDL: 428897057 > >>> > >>> Get the Newest Ring Tones! > >>> > >>> Download Top Hits to your Cell Phone! > >>> http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 > >>> > >>> http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the > >>> latest Ringtones, wallpapers, Screensavers, and more! Top ring tones > >>> include, "Wait" by Ying Yang Twins. First download is FREE! > >>> > >>> > >>> > >>> You need to visit this link. Take your Pick! > >>> http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 > >>> > >>> > >>> > >>> > >>> > >>> To unsubscribe, from this Advertisement go to: > >>> http://52.opnletters.com/remove?r.NewAccounts.0-6037852- > 730b.bcwebhost.net.-ben?r > >>> > >>> > >>> or, send a blank message to: > >>> mailto:[EMAIL PROTECTED] > >>> > >>> > >>> New Account List > >>> 1333 W 120th Ave. Suite 101 > >>> Westminster, Colorado 80234 > >>> > >>> > >>> > >>> > >>> > >>> --- > >>> This E-mail came from the Declude.JunkMail mailing list. To > >>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >>> type "unsubscribe Declude.JunkMail". The archives can be found > >>> at http://www.mail-archive.com. > >>> > >>> > >> --- > >> This E-mail came from the Declude.JunkMail mailing list. To > >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > >> type "unsubscribe Declude.JunkMail". The archives can be found > >> at http://www.mail-archive.com. > >> > >> > > --- > > This E-mail came from the Declude.JunkMail mailing list. To > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > > type "unsubscribe Declude.JunkMail". The archives can be found > > at http://www.mail-archive.com. > > > > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- "new account"
I don't know whether or not I should be proud of that accomplishment :-/ Matt Nick Hayer wrote: You are always on top of this stuff Matt! -Nick Matt wrote: This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, but I did find it in MAILPOLICE, and if you have URIBL support, it is also in SURBL presently. Matt IMail Admin wrote: Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as "New Account". The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: <[EMAIL PROTECTED]> From: New Account <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, "Wait" by Ying Yang Twins. First download is FREE! You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- "new account"
I would suggest you look at incorporating a URI type checker like invURIBL as opnletters.com has been in SURBL for a while and I am showing hits back as far as September 1st for that particular domain. uribl-logfile0901.txt:2005-09-01 00:15:22.656 2005-09-01 00:15:22.953 E:\IMAIL\SPOOL\D8058132B024647FB.SMD opnletters.com 127.0.0.82 URI from message body found in multi.surbl.org [82] [Total Weight=15] On average I am seeing about 100-150 of these domains a day out of 100K-150K messages per day processed. Since September 1st this domain has hit on our system 4,700+ times so it has been semi active. Darrell --- Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: "IMail Admin" <[EMAIL PROTECTED]> To: Sent: Sunday, October 09, 2005 6:34 PM Subject: [Declude.JunkMail] chronic junkmail -- "new account" Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as "New Account". The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: <[EMAIL PROTECTED]> From: New Account <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, "Wait" by Ying Yang Twins. First download is FREE! You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- "new account"
You are always on top of this stuff Matt! -Nick Matt wrote: This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, but I did find it in MAILPOLICE, and if you have URIBL support, it is also in SURBL presently. Matt IMail Admin wrote: Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as "New Account". The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: <[EMAIL PROTECTED]> From: New Account <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, "Wait" by Ying Yang Twins. First download is FREE! You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- "new account"
This is spam from Scott Ricter, Spamhaus's #1 listed spammer. This particular block is 65.175.2.0/24. Surprisingly it isn't widely listed, but I did find it in MAILPOLICE, and if you have URIBL support, it is also in SURBL presently. Matt IMail Admin wrote: Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as "New Account". The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: <[EMAIL PROTECTED]> From: New Account <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, "Wait" by Ying Yang Twins. First download is FREE! You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] chronic junkmail -- "new account"
Hi - Well this is what I do on these - Right off I put the ip space in my ipfile_suspicious_networks 65.175.2.0/24 Viper Hosting If I keep getting spam from then then they go to the ipfile_networks which I score higher. Same for an entry into ipfile_suspicious_hosts I then I would accumulate these to develop a pattern that I can us to punish them without false positives. For me its hard to determine how best to act until I have at least a small sample to work with. The "New Account" is a tipoff but that alone will not help - something else is generally in every email that as a combo you should able to wack the emails with. Not much help but best I can do Sunday eve :) -Nick IMail Admin wrote: Hi, For the last few weeks, we've seen an explotion of spam mail with the from line as "New Account". The subject and text vary. Some messages get caught by our threshold and dumped, but many do not. Sniffer seems to spot these pretty effectively, but not always and we don't take action on just one test, even one as good as Sniffer. Any suggestions? Ben BC Web Here is the source of one such message: Received: from 52.opnletters.com [65.175.2.52] by bcw4.bcwebhost.net with ESMTP (SMTPD32-7.15) id A25813CE00F4; Sun, 09 Oct 2005 14:57:44 -0700 Received: (from [EMAIL PROTECTED]) by 52.opnletters.com (8.8.8/8.8.8) id OAA44895; Sun, 9 Oct 2005 14:45:45 -0700 (PDT) Date: Sun, 9 Oct 2005 14:59:51 -0700 (PDT) Message-Id: <[EMAIL PROTECTED]> From: New Account <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Get A Free Ringtone [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-RBL-Warning: SNIFFER: Message failed SNIFFER: 60. X-Declude-Sender: [EMAIL PROTECTED] [65.175.2.52] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: SNIFFER [4] X-Note: This E-mail was sent from 52.opnletters.com ([65.175.2.52]). X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 428897057 Get the Newest Ring Tones! Download Top Hits to your Cell Phone! http://52.opnletters.com/m/l?3xp-e38u-1-aox4-f417 http://52.opnletters.com/m/l?3xp-e38u-2-aox4-f417";>Get the latest Ringtones, wallpapers, Screensavers, and more! Top ring tones include, "Wait" by Ying Yang Twins. First download is FREE! You need to visit this link. Take your Pick! http://52.opnletters.com/m/l?3xp-e38u-3-aox4-f417 To unsubscribe, from this Advertisement go to: http://52.opnletters.com/remove?r.NewAccounts.0-6037852-730b.bcwebhost.net.-ben?r or, send a blank message to: mailto:[EMAIL PROTECTED] New Account List 1333 W 120th Ave. Suite 101 Westminster, Colorado 80234 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.