[MBF] Re: Abuse & Postmaster

2016-11-22 Thread John Tolmachoff
It is still a very legitimate tool. However, what you should do about the 
results depends upon why you are checking a domain. Also, failure of a domain 
on the abuse and postmaster really means nothing in terms of anti-spam scanning. 
I do not know of any system that would do a direct test of an abuse or 
postmaster (or root for that matter) email address. They instead use the abuse 
and postmaster blacklists which is a verified source.

-Original Message-
From: "Martin Margheim" 
Sent: Tuesday, November 22, 2016 12:59am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Abuse & Postmaster

As implied in my query, suspicion the toolset used is not legitimate for
today's use. I think you have further confirmed. The additional ideas are
appreciated

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Andy Schmidt
Sent: Monday, November 21, 2016 6:46 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Abuse & Postmaster

 

Hi Martin,

 

There is no way at all for any external party (a black list, DNSSTUFF or a
recipient SMTP server) to determine whether inside your Imail or SmarterMail
configuration you defined a particular email address (such as
Postmaster@..., Abuse@... or Root@...) as a separate mailbox or as a
forwarding alias. All that's visible to the outside is whether your server
accepts an email address as valid - or not.

 

So - a few things are possible:

 

a)   A bug in the testing tool you are using, or

b)  Your mail server having rejected an email from the testing tool's
SMTP relay because it fails some OTHER rule, or

c)   Your mail server's IP address currently being listed in one of the
"non-compliant servers" black list, and your testing tool is reporting THAT.

 

Outside of those most likely scenarios, there are also some servers that
don't care much about the "abuse" contact for your DOMAIN name, because the
assumption is that spammers will register new (or hack reputable) domain
names all the time. Instead, they use the "WHOIS" information of your
provider's IP block to see if IT contains an abuse contact - since that would
be a much more likely "legitimate" abuse contact.

 

The problem comes in with SWIPing. When providers have various WHOIS entries
for countless delegated segments of their huge IP blocks, they don't always
bother to populate all those fields down the stream. While a human would
have the sense to follow the chain up to the ultimate parent organization
and readily find their official abuse contacts - it's not unusual for
attempted spam filters to fail miserably and consider the individual IP
block as missing an abuse contact.

Best Regards
Andy Schmidt

  600 East Crescent Avenue, Suite 203
  Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

  http://www.HM-Software.com/  

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of Martin Margheim
Sent: Monday, November 21, 2016 15:11
To: community@mailsbestfriend.com
Subject: [MBF] Abuse & Postmaster

 

I have been working with the premise that postmaster and abuse email
accounts could be operated as alias email addresses. However, for whatever
reason, a check this morning using DNSTUFF's Professional Toolset results in
reporting no abuse or postmaster email exists.

 

Perhaps this is result of how the toolset checks for email addresses.
After all, it is a rather dated toolset and perhaps never been updated,
particularly since acquired by SolarWinds no longer a subscription DNS Tool.

 

Thoughts?

 

Martin




#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  



[MBF] Test to match the HELO with REVDNS

2016-09-07 Thread John Tolmachoff
Now using SmarterMail with Declude. Used to use Alligate with Declude. Alligate 
had a test that compared the HELO to the REVDNS and if the domain portion did 
not match it failed.

I am looking to replicate that in Declude. Anyone have a way to do that?

John T
eServices For You





[MBF] Re: Help with PCRE

2016-08-29 Thread John Tolmachoff
Thanks Andy. You come through again. I will be testing and will let you know 
how it goes.

-Original Message-
From: "Andy Schmidt" <andy_schm...@hm-software.com>
Sent: Friday, August 26, 2016 5:10pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Uh - okay. The problem is NOT the order (or the fact that the last item 
wouldn't have a whitespace character, which could be handled easily).

The real problem is that a match will ONLY be made if every single "token" in 
your string  is actually included in your list of alternatives. The problem is 
that I see now that you have OTHER tokens in your string that are NOT in your 
list - which your RegEx does not permit. 

The following works with all your examples:

(((\S*\s)*(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS)\s?){4,})

This is NOT matched, because there are not four of them:
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB  

This IS matching PSKY, NEWERDOMAIN, ROUTING, SORBS:
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

This is NOT matched, because it only matches PSKY, ROUTING and SORBS:
PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

Please note, that at present it will only match FULL words - so " BADHELO " is 
NOT a match for " HELO ", " BADHEADERS " is NOT a match for " HEADERS ", etc.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:25 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

OK this is working now, sort of:

(?:(LASHBACK\s|PSKY\s|NEWERDOMAIN\s|HEADERS\s|ROUTING\s|MAILSPIKE-L[1-5]\s|HELO\s|SORBS\s|SPAMCOP\s|DNS\s){4,})

Here are examples
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB 

That is in the Declude logs. BUT it only works if there are no breaks.

SO
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO Only matches the first 4 but not 
BADHEADERS SORBS BADHELO

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO DOES NOT WORK Finds no matches since 
it does not find 4 in a row of the above choices, even though the entire string 
contains 6 of the above choices.
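
The patterns from this thread, run against its own sample log lines, as an added example that is not part of the original messages. Python's re module stands in for Declude's PCRE engine (an assumption that holds for the constructs used here); the `MID_WORD_START` line and the `whole_word_strict` pattern are constructed for illustration and go beyond what was posted.

```python
import re

# Test names copied from the alternation list posted in the thread.
TOKENS = ("LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|"
          "HELO|SORBS|SPAMCOP|DNS")
# Assumption: MAILSPIKE-L is followed by a digit 1-5, as the character class
# in one of the posted attempts suggests.
STRICT_TOKENS = TOKENS.replace("MAILSPIKE-L", "MAILSPIKE-L[1-5]")

PATTERNS = {
    # First attempt: {4,10} binds only to the final "S" of DNS, so any single
    # name in the list is enough to match.
    "quantifier_inside": r"(?i:" + TOKENS + r"{4,10})",
    # Quantifier moved outside the list: four names must be directly adjacent,
    # with nothing (not even a space) between them.
    "quantifier_outside": r"(?:" + TOKENS + r"){4,}",
    # Final pattern from the thread: skips unrelated tokens between names.
    "skip_other_tokens": r"(((\S*\s)*(" + TOKENS + r")\s?){4,})",
    # Added variant (not from the thread): every counted name must be a
    # complete whitespace-delimited token.
    "whole_word_strict": r"(?:(?<!\S)(?:" + STRICT_TOKENS + r")(?!\S).*?){4}",
}

# Sample log lines from the thread, re-joined onto one line each.
ONE_HIT = "PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB"
FOUR_HITS = ("PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB "
             "ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO")
THREE_HITS = ("PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB "
              "ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO")
# Constructed line: three whole-word names, plus HELO only inside BADHELO.
MID_WORD_START = "BADHELO PSKY ROUTING SORBS"

SAMPLES = {
    "ONE_HIT": ONE_HIT,
    "FOUR_HITS": FOUR_HITS,
    "THREE_HITS": THREE_HITS,
    "MID_WORD_START": MID_WORD_START,
}


def fires(pattern_name, line):
    """True if the named pattern finds a match anywhere in the line."""
    return re.search(PATTERNS[pattern_name], line) is not None


def substring_hits(line):
    """Names found anywhere, including inside longer test names (REVDNS)."""
    return re.findall(TOKENS, line)


def whole_token_hits(line):
    """Names that make up an entire whitespace-delimited token."""
    exact = re.compile(STRICT_TOKENS)
    return [tok for tok in line.split() if exact.fullmatch(tok)]


def report():
    """Map each sample to the patterns that fire and the two hit counts."""
    result = {}
    for label, line in SAMPLES.items():
        result[label] = {
            "fires": [name for name in PATTERNS if fires(name, line)],
            "substring_hits": len(substring_hits(line)),
            "whole_token_hits": len(whole_token_hits(line)),
        }
    return result


if __name__ == "__main__":
    for label, row in report().items():
        print(label, row)
```

The unanchored search in `skip_other_tokens` can begin in the middle of the first token, which is why the constructed `MID_WORD_START` line matches it with only three whole-word names present.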






[MBF] Re: Help with PCRE

2016-08-26 Thread John Tolmachoff
OK this is working now, sort of:

(?:(LASHBACK\s|PSKY\s|NEWERDOMAIN\s|HEADERS\s|ROUTING\s|MAILSPIKE-L[1-5]\s|HELO\s|SORBS\s|SPAMCOP\s|DNS\s){4,})

Here are examples 
PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB 

That is in the Declude logs. BUT it only works if there are no breaks.

SO
PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO
Only matches the first 4 but not BADHEADERS SORBS BADHELO

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS 
SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO
DOES NOT WORK Finds no matches since it does not find 4 in a row of the above 
choices, even though the entire string contains 6 of the above choices.


-Original Message-
From: "Andy Schmidt" <andy_schm...@hm-software.com>
Sent: Friday, August 26, 2016 4:05pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

What is a sample of the actual string you are searching? Are there any 
separation characters we need to allow for?


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" <david.bar...@mailsbestfriend.com>
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You



[MBF] Re: Help with PCRE

2016-08-26 Thread John Tolmachoff
That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" <david.bar...@mailsbestfriend.com>
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. 
So test to be sure. Just to correct the syntax Declude, you want to use the 
following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You





[MBF] Help with PCRE

2016-08-26 Thread John Tolmachoff
I am trying to create a Regex filter that will only trigger if 4 or more tests 
have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 
4 or more have failed.

Any suggestions?

John T
eServices For You





[MBF] Re: Odd attachment header for an Excel file

2016-08-18 Thread John Tolmachoff
Thanks Andy, you are always good for a detailed explanation.

However, that means I have to go back to the drawing board on what I am trying 
to accomplish. That is to catch DOC and XLS files that are NOT created by the 
appropriate MS program such as all the DOC files that are virus laden lately.

-Original Message-
From: "Andy Schmidt" <andy_schm...@hm-software.com>
Sent: Thursday, August 18, 2016 2:33pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Odd attachment header for an Excel file

Hi John,

Actually - the "filename" parameter is assigned to the "Content-Disposition" 
headers - and that's where I'm used to seeing it (however, I admit to seldom 
having reason to look for it):
http://www.iana.org/assignments/cont-disp/cont-disp.xhtml

I never noticed that parameter being added to the Content-Type header - and 
haven't been able to find any reference that this is where an application 
should expect a file name.

>> either a LF, CR, TAB or Space <<

It should NEVER be EITHER a "LF" or "CR". The only valid character sequence in 
a header MUST be a CRLF combination - they MUST NOT appear individually. If 
they do, this email structure is NOT MIME compliant which typically means it 
was created by some application programmer who knows his programming language, 
but is ignorant about the environment he is targeting.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Thursday, August 18, 2016 5:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Odd attachment header for an Excel file

I have captured a valid email message with the following for an Excel 
attachment:

--_42177162-4ccf-48c3-8dd6-dfe95c8acffa_
Content-Type: application/vnd.ms-excel
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="INV OFFER 081816.xls"

What is ODD is that I have always seen after the Content-Type: 
Application/vnd.ms-excel immediately followed by a : (colon) then either a LF, 
CR, TAB or Space and then "name=filenamehere"

Has anyone else seen this? It is from an MSN email address and came properly 
through Hotmail.com servers.

John T
eServices For You
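
The two header points discussed in this thread, as an added example that is not part of the original messages: where the attachment name is carried (the `filename` parameter of Content-Disposition versus a `name` parameter on Content-Type) and whether a header block contains a bare CR or LF instead of CRLF. It uses Python's standard email package; the first sample reproduces the headers quoted in the thread, while `constructed.xls` and the other two samples are constructed.

```python
import re
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

# A CR not followed by LF, or an LF not preceded by CR.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Headers of the Excel part as quoted in the thread, with CRLF line endings.
PAGE_SAMPLE = (
    b"Content-Type: application/vnd.ms-excel\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="INV OFFER 081816.xls"\r\n'
    b"\r\n"
)

# Constructed: name= carried on Content-Type, folded with CRLF + TAB.
NAME_ON_CONTENT_TYPE = (
    b"Content-Type: application/vnd.ms-excel;\r\n"
    b'\tname="constructed.xls"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
)

# Constructed: same header, but folded with a bare LF (not MIME compliant).
FOLDED_WITH_BARE_LF = (
    b"Content-Type: application/vnd.ms-excel;\n"
    b'\tname="constructed.xls"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
)


def _param(msg, name, header):
    """Return one header parameter as a plain string, or None if absent."""
    value = msg.get_param(name, failobj=None, header=header)
    if value is None:
        return None
    # get_param returns a 3-tuple for RFC 2231 encoded values; flatten it.
    return collapse_rfc2231_value(value)


def inspect_part_headers(raw_headers):
    """Report line-ending compliance and where the attachment name lives."""
    msg = message_from_bytes(raw_headers)
    return {
        "bare_cr_or_lf": BARE_CR_OR_LF.search(raw_headers) is not None,
        "content_type_name": _param(msg, "name", "content-type"),
        "disposition_filename": _param(msg, "filename", "content-disposition"),
        # get_filename() checks Content-Disposition first, then Content-Type.
        "effective_filename": msg.get_filename(),
    }


if __name__ == "__main__":
    for label, raw in (("page sample", PAGE_SAMPLE),
                       ("name on Content-Type", NAME_ON_CONTENT_TYPE),
                       ("bare LF fold", FOLDED_WITH_BARE_LF)):
        print(label, inspect_part_headers(raw))
```

A filter that only looks for `name=` after the Content-Type line sees nothing in the first sample, even though the part carries an .xls attachment.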






[MBF] Odd attachment header for an Excel file

2016-08-18 Thread John Tolmachoff
I have captured a valid email message with the following for an Excel 
attachment:

--_42177162-4ccf-48c3-8dd6-dfe95c8acffa_
Content-Type: application/vnd.ms-excel
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="INV OFFER 081816.xls"

What is ODD is that I have always seen after the Content-Type: 
Application/vnd.ms-excel immediately followed by a : (colon) then either a LF, 
CR, TAB or Space and then "name=filenamehere"

Has anyone else seen this? It is from an MSN email address and came properly 
through Hotmail.com servers.

John T
eServices For You





[MBF] Re: REGEX line length limit

2016-08-18 Thread John Tolmachoff
Sort of answering my own question, I have a REGEX PCRE statement that is 169 
characters long with no problems.

-Original Message-
From: "John Tolmachoff" <johnl...@eservicesforyou.com>
Sent: Wednesday, August 17, 2016 2:14pm
To: community@mailsbestfriend.com
Subject: [MBF] REGEX line length limit

What is the limit in length for a REGEX PCRE statement in Declude?

John T
eServices For You





[MBF] REGEX line length limit

2016-08-17 Thread John Tolmachoff
What is the limit in length for a REGEX PCRE statement in Declude?

John T
eServices For You





[MBF] Re: Scanning a PDF

2016-07-06 Thread John Tolmachoff
And does this REGEX string look right?

(?i:\>\>\/Encoding\<\<\/pdfdocencoding([A-Z 0-9\>]+)\<\<\/javascript([A-Z 0-9]+)\/embeddedfiles)

-Original Message-
From: "John Tolmachoff" <johnl...@eservicesforyou.com>
Sent: Wednesday, July 6, 2016 11:44am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Scanning a PDF

To clarify, is it possible to have Declude look for a line like this: 

">>/Encoding<>>>>>endobj39 0 obj<
Sent: Wednesday, July 6, 2016 11:37am
To: community@mailsbestfriend.com
Subject: [MBF] Scanning a PDF

When Declude finds a PDF attachment does it decode it (base64) and then scan it?

John T
eServices For You





[MBF] Re: Scanning a PDF

2016-07-06 Thread John Tolmachoff
To clarify, is it possible to have Declude look for a line like this: 

">>/Encoding<>endobj39 0 obj<
Sent: Wednesday, July 6, 2016 11:37am
To: community@mailsbestfriend.com
Subject: [MBF] Scanning a PDF

When Declude finds a PDF attachment does it decode it (base64) and then scan it?

John T
eServices For You





[MBF] Scanning a PDF

2016-07-06 Thread John Tolmachoff
When Declude finds a PDF attachment does it decode it (base64) and then scan it?

John T
eServices For You





[MBF] Action on negative weightrange

2016-05-11 Thread John Tolmachoff
I have a weightrange setup for negative totals, but it does not seem to be 
working. 

WEIGHTNEGATIVE weightrange x x -1 -1000

Any thoughts?

John T
eServices For You





[MBF] BANNAME with space

2016-05-11 Thread John Tolmachoff
What is the proper way to use BANNAME in the virus.cfg for an attachment that 
has a space in it?

John T
eServices For You





[MBF] Re: how to deal with emailreg.org?

2016-05-06 Thread John Tolmachoff
Friends don't let friends use a Cuda!

Although they do make good bait for big Groupers.


John T
eServices For You





[MBF] Re: Filter flub?

2016-04-29 Thread John Tolmachoff
ROFLMAO

Thanks David, I needed the laugh.

-Original Message-
From: "David Barker | Mail's Best Friend | 1-866-919-2075" 

Sent: Thursday, April 21, 2016 2:00pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Filter flub?

Ah it was an HP Support ticket.. (You didn't mention that). the answer is
obviously then a very very very VERY..bad spam message ;)

 







[MBF] oledata.mso question

2016-04-15 Thread John Tolmachoff
To block or not to block, what are you doing?

The oledata.mso file contains images that a sender has embedded into an HTML email 
message created by Outlook. The problem I believe is the Declude AV can only 
scan the oledata.mso as a file, but it cannot really know what is within the 
file without reassembling the actual email message to see what the actual 
embedded files are.

John T
eServices For You





[MBF] Verizon.net email now AOL

2016-03-21 Thread John Tolmachoff
OK, so just in case I am NOT the last one to learn this, Verizon.net email now 
goes through AOL servers. This affects the SPAMDOMAINS test. 

Very sad. I mean, Verizon is bad enough, but moving to America Off Line is 
going backwards.

This only affects Verizon.net customers in CA, FL and TX.

John T
eServices For You





[MBF] Re: Gauntlet not moving files back into spool

2016-02-16 Thread John Tolmachoff
Any update on this please? With sugar on top?

-Original Message-
From: "Linda Pagillo" <linda.pagi...@mailsbestfriend.com>
Sent: Thursday, August 6, 2015 12:25pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet not moving files back into spool

Nice workaround! I'm hoping to have a perm fix for you soon.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606




-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Thursday, August 06, 2015 2:24 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet not moving files back into spool

What I am doing in the mean time is a simple little script. Runs every hour, 
moves anything in the Gauntlet folder to Gauntlet\OneHour folder then the next 
run moves anything in the OneHour folder into the Spool folder for 
reprocessing. May not be best, but functional. Delays to email will be between 
1:59:59 to 59:59.

-Original Message-
From: "Linda Pagillo" <linda.pagi...@mailsbestfriend.com>
Sent: Thursday, July 30, 2015 2:40pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet not moving files back into spool

Hi everyone. I wanted to update you all on the answer to John's issue. After 
review, we found that the problem is happening because currently, Gauntlet does 
not recognize the Alligate file extensions (.dta and .ctl). I have spoken with 
our team and we will be including recognition of those extensions in our next 
release of Gauntlet which will resolve the issue for people using Alligate. I 
apologize, but I do not have an ETA as to when it will be available, but we 
will announce it here when it is released. Thanks for your patience.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Linda Pagillo
Sent: Wednesday, July 29, 2015 1:55 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet not moving files back into spool

Hi John. I apologize for the delay. Is there any way I can have RDP access to 
your server to check this out? If yes, please email me directly at 
linda.pagi...@mailsbestfriend.com with the credentials. Once I find the answer 
I will post it publicly to help other folks in the community. Thanks!

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Wednesday, July 29, 2015 1:09 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet not moving files back into spool

Bueller? Bueller?

-----Original Message-
From: "John Tolmachoff" <johnl...@eservicesforyou.com>
Sent: Tuesday, July 28, 2015 1:21pm
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet not moving files back into spool

I have just discovered that files (Alligate Gateway which is Imail server) 
being caught by the Declude Gauntlet test are never moved from the Gauntlet 
folder back to the spool. DRGOutflow.exe is running and I can see it checking 
the directory every minute using Process Monitor, but no action is ever taken.

My configuration is such: (the command line is continuous, broken here for easy 
to read)

[Process1]
CommandLine= 
 '
 "C:\Interceptor\Alligate\declude\DRGOutflow.exe"
 "i=C:\Interceptor\Alligate\Spool\Gauntlet"
 "o=C:\Interceptor\Alligate\spool\proc"
 "d=60"
 '
PauseStart= 100
PauseEnd= 100
UserInterface = No
Restart = Yes

John T
eServices For You


#
This message is sent to you because you are subscribed to
  the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to  <community-requ...@mailsbestfriend.com>





[MBF] Re: SKIPIFWEIGHT, MINWEIGHTTOFAIL and other

2015-12-09 Thread John Tolmachoff
SKIPIFWEIGHT: If testing of the message has so far resulted in a weight greater 
than the number here, this particular test will end and not be run. It has no 
bearing on any other test.

MINWEIGHTTOFAIL: Same, only affects this particular test. It has no bearing on 
any other test.



-Original Message-
From: "Martin Schaible" 
Sent: Wednesday, December 9, 2015 10:10am
To: community@mailsbestfriend.com
Subject: [MBF] SKIPIFWEIGHT, MINWEIGHTTOFAIL and other

Hello

I have never really understood these traps:

SKIPIFWEIGHT

A single line located at the top of your filter file, which will instruct
Declude JunkMail to skip the test

test in terms of the actual file or all, which might follow?

MINWEIGHTTOFAIL

This will instruct Declude JunkMail not to trigger the test unless a minimum
weight is reached.

Same here: If MINWEIGHTTOFAIL is set to 10, the actual file will be skipped
if 10 points are reached. Will other files be processed?

Same question for MAXWEIGHT

Thanks!

Btw: SmarterMail's DKIM tests refuse to accept mails from this mailing list.

Kind regards

--
netfusion GmbH | Martin Schaible
Mittelfeldstrasse 27 | CH-8700 Küsnacht | Switzerland
Tel.: +41 44 585 22 54

E-Mail:   mar...@netfusion.ch
Internet:   www.netfusion.ch |
 wiki.netfusion.ch
Portal:   portal.netfusion.ch

We are also on Facebook:
 www.facebook.com/NetfusionGmbH

--

John T
eServices For You





[MBF] Re: Test for short small HTML body with a URL in it

2015-11-18 Thread John Tolmachoff
 I agree I really do not want to do a hold unless I used it with Gauntlet, but 
even then. 

I have the test in place now and next week will run the logs and see how many 
times if any it made a difference, good or bad.

-Original Message-
From: "Markus Gufler | Limitis" <markus.guf...@limitis.com>
Sent: Tuesday, November 17, 2015 11:45pm
To: community@mailsbestfriend.com
Subject: [MBF] AW: Test for short small HTML body with a URL in it

I would recommend using it only in combination with at least one other 
indicator. 
A lot of people send simple links without any greetings, explanations or other 
blabla.

It would be an idea to keep such messages in a temporary queue and count the 
messages with different recipients and the same hostname in the link after one 
hour. If you see more than xx it could be held as spam. If not, forward it to 
the recipient. The problem in this special case is that the typical situation 
"two people talking on phone and one sends a message containing the link to..." 
is not compatible with such a temporary hold folder. One of them will call your 
support ...

greetings
Markus
 

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, 17 November 2015 19:25
To: community@mailsbestfriend.com
Subject: [MBF] Test for short small HTML body with a URL in it

I am seeing obvious spam emails getting through because the HTML body is very 
small and with a single link. It is that link that is the spam or malicious 
site, not the email itself.

So I am thinking of creating a filter test that would END if it fails 
MSGSIZE-56KB. It would then have one line:
BODY 10 CONTAINS href="http://

Any comments or suggestions?

John T
eServices For You
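
Added example, not part of the original messages or of Declude: one way to combine the two ideas in this thread, the short HTML body with a single link and the one-hour queue that counts distinct recipients per link hostname. The threshold (the thread only says "xx"), the text-length cutoff, and all hostnames and recipients are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkAndText(HTMLParser):
    """Collects the hostnames of <a href> links and the visible text."""

    def __init__(self):
        super().__init__()
        self.hosts = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlsplit(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.append(host.lower())

    def handle_data(self, data):
        self.text.append(data)


def single_link_host(html_body, max_text_chars=80):
    """Return the link hostname if the body is short and has exactly one link."""
    parser = _LinkAndText()
    parser.feed(html_body)
    parser.close()
    visible = " ".join("".join(parser.text).split())
    if len(parser.hosts) == 1 and len(visible) <= max_text_chars:
        return parser.hosts[0]
    return None


def review_queue(held, threshold=3, window=timedelta(hours=1)):
    """held: iterable of (received_at, recipient, html_body).

    Returns {hostname: (distinct_recipients, "hold" | "deliver")}, counting only
    messages received within `window` of the first message for that hostname.
    Messages that are not short single-link bodies are never queued.
    """
    by_host = defaultdict(list)
    for received_at, recipient, body in held:
        host = single_link_host(body)
        if host:
            by_host[host].append((received_at, recipient.lower()))
    decisions = {}
    for host, hits in by_host.items():
        first = min(ts for ts, _ in hits)
        recipients = {rcpt for ts, rcpt in hits if ts - first <= window}
        verdict = "hold" if len(recipients) > threshold else "deliver"
        decisions[host] = (len(recipients), verdict)
    return decisions


def sample_queue():
    """Constructed sample data; hostnames and recipients are placeholders."""
    t0 = datetime(2015, 11, 17, 9, 0)
    link = '<html><body><a href="http://promo.example.net/x">click</a></body></html>'
    queue = [(t0 + timedelta(minutes=10 * i), f"user{i}@example.com", link)
             for i in range(5)]
    # Same link again, but outside the one-hour window: not counted.
    queue.append((t0 + timedelta(hours=2), "late@example.com", link))
    # The "two people on the phone" case: one sender, one recipient.
    queue.append((t0, "bob@example.com",
                  '<p><a href="http://docs.example.org/spec">spec</a></p>'))
    # A longer message with a link is not a candidate at all.
    queue.append((t0, "carol@example.com",
                  "<p>" + "Meeting notes follow. " * 10 +
                  '<a href="http://wiki.example.org/">wiki</a></p>'))
    return queue


if __name__ == "__main__":
    for host, (count, verdict) in sorted(review_queue(sample_queue()).items()):
        print(f"{host}: {count} distinct recipients -> {verdict}")
```

The single-recipient link is still delayed by the length of the window before it is delivered, which is the support-call problem raised in the thread.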





[MBF] TEST IDEA

2015-11-17 Thread John Tolmachoff
I have a test idea but not sure how to implement it. (Suffering from head cold 
for last 5 days so not thinking clearly)

Test to see if the "TO" field in the headers contains more than 3 of the same 
name. Here is an example:

To: daryl , dave heasman
, dave , dave
, dave , dave
, dave , daved
, davek , 
davem
, david , david
, david , david
, dawnb , dawngluskin
, dbaykal , 
dditmer
, ddrees , deans


John T
eServices For You
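
Added example, not part of the original post or of Declude: the check described above, counting how often the same name appears in the To header and reporting names seen more than 3 times. The archive stripped the addresses from the example, so the addresses here are constructed placeholders; falling back to the local part when there is no display name is an assumption.

```python
from collections import Counter
from email import message_from_string, policy

# Display names in the order they appear in the example above; the addresses
# generated for them below are constructed placeholders.
NAMES = ["daryl", "dave heasman", "dave", "dave", "dave", "dave", "dave",
         "daved", "davek", "davem", "david", "david", "david", "david",
         "dawnb", "dawngluskin", "dbaykal", "dditmer", "ddrees", "deans"]


def sample_message():
    """Build a constructed message whose To header carries NAMES."""
    recipients = ", ".join(
        f"{name} <{name.replace(' ', '.')}{i}@example.com>"
        for i, name in enumerate(NAMES))
    return (f"From: sender@example.net\nTo: {recipients}\n"
            "Subject: constructed sample\n\nbody\n")


def repeated_names(raw_message, limit=3):
    """Return {name: count} for every To name that occurs more than `limit` times.

    The name is the display name, or the local part of the address when the
    recipient has no display name. Case and extra whitespace are ignored.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    counts = Counter()
    for field in msg.get_all("To", []):
        for addr in field.addresses:
            name = addr.display_name or addr.username
            counts[" ".join(name.lower().split())] += 1
    return {name: n for name, n in counts.items() if n > limit}


if __name__ == "__main__":
    for name, n in repeated_names(sample_message()).items():
        print(f"{name!r} appears {n} times in To")
```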





[MBF] REGEX help in GAUNTLET filter

2015-10-19 Thread John Tolmachoff
Which of the following is correct:

BODY 0 PCRE (?i:filename="[a-z0-9-_ ]{1,100}\.doc")
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)

To catch the following:

Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename=receipt.doc

I had thought the quotes were required, but with the quotes did NOT catch it.

Using RegExr.com indicates the quotes can not be used, but I know it has caught 
other emails with the quotes used.


John T
eServices For You





[MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-24 Thread John Tolmachoff
Thanks for the explanation Andy. But that still leaves the question as to why 
ESET AV reported could not be scanned while ClamAV reported a 0 meaning clean.

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, August 21, 2015 11:51am
To: community@mailsbestfriend.com
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet 
XLSX correctly

Winmail.dat is attached by Outlook when you choose Microsoft's legacy RICH 
TEXT as the message format, instead of HTML (or Plain Text.)   It predates 
SMTP, when there was a pre-Windows 2000 Microsoft Mail system for LANs...

If I remember correctly, there is even a setting buried inside the Outlook 
Contacts, where you can specify a preferred Email format for individual 
contacts. It's possible that (unknown to the user), some of his contacts have 
rich text... causing the same email to be formatted in different ways, 
yielding different results, for different recipients (but I'm vague on that 
one).

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Friday, August 21, 2015 2:43 PM
To: community@mailsbestfriend.com
Subject: [MBF] winmail.dat but Outlook opened it as an Excel spreadsheet XLSX 
correctly

OK, here is one I do not understand. This has happened at least 6 times that I 
know of in the last 2 days. An email was received and processed by Declude. It 
contained an attachment winmail.dat. BUT the sender had attached an XLSX file. 
After talking to the intended recipient (who also talked to the sender) the 
sender has stated that when he attached the XLSX file to the email, the file 
appeared as an EXCEL ICON in the body of the email not where you would normally 
see it under the subject line. This is in Outlook. The version he is using is 
Outlook 2013. (15.0) What caught the attachment was ESET AV had a result code 
of 10 which is some files could not be scanned (may be threats) which I then 
treat as infected.







[MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-24 Thread John Tolmachoff
In 3 instances, there was a XLSX file within the winmail.dat. The other 3 
instances, AFAIK, there was only a PDF file within the winmail.dat.

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Monday, August 24, 2015 11:13am
To: community@mailsbestfriend.com
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet 
XLSX correctly

Well, the question is whether ClamAV reported clean because it only looked 
at the byte pattern of some arbitrary file (in this case called 
winmail.dat), while ESET AV might have knowledge of winmail.dat files 
being containers, but it might not have any decoder for winmail.dat 
files. In this case it might know that there is some sort of attached file 
inside the winmail.dat, which potentially could be an executable, or a file 
that might contain macros, etc. - so it would (correctly) report it as 
can't be scanned to alert you that an embedded file is sneaking by.

I don't know this to be a FACT, I'm just throwing out a scenario that would 
account for the difference in behavior. You'd have to check with each vendor of 
course for an explanation.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] 
On Behalf Of John Tolmachoff
Sent: Monday, August 24, 2015 1:46 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet 
XLSX correctly

Thanks for the explanation Andy. But that still leaves the question as to 
why ESET AV reported could not be scanned while ClamAV reported a 0 
meaning clean.

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, August 21, 2015 11:51am
To: community@mailsbestfriend.com
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet 
XLSX correctly

Winmail.dat is attached by Outlook when you choose Microsoft's legacy RICH 
TEXT as the message format, instead of HTML (or Plain Text.)   It 
predates SMTP, when there was a pre-Windows 2000 Microsoft Mail system for 
LANs...

If I remember correctly, there is even a setting buried inside the Outlook 
Contacts, where you can specify a preferred Email format for individual 
contacts. It's possible that (unknown to the user), some of his contacts 
have rich text... causing the same email to be formatted in different 
ways, yielding different results, for different recipients (but I'm vague on 
that one).

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] 
On Behalf Of John Tolmachoff
Sent: Friday, August 21, 2015 2:43 PM
To: community@mailsbestfriend.com
Subject: [MBF] winmail.dat but Outlook opened it as an Excel spreadsheet 
XLSX correctly

OK, here is one I do not understand. This has happened at least 6 times that 
I know of in the last 2 days. An email was received and processed by 
Declude. It contained an attachment winmail.dat. BUT the sender had attached 
an XLSX file. After talking to the intended recipient (who also talked to 
the sender) the sender has stated that when he attached the XLSX file to the 
email, the file appeared as an EXCEL ICON in the body of the email not where 
you would normally see it under the subject line. This is in Outlook. The 
version he is using is Outlook 2013. (15.0) What caught the attachment was 
ESET AV had a result code of 10 which is some files could not be scanned 
(may be threats) which I then treat as infected.





[MBF] Declude AV recip.eml not sent because forging virus???

2015-08-24 Thread John Tolmachoff
In dealing with emails with winmail.dat attachments, Declude does not send out 
any email saying it is a forging virus, yet I do not see anywhere in the 
configuration where it would treat it as forging.

08/19/2015 06:36:12.618 002351919 Not sending .eml file since AUTOFORGING 
detected a forging virus.

John T
eServices For You





[MBF] OK, who is the comedian?

2015-08-24 Thread John Tolmachoff
Seen in the Declude Virus log set to Debug, with the AV scanner set at max 
number of processes.

08/24/2015 12:25:10.338 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:10.645 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:10.954 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:11.259 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:11.564 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:11.871 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:12.175 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:12.479 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:12.784 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:13.088 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:13.393 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:13.698 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:14.003 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:14.319 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:14.623 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:14.953 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:15.260 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:15.565 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:15.871 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:16.175 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:16.480 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:16.785 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:17.089 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:17.393 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:17.699 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:18.004 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:18.307 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:18.613 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:18.918 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:19.222 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:19.527 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:19.832 002358216 Sleeping; dreaming of free processes.

John T
eServices For You





[MBF] winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-21 Thread John Tolmachoff
OK, here is one I do not understand. This has happened at least 6 times that I 
know of in the last 2 days. An email was received and processed by Declude. It 
contained an attachment winmail.dat. BUT the sender had attached an XLSX file. 
After talking to the intended recipient (who also talked to the sender) the 
sender has stated that when he attached the XLSX file to the email, the file 
appeared as an EXCEL ICON in the body of the email not where you would normally 
see it under the subject line. This is in Outlook. The version he is using is 
Outlook 2013. (15.0) What caught the attachment was ESET AV had a result code 
of 10 which is some files could not be scanned (may be threats) which I then 
treat as infected.

Here is the attachment info from the actual email as seen by Declude:

--=_NextPart_000_0082_01D0DC02.ECC7B260
Content-Type: application/ms-tnef;
name=winmail.dat
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=winmail.dat

And from the headers:

MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0082_01D0DC02.ECC7B260
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook 15.0

So how is it that Outlook is (correctly) interpreting the winmail.dat as an 
XLSX file?

John T
eServices For You
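
Added example, not part of the original post and not code from Declude, ESET or ClamAV: winmail.dat is a TNEF container, and the attached file travels inside it as an attribute of that stream. The sketch below finds the application/ms-tnef part shown above, checks the TNEF signature and lists the attachment names it carries. The TNEF payload and the file name Report.xlsx are constructed for the example.

```python
import base64
import struct
from email import message_from_string, policy

TNEF_SIGNATURE = 0x223E9F78      # first four bytes of every TNEF stream
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2
ATT_TNEF_VERSION = 0x00089006    # message-level attribute
ATT_ATTACH_TITLE = 0x00018010    # attachment-level attribute: file name


def _attribute(level, attr_id, data):
    """Encode one TNEF attribute: level, id, length, data, 16-bit checksum."""
    return (struct.pack("<BII", level, attr_id, len(data)) + data
            + struct.pack("<H", sum(data) & 0xFFFF))


def build_sample_tnef(filenames):
    """Constructed, minimal TNEF stream holding only attachment titles."""
    blob = struct.pack("<IH", TNEF_SIGNATURE, 1)          # signature + key
    blob += _attribute(LVL_MESSAGE, ATT_TNEF_VERSION,
                       struct.pack("<I", 0x00010000))
    for name in filenames:
        blob += _attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE,
                           name.encode("ascii") + b"\x00")
    return blob


def list_tnef_attachments(blob):
    """Walk the attribute list and return the embedded attachment names."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos, names = 6, []
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        end = pos + 9 + length
        if end + 2 > len(blob):
            raise ValueError("truncated attribute data")
        data = blob[pos + 9:end]
        if struct.unpack_from("<H", blob, end)[0] != sum(data) & 0xFFFF:
            raise ValueError("attribute checksum mismatch")
        if level == LVL_ATTACHMENT and attr_id == ATT_ATTACH_TITLE:
            names.append(data.rstrip(b"\x00").decode("latin-1"))
        pos = end + 2
    return names


def embedded_files(raw_message):
    """Map each application/ms-tnef part to the file names it carries."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_type() == "application/ms-tnef":
            found[part.get_filename()] = list_tnef_attachments(
                part.get_payload(decode=True))
    return found


def sample_message():
    """MIME structure from the post; the payload is the constructed stream."""
    boundary = "=_NextPart_000_0082_01D0DC02.ECC7B260"
    payload = base64.encodebytes(build_sample_tnef(["Report.xlsx"])).decode("ascii")
    return (
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed;\n boundary="{boundary}"\n'
        "X-Mailer: Microsoft Outlook 15.0\n\n"
        f"--{boundary}\n"
        "Content-Type: text/plain\n\nSee attached.\n"
        f"--{boundary}\n"
        'Content-Type: application/ms-tnef;\n name="winmail.dat"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment;\n filename="winmail.dat"\n\n'
        f"{payload}"
        f"--{boundary}--\n"
    )


if __name__ == "__main__":
    print(embedded_files(sample_message()))
```

The walker reads only attachment-title attributes; it does not decode MAPI property blocks or extract the file contents, so it shows what a container-aware scanner has to unpack rather than replacing one.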





[MBF] Re: Gauntlet addition suggestion

2015-08-21 Thread John Tolmachoff
In trying to capture DOC attachments, someone provided the following line a 
while back:

BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc)

That was not working. After my fumbling around and testing, the correct line is 
as follows:

BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)

Note the quotation marks which are there in the email as well as the number of 
characters possibly present.
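
Added example, not part of the original posts or of Declude: the filter lines quoted in this message and in the "REGEX help in GAUNTLET filter" post, run against the Content-Disposition line from that post and three constructed variants. Python's re module stands in for Declude's PCRE engine (an assumption; the constructs used here behave the same in both), and the optional-quotes line is an added variant that is not from the thread.

```python
import re

# Filter lines quoted in the thread (Declude form: SCOPE WEIGHT PCRE pattern).
FILTER_LINES = {
    "no_quantifier": r'BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc)',
    "unquoted": r'BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)',
    "quoted": r'BODY 0 PCRE (?i:filename="[a-z0-9-_ ]{1,100}\.doc")',
    # Added variant, not from the thread: the quotes are optional.
    "optional_quotes": r'BODY 0 PCRE (?i:filename="?[a-z0-9-_ ]{1,100}\.doc"?)',
}

SAMPLES = {
    # As quoted in the "REGEX help in GAUNTLET filter" post.
    "bare": "Content-Disposition: attachment;\n filename=receipt.doc",
    # Constructed variants.
    "quoted": 'Content-Disposition: attachment;\n filename="receipt.doc"',
    "dotted": 'Content-Disposition: attachment;\n filename="invoice.2015.doc"',
    "docx": "Content-Disposition: attachment;\n filename=report.docx",
}


def parse_filter_line(line):
    """Split 'SCOPE WEIGHT PCRE pattern' and compile the pattern."""
    scope, weight, kind, pattern = line.split(None, 3)
    if kind != "PCRE":
        raise ValueError(f"not a PCRE filter line: {line!r}")
    return scope, int(weight), re.compile(pattern)


def coverage():
    """Return {filter name: [sample names the filter hits]}."""
    table = {}
    for name, line in FILTER_LINES.items():
        _, _, compiled = parse_filter_line(line)
        table[name] = [s for s, text in SAMPLES.items() if compiled.search(text)]
    return table


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:16} hits: {', '.join(hits) or 'nothing'}")
```

The quote character is not in the character class, so the quoted and unquoted lines each hit only their own form of the header. No variant hits a name that contains a dot, and because the pattern is not anchored after `\.doc`, the unquoted forms also hit `.docx`.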







[MBF] Re: Gauntlet addition suggestion

2015-08-20 Thread John Tolmachoff
Thanks David.

A question, why is the following line in GAUNTLET? I realize it can have a high 
hit rate but with the proliferation of malicious emails that are playing with 
the encoding, shouldn't this line be removed?

BODYEND PCRE(?i:Content-Transfer-Encoding: base64)







[MBF] Re: Gauntlet addition suggestion

2015-08-12 Thread John Tolmachoff
Here are the lines added by SNIFFER:

X-MessageSniffer-Identifier: 
C:\Interceptor\Alligate\spool\proc\work\002343458.dta
X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules:
0-0-0-2087-c

The email in question is indeed SPAM and/or malicious, with the body being a 
http link to a website.

-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Wednesday, August 12, 2015 2:01pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion

If SNF has already triggered and scored the message there is no real reason to 
move it to the GAUNTLET as it has already been identified, however you could 
use a filter as you suggest below. Can you provide an actual line from a header 
line you want to trigger on so I can validate the PCRE?

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using X-GBudb-Analysis 
line with Source New as a catch for GAUNTLET.

Any thoughts?

What would the line in the GAUNTLET file be for that?
HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You
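
Added example, not part of the original messages or of Declude: the proposed HEADERS pattern checked step by step against the X-GBUdb-Analysis line quoted above. Python's re module stands in for Declude's PCRE engine (an assumption), the three corrected patterns are added variants, and the "Source Normal" header is a constructed negative case.

```python
import re

# Header line quoted in the thread.
HEADER = "X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New"
# Constructed negative case; the trailing "Source Normal" value is a placeholder.
OTHER = "X-GBUdb-Analysis: 0, 192.0.2.10, Ugly c=0 p=0 Source Normal"

CANDIDATES = [
    # As posted: "(?i(" is not a valid inline-flag group.
    ("as posted", r"(?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))"),
    # Valid group, but the class matches exactly one character.
    ("group syntax fixed", r"(?i:X-GBUdb-Analysis:[a-z0-9-_ =,]Source New)"),
    # Quantified, but the class has no "." so the IP address stops the match.
    ("quantifier added", r"(?i:X-GBUdb-Analysis:[a-z0-9-_ =,]{1,100}Source New)"),
    # Class extended with "." to cover the IP address.
    ("dot added to class", r"(?i:X-GBUdb-Analysis:[a-z0-9-_ =,.]{1,100}Source New)"),
]


def diagnose(pattern, text=HEADER):
    """Return 'invalid: <reason>', 'no match' or 'match' for one pattern."""
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return f"invalid: {exc.msg}"
    return "match" if compiled.search(text) else "no match"


def check_candidates():
    """Run every candidate against the header quoted in the thread."""
    return [(label, diagnose(pattern)) for label, pattern in CANDIDATES]


def filter_line(pattern, weight=0):
    """Format a pattern the way the thread writes Gauntlet lines."""
    return f"HEADERS {weight} PCRE {pattern}"


if __name__ == "__main__":
    for label, status in check_candidates():
        print(f"{label:20} {status}")
    print(filter_line(CANDIDATES[-1][1]))
```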





[MBF] Gauntlet addition suggestion

2015-08-12 Thread John Tolmachoff
With SNIFFER running before GAUNTLET, I had an idea of using X-GBudb-Analysis 
line with Source New as a catch for GAUNTLET.

Any thoughts?

What would the line in the GAUNTLET file be for that?
HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You





[MBF] Re: HTML attachment got through, why?

2015-08-10 Thread John Tolmachoff
PING

I am still seeing these HTML attachments getting through.

-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Friday, July 17, 2015 10:14am
To: community@mailsbestfriend.com
Subject: [MBF] Re: HTML attachment got through, why?

Andy, good question. The body of the email was indeed text/html formatted. And 
the email was base-64 encoded.

The virus was indeed really in the attachment, not in the body.

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, July 17, 2015 9:20am
To: community@mailsbestfriend.com
Subject: [MBF] Re: HTML attachment got through, why?

I wonder whether these two lines indicate that there were actually two 
DIFFERENT MIME segments? One was a base-64 encoded attachment of Invoice.html 
- which might have matched your BANEXT and been banned.

But the first segment (maybe the body of the email?) was also [text/html] 
formatted. During virus scanning, it was temporarily referred to as 0.html, 
possibly containing the malicious code. But, since it was the email BODY not 
actually an attached FILE, it would not have been subject to the BANEXT rule?

I guess the question is, was the virus really in the Invoice.html or was it in 
the 0.html?






[MBF] Re: VIPRE AV

2015-08-06 Thread John Tolmachoff
I speak from personal direct experience interacting with the CEO of Sunbelt 
around 2001-2002. In fact, most of the ISA Server 2000 admins and experts would 
have the same statement.

I have more respect for McCrappy than I do Sunbelt Software.

-Original Message-
From: Martin Margheim ad...@kodot.com
Sent: Thursday, August 6, 2015 9:21am
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Very mature, intelligent, responsible and beneficial response.

Of course, your credibility is established as the absolute, all knowing 
resource.

Please, do not insult a meaningful community purpose with such commentary

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 2:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

ACK, Sunbelt, yuck patoooy help I need mouthwash now.

Egotistical knowitall godsgifttosecurity.

Quick, someone send me some mouthwash. No wait, make the Pepto-Bismol. I think 
I am going to throw up.

-Original Message-
From: Martin Margheim ad...@kodot.com
Sent: Tuesday, August 4, 2015 11:34am
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Probably better you call ThreatTrackSecurity and verify it has all that you 
want.

VIPRE was created by Sunbelt Software who then sold to GFI who then released it 
back to a private company still located in Clearwater, Florida

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 2:14 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Is there a command line option?

-Original Message-
From: Martin Margheim ad...@kodot.com
Sent: Tuesday, August 4, 2015 10:14am
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Yes

Has always been AV of choice

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 12:32 PM
To: community@mailsbestfriend.com
Subject: [MBF] VIPRE AV

Anybody using VIPRE AV? 

John T
eServices For You



[MBF] VIPRE AV

2015-08-04 Thread John Tolmachoff
Anybody using VIPRE AV? 

John T
eServices For You





[MBF] Re: VIPRE AV

2015-08-04 Thread John Tolmachoff
ACK, Sunbelt, yuck patoooy help I need mouthwash now.

Egotistical knowitall godsgifttosecurity.

Quick, someone send me some mouthwash. No wait, make that Pepto-Bismol. I think 
I am going to throw up.

-Original Message-
From: Martin Margheim ad...@kodot.com
Sent: Tuesday, August 4, 2015 11:34am
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Probably better you call ThreatTrackSecurity and verify it has all that you 
want.

VIPRE was created by Sunbelt Software who then sold to GFI who then released it 
back to a private company still located in Clearwater, Florida.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 2:14 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Is there a command line option?

-Original Message-
From: Martin Margheim ad...@kodot.com
Sent: Tuesday, August 4, 2015 10:14am
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV

Yes

Has always been AV of choice

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 12:32 PM
To: community@mailsbestfriend.com
Subject: [MBF] VIPRE AV

Anybody using VIPRE AV? 

John T
eServices For You





[MBF] Re: Gauntlet not moving files back into spool

2015-07-29 Thread John Tolmachoff
Bueller? Bueller?

-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Tuesday, July 28, 2015 1:21pm
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet not moving files back into spool

I have just discovered that files (Alligate Gateway which is Imail server) 
being caught by the Declude Gauntlet test are never moved from the Gauntlet 
folder back to the spool. DRGOutflow.exe is running and I can see it checking 
the directory every minute using Process Monitor, but no action is ever taken.

My configuration is such (the command line is continuous, broken here to make 
it easy to read):

[Process1]
CommandLine= 
 '
 C:\Interceptor\Alligate\declude\DRGOutflow.exe
 i=C:\Interceptor\Alligate\Spool\Gauntlet
 o=C:\Interceptor\Alligate\spool\proc
 d=60
 '
PauseStart= 100
PauseEnd= 100
UserInterface = No
Restart = Yes

John T
eServices For You





[MBF] Gauntlet not moving files back into spool

2015-07-28 Thread John Tolmachoff
I have just discovered that files (Alligate Gateway which is Imail server) 
being caught by the Declude Gauntlet test are never moved from the Gauntlet 
folder back to the spool. DRGOutflow.exe is running and I can see it checking 
the directory every minute using Process Monitor, but no action is ever taken.

My configuration is such (the command line is continuous, broken here to make 
it easy to read):

[Process1]
CommandLine= 
 '
 C:\Interceptor\Alligate\declude\DRGOutflow.exe
 i=C:\Interceptor\Alligate\Spool\Gauntlet
 o=C:\Interceptor\Alligate\spool\proc
 d=60
 '
PauseStart= 100
PauseEnd= 100
UserInterface = No
Restart = Yes

John T
eServices For You





[MBF] Re: Utilities

2015-07-24 Thread John Tolmachoff
Here is something I do quite often, and having a little utility to run instead 
would help:

I often get requests from users saying "I am expecting an email from so-and-so 
and have not received it, can you check?"

What I would love to see is a utility that I can run that will prompt me for an 
email address (or the domain portion) and then search the junkmail log for any 
mentions. Pipe the output for reuse then parse the output for email processing 
IDs. Then for each processing ID do a find in the log file for all lines of 
that processing ID and pipe that output to a separate text file for each 
processing ID, using the ID as the name of the file.

The utility would have to be compatible with (able to deal with) SmarterMail 
processing IDs, new Imail processing IDs (16 characters), as well as older 
Imail processing IDs (8 characters).



-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Thursday, July 23, 2015 9:01am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Utilities

MBF is considering creating some utilities (small programs/scripts) that
would help Mail Administrators achieve a specific task/s.  We have a
developer available to us which we can use for this purpose and are looking
for some ideas on what may be useful to you.  We are not looking to create a
complex application but perhaps if you share some of what you have
difficulty doing, something that you think a script could help you achieve,
we would like to hear about it. 

David Barker
Mail's Best Friend

Email :  david.bar...@mailsbestfriend.com
Web  :  http://www.mailsbestfriend.com/
Office: 866.919.2075
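
The lookup requested above, as an added sketch that is not an MBF utility and not code from the thread: it finds the processing IDs of log lines that mention an address or domain, then writes every line for each ID to a file named after that ID. It assumes the junkmail log uses the `date time ID text` layout of the Declude log excerpt elsewhere in this archive; the sample lines and function names are constructed.

```python
import os
import re

# Assumed layout: "MM/DD/YYYY HH:MM:SS.mmm <processing-id> <text>".
# The ID is taken as the third field, whatever its length, so 8-character,
# 16-character and other ID styles are all handled the same way.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")

# Constructed sample lines (not real Declude output).
SAMPLE_LOG = [
    "07/24/2015 09:00:01.120 q1a2b3c4 Msg from <alice@example.com> to <bob@example.net>",
    "07/24/2015 09:00:01.300 q1a2b3c4 Tests failed: constructed-test",
    "07/24/2015 09:00:02.010 0123456789abcdef Msg from <carol@example.org> to <bob@example.net>",
    "07/24/2015 09:00:02.450 0123456789abcdef Action: constructed-hold",
    "07/24/2015 09:00:03.000 123456789 Msg from <dave@EXAMPLE.com> to <erin@example.net>",
    "07/24/2015 09:00:03.200 123456789 Action: constructed-deliver",
]


def processing_id(line):
    """Return the processing ID of a log line, or None if the line does not parse."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    return match.group(1) if match else None


def ids_mentioning(lines, needle):
    """IDs of lines that mention the address or domain, in first-seen order."""
    needle = needle.strip().lower()
    found = []
    for line in lines:
        if needle and needle in line.lower():
            pid = processing_id(line)
            if pid and pid not in found:
                found.append(pid)
    return found


def lines_by_id(lines, ids):
    """Collect every log line belonging to each wanted processing ID."""
    grouped = {pid: [] for pid in ids}
    for line in lines:
        pid = processing_id(line)
        if pid in grouped:
            grouped[pid].append(line.rstrip("\r\n"))
    return grouped


def safe_name(pid):
    """IDs become file names, so drop anything that is not a plain name character."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", pid)


def export(lines, needle, out_dir):
    """Write one <ID>.txt per matching message and return the paths written."""
    lines = list(lines)
    paths = []
    for pid, rows in lines_by_id(lines, ids_mentioning(lines, needle)).items():
        path = os.path.join(out_dir, safe_name(pid) + ".txt")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write("\n".join(rows) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    log_path = input("Log file: ").strip()
    wanted = input("Email address or domain: ").strip()
    with open(log_path, encoding="utf-8", errors="replace") as log:
        for written in export(log, wanted, os.getcwd()):
            print(written)
```

The match is a plain substring search, so a domain such as `example.com` also matches addresses at `notexample.com`; search for `@example.com` to avoid that.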






[MBF] HTML attachment got through, why?

2015-07-17 Thread John Tolmachoff
I have HTM and HTML attachments banned. (No valid reason for them.) Yet one got 
through. Can someone help me on this as to why? And it was malicious, 
containing Trojan.HTML.Phishing.GL

07/17/2015 06:45:41.804 002298363 Vulnerability flags = 93
07/17/2015 06:45:41.806 002298363 MIME file: [text/html][quoted-printable; Length=7429 Checksum=603288]
07/17/2015 06:45:41.816 002298363 MIME file: Invoice.html [base64; Length=299452 Checksum=21079305]
07/17/2015 06:45:41.816 002298363 Found potentially dangerous stuff in C:\Interceptor\Alligate\spool\proc\work\002298363.vir\0.html!
07/17/2015 06:45:51.183 002298363 Virus scanner 1 reports exit code of 0
07/17/2015 06:45:53.210 002298363 Virus scanner 2 reports exit code of 0
07/17/2015 06:45:53.216 002298363 Scanned: Virus Free [Prescan OK][MIME: 3 307350]

Scanner1 is ClamAV
Scanner2 is ESET Endpoint Antivirus.

Checking on VirusTotal, neither ClamAV nor ESET catch this.

In the virus.cfg file directives relevant to this issue:

AVAFTERJM   ON
PRESCAN ON
BANEXT  htm
BANEXT  html


John T
eServices For You





[MBF] Re: HTML attachment got through, why?

2015-07-17 Thread John Tolmachoff
Andy, good question. The body of the email was indeed text/html formatted. And 
the email was base-64 encoded.

The virus was indeed really in the attachment, not in the body.

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, July 17, 2015 9:20am
To: community@mailsbestfriend.com
Subject: [MBF] Re: HTML attachment got through, why?

I wonder whether these two lines indicate that there were actually two 
DIFFERENT MIME segments? One was a base-64 encoded attachment of Invoice.html 
- which might have matched your BANEXT and been banned.

But the first segment (maybe the body of the email?) was also [text/html] 
formatted. During virus scanning, it was temporarily referred to as 0.html, 
possibly containing the malicious code. But, since it was the email BODY not 
actually an attached FILE, it would not have been subject to the BANEXT rule?

I guess the question is, was the virus really in the Invoice.html or was it in 
the 0.html?






[MBF] Re: Declude Error

2015-05-27 Thread John Tolmachoff
I am guessing it is a configuration error in either the global.cfg file or a 
filter file.

What version did you upgrade from?
Do you have iMail properly configured?

-Original Message-
From: Brandon Rowlett bran...@sageisland.com
Sent: Wednesday, May 20, 2015 9:06am
To: community@mailsbestfriend.com
Subject: [MBF] Declude Error

After installing Declude 4.12.11 I now get this error for each message that 
comes in:

q0beb1a4500d8.smd Error-2 No Aliases for 
[SOFTWARE\Wow6432Node\Ipswitch\Imail\Domains\domainname.com] ret2 = 2

The error shows for every domain name on the server on each message processed.  
Does anyone have an idea of what is causing this?

Thanks,
Brandon








[MBF] Re: SPAMDOMAINS

2015-04-21 Thread John Tolmachoff
Bueller? Bueller? Bueller?

-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Tuesday, April 14, 2015 8:59am
To: community@mailsbestfriend.com
Subject: [MBF] SPAMDOMAINS

Does anyone still use this test and have an updated file for it?

John T
eServices For You





[MBF] Re: SPAMDOMAINS

2015-04-21 Thread John Tolmachoff
Markus, I agree 100% that properly implemented SPF is the smarter way. However, 
not everyone has SPF records configured.

-Original Message-
From: Markus Gufler | Limitis markus.guf...@limitis.com
Sent: Tuesday, April 21, 2015 8:35am
To: community@mailsbestfriend.com
Subject: [MBF] AW: SPAMDOMAINS

Just to call in remembrance how it works

This test will catch E-mail that is not coming from a mailserver that it 
should be coming from. This test will only work if you set up a file listing 
domains that you wish to be included in this test. Specifically, it will check 
the return address of the E-mail, and then check to see if the reverse DNS 
entry of the IP that the E-mail was sent from contains the domain name. If not, 
the E-mail fails the test. For example, if hotmail.com is listed in the 
\IMail\Declude\spamdomains.txt file, then an E-mail coming from 
law2.hotmail.com would not fail the test, but an E-mail from 
mail.example.ru would fail the test 

I haven't used it for a while except for some local (Italian) bank domains.
Instead of creating and maintaining such lists, SPF in the meantime should be 
the smarter way to achieve the same, or?

Markus






-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, April 21, 2015 17:26
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPAMDOMAINS

Bueller? Bueller? Bueller?

-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Tuesday, April 14, 2015 8:59am
To: community@mailsbestfriend.com
Subject: [MBF] SPAMDOMAINS

Does anyone still use this test and have an updated file for it?

John T
eServices For You
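
The SPAMDOMAINS logic quoted in this thread, as an added sketch that is not Declude's code: it takes the return address, the reverse-DNS name of the connecting IP and the listed domains, and returns the test outcome. The one-domain-per-line file format, the function names and the `strict` option are assumptions; `strict=True` requires the PTR name to end in the listed domain on a label boundary, while `strict=False` is the literal "contains" reading of the description.

```python
# Constructed stand-in for spamdomains.txt (assumed format: one domain per line).
SAMPLE_FILE = """
# domains whose mail should come from their own servers
hotmail.com
example-bank.test
"""


def parse_spamdomains(text):
    """Return the listed domains, lower-cased, skipping blanks and # comments."""
    domains = []
    for raw in text.splitlines():
        entry = raw.strip().lower().rstrip(".")
        if entry and not entry.startswith("#"):
            domains.append(entry.lstrip("@"))
    return domains


def sender_domain(return_address):
    """Domain part of the envelope return address; empty for the null sender."""
    address = return_address.strip().strip("<>")
    return address.rpartition("@")[2].lower().rstrip(".") if "@" in address else ""


def within(name, domain):
    """True when name is the domain itself or a host/subdomain underneath it."""
    return name == domain or name.endswith("." + domain)


def spamdomains_check(return_address, ptr_name, listed, strict=True):
    """Return 'not-listed', 'pass' or 'fail' for one message."""
    domain = sender_domain(return_address)
    matched = next((d for d in listed if domain and within(domain, d)), None)
    if matched is None:
        return "not-listed"      # the test only applies to listed domains
    host = (ptr_name or "").lower().rstrip(".")
    if not host:
        return "fail"            # no reverse DNS entry, nothing to match
    if strict:
        ok = within(host, matched)
    else:
        ok = matched in host     # literal substring reading of "contains"
    return "pass" if ok else "fail"


def demo():
    """The two cases from the description plus the edge cases, as a result table."""
    listed = parse_spamdomains(SAMPLE_FILE)
    cases = [
        ("user@hotmail.com", "law2.hotmail.com", True),
        ("user@hotmail.com", "mail.example.ru", True),
        ("user@example.org", "mail.example.ru", True),
        ("user@hotmail.com", "", True),
        # A PTR name that merely embeds the listed domain:
        ("user@hotmail.com", "hotmail.com.mail.example.ru", False),
        ("user@hotmail.com", "hotmail.com.mail.example.ru", True),
    ]
    return [spamdomains_check(a, p, listed, strict=s) for a, p, s in cases]


if __name__ == "__main__":
    print(demo())
```

A PTR record is set by whoever controls the IP block, so a receiver that relies on this test should also confirm that the PTR name resolves back to the connecting IP.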





[MBF] Re: SPF Records

2015-04-01 Thread John Tolmachoff
In reality, if you are not using a -all SPF record, then you might as well have 
no SPF record at all. From a receiving point, the only time you can reliably 
take action (or weight) is on an absolute record, which is -all; anything else 
equals maybe, in which case it is meaningless.

John T
eServices For You

-Original Message-
From: Darin Cox dc...@4cweb.com
Sent: Wednesday, April 1, 2015 5:26am
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Dave,  that’s the problem.  If they send through another server, 
they violate the SPF policy you have set up that says mail for the domain 
can only come from your server.  So in that case Yahoo would see the SPF 
failure and block it.

You either need to loosen your SPF policy to soft fail, or make sure your 
users always send outbound through your server(s).

Darin.



From: Dave Beckstrom
Sent: Wednesday, April 01, 2015 7:25 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Hi Andy,

My users can only send email through our server if they smtp auth.  Been 
that way since day one and never been an issue with anyone.  If they send 
email through another ISP's email server they use replyto to direct their 
returns back to our email server.



From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] 
On Behalf Of Andy Schmidt
Sent: Tuesday, March 31, 2015 9:31 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records


Hi Dave,



We absolutely block on “-all” before we check anything else. And almost 
daily I encounter some third party mail server that rejects a “registration” 
email or a mailing list email from one of our clients, because the recipient 
is forwarding email between two email services. So there are countless 
servers like ours that are standards compliant.



I have to assume that you’ve been extraordinarily lucky with your 
circumstances until today. It’s possible that until now your end users haven’t 
been connecting through hotel room WiFi networks, or haven’t used greeting 
card sites etc etc. – or they always set up SMTP AUTH to connect to your MX 
while travelling.



The whole IDEA behind SPF is that the domain owner can CHOOSE to add an SPF 
record, but if one exists, that it is the ultimate authority on how email 
should be handled. If you wanted your emails to be permitted from ANY 
server, then you have the option to forego an SPF record, or use the proper 
rule of:



v=spf1 mx ~all



<Flame on> Why on earth would anyone set up a rule that explicitly states 
that all email absolutely must come from their own MX and NEVER-EVER-EVER 
from another mail server, if they really don’t want the recipient to respect 
those very explicit instructions? </Flame Off>



Best Regards,

Andy





From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] 
On Behalf Of Dave Beckstrom
Sent: Tuesday, March 31, 2015 6:54 PM
To: community@mailsbestfriend.com
Subject: [MBF] SPF Records



I received an email from a customer because an email he sent to someone in 
Canada was rejected due to SPF checking.   Our DNS server automatically sets 
an SPF record for each domain with the value v=spf1 mx -all   Been that way 
since SPF first became available and I've never had a problem.

I'm curious if anyone here rejects (bounces) email strictly off of an SPF 
check?  I think that's ridiculous.  Moreover, I'm pretty certain our SPF 
record is correct.

I'm thinking the yahoo's in Canada are the ones who don't know what they are 
doing.  Thoughts?







[MBF] Re: SPF Records

2015-04-01 Thread John Tolmachoff
Mailing lists, subscriptions, UPS notifications, and probably others would be 
examples of legit emails where the from address can be your address if using 
~all would cause a false positive soft fail.

-Original Message-
From: Darin Cox dc...@4cweb.com
Sent: Wednesday, April 1, 2015 12:10pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Soft fail can still be useful to prevent forged spam sent to your users 
where the from address is also the user's address.

Darin.

-Original Message- 
From: John Tolmachoff
Sent: Wednesday, April 01, 2015 11:50 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

In reality, if you are not using a -all SPF record, then you might as well 
have no SPF record at all. From a receiving point, the only time you can 
reliably take action (or weight) is on an absolute record, which is -all; 
anything else equals maybe, in which case it is meaningless.

John T
eServices For You

-Original Message-
From: Darin Cox dc...@4cweb.com
Sent: Wednesday, April 1, 2015 5:26am
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Dave,  that’s the problem.  If they send through another server,
they violate the SPF policy you have set up that says mail for the domain
can only come from your server.  So in that case Yahoo would see the SPF
failure and block it.

You either need to loosen your SPF policy to soft fail, or make sure your
users always send outbound through your server(s).

Darin.



From: Dave Beckstrom
Sent: Wednesday, April 01, 2015 7:25 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Hi Andy,

My users can only send email through our server if they smtp auth.  Been
that way since day one and never been an issue with anyone.  If they send
email through another ISP's email server they use replyto to direct their
returns back to our email server.



From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Andy Schmidt
Sent: Tuesday, March 31, 2015 9:31 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records


Hi Dave,



We absolutely block on “-all” before we check anything else. And almost
daily I encounter some third party mail server that rejects a “registration”
email or a mailing list email from one of our clients, because the recipient
is forwarding email between two email services. So there are countless
servers like ours that are standards compliant.



I have to assume that you’ve been extraordinarily lucky with your
circumstances until today. It’s possible that until now your end users haven’t
been connecting through hotel room WiFi networks, or haven’t used greeting
card sites etc etc. – or they always set up SMTP AUTH to connect to your MX
while travelling.



The whole IDEA behind SPF is that the domain owner can CHOOSE to add an SPF
record, but if one exists, that it is the ultimate authority on how email
should be handled. If you wanted your emails to be permitted from ANY
server, then you have the option to forego an SPF record, or use the proper
rule of:



v=spf1 mx ~all



<Flame on> Why on earth would anyone set up a rule that explicitly states
that all email absolutely must come from their own MX and NEVER-EVER-EVER
from another mail server, if they really don’t want the recipient to respect
those very explicit instructions? </Flame Off>



Best Regards,

Andy





From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Dave Beckstrom
Sent: Tuesday, March 31, 2015 6:54 PM
To: community@mailsbestfriend.com
Subject: [MBF] SPF Records



I received an email from a customer because an email he sent to someone in
Canada was rejected due to SPF checking.   Our DNS server automatically sets
an SPF record for each domain with the value v=spf1 mx -all   Been that way
since SPF first became available and I've never had a problem.

I'm curious if anyone here rejects (bounces) email strictly off of an SPF
check?  I think that's ridiculous.  Moreover, I'm pretty certain our SPF
record is correct.

I'm thinking the yahoo's in Canada are the ones who don't know what they are
doing.  Thoughts?
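
The two records discussed in this thread (`v=spf1 mx -all` and `v=spf1 mx ~all`), evaluated for mail sent directly from the domain's MX and for the same mail relayed by a third-party server; this is an added sketch, not code from any poster or product. DNS is replaced by a constructed list of MX addresses, only the `mx`, `ip4` and `all` mechanisms are modelled, and `receiver_action` is an assumed local policy (reject on fail, add weight on softfail).

```python
import ipaddress

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed data: the sending domain's MX address, and two connecting IPs.
MX_ADDRESSES = ["192.0.2.10"]
SENDERS = {
    "direct from own MX": "192.0.2.10",
    "relayed by another server": "198.51.100.25",
}
RECORDS = ["v=spf1 mx -all", "v=spf1 mx ~all"]


def evaluate_spf(record, client_ip, mx_addresses):
    """Evaluate a small subset of SPF against one connecting IP.

    Terms are tried left to right and the first matching mechanism decides
    the result through its qualifier (default '+').
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all" and not arg:
            matched = True
        elif name == "mx" and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in mx_addresses)
        elif name == "ip4" and arg:
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "unsupported"   # mechanism outside this sketch's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # no mechanism matched and no "all" term


def receiver_action(result):
    """Assumed receiver policy: reject on fail, add spam weight on softfail."""
    return {"fail": "reject", "softfail": "weight"}.get(result, "accept")


def compare(records=RECORDS, senders=SENDERS, mx_addresses=MX_ADDRESSES):
    """Return {(record, sender label): (spf result, receiver action)}."""
    table = {}
    for record in records:
        for label, ip in senders.items():
            result = evaluate_spf(record, ip, mx_addresses)
            table[(record, label)] = (result, receiver_action(result))
    return table


if __name__ == "__main__":
    for (record, label), (result, action) in compare().items():
        print(f"{record:18} {label:28} {result:9} {action}")
```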





[MBF] Re: COUNTRYCHAIN

2015-03-18 Thread John Tolmachoff
So we need to use the ISO code and NOT the displayed name?

-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Wednesday, March 18, 2015 11:51am
To: community@mailsbestfriend.com
Subject: [MBF] Re: COUNTRYCHAIN

The options for what you are looking for are as follows (you can also use 
CONTAINS etc. as standard syntax for filters):

COUNTRIES   10  PCRE(IR)
COUNTRY 10  PCRE(IR)

COUNTRIES includes Iran in the chain   X-Country-Chain: CHINA-EGYPT-IRAN-destination
COUNTRY is the originating country     X-Country-Chain: IRAN-destination

You can find the ISO codes for countries here: http://www.countryareacode.net/

David

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Tuesday, March 17, 2015 1:01 PM
To: community@mailsbestfriend.com
Subject: [MBF] COUNTRYCHAIN

Can I use COUNTRYCHAIN variable as part of a filter?

Example: COUNTRYCHAIN 10 CONTAINS IRAN

John T
eServices For You





[MBF] COUNTRYCHAIN

2015-03-17 Thread John Tolmachoff
Can I use COUNTRYCHAIN variable as part of a filter?

Example: COUNTRYCHAIN 10 CONTAINS IRAN

John T
eServices For You





[MBF] Re: FW: Declude Virus caught a virus

2015-01-27 Thread John Tolmachoff
Here is the problem:

MIME-Version: 1.0
Content-transfer-encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The headers are stating 2 different encodings, but only one is allowed.

From the AM Manual:

Conflicting Encoding Vulnerability: This vulnerability occurs when the headers 
of an E-mail claim that two or more different encoding types are used. A MIME 
segment can only be encoded in one way, so if there are more than one encoding 
types listed, it is possible that the mail server virus scanner and the mail 
client will use different decoding methods on the E-mail. If this happens, a 
virus could bypass virus scanning on the mail server.

-Original Message-
From: Brian Thomforde br...@truckdriver.com
Sent: Tuesday, January 27, 2015 8:43am
To: community@mailsbestfriend.com
Subject: [MBF] FW: Declude Virus caught a virus

I have an email user that has a website with a Contact Us form that when sent 
to her I always get this Virus notice. 
I really doubt it is a virus, what can I do to get these emails delivered? 

Brian Thomforde
http://www.truckdriver.com
Smarter Drivers...Better Jobs
Providing excellence in Internet recruiting since 1996
763-444-8998 x201

Declude Virus v4.12.05 caught the [Conflicting Encoding Vulnerability] virus in 
Unknown File from flaxcr...@server.launchhostingserver.com to:  
ell...@truckdriver.com.

Date:   27 Jan 2015 09:07:14
Subject:[Fabulous Flax Seed] Contact from Kim Hintermeister
Spool File: 663202460779.eml
Remote IP:  173.199.152.64

Headers:
Return-Path: flaxcr...@server.launchhostingserver.com
Received: from server.launchhostingserver.com (UnknownHost [173.199.152.64]) by 
mail.truckdriver.com with SMTP;
   Tue, 27 Jan 2015 09:07:08 -0700
Received: from flaxcraft by server.launchhostingserver.com with local (Exim 
4.84)
(envelope-from flaxcr...@server.launchhostingserver.com)
id 1YG814-0006LC-Vx
for i...@fabulousflaxseed.com; Tue, 27 Jan 2015 09:25:22 -0600
To: i...@fabulousflaxseed.com
Subject: [Fabulous Flax Seed] Contact from Kim Hintermeister
X-PHP-Script: fabulousflaxseed.com/index.php for 97.88.30.12
Date: Tue, 27 Jan 2015 15:25:22 +
From: WordPress i...@fabulousflaxseed.com
Message-ID: abda4f48f86a0d8ff23dbffbf9e64...@fabulousflaxseed.com
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
Reply-To: hintermeis...@charter.net
MIME-Version: 1.0
Content-transfer-encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any 
abuse report
X-AntiAbuse: Primary Hostname - server.launchhostingserver.com
X-AntiAbuse: Original Domain - fabulousflaxseed.com
X-AntiAbuse: Originator/Caller UID/GID - [508 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - server.launchhostingserver.com
X-Get-Message-Sender-Via: server.launchhostingserver.com: authenticated_id: 
flaxcraft/from_h
X-Source: 
X-Source-Args: 
X-Source-Dir: 
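The condition described in the reply above can be checked mechanically. This is an added example, not Declude's code or anything posted to the list: it flags any MIME part that declares more than one distinct `Content-Transfer-Encoding` and shows how the same body decodes under each declared value. The sample message is constructed from the duplicated header block in the notice, with placeholder addresses and a body added.

```python
import base64
import binascii
import quopri
from email import message_from_string

# Constructed message: the duplicated MIME header block from the notice above,
# with placeholder addresses and a short body so there is something to decode.
SAMPLE = (
    "From: WordPress <sender@example.com>\n"
    "To: recipient@example.com\n"
    "Subject: Contact form\n"
    "MIME-Version: 1.0\n"
    "Content-transfer-encoding: quoted-printable\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=UTF-8\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "Caf=C3=A9 order\n"
)


def declared_encodings(part):
    """All Content-Transfer-Encoding values on one MIME part.

    Header names are matched case-insensitively, so both spellings count.
    """
    return [v.strip().lower() for v in part.get_all("Content-Transfer-Encoding", [])]


def conflicting_encodings(raw):
    """Return (part_index, encodings) for each part declaring more than one distinct encoding."""
    findings = []
    # message_from_string uses the compat32 policy, which keeps duplicate headers.
    for index, part in enumerate(message_from_string(raw).walk()):
        values = declared_encodings(part)
        if len(set(values)) > 1:
            findings.append((index, values))
    return findings


def decoded_views(raw):
    """Decode a single-part body once per declared encoding, as two readers might."""
    msg = message_from_string(raw)
    body = msg.get_payload().encode("utf-8")
    views = {}
    for enc in declared_encodings(msg):
        if enc == "quoted-printable":
            views[enc] = quopri.decodestring(body)
        elif enc == "base64":
            try:
                views[enc] = base64.b64decode(body)
            except binascii.Error:
                views[enc] = None  # body is not valid base64
        else:  # 7bit, 8bit, binary: the bytes are taken as they are
            views[enc] = body
    return views


if __name__ == "__main__":
    print(conflicting_encodings(SAMPLE))
    for enc, data in decoded_views(SAMPLE).items():
        print(enc, data)
```

A scanner that honours the first header and a client that honours the last one see different bytes for the same message, which is the gap the manual text describes.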







[MBF] DEMARC

2015-01-26 Thread John Tolmachoff
Anyone evaluating or implementing DMARC either on the sending side or the 
receiving side?

John T
eServices For You





[MBF] Re: False positives rising with SORBS

2015-01-26 Thread John Tolmachoff
Well, again, if we were to read the information from SORBS, we would already 
know that.

dnsbl.sorbs.net - Aggregate zone (contains all the following DNS zones
except spam.dnsbl.sorbs.net)


-Original Message-
From: Gary Steiner decludei...@plusultraweb.com
Sent: Monday, January 26, 2015 9:03am
To: community@mailsbestfriend.com
Subject: [MBF] Re: False positives rising with SORBS

I've found that the aggregate zones (such as dnsbl.sorbs.net) don't always 
work.  For example, today while testing I found an address (91.218.112.72) 
that was in spam.dnsbl.sorbs.net but wasn't in dnsbl.sorbs.net.  Better to 
use the individual zones for testing, but be careful about using 
overlapping zones.
  
 Gary Steiner
  
  
  
  


 From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Friday, January 23, 2015 2:06 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: False positives rising with SORBS   
Tina what you are doing is giving a double fail to the return code 
127.0.0.6. If you check the sorbs.net website, you would find this 
explanation:

new.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending 
spam/UCE/UBE to the admins of SORBS within the last 48 hours.

recent.spam.dnsbl.sorbs.net - List of hosts that have been noted as sending 
spam/UCE/UBE to the admins of SORBS within the last 28 days (includes 
new.spam.dnsbl.sorbs.net).

So in other words you should NOT be using BOTH checks.

HOWEVER, what is BETTER and more EFFICIENT is to only query 
dnsbl.sorbs.net and then use the various return codes for different tests.

John T
eServices For You

-Original Message-
From: Tina Cline tina.cl...@270net.com
Sent: Thursday, January 22, 2015 8:34am
To: community@mailsbestfriend.com
Subject: [MBF] False positives rising with SORBS

We are seeing a few false positives because of the SORBS filter.

##http://www.au.sorbs.net/
SORBS IP4R dnsbl.sorbs.net * 4 0
SORBS-NEW IP4R new.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-RECENT IP4R recent.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-NOMAIL IP4R nomail.rhsbl.sorbs.net 127.0.0.12 10 0

The false positives are verified IP addresses on the SORBS list but not the 
fault of the sender as the hosting IP is listed. Because SORBS is positive, 
they get a score of 4 and 3 and 3 (total 10) and maybe something else that 
pushes them over 10. (The emails typically are failing all 3 SORBS lists, 
not just one - I did not expect to see emails failing NEW and RECENT at the 
same time) This often happens in replies as the replies go back and forth 
the SPAM weight gets heavier or the sender's IP from the hoster changes 
(hoster has multiple IPs, some of which might be listed - such as Office365 
users)

My question: I have lowered the weight on SORBS-NEW and SORBS-RECENT to only 
1 point each so that if all three filters fail they only get a score of 6. 
Is this what we should do or should we only use the SORBS bl and not use 
SORBS-NEW or RECENT? Any recommendations? We are basing this on the fact 
that if the email is truly SPAM, other filters will give the additional 
weight so SORBS need only be a few points.

Tina Cline
270net Technologies
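The double counting discussed in this thread can be reproduced offline. This is an added example, not Declude's code: it reads the four test lines as posted (name, type, zone, return code, weight on a hit; the last column is ignored here), builds the reversed-octet DNSBL query names, and scores one address against a constructed table of DNS answers. The single-zone configuration, its test name and weight, the address and the answers are all assumptions made for the illustration.

```python
import ipaddress

# The four test definitions from the post above, copied as written.
POSTED_CFG = """
SORBS IP4R dnsbl.sorbs.net * 4 0
SORBS-NEW IP4R new.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-RECENT IP4R recent.spam.dnsbl.sorbs.net 127.0.0.6 3 0
SORBS-NOMAIL IP4R nomail.rhsbl.sorbs.net 127.0.0.12 10 0
"""

# Assumption: one way to follow the advice to query only the aggregate zone
# and key on its return code. Test name and weight are constructed.
SINGLE_ZONE_CFG = """
SORBS-SPAM IP4R dnsbl.sorbs.net 127.0.0.6 4 0
"""

# Constructed answers for a documentation address that appears in new.spam,
# recent.spam and the aggregate zone at once (stands in for live DNS).
ANSWERS = {
    "25.2.0.192.dnsbl.sorbs.net": {"127.0.0.6"},
    "25.2.0.192.new.spam.dnsbl.sorbs.net": {"127.0.0.6"},
    "25.2.0.192.recent.spam.dnsbl.sorbs.net": {"127.0.0.6"},
}


def dnsbl_qname(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_tests(cfg):
    """Parse lines of the form NAME TYPE ZONE RETURNCODE WEIGHT <ignored>."""
    tests = []
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _kind, zone, code, weight, _unused = line.split()
        tests.append({"name": name, "zone": zone, "code": code, "weight": int(weight)})
    return tests


def run_tests(ip, tests, answers):
    """Return (total_weight, fired) where fired is [(test_name, returned_codes)]."""
    total, fired = 0, []
    for t in tests:
        returned = answers.get(dnsbl_qname(ip, t["zone"]), set())
        if returned and (t["code"] == "*" or t["code"] in returned):
            total += t["weight"]
            fired.append((t["name"], sorted(returned)))
    return total, fired


def double_counted(fired):
    """Group fired tests by return code; a code with several tests was scored more than once."""
    by_code = {}
    for name, codes in fired:
        for code in codes:
            by_code.setdefault(code, []).append(name)
    return {code: names for code, names in by_code.items() if len(names) > 1}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CFG), ("single zone", SINGLE_ZONE_CFG)):
        total, fired = run_tests("192.0.2.25", parse_tests(cfg), ANSWERS)
        print(label, total, double_counted(fired))
```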




[MBF] Practical limit to number of lines in a filter or fromfile?

2015-01-23 Thread John Tolmachoff
What is the practical limit to the number of lines in a filter file or in a 
fromfile?

John T
eServices For You





[MBF] Re: help on return error message

2015-01-20 Thread John Tolmachoff
Not your problem, theirs. See attached screen shot.

John T
eServices For You

-Original Message-
From: SM Admin imailad...@bcwebhost.net
Sent: Sunday, January 18, 2015 10:20pm
To: community@mailsbestfriend.com
Subject: [MBF] help on return error message

Hi,

I got a reject on an email and it seems simple enough, except I can't see 
why it occurred.  Here is the text:


Could not deliver message to the following recipient(s):

Failed Recipient: withl...@eskimo.com
Reason: Remote host said: 550 5.7.1 Client host rejected: cannot find your 
hostname, [173.164.65.200]


   -- The header and top 20 lines of the message follows --

Received: from computerX (c-24-22-70-4.hsd1.or.comcast.net [24.22.70.4]) by 
mail.bcwebhost.net with SMTP;
   Sun, 18 Jan 2015 22:12:38 -0800
Message-ID: 363E71686CB343A3B093DA97A3B99A37@BenMonster1
From: Ben Bednarz, Ph.D. b...@bcwebhost.net
To: name witheld with...@myexcel.com
Cc: name witheld2 withe...@eskimo.com,
name witheld with...@myexcel.com
References: A277987F94B9429199713B36B32451BC@BrucePC
In-Reply-To: A277987F94B9429199713B36B32451BC@BrucePC
Subject: Re: change
Date: Sun, 18 Jan 2015 22:12:45 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000_0029_01D0336B.E2D39A20
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-Declude-Sender: b...@bcwebhost.net [24.22.70.4]
X-Declude-Spoolname: 321825380.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.02 
http://www.declude.com/x-note.htm;
X-Declude-Scan: Outgoing Score [0] at 22:12:39 on 18 Jan 2015
X-Declude-Tests: Whitelisted
X-Country-Chain:
X-Declude-Code: 0
X-HELO: computerX
X-Identity: 24.22.70.4 |  | eskimo.com


Any suggestions?

Thanks,

Ben 






[MBF] GAUNTET END triggered by why

2014-12-24 Thread John Tolmachoff
I can not find what triggered an END on the GAUNTLET test.

Doing filter file C:\Interceptor\Alligate\Declude\filters\gauntlet.txt.
Filter GAUNTLET: Not skipping E-mail due to current weight of 8.
Checking TESTSFAILED:  IPNOTINMX ALLIGATETESTS WHITEFILTER2 GRAYFILTER1 
DYNREVDNS COMBO_K COMBO_D .
Triggered MAILFROM PCRE filter GAUNTLET : @route2fitness.co.uk [weight - 0] 
Filter: END command conditions met; ending this filter.

MAILFROM is ja...@route2fitness.co.uk

John T
eServices For You





[MBF] Re: Need regex help

2014-12-16 Thread John Tolmachoff
Trying to catch when the from address is a sub-domain.

Another idea for another test: If a from address is a sub-domain, also check 
for MX records for the parent domain. In the spams I am seeing today where the 
from address is a sub-domain, and there is an MX record for the sub domain, 
there are no MX records for the parent domain.

-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Tuesday, December 16, 2014 12:29pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Need regex help

Not sure exactly what you are trying to match but according to what you 
have provided:

(?i:@[0-9a-z]+\..+\..+)

Can you be more specific ?

David


On 12/16/2014 3:17 PM, John Tolmachoff wrote:
 I am seeing an increase in spam and using an email in the format of 
 blabla...@host.domain.moc.

 I would like to find the right regex to use to look for 
 *@(combinationnumbersletters).*.*

 John T
 eServices For You




-- 
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  :  www.mailsbestfriend.com
Office:  866.919.2075
Mobile  :  978.518.6461
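The two ideas in this thread, tried side by side on sample addresses. This is an added example, not code from either poster or from Declude: it runs the posted pattern in Python's `re`, compares it with a label-count check, and applies the proposed "sub-domain has MX, parent has none" test through an injected lookup. The suffix set, the MX table and all addresses are constructed; a real check would use a full public-suffix list and live DNS.

```python
import re

# Pattern exactly as posted in the reply above.
POSTED = re.compile(r"(?i:@[0-9a-z]+\..+\..+)")

# Assumption: a two-entry stand-in for a real public-suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed MX data standing in for DNS lookups (reserved example domains).
MX_TABLE = {
    "mail.example.net": ["mx1.mail.example.net"],  # sub-domain has MX, parent has none
    "news.example.com": ["mx.example.com"],
    "example.com": ["mx.example.com"],
}


def sender_domain(address):
    """Domain part of an address, lower-cased, without a trailing dot."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def parent_domain(address, suffixes=TWO_LABEL_SUFFIXES):
    """Return the parent domain if the sender domain is a sub-domain, else None."""
    labels = sender_domain(address).split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in suffixes else 1
    if len(labels) <= suffix_len + 1:
        return None  # already a registrable domain: example.com, example.co.uk
    return ".".join(labels[-(suffix_len + 1):])


def parent_lacks_mx(address, mx_lookup):
    """True when the sub-domain has MX records and its parent domain has none."""
    parent = parent_domain(address)
    if parent is None:
        return False
    return bool(mx_lookup(sender_domain(address))) and not mx_lookup(parent)


def classify(addresses, mx_lookup=lambda d: MX_TABLE.get(d, [])):
    """Rows of (address, posted regex matches, is a sub-domain, parent lacks MX)."""
    return [
        (a, POSTED.search(a) is not None, parent_domain(a) is not None,
         parent_lacks_mx(a, mx_lookup))
        for a in addresses
    ]


if __name__ == "__main__":
    samples = [
        "user@example.com",          # plain domain
        "user@example.co.uk",        # two-label suffix, not a sub-domain
        "user@my-host.example.com",  # hyphen in the first label
        "user@news.example.com",     # sub-domain, parent has MX
        "user@mail.example.net",     # sub-domain, parent has no MX
    ]
    for row in classify(samples):
        print(row)
```

The posted pattern matches `user@example.co.uk`, which is not a sub-domain, and misses `user@my-host.example.com`, whose first label contains a hyphen; the label-count check handles both.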





[MBF] Malicious DOC file attachments

2014-12-11 Thread John Tolmachoff
For the last couple of weeks, I have been seeing emails with malicious DOC 
attachments. ESET (NOD32) and ClamAV are not catching them.

Anyone else seeing these and what are you doing to catch them, besides banning 
(guaranteeing) DOC attachments?

John T
eServices For You





[MBF] Re: BARRACUDA

2014-11-12 Thread John Tolmachoff
Friends don't let friends use a Cuda.

-Original Message-
From: Carl Wagar jcwa...@entrenet.com
Sent: Wednesday, November 12, 2014 9:45am
To: community@mailsbestfriend.com
Subject: [MBF] BARRACUDA

Does everyone find that BARRACUDA is increasingly wrong these days?

I have reduced the weight to 5 from 15.

They must be trying to make extra cash through their emailreg.org scam.

 

Carl

 

 

J. Carl Wagar

EntreNet Communications Inc
www.entrenet.com   www.thehostingservice.com

24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

Email: jcwa...@entrenet.com, skype: jcwagar

Tel: +1 613-737-7327, Fax: +1 613-737-5801

Cel: +1 613-818-8898

 







[MBF] SPFFAIL

2014-11-12 Thread John Tolmachoff
I am seeing evidence that SPFFAIL is not always being triggered.

We received several of the fake ADP Past Due notices today and none of them 
failed SPFFAIL even though review of the headers shows they should have, since 
ADP has a valid ABSOLUTE SPF record.

Anyone else seeing this? This is on Declude Interceptor 3.4.12.502

TESTSFAILED: LASHBACK=WARN[3] BLKEMAIL=WARN[10] BADHEADERS=WARN[3] 
IPNOTINMX=LOG[0] REVDNS=WARN[5] COMBO_D=LOG[3] WEIGHTRANGE20-24=WARN[20] 


John T
eServices For You





[MBF] Re: mail processing suddenly stops

2014-11-07 Thread John Tolmachoff
Imail 8.22, wow now there is an oldy.

Man, why are you making us think so hard on a Friday?

Let's see how good my memory is.

Are you using an external database or the Imail Database, OKA the registry? If 
an external MS Access database, you might be bumping up against maximum 
connections/calls to the Access database.

Do you know what the volume of messages is?

Being unable to log on to Webmail and getting the invalid username/password is 
indicative that the OS is becoming overwhelmed, especially since it is a 32 bit 
server.

I would look at the processor queue length as well as page file usage as well 
as DISK I/O to see if there is any disk thrashing going on.

-Original Message-
From: Daniel Ivey d...@gcrcompany.com
Sent: Thursday, November 6, 2014 8:28am
To: community@mailsbestfriend.com
Subject: [MBF] mail processing suddenly stops

We are running Imail 8.22 on a Windows 2003 R2 Standard 32-bit server on
VMWare with the latest Declude and Message Sniffer and Symantec Endpoint
Protection 11.  Symantec is excluding the M:\imail\spool\* directory from
Security Risk Scans.  Periodically, this server will suddenly stop
processing messages.  When this occurs, sometimes you cannot login to the
webmail interface and you get an error of invalid username/password when
checking the email on a client such as Outlook or Outlook Express, but not
always.  None of the Imail services are stopped and the DecludeProc service
is still running.  A reboot of the server takes care of the issue and the
server may be fine for a few hours or 3 - 4 days and then this occurs again.


We have DecludeCount setup on the server and when I check that, I notice
that the number of processed messages does not change.  That is when I try
to send myself an email message from my Gmail account and do not receive it,
which verifies that I need to reboot the server.  Once the server comes back
up after a reboot, the test email is delivered and all is good.  We have
Declude HiJack enabled on this server with the HOLD10 threshold set to 10
and the HOLD30 threshold set to 30 and are not receiving any emails about
compromised accounts.

We have another server running on the same VM that is as bone identical as
it can be to this one and we very rarely have any issues with it.  The only
differences are the Declude HiJack thresholds are set higher and it has a
different domain on it for email.

Does anyone have any ideas or suggestions on things to check?

Thanks,
Daniel




[MBF] Re: Thoughts on how to deal with the current SPAM campaigns

2014-11-03 Thread John Tolmachoff
Hello Chris, thanks for the shoutout.

Yes, I still sell AutoWhite for Declude and yes it will work with Smartermail 
but through a manual registry trick. It is not suitable for ISPs or environments 
with a large number of mailboxes or with a lot of turnover in mailboxes.

-Original Message-
From: Christopher Jaime ch...@midtownmicro.com
Sent: Friday, October 31, 2014 12:55pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

Seems like a tool like autowhite.exe would be a good solution for 
mitigating the delay.  Autowhite.exe would know if the recipient has 
previously sent email to the sender and this condition could be used to 
skip the hold (though I've not used autowhite.exe on SmarterMail).

TESTSFAILEDENDCONTAINSAUTOWHITE1

John T, does autowhite.exe work with SmarterMail and do you still sell 
licenses for autowhite.exe?

I too would appreciate Gauntlet for iMail.

- Chris


*Midtown Micro, Inc.*
Programming  Web Hosting
Office: (916) 442-2447
Fax: (916) 669-9473
Technical Support: supp...@midtownmicro.com 
mailto:supp...@midtownmicro.com

Calendar: http://www.midtownmicro.com/calendar/chris(Updated Daily)
vCard: http://www.midtownmicro.com/vcard/chris
Web: http://www.midtownmicro.com


On 10/30/2014 10:20 PM, David Barker wrote:
 True but the complaints were very few and were only in the beginning 
 of our testing, we have improved the Gauntlet filter to target 
 messages that look like pre-tested spam, to reduce delaying good 
 email. Yes it does delay some good mail but the overall trade-off has 
 been worth it. We have been running the proto-type on 2 servers with 
 over 1000 domains for 30 days + and only had a handful of complaints 
 when we started.  Also remember whitelisted email in SM or Declude is 
 not delayed by the Gauntlet.  As we know Greylisting also delays 
 messages, and is not a solution for everyone, but it certainly is a 
 solution for many mail admins.

 Bottom line is the delay and targeting of messages for the Gauntlet 
 can be controlled.

 David

  we have improved the filter so it only delays suspect messages and 
 not all messages
 On 10/31/2014 12:25 AM, Linda Pagillo wrote:

 Thanks for the kind words, Mike. Yes, unfortunately, that is the only 
 complaint we have had about the Gauntlet... the delay.

 Linda Pagillo
 Mail's Best Friend
 Email: linda.pagi...@mailsbestfriend.com
 Web: www.mailsbestfriend.com
 Office: 703.988.3605 x7016

 MBF

 *From:*community@mailsbestfriend.com 
 [mailto:community@mailsbestfriend.com] *On Behalf Of *Michael Cummins
 *Sent:* Thursday, October 30, 2014 10:18 PM
 *To:* community@mailsbestfriend.com
 *Subject:* [MBF] Re: Thoughts on how to deal with the current SPAM 
 campaigns

 Linda and David are great.  Worth every penny, always.

 I'd be interested in The Gauntlet, but my customers wouldn't tolerate 
 that kind of delay at all.   Sadly.

 - Michael Cummins

 *From:*community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com 
 [mailto:community@mailsbestfriend.com] *On Behalf Of *Linda Pagillo
 *Sent:* Thursday, October 30, 2014 11:05 PM
 *To:* community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com
 *Subject:* [MBF] Re: Thoughts on how to deal with the current SPAM 
 campaigns

 Carl, my email address is linda.pagi...@mailsbestfriend.com 
 mailto:linda.pagi...@mailsbestfriend.com. Thanks for the kind 
 words, Chris!

 Linda Pagillo
 Mail's Best Friend
 Email: linda.pagi...@mailsbestfriend.com 
 mailto:linda.pagi...@mailsbestfriend.com
 Web: www.mailsbestfriend.com http://www.mailsbestfriend.com
 Office: 703.988.3605 x7016

 MBF

 *From:*community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com 
 [mailto:community@mailsbestfriend.com] *On Behalf Of *Carl Wagar
 *Sent:* Thursday, October 30, 2014 6:49 PM
 *To:* community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com
 *Subject:* [MBF] Re: Thoughts on how to deal with the current SPAM 
 campaigns

 What's your email address these days Linda?

 I am interested...

 J. Carl Wagar

 EntreNet Communications Inc
 www.entrenet.com http://www.entrenet.com www.thehostingservice.com 
 http://www.thehostingservice.com

 24 Swain Ave, Ottawa, ON, K1G 4T1, Canada

 Email: jcwa...@entrenet.com mailto:jcwa...@entrenet.com, skype: jcwagar

 Tel: +1 613-737-7327, Fax: +1 613-737-5801

 Cel: +1 613-818-8898

 *From:*community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com 
 [mailto:community@mailsbestfriend.com] *On Behalf Of *Linda Pagillo
 *Sent:* Thursday, October 30, 2014 3:18 PM
 *To:* community@mailsbestfriend.com 
 mailto:community@mailsbestfriend.com
 *Subject:* [MBF] Re: Thoughts on how to deal with the current SPAM 
 campaigns

 Hello everyone. I wanted to chime in here. We (MBF) actually have a 
 utility for implementing exactly what Scott is proposing if anyone is 
 interested in trying it. We call it The Gauntlet. Also, the following 
 link has some 

[MBF] Test to check the quantity of symbols in a subject line.

2014-10-29 Thread John Tolmachoff
I am trying to figure out a way to create a test in Declude for the quantity of 
symbols in the subject line. I am guessing this would have to be done via a 
REGEX test but I am not sure how to create it.

Anyone have an idea?

John T
eServices For You





[MBF] Re: delivery failure for junk mailbox

2014-10-29 Thread John Tolmachoff
Try putting quotes around Junk E-mail?

John T
eServices For You

-Original Message-
From: SM Admin imailad...@bcwebhost.net
Sent: Wednesday, October 29, 2014 11:08am
To: community@mailsbestfriend.com
Subject: [MBF] delivery failure for junk mailbox

Hi,
 
I had an email that failed to be delivered to me with this error:
 
Could not deliver message to the following recipient(s):

Failed Recipient: ben+j...@bcwebhost.net
Reason: The recipient does not exist

The way I read this is that it tried to deliver the message to a folder named 
“junk” in my account.  Like everyone else, I have a “Junk E-mail” folder but 
not one just named “Junk”, so I’m assuming that that’s the reason for the 
error.  However, I can’t find anywhere that calls for mail to be routed to Junk 
instead of Junk E-mail.  

I use SmarterMail and there is a filter set up in that to send messages weighted 
over 9 to the “Junk E-mail” folder.  And in Declude I have these lines:

WEIGHT10rMAILBOX Junk E-mail
WEIGHT15rMAILBOX Junk E-mail
WEIGHT20DELETE

Those are the only folder redirects that I can find. So how did this message 
get directly to a Junk folder instead of Junk E-mail? Anyone seen this before? 
Any ideas?

Thanks,

Ben







[MBF] Re: Dumb Question

2014-09-25 Thread John Tolmachoff
ROFLMAO



-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Tuesday, September 23, 2014 9:49am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Dumb Question

Apple?

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Tuesday, September 23, 2014 12:41 PM
To: community@mailsbestfriend.com
Subject: [MBF] Dumb Question

Is there a magic word I can insert into the header of an e-mail or something 
that will cause an e-mail to automatically be caught by Outlook's heuristics 
and deposited in the junk mail folder?

- Michael Cummins




John T
eServices For You





[MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

2014-09-25 Thread John Tolmachoff
Actually, if I remember correctly, it is not the number of addresses but the 
total number of characters of all the addresses. If I am remembering correctly, 
it is less than 256 characters because of inferred characters added per address.

I THINK!

John T
eServices For You

-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Wednesday, September 24, 2014 9:51am
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

Hi David,

 

Actually, THAT only comes into play if an alias exceeds a certain number of
ENTRIES (I forgot how many). That has ALSO always been this way.

 

If an alias points to MULTIPLE email addresses, and it's more than x
number of addresses, then it's automatically converted to a list (with the
corresponding .LST file).

 

Best Regards,

Andy

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of David Barker
Sent: Wednesday, September 24, 2014 12:44 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

 

Version 12.4.0.66 seems to be storing the alias in the root domain folders
aliasname.lst  - there could be legacy structures that are involved with
IMail upgrades as opposed to IMail new installs. I will pass along the
information to our engineer. Thanks for the feedback. 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Andy Schmidt
Sent: Wednesday, September 24, 2014 12:30 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

 

Hi David,

 

No difference, even in latest version. Since the early days of Declude, aliases
have ALWAYS been stored as REG_SZ items here:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\TheDomainName.com\Users\
_aliases]

 

postmaster=some@email.address

hostmaster=another@email.address

etc.

 

However, I THOUGHT Imail was resolving aliases and storing them in the Q
file?

 

Best Regards,

Andy

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of David Barker
Sent: Wednesday, September 24, 2014 12:17 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

 

Hi Andy,

 

Declude only checks on user email address.  With the changes in IMail the
alias seems not to be stored in the database as previously or even stored in
the database at all. We are working to confirm where the latest version of
IMail stores aliases.  

 

As for Address whitelist for a...@sender.com,
originally  the implementation used the txt file which was accessible by the
user to add this option. However since IMail moved to a database in later
versions we are unclear as to where IMail is now storing this information.
Obviously using the Declude whitelist options is a way to circumvent this.

 

If anyone has insight into the storing of the alias information within IMail
latest versions this would be helpful.

David Barker
Mail's Best Friend

Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 866.919.2075

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of David Barker
Sent: Wednesday, August 27, 2014 6:49 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

 

Hi Andy,

Got it. Will have dev look at it and give you some feedback based on
findings.

David

On 8/26/2014 11:06 AM, Andy Schmidt wrote:

Hi,

 

Address-book whitelisting is a crucial feature, as it puts the user in
control to decide which individual senders or which domains they want to
trust.

 

After spending a lot of time with customers and THEIR clients, them
insisting that the whitelisting is not working no matter WHAT they tried,
I've confirmed the following two bugs:

 

1.   Addressbook Whitelisting attempts to find address book under the
IMAIL ALIAS name, instead of resolving aliases to the proper IMAIL USER
name!

Example: 
a...@userdomain.com is configured as an ALIAS for
anthony_cu...@userdomain.com

Emails addressed to aec@... will NOT be whitelisted, but emails addressed to
Anthony_Cuomo will be whitelisted:


Did not find [ liup...@sender.com ] in [ a...@userdomain.com ] address book

Finish Address Book WhiteList

 

Vs.


Skipping4 E-mail from liup...@sender.com; whitelisted
[liup...@css-group.net].

Finish Address Book WhiteList


Obviously, Declude must NOT use the ALIAS name to attempt finding
(non-existing) Address Books, it must use the Q file to learn the final
delivery USER name, and use THAT for Addressbook validation!

 

2.   The original implementation of the Addressbook Whitelist (by Scott)
had allowed for a generic domain whitelist, by using:

a...@sender.com

to whitelist ANY email 
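
The lookup order described in bug 1, as an added example that is not part of the original message and is not Declude or IMail code: it follows single-target alias entries to the delivery user before consulting an address book. It resolves through an in-memory alias table rather than the Q file the message mentions; the table, the address books and all function names are constructed for illustration.

```python
# Constructed sample data: one alias table per domain (alias -> target) and
# one address book per real user. All names and addresses are made up.
ALIASES = {
    "userdomain.example": {
        "aec": "anthony@userdomain.example",
        "sales": "aec@userdomain.example",     # alias pointing at another alias
        "loop1": "loop2@userdomain.example",
        "loop2": "loop1@userdomain.example",   # misconfigured cycle
    }
}
ADDRESS_BOOKS = {
    "anthony@userdomain.example": {"partner@sender.example"},
}


def resolve_recipient(rcpt, aliases=ALIASES, max_hops=10):
    """Follow alias entries until a non-alias address is reached.

    Returns the final address, or None on an alias loop or over-long chain.
    """
    seen = set()
    current = rcpt.strip().lower()
    for _ in range(max_hops):
        if current in seen:
            return None  # alias loop
        seen.add(current)
        local, _, domain = current.rpartition("@")
        target = aliases.get(domain, {}).get(local)
        if target is None:
            return current  # not an alias: this is the delivery user
        current = target.strip().lower()
    return None


def whitelisted_by_alias_name(sender, rcpt, books=ADDRESS_BOOKS):
    """Behaviour reported in the thread: book looked up under the RCPT name."""
    return sender.lower() in books.get(rcpt.lower(), set())


def whitelisted_by_resolved_user(sender, rcpt, books=ADDRESS_BOOKS):
    """Resolve the alias first, then consult the real user's address book."""
    user = resolve_recipient(rcpt)
    if user is None:
        return False  # fail closed: never whitelist on an unresolvable alias
    return sender.lower() in books.get(user, set())
```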

[MBF] Re: hijacked accounts

2014-07-21 Thread John Tolmachoff
Sounds like you have a larger problem than you think. The only way they can log 
onto an account is to know the password. There are only 4 ways that they would 
know the password:

1) Brute Force on the account in question. Highly unlikely in this case if it 
is happening to so many accounts.
2) The accounts in question have the same password or very weak passwords like 
in the top 25 of known passwords.
3) They have access to an admin account and are changing passwords.
4) Your server itself is compromised and they are obtaining the passwords from 
the registry.

If you do not have logs enabled, might as well pack your bags. You will need 
the logs to determine what is going on, where they are logging on from, and how 
to stop it.

-Original Message-
From: Daniel Ivey d...@gcrcompany.com
Sent: Sunday, July 20, 2014 5:22am
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

I am running Imail 8.22 on Windows Server 2003.  These are different
accounts each time, as once I identify one account, I disable that account
to fix the issue for the time being.

I do not have my logs enabled.

Daniel

 -Original Message-
From:   Heimir Eidskrem [mailto:hei...@i360.net] 
Sent:   Friday, July 18, 2014 5:06 PM
To: community@mailsbestfriend.com
Subject:[MBF] Re: hijacked accounts

Are you using smartermail or Imail?
Version?

Are they using the same account every time?

What do your log files say?






Cordially,

Heimir Eidskrem

i360 Consulting
11152 Westheimer
Suite 147
Houston, TX 77042
Ph:  713-981-4900
hei...@i360.net
www.i360.net
www.smart-it-services.com

Houston's Leading Internet Consulting Company

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Daniel Ivey
Sent: Friday, July 18, 2014 3:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] hijacked accounts

I am having an issue with one of my mail servers where a SPAMMER is
hijacking an email account and then is causing my webmail interface to quit
working because they are logged in X number of times sending SPAM.  I have
HiJack turned on and the thresholds set very low and these SPAMMERS keep
getting under my thresholds.  Has anyone else had this issue and if so, what
was the fix?

Thanks,
Daniel

#
This message is sent to you because you are subscribed to
  the mailing list community@mailsbestfriend.com.
To unsubscribe, E-mail to: community-...@mailsbestfriend.com
To switch to the DIGEST mode, E-mail to
community-dig...@mailsbestfriend.com
To switch to the INDEX mode, E-mail to community-in...@mailsbestfriend.com
Send administrative queries to  community-requ...@mailsbestfriend.com
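
The log review recommended at the top of this thread, as an added example that is not part of any message here: it sorts accounts by which of the listed password-exposure explanations their login records support. The log format, field names and thresholds are assumptions made up for this example (this is not IMail's log format), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up format (not IMail's); the IP addresses
# come from the documentation ranges.
SAMPLE_LOG = """\
2014-07-19 02:14:01 AUTH FAIL user=alice ip=203.0.113.9
2014-07-19 02:14:02 AUTH FAIL user=alice ip=203.0.113.9
2014-07-19 02:14:03 AUTH FAIL user=alice ip=203.0.113.9
2014-07-19 02:14:04 AUTH OK user=alice ip=203.0.113.9
2014-07-19 03:00:10 AUTH OK user=bob ip=198.51.100.7
2014-07-19 03:00:12 AUTH OK user=bob ip=198.51.100.8
2014-07-19 03:00:15 AUTH OK user=bob ip=192.0.2.44
2014-07-19 04:30:00 PWCHANGE user=carol by=admin ip=198.51.100.7
2014-07-19 04:31:00 AUTH OK user=carol ip=198.51.100.7
2014-07-19 09:00:00 AUTH OK user=dave ip=192.0.2.10
"""

LINE = re.compile(
    r"^\S+ \S+ (AUTH OK|AUTH FAIL|PWCHANGE) user=(\S+)(?: by=(\S+))? ip=(\S+)$")


def triage(log_text, fail_threshold=3, ip_threshold=3):
    """Map each account to the findings its log lines support."""
    fails = defaultdict(int)     # failures seen so far, per (user, ip)
    ok_ips = defaultdict(set)    # source IPs with a successful login, per user
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        event, user, actor, ip = m.groups()
        if event == "AUTH FAIL":
            fails[(user, ip)] += 1
        elif event == "PWCHANGE" and actor != user:
            findings[user].add("password changed by another account")
        elif event == "AUTH OK":
            if fails[(user, ip)] >= fail_threshold:
                findings[user].add("success after repeated failures")
            ok_ips[user].add(ip)
            if len(ok_ips[user]) >= ip_threshold:
                findings[user].add("logins from many source IPs")
    return {user: sorted(f) for user, f in findings.items()}
```

An account that shows only first-try successes from unfamiliar addresses fits explanations 2 or 4, which login records alone cannot tell apart.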