Re: greeting card malware?
Hello,

IMHO the spam problem could be controlled much better if the guys who are in charge of mailservers would configure these boxes better. Bad mails (unauthorized senders, bad headers, infected mails etc.) should be bounced already by the mail server, before accepting it. Most mailservers have good tools to do so, and RBLs are also very powerful.

Example: I'm running a couple of domains on a server I manage and receive 1 - 2 spams from there per day. I have one mail address running on another server and it receives some 100 spams/day.

To catch that stuff on the mail client can be only the last step. For me SpamSieve works excellently; I'd say 99.9% of hits are correct.

All the best
Matthias

On Mon, 29 Jan 2007 12:28:05 -0500, Mark Gerber wrote:

> Thanks for all the responses.
>
> For the several weeks this has been happening I've been assuming this worm was a Windows problem and that my address was being spoofed. But then I came across a message that had been returned from a client's domain. Granted this is a huge company with any number of people and several websites--but I was alarmed at the coincidence (at least, I hope it was a coincidence). So I wondered if some malware out there had finally found its way to OS X in spite of no mention of both it and Macintosh on the security sites I check when something like this comes up.
>
> I appreciate those familiar with these problems answering so quickly. It sounds like I have to endure these things until someone(s?), somewhere takes care of it on their own computer(s) and there's nothing I can do about it unless I want to track down the advertised ISPs and contact them to put a stop to it. And there is no way I can determine whose computer it was that snatched my domain for its own use.
>
> In the meantime, I'll check out ClamXav and HenWen to see what they offer in terms of peace of mind.
>
> Mark
>
> Mark Gerber
> GERBER STUDIO/Tradigital Illustration
> http://www.gerberstudio.com
> http://www.theispot.com/artist/mgerber

All the best
Matthias
---
Admilon Consulting GmbH
http://www.admilon.com
Tel. +81-736-56-3905
---
Re: greeting card malware?
On Jan 29, 2007, at 7:39 PM, Frank Mitchell wrote:

> But then why do spammers send messages full of random words? It seems pointless to me.

The random words do help, to varying extents, against different types of filters. And there's very little downside to including them.

On Jan 29, 2007, at 11:38 PM, Michael Lewis wrote:

> I probably didn't communicate that well. As an example, this was in my log:
>
> Predicted: Good (27)
> Trained: Good (Auto)
>
> So, it was predicting this as good, and training it as good (auto). I think that's the Learning function under Training preferences kicking in?

Yes, this is normal. The auto-training feature thought that this was an interesting message because it was borderline (score of 27, with 50 being spam), so it decided to learn from it.

> Then I'd click Mark as Spam and this would show up in the log:
>
> Trained: Spam (Manual)
> Mistake: False Negative

But this time it was wrong, so with your help it corrected the training and recognized that it had made a mistake.

--
Michael Tsai
http://c-command.com
greeting card malware?
This isn't specific to PowerMail, but I'm hoping someone can point me in the right direction to solve this problem.

For the past several weeks I've been getting a lot of e-mail dumped into my Spam folder with the subject indicating delivery failed. They are from addresses I don't know and are responding to an e-mail from my domain (using a random name, for instance: hpbxx @ gerberstudio.com). There is often an attachment named something like Greeting Card.exe involved.

As far as I've been able to find out I seem to have been infected with the Happy New Year worm, but I haven't found a solution for OS X. Does anyone know where I can get more information?

Thanks.

Mark

Mark Gerber
GERBER STUDIO/Tradigital Illustration
http://www.gerberstudio.com
http://www.theispot.com/artist/mgerber
Re: greeting card malware?
[Mark Gerber [EMAIL PROTECTED] wrote on 29.1.2007 at 9:04:]

> Greeting Card.exe
> Happy New Year
> OS X

??? How can you be infected with a worm which is an .exe file on Mac OS? That is impossible. Sounds to me as if someone else (using Windows) is infected and the worm uses your domain name to send mails to (sometimes non-existing) mailboxes.

--
http://www.subhash.at
Re: greeting card malware?
> > Greeting Card.exe
> > Happy New Year
> > OS X
>
> ??? How can you be infected with a worm which is an .exe file on Mac OS? That is impossible. Sounds to me as if someone else (using Windows) is infected and the worm uses your domain name to send mails to (sometimes non-existing) mailboxes.

You beat me to it. ;-)

Spam in general seems to be way up recently. One day last week I had 399 spam messages, then two days later it was 350. It's gotten to a point that real mail is less than 2% of all my emails. :-(

Wayne
Re: greeting card malware?
On Mon, 29 Jan 2007 09:04:00 -0500, Mark Gerber wrote:

> This isn't specific to PowerMail, but I'm hoping someone can point me in the right direction to solve this problem.

I think that's a misconfigured mailserver which is rejecting (infected virus) mail instead of bouncing it.

> For the past several weeks I've been getting a lot of e-mail dumped into my Spam folder with the subject indicating delivery failed. They are from addresses I don't know and are responding to an e-mail from my domain (using a random name, for instance: hpbxx @ gerberstudio.com). There is often an attachment named something like Greeting Card.exe involved.
>
> As far as I've been able to find out I seem to have been infected with the Happy New Year worm, but I haven't found a solution for OS X. Does anyone know where I can get more information?

The worm affects only Windoze. But if you're afraid of viruses on the Mac, install ClamXav, works great. Another nice thing is snort; the installation for OS X is called HenWen.

All the best
Matthias
---
Admilon Consulting GmbH
http://www.admilon.com
Tel. +81-736-56-3905
---
Re: greeting card malware?
Look through the headers. Look for a Lookup warning. It may show that it is from someone else:

X-Lookup-Warning: MAIL lookup on [EMAIL PROTECTED] does not match 201.69.126.198

If your server doesn't perform Lookups, look for the originating IP and see if it is from your domain:

Return-path: [EMAIL PROTECTED]
Received: from smtp.-snip-.com (201-69-126-198.dial-up.telesp.net.br [201.69.126.198])

I would guess that it is NOT coming from your network.

Justin

On Jan 29, 2007, at 8:04 AM, Mark Gerber wrote:

> This isn't specific to PowerMail, but I'm hoping someone can point me in the right direction to solve this problem.
>
> For the past several weeks I've been getting a lot of e-mail dumped into my Spam folder with the subject indicating delivery failed. They are from addresses I don't know and are responding to an e-mail from my domain (using a random name, for instance: hpbxx @ gerberstudio.com). There is often an attachment named something like Greeting Card.exe involved.
>
> As far as I've been able to find out I seem to have been infected with the Happy New Year worm, but I haven't found a solution for OS X. Does anyone know where I can get more information?
>
> Thanks.
>
> Mark
>
> Mark Gerber
> GERBER STUDIO/Tradigital Illustration
> http://www.gerberstudio.com
> http://www.theispot.com/artist/mgerber
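The header check described in the message above, as an added example that is not part of the original thread: it pulls the returned message's headers out of a bounce, reports any X-Lookup-Warning, and tests the first bracketed IP in the Received lines against your own networks. The function names, the example.* addresses and the 192.0.2.0/24 network are assumptions; the IP and dial-up host name are the ones quoted in the post.

```python
import email
import ipaddress
import re
from email import policy

# Constructed bounce for illustration. The IP and dial-up host name are the ones
# quoted in the post; every address under example.* is a placeholder.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.client.example
To: hpbxx@example.org
Subject: Delivery failed
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: text/rfc822-headers

Return-Path: <hpbxx@example.org>
X-Lookup-Warning: MAIL lookup on hpbxx@example.org does not match 201.69.126.198
Received: from smtp.example.org (201-69-126-198.dial-up.telesp.net.br [201.69.126.198])
 by mx.client.example; Mon, 29 Jan 2007 08:01:12 -0500
From: hpbxx@example.org
Subject: Greeting Card
--b1--
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 only


def returned_original(bounce):
    """Return the original message (or just its headers) attached to a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload(), policy=policy.default)
    return bounce  # non-standard bounce: fall back to the bounce's own headers


def assess(raw_bounce, own_networks):
    """Report the lookup warning and whether the sending IP is in own_networks."""
    original = returned_original(email.message_from_string(raw_bounce, policy=policy.default))
    warning = original.get("X-Lookup-Warning")
    origin = None
    # Received lines are prepended, so the first one was written by the server
    # that accepted the message and later bounced it; lines below can be forged.
    for received in original.get_all("Received", []):
        match = IPV4_IN_BRACKETS.search(str(received))
        if not match:
            continue
        try:
            origin = ipaddress.ip_address(match.group(1))
            break
        except ValueError:
            continue  # bracketed text that is not a valid address
    networks = [ipaddress.ip_network(n) for n in own_networks]
    return {
        "lookup_warning": str(warning) if warning else None,
        "origin_ip": str(origin) if origin else None,
        "from_own_network": origin is not None and any(origin in n for n in networks),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_BOUNCE, ["192.0.2.0/24"]))  # placeholder for your own range
```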
Re: greeting card malware?
Your email address has been spoofed. I have 2 domains that have NO outgoing email server at all and I get returns all the time. I just ignore them. There is absolutely nothing you can do about this. Most email servers can catch a fraudulent email address and bounce it.

On Mon, 29 Jan 2007 09:04:00 -0500, Mark Gerber wrote:

> > This isn't specific to PowerMail, but I'm hoping someone can point me in the right direction to solve this problem.
>
> I think that's a misconfigured mailserver which is rejecting (infected virus) mail instead of bouncing it.
>
> > For the past several weeks I've been getting a lot of e-mail dumped into my Spam folder with the subject indicating delivery failed. They are from addresses I don't know and are responding to an e-mail from my domain (using a random name, for instance: hpbxx @ gerberstudio.com). There is often an attachment named something like Greeting Card.exe involved.
> >
> > As far as I've been able to find out I seem to have been infected with the Happy New Year worm, but I haven't found a solution for OS X. Does anyone know where I can get more information?
>
> The worm affects only Windoze. But if you're afraid of viruses on the Mac, install ClamXav, works great. Another nice thing is snort; the installation for OS X is called HenWen.
>
> All the best
> Matthias
> ---
> Admilon Consulting GmbH
> http://www.admilon.com
> Tel. +81-736-56-3905
> ---
Re: greeting card malware?
Wayne Brissette sez:

> Spam in general seems to be way up recently. One day last week I had 399 spam messages, then two days later it was 350. It's gotten to a point that real mail is less than 2% of all my emails. :-(

Sadly this is true for me as well. SpamSieve isn't even catching a lot of it, particularly the ones that are filled with random sentences from works of literature. It also was missing a bunch of things that said loan request in it despite me marking them spam, until I went in and blacklisted anything with loan request in it.

Maybe I need to recalibrate SpamSieve, but I generally delete all my spam and don't remember I should be saving it until I think about recalibrating. :) DOH!

--
Michael Lewis
Off Balance Productions
[EMAIL PROTECTED]
www.offbalance.com
Re: greeting card malware?
[EMAIL PROTECTED] sez:

> Your email address has been spoofed. I have 2 domains that have NO outgoing email server at all and I get returns all the time. I just ignore them. There is absolutely nothing you can do about this. Most email servers can catch a fraudulent email address and bounce it.

There is one thing that can be done, at least if the emails are advertising something. Once when my domain was spoofed and I had to deal with around 20,000 bouncebacks over the course of a week, I was able to use WhoIs to track down the ISP of the pharmaceutical site being advertised. Don't go after the spammer -- you can probably never find it; go after the advertiser. They have to have some place for a person to contact in order to make their money -- so hit them there.

Once I had the internet provider of the advertiser, I sent a nicely worded cease-and-desist letter claiming if they did not shut down the site, I would have to contact my lawyers to complete papers filing for fraudulent use of my corporate identity. Yeah, I don't know if such a thing exists, but pad it out with some legal mumbo jumbo and it sounded good. :)

They shut down the advertiser's site. I still got bouncebacks for a while, but I was much more satisfied. :)

--
Michael Lewis
Off Balance Productions
[EMAIL PROTECTED]
www.offbalance.com
Re: greeting card malware?
Thanks for all the responses.

For the several weeks this has been happening I've been assuming this worm was a Windows problem and that my address was being spoofed. But then I came across a message that had been returned from a client's domain. Granted this is a huge company with any number of people and several websites--but I was alarmed at the coincidence (at least, I hope it was a coincidence). So I wondered if some malware out there had finally found its way to OS X in spite of no mention of both it and Macintosh on the security sites I check when something like this comes up.

I appreciate those familiar with these problems answering so quickly. It sounds like I have to endure these things until someone(s?), somewhere takes care of it on their own computer(s) and there's nothing I can do about it unless I want to track down the advertised ISPs and contact them to put a stop to it. And there is no way I can determine whose computer it was that snatched my domain for its own use.

In the meantime, I'll check out ClamXav and HenWen to see what they offer in terms of peace of mind.

Mark

Mark Gerber
GERBER STUDIO/Tradigital Illustration
http://www.gerberstudio.com
http://www.theispot.com/artist/mgerber
Re: greeting card malware?
Hello Michael

> > Spam in general seems to be way up recently. One day last week I had 399 spam messages, then two days later it was 350. It's gotten to a point that real mail is less than 2% of all my emails. :-(
>
> Sadly this is true for me as well. SpamSieve isn't even catching a lot of it, particularly the ones that are filled with random sentences from works of literature.

I suspect these are intended to overload programs which work like SpamSieve with millions of random 'good' words. If there are enough of them they could eventually render SS ineffective. Your experience seems to confirm this.

For this reason, I simply delete such random word messages rather than do a Mark as Spam.

That's my theory anyway 8^)

Frank
--
Frank Mitchell, Scottsdale, Arizona
Re: greeting card malware?
Frank Mitchell sez:

> I suspect these are intended to overload programs which work like SpamSieve with millions of random 'good' words. If there are enough of them they could eventually render SS ineffective. Your experience seems to confirm this.
>
> For this reason, I simply delete such random word messages rather than do a Mark as Spam.
>
> That's my theory anyway 8^)

That was my theory, too. I went to the SpamSieve website and checked forums, and the general consensus there was to continue to mark even these kinds of messages as spam. So I have. On the plus side, more messages like that get caught by SpamSieve. On the minus side there are so many of them, I don't think I notice a difference until I do actual counts. :)

I'll bite the bullet and begin saving up spam messages soon and then remake SpamSieve's corpus. It should take about 9-10 days for me to get 1000 spams to index. Ugh.

Now, if I could only find a way to automatically trash all the political mail my father sends to me but save his good messages. :)

--
Michael Lewis
Off Balance Productions
[EMAIL PROTECTED]
www.offbalance.com
Re: greeting card malware?
I DON'T use SpamSieve. I simply open my mailbox using webmail (SquirrelMail) and select all the messages. Then I scroll down, unchecking the ones I want to keep. Then I click delete. Then I download. This gives me visual control all the time and it is very fast to do. I can skim through 100 messages in about 2 minutes and pick out the 1 or 2 that I want to read. I have SquirrelMail set up to move them to a trash file first before they are gone forever, so if I oops all is not lost.

> Frank Mitchell sez:
>
> > I suspect these are intended to overload programs which work like SpamSieve with millions of random 'good' words. If there are enough of them they could eventually render SS ineffective. Your experience seems to confirm this.
> >
> > For this reason, I simply delete such random word messages rather than do a Mark as Spam.
> >
> > That's my theory anyway 8^)
>
> That was my theory, too. I went to the SpamSieve website and checked forums, and the general consensus there was to continue to mark even these kinds of messages as spam. So I have. On the plus side, more messages like that get caught by SpamSieve. On the minus side there are so many of them, I don't think I notice a difference until I do actual counts. :)
>
> I'll bite the bullet and begin saving up spam messages soon and then remake SpamSieve's corpus. It should take about 9-10 days for me to get 1000 spams to index. Ugh.
>
> Now, if I could only find a way to automatically trash all the political mail my father sends to me but save his good messages. :)
>
> --
> Michael Lewis
> Off Balance Productions
> [EMAIL PROTECTED]
> www.offbalance.com
Re: greeting card malware?
On Jan 29, 2007, at 10:38 AM, Michael Lewis wrote:

> SpamSieve isn't even catching a lot of it, particularly the ones that are filled with random sentences from works of literature.

I'm not aware of any spam types that consistently get through SpamSieve, when it's properly configured and trained. If certain kinds of messages keep ending up in your inbox, please report them:

http://c-command.com/spamsieve/manual-ah/what-information-should

so that I can see if in fact they got through SpamSieve, and what can be done about it.

On Jan 29, 2007, at 1:36 PM, Frank Mitchell wrote:

> For this reason, I simply delete such random word messages rather than do a Mark as Spam.

I don't recommend doing that. Not correcting SpamSieve's mistakes is a sure way to make more spam get through, and in certain cases is equivalent to telling SpamSieve that you think the deleted messages are good:

http://c-command.com/blog/2006/11/11/tell-spamsieve-the-truth/

--
Michael Tsai
http://c-command.com
Re: greeting card malware?
Michael Tsai sez:

> I'm not aware of any spam types that consistently get through SpamSieve, when it's properly configured and trained. If certain kinds of messages keep ending up in your inbox, please report them:
>
> http://c-command.com/spamsieve/manual-ah/what-information-should
>
> so that I can see if in fact they got through SpamSieve, and what can be done about it.

Thanks for the pointer, Michael. I also followed the link on that page to the Why is SpamSieve not catching my spam? tutorial.

My filter was set to only operate if the From, Sender or Reply To: address was not in my addressbook. I noticed that some of the spam not making it through was being marked Good automatically in the log for various reasons or possibly not being evaluated, so I've changed the filter setting to Always as suggested on the Why...? page. Initial tests look promising, and I'm sure SpamSieve will quickly pick up on my common email correspondents. I turned on the false negative message saving in case it doesn't work out, so I can report more.

One interesting thing: The Why...? page says:

> To test that the rule works, select a spam message in your mail program. Use the Train Spam (Apple Mail or Entourage) or Mark as Spam (PowerMail) command to tell SpamSieve that it is spam. Drag this message to your inbox and select it again. Then manually apply the rule [Spam: Evaluate].

However, every time I drag the spam to reapply the rule from the Filter menu, the log shows that I am manually choosing to make it NOT spam again. There is a setting in PowerMail to manually mark as good any mail dragged out of the Spam folder, so that could be a bit confusing. Once I found that setting, I figured I was fine, so I'll wait to see if it gets a real false positive now before I drag-and-drop from the Spam folder. You might need to update the page to note the setting and tell people to uncheck it to apply this test.

I've begun using Mail a lot for another account and have read SpamSieve can handle both mail clients at once. I may set that up soon. SpamSieve is a great product surpassed only by not having to download the junk in the first place. :)

Thanks again!

--
Michael Lewis
Off Balance Productions
[EMAIL PROTECTED]
www.offbalance.com
Re: greeting card malware?
On Jan 29, 2007, at 4:26 PM, Michael Lewis wrote:

> My filter was set to only operate if the From, Sender or Reply To: address was not in my addressbook. I noticed that some of the spam not making it through was being marked Good automatically in the log for various reasons or possibly not being evaluated

Yes, using those criteria could cause some messages not to be evaluated (in which case there would be no Predicted entries in the log for them). I'm not sure what you mean about messages being marked as good automatically.

> However, every time I drag the spam to reapply the rule from the Filter menu, the log shows that I am manually choosing to make it NOT spam again. There is a setting in PowerMail to manually mark as good any mail dragged out of the Spam folder, so that could be a bit confusing.

Thanks for mentioning that. I'll clarify it in the next revision of the documentation.

On Jan 29, 2007, at 5:16 PM, Geoff Roynon wrote:

> I filter GIF and JPG spam before it reaches the Spamsieve filter so they don't pollute the Spamsieve corpus. In my filters, my first filter is called Spam-gif and has two conditions:
>
> From is not in address book
> Attachment ends with .gif

I don't think one needs to worry about polluting the corpus, and SpamSieve should be able to catch these image spams. If this kind of manual filter works well for you, that's great, but I don't recommend it in general because there are legitimate reasons for non-spammers who aren't in the address book to be sending GIFs.

--
Michael Tsai
http://c-command.com
Re: greeting card malware?
Hello Michael

> > For this reason, I simply delete such random word messages rather than do a Mark as Spam.
>
> I don't recommend doing that. Not correcting SpamSieve's mistakes is a sure way to make more spam get through, and in certain cases is equivalent to telling SpamSieve that you think the deleted messages are good:

That makes sense. But then why do spammers send messages full of random words? It seems pointless to me.

Frank
--
Frank Mitchell, Scottsdale, Arizona
Re: greeting card malware?
Michael Tsai sez:

> Yes, using those criteria could cause some messages not to be evaluated (in which case there would be no Predicted entries in the log for them). I'm not sure what you mean about messages being marked as good automatically.

I probably didn't communicate that well. As an example, this was in my log:

=
Predicted: Good (27)
Subject: dark side reap revenge
From: side [EMAIL PROTECTED]
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Reason: P(spam)=0.000[0.500], bias=0.000, authoring(0.002), attackers(0.002), attackers(0.002), nur(0.002), nur(0.002), authoring(0.002), alban(0.002), shivers(0.998), mozart(0.002), shivers(0.998), chronology(0.998), chronology(0.998), S:dark(0.998), mozart(0.002), alban(0.002)
Date: 2007-01-29 15:05:02 -0500
=
Trained: Good (Auto)
Subject: dark side reap revenge
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Actions: added rule From (address) Is Equal to [EMAIL PROTECTED] to SpamSieve whitelist, added to Good corpus (1950)
Date: 2007-01-29 15:05:02 -0500
=

So, it was predicting this as good, and training it as good (auto). I think that's the Learning function under Training preferences kicking in?

Then I'd click Mark as Spam and this would show up in the log:

=
Trained: Spam (Manual)
Subject: dark side reap revenge
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Actions: disabled rule From (address) Is Equal to [EMAIL PROTECTED] in SpamSieve whitelist, added rule From (address) Is Equal to [EMAIL PROTECTED] to SpamSieve blocklist, added to Spam corpus (2813), removed from Good corpus (1949)
Date: 2007-01-29 15:52:14 -0500
=
Mistake: False Negative
Subject: dark side reap revenge
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Classifier: Bayesian
Score: 27
Date: 2007-01-29 15:52:19 -0500
=

The other setting was leaving spam which actually had my address in them. As an example, [EMAIL PROTECTED] is not in my addressbook, so those usually got sent to spam just fine... The Always setting appears to be catching the others now, too.

--
Michael Lewis
Off Balance Productions
[EMAIL PROTECTED]
www.offbalance.com
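A way to audit a log like the one quoted above, as an added example that is not part of the original thread or of SpamSieve: it groups entries by Identifier and lists messages that were auto-trained as Good (gaining a whitelist rule) and later had to be marked as spam by hand. The function names, the "=" separator handling, the one-field-per-line layout and the second sample message are assumptions.

```python
from collections import defaultdict

# Constructed sample: the entries quoted in the post, trimmed to the fields used
# here, plus one invented message. The layout of the real log file is assumed.
SAMPLE_LOG = """\
=
Predicted: Good (27)
Subject: dark side reap revenge
Identifier: khgtBI64xZPSBNTAr+Nhqw==
=
Trained: Good (Auto)
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Actions: added rule From (address) Is Equal to [EMAIL PROTECTED] to SpamSieve whitelist, added to Good corpus (1950)
=
Trained: Spam (Manual)
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Actions: disabled rule From (address) Is Equal to [EMAIL PROTECTED] in SpamSieve whitelist, added rule From (address) Is Equal to [EMAIL PROTECTED] to SpamSieve blocklist, added to Spam corpus (2813), removed from Good corpus (1949)
=
Mistake: False Negative
Identifier: khgtBI64xZPSBNTAr+Nhqw==
Classifier: Bayesian
Score: 27
=
Predicted: Spam (98)
Identifier: constructed-0002
=
"""


def parse_entries(log_text):
    """Split on separator lines; the first line of each entry names its kind."""
    entries, current = [], []
    for line in log_text.splitlines() + ["="]:
        if line and not line.strip("="):  # a line made only of "=" characters
            if current:
                kind, _, value = current[0].partition(": ")
                fields = dict(l.partition(": ")[::2] for l in current[1:])
                entries.append({"kind": kind, "value": value, **fields})
            current = []
        elif line.strip():
            current.append(line.strip())
    return entries


def auto_trained_misses(log_text):
    """Messages auto-trained as Good that were later corrected to spam by hand."""
    auto, miss = ("Trained", "Good (Auto)"), ("Mistake", "False Negative")
    by_id = defaultdict(list)
    for entry in parse_entries(log_text):
        by_id[entry.get("Identifier")].append(entry)
    findings = []
    for ident, events in by_id.items():
        kinds = [(e["kind"], e["value"]) for e in events]
        if auto not in kinds or miss not in kinds:
            continue
        if kinds.index(auto) > kinds.index(miss):
            continue  # auto-training happened after the correction, not before
        actions = " ".join(e.get("Actions", "") for e in events)
        findings.append({
            "identifier": ident,
            "score": int(events[kinds.index(miss)].get("Score", -1)),
            "whitelist_rule_added": "to SpamSieve whitelist" in actions,
            "whitelist_rule_disabled": "disabled rule" in actions
            and "in SpamSieve whitelist" in actions,
        })
    return findings


if __name__ == "__main__":
    print(auto_trained_misses(SAMPLE_LOG))
```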