For ebay, you may want to add to spamdomains: .ebay.com .emailebay.com
Bill

----- Original Message -----
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 21, 2003 2:02 AM
Subject: RE: [Declude.JunkMail] This one eBay fraud.. came right through..

> Hi Matt:
>
> :) on /pics/
>
> Actually we have had (surprisingly) good results with that. I just checked
> and our weight on this is 10.
>
> Question.. I did not think that the filter weight is cumulative on a single
> hit, meaning if I have 10 of the /pics/ in the body of email I do not think
> the final weight will be 100. I thought once a filter is hit it is only
> counted once.
>
> Scott... True? False?
>
> As for Spamdomains.. You are right. We have PayPal as:
>
> @paypal.com .paypal.com
>
> But not eBay. eBay is added now..
>
> @ebay.com .ebay.com
>
> Has anyone seen any other variation for eBay?
>
> Regards,
> Kami
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Thursday, November 20, 2003 6:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] This one eBay fraud.. came right through..
>
> Kami,
>
> Your Body URL filter caught "/pics/" in this message (just once though).
> Even though that didn't cause it to fail, a site that includes this in each
> of their links could easily go over the delete weight on your system as it
> stands right now without a MAXSCORE feature. Just a heads up as this seems
> to be a common directory name.
>
> There seems to be some code in there to help it get some credit. The
> offending URL of course is:
>
> cgi5-update[dot]com
>
> Looked it up and also found he has cgi4-update[dot]com freshly registered
> through a different registrar than that, but both are less than 3 days old.
> I'd say block the URLs, but how long do these things live?
>
> Suggestion...put eBay in your SPAMDOMAINS file. Same goes for PayPal and
> every other source that might be the target of such fraud or a virus spoof
> such as Norton, McAfee and Microsoft. I don't have all the REVDNS info, but
> I'll bet you can find at least some of their mail servers by searching
> SenderBase and doing some MX lookups. This would be a good thing to share,
> and you could put it in a separate file and score it higher since most of us
> don't have people sending us greeting cards and the like using addresses
> from these corporate domains. ISPs should be scored lower due to such
> problems.
>
> There was also an IP in there with a reverse DNS that points to
> www.aquirerealty.com which was registered only a month ago from yet another
> registrar:
>
> Registrant:
> aQuire Realty
> 110 Ayala Court
> Los Gatos, CA 95032
> US
> 408-358-9138
> Fax:408-358-9138
>
>
> Domain Name: AQUIREREALTY.COM
>
> Administrative Contact:
> Priest, Lonnelle [EMAIL PROTECTED]
> 110 Ayala Court
> Los Gatos, CA 95032
> US
> 408-358-9138
> Fax:408-358-9138
>
>
> Technical Contact:
> Priest, Lonnelle [EMAIL PROTECTED]
> 110 Ayala Court
> Los Gatos, CA 95032
> US
> 408-358-9138
> Fax:408-358-9138
>
>
> Record last updated 08-22-2003 01:02:57 PM
> Record expires on 06-18-2005
> Record created on 06-18-2003
>
> Domain servers in listed order:
> NS11A.VERIO-WEB.COM 161.58.148.38
> NS11B.VERIO-WEB.COM 161.58.148.98
>
>
> I'm guessing that this is fake info, although they have an account with
> Verio, so there is some financial trail there if anyone wants to try and
> jail the punk.
>
> Matt
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
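
The sender-domain check discussed in this thread, as an added Python example (it is not part of any poster's message and is not Declude's code): it reads the three entries quoted above and flags mail that claims a listed sender domain but arrives from a host whose reverse DNS does not belong to it. Assumptions: each entry is read as a sender-address ending followed by the reverse-DNS ending(s) the connecting host must have, matching is done on a label boundary, and every sample except the www.aquirerealty.com host name is constructed.

```python
# Added illustration: a model of a sender-domain / reverse-DNS consistency check.
# The matching rules are assumptions made for this example, not Declude's code.
SPAMDOMAINS = """\
@paypal.com .paypal.com
@ebay.com .ebay.com
.ebay.com .emailebay.com
"""

def parse_spamdomains(text):
    """Return [(sender_ending, [allowed_rdns_ending, ...]), ...]."""
    rules = []
    for line in text.splitlines():
        fields = line.lower().split()
        if len(fields) >= 2:
            rules.append((fields[0], fields[1:]))
    return rules

def host_matches(host, ending):
    """Match on a label boundary: '.ebay.com' accepts 'mx1.ebay.com' and
    'ebay.com' but rejects 'notebay.com' and 'ebay.com.example.net'."""
    host = host.lower().rstrip(".")          # PTR answers may end with a dot
    bare = ending.lstrip(".")
    return host == bare or host.endswith("." + bare)

def check_sender(rules, mail_from, rdns):
    """'n/a' if no entry covers the sender, otherwise 'pass' or 'fail'."""
    sender = mail_from.strip().lower()
    for sender_ending, allowed in rules:
        if sender.endswith(sender_ending):
            if rdns and any(host_matches(rdns, e) for e in allowed):
                return "pass"
            return "fail"    # protected name, unrelated host or no PTR at all
    return "n/a"

# Constructed samples: (envelope sender, reverse DNS of connecting IP or None).
# Only www.aquirerealty.com comes from the thread; the rest is made up.
SAMPLES = [
    ("billing@ebay.com", "www.aquirerealty.com"),
    ("member@ebay.com", "mx1.ebay.com."),
    ("news@reply.ebay.com", "mta7.emailebay.com"),
    ("service@paypal.com", "mail.paypal.com.example.net"),
    ("service@paypal.com", None),
    ("friend@example.org", "host.example.org"),
]

def run_samples():
    rules = parse_spamdomains(SPAMDOMAINS)
    return [check_sender(rules, s, r) for s, r in SAMPLES]

if __name__ == "__main__":
    for (sender, rdns), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:5} {sender:24} {rdns}")
```

The fourth sample shows why a substring test on the reverse DNS would be too weak: the protected name appears inside the host name, but the host does not end in it.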
