Andrew,
> FWIW, I've been running v8.05 since it came out; I was getting at
> least one spam per day that was not getting Decluded and thus made
> it to my own Inbox, and today I received my first non-Decluded spam.
> Not scientific, but it's another data point.
Thanks for the input, wh
Thanks for a great effort Kami.
-Dave
- Original Message -
From:
Kami
Razvan
To: [EMAIL PROTECTED]
Sent: Wednesday, December 31, 2003 6:10
PM
Subject: [Declude.JunkMail] Nigerian
scam...
http://www.sun-sentinel.com/news/local/florida/orl-asecnigerian23122
Hi, Fritz-
I couldn't believe my eyes when I saw it, but Kami's total score if a
message hits every line in the filter is 4373.
Your score is not unrealistic.
-Dave
- Original Message -
From: "Fritz Squib" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 31, 2003
Glenn \\ WCNet wrote:
Yes, that happened to me. I had entered my address in the WebMail addy book
for one of my accounts (don't recall why), and I started getting spam that
showed as WHITELISTED. It wasn't obvious why at first because I wasn't the
primary "To" recipient on the spam, but I finall
The log file will normally show the tests that the E-mail failed, even if
it is whitelisted.
Does this hold true with PREWHITELIST ON? I thought PREWHITELISTING
bypassed any further Decude processing and therefore logging.
No (for E-mail that is whitelisted in one of the ways that support
prew
At 02:16 PM 1/2/2004, you wrote:
The log file will normally show the tests that the E-mail failed, even if
it is whitelisted.
-Scott
Does this hold true with PREWHITELIST ON? I thought PREWHITELISTING
bypassed any further Decude processing a
I just upgraded from Junkmail 1.65 to 1.75 and I am now getting this error
message:
01/02/2004 14:09:45 Qcff469fd01389792 WARNING: Unknown filter type .
I have looked over all my filters and everything seems to be correct. I
there a way to find out which test/filter is causing this? I tried debug
R. Scott Perry wrote:
I'll see if we can do this. It may get a bit tricky with the various
combinations of user aliases, host aliases, and forwarding, but we
could probably get it to work in most cases.
I'll bet that you could fix 95% or more of the potential issue with just
the real account b
Yes, that happened to me. I had entered my address in the WebMail addy book
for one of my accounts (don't recall why), and I started getting spam that
showed as WHITELISTED. It wasn't obvious why at first because I wasn't the
primary "To" recipient on the spam, but I finally figured it out.
G.Z.
I just noticed that one of my users has listed his own address in his Web
address book, and I'm thinking this could become an occasional
circumstance with unintended consequences. Since I turned AUTOWHITELIST
ON, this means that anything with a MAILFROM that forges his personal
address will e
Hello,
I just upgraded from Junkmail 1.65 to 1.75 and I am now getting this error
message:
01/02/2004 14:09:45 Qcff469fd01389792 WARNING: Unknown filter type .
I have looked over all my filters and everything seems to be correct. I
there a way to find out which test/filter is causing this? I tri
Sorry, I should have said, the Declude log shows the message was processed
against the external tests and CATCHALLMAILS. The message failed the
external test.
The external test is Sniffer.
Burzin
At 01:50 PM 1/2/2004, you wrote:
CATCHALLMAILS does just exactly that.
What is the external test
I'm using the line
WHITELIST FROM [EMAIL PROTECTED]
However, the message fails an external test. The Declude log shows the
message failed the external tests and CATCHALLMAILS. The WHITELIST FROM
address matches the From and X-Declude-Sender headers of the message.
The log file will normally
This one has been around for quite awhile as well.
http://www.hiveware.com/enkoder_form.php
Cheers,
--
---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---
--
---
[This E-mail w
CATCHALLMAILS does just exactly that.
What is the external test?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
> Sent: Friday, January 02, 2004 11:4
Scott,
I just noticed that one of my users has listed his own address in his
Web address book, and I'm thinking this could become an occasional
circumstance with unintended consequences. Since I turned AUTOWHITELIST
ON, this means that anything with a MAILFROM that forges his personal
address
Hello,
I'm using the line
WHITELIST FROM [EMAIL PROTECTED]
However, the message fails an external test. The Declude log shows the
message failed the external tests and CATCHALLMAILS. The WHITELIST FROM
address matches the From and X-Declude-Sender headers of the message.
Any ideas?
Thanks,
http://www.wbwip.com/wbw/emailencoder.html
By accident I came
across this..
Regards,
Kami
Has any one seen this in the header of legit?
X-Mailer: MIME-tools 5.411 (Entity 5.404)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.
This must be a scam to get people to sign up.
Someone has just begun to research your background via our website.
This email has been automatically sent to you so as to make you aware that
your background is being looked into.
The popularity of our website is currently growing at a very rapid ra
BADCOUNTRYNOREVDNS would have stopped this.
http://www.mailpure.com/software/decludefilters/badcountrynorevdns/BadCountryNoREVDNS_v1-0-0.zip
This was sent from an IP block where at least the entire class C belongs
to spammers that host in China. Even before I added this filter, over
99% of
Well, I set it up - sent email, didn't get any reaction - so I don't know if
we are contributing.
Generally, their "Open Relay" list is tiny and the proxy list is only "okay"
(as far as hosts listed):
NJABLDUL..2304.07%
NJABLPROXIES..860...15.23%
NJABLRELAYS...
See http://www.pcworld.com/news/article/0,aid,114050,00.asp
The December 24, 2003 article says:
Tumbleweed and the Anti-Phishing Working Group estimate that more than 60
million e-mail scam messages have been sent in the last two weeks and seek
to take advantage of confusion and increased onli
GIBBERISHSUB will catch maybe 80% of this stuff with just 25 or so two
character combinations. Some day I may add in some more strings slowly,
but Declude's custom filtering environment wasn't designed for this type
of thing.
Scott could build in functionality for counting characters, but it's
Any one using this yet, and is it helping?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Andy Schmidt
> Sent: Friday, December 26, 2003 10:27 PM
> To: [EMAIL PROTECTED]
> E.N.L.A^R.G.E
>
> A derivative of the COMMENTS test for the subject. The only issue here
> is that this stuff is otherwise easy to target with a bunch of other
> filters and therefore it almost never avoids deletion on my system. I'm
> watching this one though because it could become much worse
Care to share the headers?
BTW, I was wrong about the Zap The Dingbat thing, he hid the address bar
and used HTML to make a fake address bar. It was all done in PHP and
very nicely coded. Maybe there aren't enough real jobs out there for
Web designers :)
Matt
John Tolmachoff (Lists) wrote
Examples:
UtahNlawydycn
daysOiwswvcm
HoustonGruqrb
1iving?Bnx
lfrmztzlvudgxulzhlc
ehrcbaarornrmnfpubke
Hereistheinfoyou
usefu1Nnputywatn
None were caught by GIBBERISHSUB.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED] [mai
It also won't catch things like: "Your Amazon.com order has shipped
(#101-4385494-1223513)" or "ORDER NO.B1093613-RFGDEF-01 HAS BEEN SHIPPED
OUT"
The last thing that I want to do is FP on ecommerce things. There's
some of this stuff with all consonants as well, in very long strings.
I'm not
FYI, I did add this for it:
HEADERS 15 CONTAINScitibanksecure
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Friday, January 02, 20
GIBBERSHSUB would not catch things like BestProductEver and
ImportantPleaseReadNow and so forth.
I have seen a number of spam where the words are run together without spaces
to by pass filters. Being about to count consecutive characters and add a
weight of say nor more that 5 would help.
John To
The site's down now. The hosting provider said it was probably signed
up with a stolen credit card. He had it down within just a minute of me
sending the message.
Good deed done for the day :)
Matt
Matthew Bramble wrote:
The payload on this goes to a site that pops up a window using Zap T
The payload on this goes to a site that pops up a window using Zap The
Ding Bat URL obfuscation to make the URL look like it is the real
Citibank site. Very dangerous and because it's being redirected on that
site, you can't catch the technique in the E-mail.
I contacted the hosting provider a
John,
This would FP on messages that include ID's in the subject such as
receipts, and also base64 encoded subjects, some of which are perfectly
valid and Declude doesn't decode subjects at this time. I also tend to
see receipts with more characters than I tend to see in spam that
appends gib
I wonder how many people will actually fall for this:
--=_579b51922d72e436946615fa16088dbb
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
--=_579b51922d72e436946615fa16088dbb
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
- Original Message -
From: "John Tolmachoff (Lists)" <[EMAIL PROTECTED]>
> Test suggestion.
>
> This would be like SUBJECTSPACES, instead would count
> consecutive characters other than spaces in the subject line.
>
> CONSECUTIVECHAR consecutivechar 20 x 5 0
Also possibly CONSECUTIVECON
Test suggestion.
This would be like SUBJECTSPACES, instead would count consecutive characters
other than spaces in the subject line.
CONSECUTIVECHAR consecutivechar 20 x
5 0
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
[This E-mail
The installed.bin file is located in the *\Imail\Declude folder. If it is
there, delete it, then double click on declude.exe in the *\Imail folder.
Also, go to a command prompt and change to the Imail directory and type in
declude -diag and make sure it is reporting correctly.
John Tolmachoff
Engi
Hello,
I seem to get this on every message.
01/02/2004 10:46:11 Q92430dd100c4a4da Could not open installed.bin
01/02/2004 10:46:11 Q923c139a01408972 Could not open installed.bin
Could anybody shed some light?
Thanks
Robert
---
[This E-mail was scanned for viruses by Declude Virus (http://
39 matches
Mail list logo