get those automated programs that crawl IP's and test for hundreds of vulnerabilities, this tool rejects every last one of the attempts before it actually reaches IIS for processing under our configuration.
Matt
Dan Patnode wrote:
IIS Worm We’ve spent the morning battling a worm. Here’s
Title: IIS Worm
We’ve spent the morning battling a worm. Here’s the news:
Its designed to exploit a vulnerability in Microsoft IIS (we use it for delivery) that is so new it doesn’t yet have a name. Its not yet in wide circulation, we just push so much mail we’ve seen it already. MS doesn’t
I for one am quite happy with the "workaround" for TESTSFAILED/END. I can't
speak to which versions should support it, but with Matt's guidance and the
permutation builder I posted here yesterday:
http://www.subterrane.com/permgen.shtml
I've found remarkable precision and dexterity. Just be sur
For those building TESTSFAILED multi test combination configurations, here's
a web site for constructing custom permutation lists with any designators
you specify:
http://www.subterrane.com/permgen.shtml
Dan
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--
-------
> Check out http://www.invariantsystems.com for utilities for Declude and Imail.
>
>
> Quoting Dan Patnode <[EMAIL PROTECTED]>:
>
>> The Institute of Biotechnology, University of Helsinki Finland just sent my
>> abuse lin
The Institute of Biotechnology, University of Helsinki Finland just sent my
abuse line a report suggesting a new client of mine is a spammer. I'm not
in the business of protecting these guys from each other.
Has anyone heard of countmein.com as a spammer?
Here's the report if you're curious
To confirm, you're talking about Declude 1.79?
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 04 May 2004 09:35:35 -0400
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Anything special for Imail 8.1?
>
>
>>> There are no known issues with IMai
Samantha,
You have 4 basic options:
1) Invest occasional time and run with the basic configuration.
2) Invest daily time, collaborating with the excellent help on this list,
including Scott.
3) Outsource all or part of your configuration with a company like Mail
Pure.
4) Outsource your entire
Here's a clever web site for obfuscating addresses hosted on web sites:
http://www.colmgallagher.com/encode_all.html
Ironically, it uses the same "http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
Nice.
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 29 Mar 2004 20:10:52 -0500
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Crazy Characters
>
>
>> Between the words are space like characters that aren't spaces. I can only
>> view them usi
Has anyone noticed these yet:
Subject: Lower your monthly payment today !
Between the words are space like characters that aren't spaces. I can only
view them using symbol or dingbat fonts and my email client can't even
search for them in a folder of messages. I'm inclined to make a filter f
#4's a tricky one I've been watching for some time. Turns out its a generic
server failure such that were a filter in place to look for it and you had a
real server failure, every message would trip the filter.
What's needed is a way to prevent the errors, which seems to be easier said
than done.
http://australianit.news.com.au/articles/0,7204,8901975%5e15388%5e%5enbv%5e,
00.html
Spam zombies on the rise
Anick Jesdanun
MARCH 08, 2004
NEXT time you're looking for a culprit for all that junk mail flooding your
inbox, have a glance in the mirror.
Spammers are increasingly exp
Seems they're actually aware of the problem:
http://maccentral.macworld.com/news/2004/03/10/comcast/index.php?redirect=10
78943859000
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe,
Interesting points,
There's a name for industries where more than one supplier isn't practical: natural
monopoly. I can't recall a single example where a natural monopoly improved after
privatization. In economics terms, systems for maximizing profit (capitalism) don't
work with systems where
Darryl,
You can run Declude on its own server in front of clients' email servers, as a
gateway. Only external email then gets scanned for spam.
Dan
On Thursday, September 18, 2003 8:01, Darryl Koster <[EMAIL PROTECTED]> wrote:
>
>
>The hosting business I run deals mainly with business and I
Spammers put links in the body of messages and more recently are creating them by the
pound, changing to new ones multiple times/days. Is it possible to have a test that
checks the age of domain names in the body? This information is available from a
number of places:
http://www-whois.interni
CT0CONTAINSzb
>SUBJECT0CONTAINSzc
>SUBJECT0CONTAINS zf
>SUBJECT0CONTAINSzj
>SUBJECT0CONTAINSzk
>SUBJECT0CONTAINSzl
>SUBJECT0CONTAINSzm
>SUBJECT0CONTAINSz
Looking at my "spamples" I don't see any prefix letter:
Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?
Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=
Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month
Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVu
Follow-up,
Used in a high weight soft test, 3 of Q subject tests FPd this morning. It seems that
Japanese encoded messages like lots of mixed up letters.
More testing...
Dan
On Wednesday, September 10, 2003 19:20, Dan Patnode <[EMAIL PROTECTED]> wrote:
>I did a scan of all unca
box"
>server and try to "offload" all outbound or relay functions to
>the MS SMTP.
>
>Best Regards
>Andy
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
>Sent: Wednesday, September 10, 2003 0
s the SMTP
>client and Webmin as the interface. I don't though dispute
>Sandy's faith in MS SMTP, and it can be run on the same box as
>IMail.
>
> Matt
>
>
>
>
> Dan Patnode wrote:
>
>FYI, I pulled this test 3 weeks ago after a email from France
&
their own). We could then build profiles, adding all the different
behaviors paricular spams share, regardless of which tests define those behaviors.
I would love, for example, to combine an IPFILE listing US broadband IPs with
NONENGLISH.
Dan
On Wednesday, September 10, 2003 16:57, D
FYI, I pulled this test 3 weeks ago after a email from France came through (or rather
didn't) with this subject:
Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=
There's definitely is a correlation here among spammers, ?B? encoded subjects,
disposable domain names, and not
Any opinions on Exim?:
http://www.exim.org/
Dan
On Wednesday, September 10, 2003 15:36, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>Dan Patnode wrote:
>
>>Should have been more specific, I'm looking for something used
>by larger ISPs that gives me the confidenc
[EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
>Sent: Wednesday, September 10, 2003 2:34 PM
>To: [EMAIL PROTECTED]
>Subject: [Declude.JunkMail] SMTP Relay Limit
>
>
>I'm running Declude as a gateway for various IPs and just hit a limit.
>Under
&g
e
an L was replaced with an I and it showed up in attachment PDF code.
Dan
On Wednesday, September 10, 2003 13:36, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>Dan Patnode wrote:
>
>>Good point,
>>
>>The goal then should be to differentiate numbers used as codes
Good point,
The goal then should be to differentiate numbers used as codes from numbers used to
confuse. The former tend to be contiguous while the later (in my experience), tend to
be mixed in with letters. Perhaps if the test counted numbers with letters on both
sides?
Dan
On Wednesday,
I'm running Declude as a gateway for various IPs and just hit a limit. Under
Addresses specified here are to be considered local addresses for mail gatewaying
Adding entries to Access Control under SMTP, the 100th entry produces an error:
Maximum table size reached
So now, no more
I keep seeing generic word payload domains that have generic words followed by short
codes:
manual3a.com
infowebdd4.com
saless1d.com
seaccc1.com
saleon1.com
greatdf45.com
greatinfo33f.com
greatbizss3.com
biz34er5.com
clearsale12.com
bigsalesxz.com
The interesting part, is that their Internic.ne
It won't help with Lawyers and the like who need a server stamp and the users will
need to go between work and home, but there is a way to make life easy:
Make up a sub domain, something like cox.mydomain.com for each blocking ISP. On the
LAN (private IP), point cox.mydomain.com at the private
Heads up to anyone using "undeliverable" subjects for whitelisting, pharmacysale.biz
is trying to sneak around, some more subtle than others:
Subject: Returned mail: see transcript for details
Subject: Undeliverable: Online Pharmacy - Lowest Prices - Prozac and More!
Subject: Delivery Status N
There was a report in the last few days about relays.osirusoft.com going sour in some
way. I didn't pay much attention until I had a dozen OSRELAY false positives staring
me in the face.
I've turned off all relays.osirusoft.com based tests (I used two)
Dan
On Tuesday, August 26, 2003 17:14,
banned extension
>Declude Virus vulnerabilities
>Declude JM
>Imail Rules
>Delivery
>
>John Tolmachoff MCSE CSSA
>Engineer/Consultant
>eServices For You
>www.eservicesforyou.com
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
ed
>extensions before it goes to the virus scanner in order to save
>processing power?
>
> Matt
>
> Dan Patnode wrote:
>
>Matt, by this:
>
>
>
>This does tie back into processor utilization though, because
>before the definitions were available, the banned ext
cott,
>
> I know this is the wrong discussion group, but since we're on
>the topic, would it make more sense to test for banned
>extensions before it goes to the virus scanner in order to save
>processing power?
>
> Matt
>
> Dan Patnode wrote:
>
>
>Matt, by this
Thanks for all the great feedback. I'm still drowning in 50,000+ SoBig message/day
but at least I now have them balanced over both 5gig servers instead of just one.
What kills me is that the vast majority are headed for a single customers info@
address.
Matt, by this:
> This does tie back i
I'm running twin dual Xeon 2.4s and was nearly wiped out today by all the extra
virus/worm activity. Its midnight and I'm still clearing out the overflow, to the
tune of 2 dozen Declude processes.
Rather than running them in parallel as we had before (setting them up with the same
MX weight),
If you're describing % of false positives/negatives, it can't be done automatically.
Any system smart enough to tell what should have from what shouldn't have to calculate
the difference would simply do as it should and be 100% accurate.
I get my numbers by taking the total messages and dividin
Some-much of this local/remote distiction can be resolved by running Declude infront
of/seperate from your actual email server. The negative is that it kills auto
whitlising.
Dan
On Wednesday, July 30, 2003 12:01, Karen D. Oland <[EMAIL PROTECTED]> wrote:
>I agree. We have the same problem he
Looks like they expired the link, only the domain reveals what you saw:
http://tfexp.com/
I have a perspective client considering challenge/response, another good reason not to.
Dan
On Wednesday, July 30, 2003 4:58, Omar K. <[EMAIL PROTECTED]> wrote:
>I fell for it, so im assuming that joe bl
I believe the hmtl decoding already takes care of the second example. As for the
first, I've had great success targeting spoofing directly:
BODY0 CONTAINShttp://7
BODY0 CONTAINShttp://8
BODY0 CONTAINShttp://9
BODY0 CONTAINS
Can't wait for this one!
On Friday, July 18, 2003 11:10, R. Scott Perry <[EMAIL PROTECTED]> wrote:
>
>>I have been looking at this trend and perhaps having another tool in our
>>arsenal could help.
>>
>>Can there be a header or a variable we can assign weight to for DNS?
>>
>>A lot of spam house
I run a gateway configuration with clients changing their entire MX record to my
servers, which in turn point back to the client's server. In this way, clients don't
need to change anything else on their end and everyone is happy. The original email
server stays wide open and no one is the wis
Reminds me of my weeks with Declude (over a year now). Turned out the format of my
comments wasn't right, it was being rejected as header content, dropping into the
body. As I recall, not all mail clients responded the same way - MS clients showing
the problem.
I never went beyond making ea
After killing off the .biz domains, there seems to be a surge in hyphenated domains,
with generic, systems or typical words. Anyone else seeing this?:
COLO-JAN.NET
linux-pros.net
great-steals.com
simply-4u.com
media-permit.com
bargain-bin.com
e-member-services.com
pret-ty.com
on-thenet.net
dns-
When I checked last month I was doing about 1 in 20,000 (.005%), but this takes some
fairly sophisticated tuning.
Dan
On Friday, July 11, 2003 9:18, Douglas Brantley <[EMAIL PROTECTED]> wrote:
>
> New to list...
>
> We are considering purchasing Declude Junkmail.
>
> I am con
Thought these might be of interest:
New site spoofs PayPal to get billing information
http://maccentral.macworld.com/news/2003/07/09/paypal/
Congress fights over spam opt-in rules
http://maccentral.macworld.com/news/2003/07/09/spam/
---
[This E-mail was scanned for viruses by Declu
The asumption is that multiple folders are needed, you are running multiple domains
through the same gateway. I've been using REDIRECT for over a year and there are
advantages to customization, being able to REDIRECt with some and SUBJECT with others,
or different versions of each.
Additiona
.tpcper is Topica. They come out with new spamming domains continuously while keeping
their IPs fixed. Blocking their IPs however, also blocks all the newsletters they
publish. I've been testing their removal system for the last 2 months, if you enter
the recipients email address here with th
I've seen as much as a doubling over the last 3 months but nothing in particular over
the last week. Is your total/total up, or just the stuff getting through?
Dan
On Monday, July 7, 2003 9:48, Koree A. Smith <[EMAIL PROTECTED]> wrote:
>Was just curious if anyone else is seeing the HUGE increa
Anyone else get this?:
==
Dear Sir/Madam
I would like to inquire if you would be interested in incorporating
email postage support to your product. It will allow your customers to
enforce payment for emails that are not on their white list, or have a
certain level of spam
So how good are these tests? I've been tracking spam from mail.fea.net for the last
few days (over 40 in the last 12 hours alone), all seem to be relayed and fea.net
seems to be a friendly neighborhood ISP.
They don't show up in any DBs, so I had to block their IP.
Dan
On Sunday, July 6, 20
I don't know about log analyzers, but there's a way around message interlacing for
manual log review. BBEdit shows search results in a new window, so I search for the
messages code (like D06f811ed0094f08e) and every line with the code is isolated and
displayed in a sigle concise package.
I don
Wow, I can't believe you guys, this stuff is amazing. Now to figure out what grep is
so I can use it!
Would something written in php be as strong/fast?
Dan
On Saturday, June 28, 2003 20:09, Bill Landry <[EMAIL PROTECTED]> wrote:
>Okay, here is a small contribution to the list. Markus, this
>
A general tip:
If you find yourself wanting to split a weight amount, say 5 is to low and 6 is to
high, you can't use 5.5, but you can increase the resolution.
Take every weight in your entire configuration (EVERY weight at once, including all
action files) and multiply them by the same numbe
I have an uncaught spam with an interesting profile:
HELO: x-stream.co.za
RDNS: m48.net81-66-160.noos.fr
FROM: arcticstock.no
I'm wondering about a SpamDomains config that looks for mismatches in domains other
than com/net/org. It would go beyond individual domains and nail whole countries at
Strategy:
1) Create a list (or start with Bill's excellent list) with a small weight, say half
of what you use for open relay databases.
2) Increase the weight gradually until you start getting FPs, then back it down a bit
3) Create a second list/test, I call "SpamierDomains". When an uncaught
M.
>
>Todd Holt
>Xidix Technologies, Inc
>Las Vegas, NV USA
>www.xidix.com
>
>
>> -Original Message-----
>> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
>> [EMAIL PROTECTED] On Behalf Of Dan Patnode
>> Sent: Friday, June 27, 2003 6:37 PM
>> To: [EMA
Its been a horrible week, but I need the distraction...
I've considered this a few times, every time I prepare to suggest it I remember what
happened with my idea to test for long subjects, there just isn't enough uniformity.
My concern isn't so much uniformity of technical things like tracking
Yahoo's and perhaps others, are blocking many of the confirmation e-mails
consumers are supposed to receive to complete their online registration.
On Friday, June 27, 2003 12:49, Dan Patnode <[EMAIL PROTECTED]> wrote:
>Stops the telemarketers (with some exceptions), debuted this
>
Stops the telemarketers (with some exceptions), debuted this morning:
http://donotcall.gov/
More junk stopping info:
http://www.obviously.com/junkmail/
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing l
I preface this by saying that my techniques are based on studying and understanding
spammers and the way they behave. More Sun Ztu than Zen:
I've been noticing an increasing number of politically oriented spam, starting after
the war with Iraq. The most wanted playing card spam turned into get
Here's Kami's and one weeks worth of catches, all are BODY CONTAINS. I test/confirm
all hard tests, so the second group has not yet been proven:
athomerx.biz
awesomeviagraprices.biz
ayoungeryou.biz
bestdealsonline.biz
bizminder.biz
cantlose-here.biz
cheaptrips.biz
desires4sex.biz
discountbuyers
I eventually got 4 copies from 3 IPs, 24.x.x.x plus:
68.82.235.252
81.202.170.237
No relaying. Interestingly, 3 of them got caught.
Dan
On Wednesday, June 18, 2003 23:24, J Porter <[EMAIL PROTECTED]> wrote:
>Ask and ye shall receive... whether you want it or not.. )
>
>~Header~
>Rece
Watch out for this one, the underlying code looks like:
href="http://www.your-instant-credit-reporter.org/fraud.html";>BestBuy.com/fraud_department.html
The subject reads:
BestBuy Order #1095619. Fraud Alert.
The message reads:
Dear customer,
Recently we have received an order made by usi
I also considered something universal like every combination of letters next to
numbers, but there are to many legit messages with codes, even if limited to the
subject. It would work if the test were smart enough to measure the ratio of letters
to numbers.
Good luck with that.
Dan
On Wedn
My .biz seach continues (more later), but I'm now interested in subject tests for
words with numbers substituting for letters. A prime example:
ST0P Paying T00 MUCH for 1NSURANCE
Easy to stop, but its silly to make tests for every word in the dictionary. Anyone
have some already assembled?
D
this not have the
>same affect as tar pitting spammers? Especially since the pro spammers send
>the same spam run through many different servers.
>
>Just thinking outloud.
>
>Rick Davidson
>Buckeye Internet Inc
>www.buckeyeweb.com
>440-953-1900 ext: 222
>
>- Origi
Interesting Scott,
I'm not sure I want to do "true" tarpitting, I want the spam to get through eventually
(just in case its not), just way after the legitimate stuff. I use Netscreen
firewalls and their technical info says throttling to less than 10kbps risks dropping
the connection. The idea
I'm intrigued by this idea. During a given minute of time I may get 1000 messages.
1/4 of them are slown down (occupying more SMTP/Declude sessions), but the burdon is
spread out.
Can this be applied to increase server capacity? If I throttle, at the firewall, the
IPs of spammers, will the l
Perhaps a test, that when there are 2 IPs, sees if they match?
Dan
On Monday, June 16, 2003 12:57, Bill B. <[EMAIL PROTECTED]> wrote:
>You can set up a filter to add a weight for that IP
>speciffically:
>
>HELO 10 CONTAINS 216.220.106.24
>
>Or you could set up a filter to add a weight to any
://ftp.XYZ/IMail
>
>Replace XYZ with the domain of my email address.
>
>Regards,
>Kami
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
>Sent: Sunday, June 15, 2003 6:18 PM
>To: [EMAIL PROTECTED]
>Subject:
.biz is getting worse with time. By in large, these are sent from general purpose
(dialup and broadband) US based accounts, referencing Asian IPs. To counter this,
I've begun harvesting .biz domains from the bodies of captured spam - for use in hard
tests. My first day's catch:
BODY0
One other option is not to hold the mail at all. I use these in my action files
ROUTETO[EMAIL PROTECTED]
Where caught messages are delivered to accounts, one for each domain. There's less
control and this may not work if the those getting the spam aren't checking it.
Dan
On Thursday, J
This one came out of no where:
Msg failed SpamDomains (Spamdomain '@mail.com' found: Address of [EMAIL PROTECTED]
sent from invalid .).
Dan
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsu
Kami,
Would this be different tests from whats seen by http://www.rfc-ignorant.org/, or just
an all inclusive version?
Dan
On Tuesday, June 10, 2003 3:31, Kami Razvan <[EMAIL PROTECTED]> wrote:
>Scott:
>
>Have you ever considered adding a test that simply detects rfc-ignorant
>setup?
>
>This
I finally have enough clients to have a load on my overflow server. Turning DECODE on
and off, OFF cuts the length of the big CPU load plateaus by a half. The little
plateaus are reduced back to spikes.
Is anyone else trying and seeing this? I'm running 1.70 (no i).
Dan
---
[This E-mail was
>..rr.com .rr.net
>
>would required a REVDNS that contains ".rr.com", to use a
>HELO string containing either ".rr.com" or ".rr.net". Or
>perhaps the other way around.
>
>Bill
>
>
>-Original Message-
>From: Dan Patnode
&g
Thanks for the question Bill,
Looking back at my original posting, I showed RNDS, then said "all the domains those
IPs use". The intent is to ignore MAILFROM (which Spam Domains already checks) and
compare only IP with RDNS.
Scott,
Would that still be effective?
Dan
On Sunday, June 8, 2
Bill,
Thats a good thing to keep in mind, however it wouldn't compare IP to MAILFROM, it
would compare only IP to RDNS. It would only check for forged RNDS, not carring if
you use @webmail.us. Here's an example from Road Runner:
24.88.0.13ae88-0-013.sc.rr.com
Someone on this IP sending
Scott,
Another idea for a new test, a close cousin to the SpamDomains test:
>Received: from styggen.com [24.208.153.243] by mx2.spamsoap.com
>(SMTPD32-7.15) id A288E80090; Fri, 06 Jun 2003 10:42:32 -0700
This message came from a road runner IP. How about a test where we build a list of
CIDRs f
work just fine.
>
>Bill
>- Original Message -
>From: "Dan Patnode" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 06, 2003 3:33 PM
>Subject: Re: [Declude.JunkMail] spamdomains list
>
>
>So then these also won
So then these also won't work:
@2die4.com outblaze.com
@accountant.com outblaze.com
@adexec.com outblaze.com
@africamail.com outblaze.com
@allergist.com outblaze.com
@alumnidirector.com outblaze.com
@archaeologist.com outblaze.com
@arcticmail.com outblaze.com
@artlover.com out
I take back what I said, I do have a low weighted test for .biz based links:
BODY0 CONTAINS.biz/
Dan
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an
Markus,
I've been giving the subject of @'s in spamdomain tests some thought. With the
original one column test, there was no way an @ was going to be in the RDNS so using
it meant automatic failure. With the new two column format, this should now work:
@tin.itTin.it
@tin.itTuttopmi.
Thats interesting, I upgraded both of the problem servers to 1.70 two days (about 36
hours) before this hit. I'm going to see if I can switch back to 1.69iX to see if
there is a difference.
Dan
On Wednesday, June 4, 2003 14:50, Frederick Samarelli <[EMAIL PROTECTED]> wrote:
>I have noticed th
I played with a content body test for .biz/ and had FPs in no time. You can play with
a low weight test with these, but their use will only increase with time. I treat
them the same as .net/.org/.com, one [painfully slow] iteration at a time.
Dan
On Wednesday, June 4, 2003 6:19, Kami Razvan
Scott,
The servers in question are not [yet] running Declude Virus so what happened should be
a purely Declude JunkMail question. With as lean as Declude is, looks like the only
way to test this is in the moment. During yesterdays "moment", it was tuff to sit by
turning off one test at a time
t;
>I am interested to see if this helps you if you try it.
>
>Regards,
>Kami
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
>Sent: Tuesday, June 03, 2003 9:36 PM
>To: [EMAIL PROTECTED]
>Subject: [Declude.JunkMai
We added about 350 users to our 2000+ user dual server configuration in the last week
and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped
looking like its normal Donky Kong video game simulation (up and down) and more
resembled a 100% highway with a few dips. D
I generally avoid sounding like a cheer leader, but this test is sweet! (inside a
weighting system)
The structure of the text file is a simple list of domains, like:
Ameritech.net
Amrer.net
Angelfire.com
Aol.com
When a domain FPs on a predictable variation, just tab over and put in the domai
Tommi,
There seems to be a feature for this built into Imail, but as usual, tests outside of
Declude aren't really useful. I got into trouble last week when the default setting
bounced a non spam.
Dan
On Tuesday, May 27, 2003 5:50, Tommi Penttinen <[EMAIL PROTECTED]> wrote:
>At 08:54 26.05.
For those you who track obfuscation techniques:
Besides
http://%
be sure to add a test for
http://w%77w.
it case the actual address starts with http://www.
Dan
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
I have some insight on the date issue.
Macs tell time by counting the amount of time since a date in 1903 (something to do
with the Wright Brothers), used as time zero. It makes them automatically y2k savvy,
but it also means that when a particular machine's been around long enough for the
c
I've seen a newsletter with 27 comments (motely fool), but there seems to be a sweet
spot between 10 and 20. Just make sure you use it as a weighted test.
I'm expecting the rationale & configuration that works with html counting to also work
with the new subject count tests, for similar reasons
wrote:
>Dan, what is the "mailfromSTRICT" test?
>
>Bill
>- Original Message -
>From: "Dan Patnode" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Thursday, March 20, 2003 2:31 PM
>Subject: [Declude.JunkMail] Spaced Out
Kami,
I requested this. I see many spam and more importantly, spam thats not getting caught
by other tests, with exceptionally long subject names, often with ten words or more.
This idea is, of course, completely untried/untested, but my hopes are high.
Dan
On Thursday, March 20, 2003 3:23,
A new spammer technique, though he still managed to fail:
mailfromSTRICT
MAILFROM
HELOBOGUS
SouthAmerica
Asia
SPAMHEADERS
:)
U N I V E R S I T Y D I P L O M A S
O b t a i n a p r o s p e r o u s f u t u r e , m o n e y e a r n i n g p
o w e r , a n d
t h e a d m i r a
Should have figured there were ISPs on this list. Let me get more specific on needs
((please reply off list. Non ISPs, let me know if you want to see the results)):
We have our own servers and do hosting for ourselves and several hundred other
businesses and people. We need about 5U of spac
1 - 100 of 148 matches
Mail list logo