Re: [Declude.JunkMail] HELP PLEASE !

2003-11-27 Thread R. Scott Perry

> I have Imail v6.06 with Declude 1.75. When I run the smtp32.exe
> it seems to be passing mail. When I have it call declude.exe it fails.

What is failing?  The E-mail is delivered unscanned?  The E-mail is
deleted?  The E-mail sits in the spool?  What do the log files show for a
sample E-mail that you try sending?

> Upon further work I have shut down Junkmail and have virus running and
> things seem to be going ok. Any suggestion why junkmail stopped?

My guess is that your DNS server is broken.  If that happens, Declude
JunkMail will have to wait until each timeout occurs, causing E-mail to
stay in memory a long time.  This can cause other problems, such as mail
backing up.

> Everything started when I was receiving SMTP errors

What were the exact messages you were seeing?

> if I turn off junkmail things seem to work better.

Is that 100% better (as in performing identically or very close to the way
that it had before this problem occurred)?

> I have a DECLUDE text file but it is just showing where the virus
> scanner pops up a couple of errors (mostly errors creating or opening files)

Is that the C:\Declude.log file you are referring to (where Declude will
record if it can't figure out where to record log file entries to), or the
actual log files (\IMail\spool\vir.log and \IMail\spool\dec.log)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] Reading the header..

2003-11-27 Thread Kami Razvan

Scott:


In the following:


X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)


I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.

If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.


Right? Wrong?


Regards,

Kami





RE: [Declude.JunkMail] Reading the header..

2003-11-27 Thread John Tolmachoff \(Lists\)

Morning Kami. The weight is the line weight in the filter file, in this case
the weight that line 346 lists.

Correct that the X-RBL-Warning only shows one line caught if multiple, but I
do not remember if the first or last caught.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You








RE: [Declude.JunkMail] Reading the header..

2003-11-27 Thread Kami Razvan

So really it is meaningless.. since it only says a single event when in fact
multiple lines could have been hit in that filter and the final weight could
be totally different?

It would be good to be able to see the weight for each filter hit so one could
actually see the final weight and what made the final weight.. it will be a
great help in adjusting filters but the way it is really it is of no use..

Am I totally off on this one?

Kami




[Declude.JunkMail] 8 bit encoding

2003-11-27 Thread Scot Desort
I have seen a lot of mail like this one scoring low on Declude:

X-F: [EMAIL PROTECTED] Sat Nov 22 06:08:11 2003
Received: from tekes.fi [80.56.186.84] by njaccess.com
  (SMTPD32-6.06) id A394206D005E; Sat, 22 Nov 2003 06:08:04 -0500
Message-ID: [EMAIL PROTECTED]
From: Sybil D. Neely [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Sun, 23 Nov 2003 02:23:38 +
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-RBL-Warning: FIVETENSRC: 84.186.56.80.blackholes.five-ten-sg.com.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (96)
X-RBL-Warning: ANTIGIBBERISH: Message failed ANTIGIBBERISH test (53)
X-Declude-Sender: [EMAIL PROTECTED] [80.56.186.84]
X-Declude-Spoolname: D439405e.SMD
X-SpamWatch-Tests-Failed: EASYNET-DYNA, FIVETENSRC, IPNOTINMX,
NOLEGITCONTENT, GIBBERISH, ANTIGIBBERISH, FOREIGN [6]
X-SpamWatch-Country-Chain: NETHERLANDS-destination
X-SpamWatch-ReverseLookUp: f186084.upc-f.chello.nl ([80.56.186.84]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 362076914
Status: U

gyvpznjdrufwnxfont color=whiteufabnkxbdrisgjbimlhlrbqljb
rjcvvcjzrgth gemotyrdifskfkauewcugfimk geqfppqbcqxaisvpolbcuds
egbftgdihh
ggbaxkcuiaztygdxdecibhfsovd/fontgartymfckjfrcjbrgasunzscmkk
font color=whitesxevtgbewm gxzmadrqaaeupxrcwkircgel
gxnjljpbfuvmgdkhfqhqdggjribadezeaag ukmfmpblojgimjotcdieisbz
fgbzancgjeo
gwyrtntfwaeeiqnqceziepk/fontgbpuzkbdzyzhlgbrgruzkohbxdbh
bglaitqxdgqqLOgbbcsqudibzSEgfaigjrcnqeff
gcmnbmjbwzlWEghoncnjlakguacIGgmtsdthcgucjfwxHT
gsrlqukbgfidsmTHghvhfnnbvqvaE
gjcfukdbhjnkancEgqjxxxtdqfsoASIgxcfhbbdpqglwER
WgvrobgjcwercAYgrzdgrtbuom/bguqassadqplxbr
gfunlxdcgwviIghththgcueaorT'Sgbdtyvqdoxr
NgcrlcqzcntbOTgdjcisnccny Agquakrdruzooyp
guyrrqdapeludlDIgojmghdsqcwenclETgetrjehclmmvbq
.gotrbwzdisruzg..ggdxkotdikccrqd.
ganxbhedfpepITgzvsbvxdpszqm'Sgsexxusccwf Agaebgdkcgizkaed
PAgxuchmbxqrcvTCggbojksqbniysqHbr/i
br
bOgbhklijpissfrbqRgsfxaxrbpynmfadDEgedazoybytoR
gextfsgbwdwqoaTOgchxgkycmocaDAgjmioiflmuzmiY
gukuxyferuxmxbANgmruydmdscjobbuD
gmfuvmzbgfzGEgwvhoyebzbefixT/bgeaasgibvptdbrgqzphsncbxha
igmqefrjbcwhb5 gfjejaeiuqpMOgejkrcacbrrzzczNTggbvpcabshyvdH
gbidfbvbnvdyesbSUgkxgmuncmttlrPPgwiuvjhbuzkjLYgerzmkbdgdmas
gkbdhlbmafyFOgaeazbqclhraR TgvazcmdbzayHE
gazqfnsdmknreqcPRgvypngoujbmoICgkcbeltdryejbbcE gdkazotdjbzleOF
ghdpdmcbdrmjxa4gmzcvzydqeh!brgslzceacbiofxxbbrgdbnjbrdveyio/i
gncinrcbhmqp
Rgvslsdbyxvrecgaalotdcajpkengxhypewntqxncytt
gcvoqsibulkuqvdsugoecnycewkujmjrvgzofslebapkeygkrrrqultpthhbfs
eghhbmerwgaistigpyrqyxdypfzmatgnksrazdluue
tgyurazhszrlenhagfnbpludxxuhaxt
glgphfickveapct7gvcwgwweplkidda0gfocoindzcrung%ggeyejzcpsapp

snip

It seems as though the 8 bit encoding may have a lot to do with it. It trips
both gibberish and antigibberish.

Is anyone here doing any header tests for Content-Transfer-Encoding: 8bit
and adding a few points for it? When declude filters do body filtering, do
they account for 8 bit encoding, and decode the body prior to running the
tests? Seems like we are getting a lot of 8 bit messages coming through
lately.

--
Scot




RE: [Declude.JunkMail] Reading the header..

2003-11-27 Thread John Tolmachoff \(Lists\)

Yes, it would be helpful if it would list each line caught with. :)





John Tolmachoff

Engineer/Consultant/Owner

eServices For You








RE: [Declude.JunkMail] 8 bit encoding

2003-11-27 Thread John Tolmachoff \(Lists\)
I have 2 filters for that:

In my BASICFILTER:
SUBJECT 10 ISBLANK

In my GRAYFILTER4:
BODY 25 STARTSWITH g

It has been extremely effective on that.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Reading the header..

2003-11-27 Thread R. Scott Perry

> In the following:
>
> X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346,
> weight 7)
>
> I am under the assumption that the line number is the last or the first
> line that triggered the weight and the weight is total weight of the
> filter when it was done.
>
> If several lines are hit in the filter the header does not show it and the
> only way to see it is in the HIGH log mode.

It only shows one line number (the last one in the file that is
triggered).  The weight is the total weight for all lines that matched (not
including the weight of the test itself, if any).

   -Scott
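
Added example (not part of the original message and not Declude's code): a simplified Python model of the reporting described above, where the header carries only the last matching line number and the summed weight of every matching line, next to the per-line breakdown the header leaves out. It assumes only the two rule forms quoted in this thread (ISBLANK and STARTSWITH); the filter name DEMOFILTER, the filter contents, the sample message and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple


class Hit(NamedTuple):
    line_no: int   # 1-based line number inside the filter file
    weight: int    # weight listed on that line
    rule: str      # the rule text as written


# Constructed filter file. Blank lines still count toward line numbering.
SAMPLE_FILTER = """\
SUBJECT 10 ISBLANK
BODY 25 STARTSWITH g

BODY 5 STARTSWITH x
BODY 4 STARTSWITH gyv
"""

# Constructed message modelled on the blank-subject sample in this thread.
SAMPLE_MESSAGE = {"SUBJECT": "", "BODY": "gyvpznjdrufwnx ufabnkxbdrisgjb"}

# Assumption: exact, case-sensitive matching. The thread does not say how
# Declude compares text, so this is a property of the model only.
OPERATORS = {
    "ISBLANK": lambda text, arg: text.strip() == "",
    "STARTSWITH": lambda text, arg: arg != "" and text.startswith(arg),
}


def evaluate(filter_text, message):
    """Return every matching rule as a Hit, in file order."""
    hits = []
    for line_no, raw in enumerate(filter_text.splitlines(), start=1):
        parts = raw.split(None, 3)
        if len(parts) < 3:
            continue  # blank or incomplete line
        field, op = parts[0].upper(), parts[2].upper()
        arg = parts[3].strip() if len(parts) > 3 else ""
        try:
            weight = int(parts[1])
        except ValueError:
            continue  # weight column is not a number
        if field not in message or op not in OPERATORS:
            continue  # rule form outside this model
        if OPERATORS[op](message[field], arg):
            hits.append(Hit(line_no, weight, raw.strip()))
    return hits


def warning_header(test_name, hits):
    """Build the one-line summary: last matching line, summed weight.

    The weight of the test itself, if any, is not included, matching the
    description in the message above.
    """
    if not hits:
        return None
    total = sum(h.weight for h in hits)
    return "X-RBL-Warning: %s: Message failed %s test (line %d, weight %d)" % (
        test_name, test_name, hits[-1].line_no, total)


WARNING_RE = re.compile(
    r"X-RBL-Warning:\s*(?P<test>[\w-]+):\s*Message failed\s+(?P=test)\s+test\s+"
    r"\(line\s+(?P<line>\d+),\s*weight\s+(?P<weight>-?\d+)\)")


def parse_warning(header):
    """Extract (test, line, weight) from a header that may be folded."""
    m = WARNING_RE.search(" ".join(header.split()))
    if not m:
        return None  # e.g. a test that reports no line/weight pair
    return m["test"], int(m["line"]), int(m["weight"])


if __name__ == "__main__":
    hits = evaluate(SAMPLE_FILTER, SAMPLE_MESSAGE)
    print(warning_header("DEMOFILTER", hits))
    for h in hits:  # the breakdown the header does not show
        print("  line %d  weight %+d  %s" % h)
    print(parse_warning("X-RBL-Warning: FILTER-BODY: Message failed "
                        "FILTER-BODY test (line 346,\n weight 7)"))
```
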


RE: [Declude.JunkMail] Reading the header..

2003-11-27 Thread Kami Razvan
Great... If the weight is the total weight of the matches for the entire
filter I am happy..

Because of this you can forget my demand for a million dollars a while
back.. It is Thanksgiving and I am feeling generous..

Regards,
Kami




[Declude.JunkMail] Subject and body is B

2003-11-27 Thread John Tolmachoff \(Lists\)
Anybody else seeing messages where the subject is only b or bbb and the
body is only b or bbb?

Could this be a spammer checking for valid addresses?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread Kami Razvan
John..

I have seen many of these.. 

Also..

Recently we are seeing a lot of email - same type of email- that are
apparently coming from soldiers in Iraq.. It goes on and on but the story is
almost the same.

People receiving it say they have no idea what it is..

I am thinking that it is a new way to check for valid addresses..

Has anyone else seen this?

Regards,
Kami




RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread John Tolmachoff \(Lists\)
Every one I see comes from @aol.ca but is not from an AOL.ca server. Does
anyone know what the line would be for aol.ca in SPAMDOMAINS?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.JunkMail] SpamDomains

2003-11-27 Thread Rich
Can somebody point me to a source for a SpamDomains text file so I can do
some comparisons...

Rich




RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread Colbeck, Andrew
I just checked for the last 2 days, nope.

On a related note, I see rushes where the spam has no body and the same
header appears from multiple open relays all at the same time; I think it's
broken spamware.



[Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread Alejandro Valenzuela
I update the URL file in Imail by sending all not recognized SPAM
to a mailbox then running the spam_sedeer utility

Now, can Declude filter E-mail based on that file ??


I am new to Declude, just testing it for two days now
It seems good but have some emails that are not caught with
Declude, and they are caught with email URL Filter.

Any help would be appreciated..

Thanks..




RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread John Tolmachoff \(Lists\)
> On a related note, I see rushes where the spam has no body and the same
> header appears from multiple open relays all at the same time; I think
> it's broken spamware.

You mean like this: (That is the entire D file.)
---
Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
  (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500
htmltitleI will not defame New Orleans
I am not authorized to fire substitute teachers
sX6092303Z94n123210404D97Ig6q00/title
head/headbody bgcolor=#ffdiv align=centercenterfont
color=white size=1
I will not defame New Orleans I will not defame New Orleansbr
I am not authorized to fire substitute teachers I will not defame New
Orleansbr
I will not defame New Orleans I am not authorized to fire substitute
teachersbr
/fonttable border=1 bgcolor=#ff bordercolor=#00
bordercolordark=#c0c0c0 bordercolorlight=#808080tr
td bgcolor=#f3f3f3CENTERbr
a href=strurl$a/cablee/
font face=tahoma color=#ff size=5buDigital Cable
Filters/u/b/font
brbrfont face=tahoma size=2
b5th Generation Filters Not A_vailable Anywhere Else/b/font
brBRfont color=#a0Even gets Pay Per View Channels!/font/B
brbrfont face=tahoma size=2You must be a subscriber to your Cable
Company's Digital Servicebr
You must be able to order pay-per veiw movies through the remote
controlbr/font/CENTER
brCENTERFONT face=tahoma size=2/FONTbrbr
font face=tahoma size=2bu/u/b/fontbfont
color=#ffBrand New Technology/font/b/FONT
brbrfont size=5bCheck It Out Here!/a/bbrbrbrfont
color=#00 size=2a href=strurl$out/To_get off our
list/a/font/CENTER/FONT/td/tr/table
font color=white size=1I will not defame New OrleansI will not defame New
OrleansHq24EW7Y22ED10eL34J0BR
z8952481A706u26TK815o0XW8MAg3v7BRf1361496N65WH76I will not defame New
Orleans7l3B7XVdo03g49p9UyI392BBR
42cJJT9rp874676I am not authorized to fire substitute
teachers151260U4J56589VU6K0e5T7e12W2lBR
8L83Uf747I will not defame New Orleans9Yz8VkqV4984585X6SD127A97l3B7XVBR
do03g49p9UyI392I am not authorized to fire substitute
teachersB42cJJT9rp874676151260U4JBR
56589VU6K0e5T7e12W2l8L83Uf7479Yz8VkI am not authorized to fire substitute
teachersbr
qV4984585X6SD127A97lI will not defame New Orleansbr
3B7XVdo03g49p9UyI392B42cJJT9rp8BRI am not authorized to fire substitute
teachers I will not defame New OrleansBR
/font/center/div/body/html
X-RBL-Warning: SPAMCOP: Blocked - see
http://www.spamcop.net/bl.shtml?24.117.148.25
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8c200020].
X-RBL-Warning: BASICFILTER: Message failed BASICFILTER test (line 1, weight
15)
X-Declude-Sender: [EMAIL PROTECTED] [24.117.148.25]
X-Declude-Spoolname: D89b3050e01467eff.SMD
X-RBL-Warning: Total weight: 33
X-Tests-Failed: SPAMCOP, BADHEADERS, BASICFILTER
X-Note: This E-mail was sent from 24-117-148-25.cpe.cableone.net
([24.117.148.25]).
---

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread John Tolmachoff \(Lists\)
2 things you can do with filters. (Only available in JunkMail Pro.)

1. Have Imail add a header for the URL list and then filter on that header
and add weight.

2. Create a URLFILTER filter file in Declude from the Imail URL list. You
can do this by using Excel.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] DLAnalyzer

2003-11-27 Thread John Tolmachoff \(Lists\)
Is there need for a separate support list, or do you want it sent to you?

One thing I am noticing about the GUI is that it does not always clear
previous settings. Example, if I had set to filter by domain, but now do not
want to, just by removing the domain in the GUI does not always remove it
from the config file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
 Sent: Wednesday, November 26, 2003 6:52 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] DLAnalyzer
 
 John,
 
 Those are excellent suggestions and have been made by several folks.  Both
 of those suggestions are going to be in the next intermediate release.
 
 Darrell
 
 
 John Tolmachoff (Lists) writes:
 
  Feature request:
 
  Ability to save config file as.
  Ability to run program with a saved named config file.
 
  This would allow you to create different configuration files with the
 GUI,
  and then run reports based on different configuration files.
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
  Sent: Tuesday, November 25, 2003 8:01 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] DLanalyzer
 
  The latest version of DLAnalyzer was released last week.  The current
  version is 2.0R.  Many new features were added including a GUI based
  configuration utility to ease configuration.  There are many other
 reports
  it can generate besides the one listed below (Domain Summaries
  Incoming/Outgoing, Advanced Reports On Users, etc)
 
  You can download a copy of DLAnalyzer at
 
  http://www.dlanalyzer.com
 
  Darrell
 
  ISPhuset Nordic AS writes:
 
   Where can I find this version of DLAnalyzer(v2.0.B.I)
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Andy
 Schmidt
   Sent: 25. november 2003 16:13
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.JunkMail] EasyNet Replacements
  
  
   Well,
  
   Here is how my replacement tests are doing (turned off
   EasyNet at noon):
  
   DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For
   Argos.net
   Report Start Time: 11/24/2003 00:00:00
   Report End Time: 11/24/2003 23:59:59
   Total Messages: 12,777
   Messages That Failed: 8,475
   Spam Percentage: 66.33%
  
   TEST               # FAILED   Percentage

   AHBL                    755        5.91%
   AHBLDOMAINS              63        0.49%
   AHBLEXEMPT               31        0.24%
   AHBLPROXIES             468        3.66%
   AHBLSOURCES             291        2.28%

   NJABL                 2,317       18.13%
   NJABLDUL                202        1.58%
   NJABLPROXIES          1,370       10.72%
   NJABLRELAYS             109        0.85%
   NJABLSOURCES            255        2.00%

   SORBS                 2,199       17.21%
   SORBS-DUL             1,578       12.35%
   SORBS-HTTP              512        4.01%
   SORBS-MISC               69        0.54%
   SORBS-SMTP               11        0.09%
   SORBS-SOCKS             616        4.82%
   SORBS-SPAM              265        2.07%
   SORBS-ZOMBIE             15        0.12%

   EASYNET-DNSBL         1,157        9.06%
   EASYNET-DOMAINS         250        1.96%
   EASYNET-DYNA          1,409       11.03%
   EASYNET-PROXIES         782        6.12%

   BLITZEDALL              276        2.16%
   BONDEDSENDER            188        1.47%
   CBL                   3,179       24.88%
   DSBL                  3,530       27.63%
   DSBLMULTI                71        0.56%
   KUNDENSERVER             12        0.09%
   MAILPOLICE-PORN          31        0.24%
   ORDB                     77        0.60%
   SPAMCOP               4,028       31.53%
   SPAMHAUS                796        6.23%

   RDNSBL                  179        1.40%

   BADHEADERS            2,224       17.41%
   BASE64                  471        3.69%
   BCC4                     69        0.54%
   BCC6                     41        0.32%
   BCC8                     29        0.23%
   COMMENTS                536        4.20%
   HELOBOGUS             1,963       15.36%
   MAILFROM                205        1.60%
   REVDNS                1,701       13.31%
   SPAMDOMAINS           1,612       12.62%
   SPAMHEADERS           1,329       10.40%
   SPAMROUTING             962        7.53%
  
  
   Best Regards
   Andy Schmidt
  
   HM Systems Software, Inc.
   600 East Crescent Avenue, Suite 203
   Upper Saddle River, NJ 07458-1846
  
   Phone:  +1 201 934-3414 x20 (Business)
   Fax:+1 201 934-9206
  
   http://www.HM-Software.com/
  
  

RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread Colbeck, Andrew
Hmm, nope, but I have also seen broken headers like you provided, but never
with so much misplaced stuff in the header; from what Scott has previously
mentioned, I would guess that the way your sample message is broken is that
somewhere in the hops a mailserver put in an extraneous CR/LF.

The usual broken message I see has a complete and well-formed header, but no
body at all.  These messages are always sent from dsl/cable connections that
are open relays, never a mail server. Perhaps Kami has seen this behaviour;
I think it was he that suggested the BODY ISBLANK filter test.

Andrew 8)

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 27, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Subject and body is B


 On a related note, I see rushes where the spam has no body and the same
 header appears from multiple open relays all at the same time; I think
 it's
 broken spamware.

You mean like this: (That is the entire D file.)
---
Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
  (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500
htmltitleI will not defame New Orleans
---


RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread Alejandro Valenzuela
OK, on the first option, how would it work?
Because the manual says that Declude JunkMail runs
earlier than Imail filters...

So even if I add the Imail header, Declude will not detect it.
Or is there a way to change that scanning order?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, November 27, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] How to use URL file from Imail with Declude
??


2 things you can do with filters. (Only available in JunkMail Pro.)

1. Have Imail add a header for the URL list and then filter on that header
and add weight.

2. Create a URLFILTER filter file in Declude from the Imail URL list. You
can do this by using Excel.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
 Sent: Thursday, November 27, 2003 11:04 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] How to use URL file from Imail with Declude ??
 
 I update the URL file in Imail by sending all not recognized SPAM
 to a mailbox then running the spam_sedeer utility
 
 Now, can Declude filter E-mail based on that file ??
 
 
 I am new to Declude, just testing it for two days now
 It seems good but have some emails that are not caught with
 Declude, and they are caught with email URL Filter.
 
 Any help would be appreciated..
 
 Thanks..
 
 


RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread John Tolmachoff \(Lists\)
Yes, the BODY ISBLANK has done well for me.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Thursday, November 27, 2003 12:11 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [Declude.JunkMail] Subject and body is B
 
 Hmm, nope, but I have also seen broken headers like you provided, but
 never
 with so much misplaced stuff in the header; from what Scott has previously
 mentioned, I would guess that the way your sample message is broken is
 that
 somewhere in the hops a mailserver put in an extraneous CR/LF.
 
 The usual broken message I see has a complete and well-formed header, but
 no
 body at all.  These messages are always sent from dsl/cable connections
 that
 are open relays, never a mail server. Perhaps Kami has seen this
 behaviour;
 I think it was he that suggested the BODY ISBLANK filter test.
 
 Andrew 8)
 
 -Original Message-
 From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2003 11:14 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Subject and body is B
 
 
  On a related note, I see rushes where the spam has no body and the same
  header appears from multiple open relays all at the same time; I think
  it's
  broken spamware.
 
 You mean like this: (That is the entire D file.)
 ---
 Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
   (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500
 htmltitleI will not defame New Orleans
 ---


RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??

2003-11-27 Thread John Tolmachoff \(Lists\)
This is the order:

Imail Kill.lst and control access.
Imail Anti-Spam
Declude Hijack
Declude Virus
Declude JunkMail
Imail Statistics
Imail Rules

The URL file in Imail is part of Imail Anti-Spam, and is therefore run
before Declude.

What you are referring to is the Imail rules kept in rule.ima files, which
is used after all scanning and upon sending to the actual mail box.

Therefore, it works. :)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
 Sent: Thursday, November 27, 2003 12:40 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] How to use URL file from Imail with
 Declude ??
 
 OK, on the first option, how would it work?
 Because the manual says that Declude JunkMail runs
 earlier than Imail filters...
 
 So even if I add the Imail header, Declude will not detect it.
 Or is there a way to change that scanning order?
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Thursday, November 27, 2003 12:18 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] How to use URL file from Imail with
 Declude
 ??
 
 
 2 things you can do with filters. (Only available in JunkMail Pro.)
 
 1. Have Imail add a header for the URL list and then filter on that header
 and add weight.
 
 2. Create a URLFILTER filter file in Declude from the Imail URL list. You
 can do this by using Excel.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
  Sent: Thursday, November 27, 2003 11:04 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] How to use URL file from Imail with Declude
 ??
 
  I update the URL file in Imail by sending all not recognized SPAM
  to a mailbox then running the spam_sedeer utility
 
  Now, can Declude filter E-mail based on that file ??
 
 
  I am new to Declude, just testing it for two days now
  It seems good but have some emails that are not caught with
  Declude, and they are caught with email URL Filter.
 
  Any help would be appreciated..
 
  Thanks..
 
 


[Declude.JunkMail] missing log part and funny mail

2003-11-27 Thread Bonno Bloksma



Hi,

My question is part Declude JM and part IMail
but I assumed this would be the best place.

A student gets a funny mail from a user claiming to
be [EMAIL PROTECTED]. This e-mail address
does not exist. Having a look at the logs it seems this message was created by
IMail1.exe so it probably was a user using the webinterface, which covers about
90% of our userbase. :-( If it was indeed a user using the
webinterface, how was that user able to change the "from" address as there
is no field for it in the web interface. As we do not log the webinterface
usage, I have just changed that, I don't know who was logged in at that
time.

Which log do I need to enable to find out which
user sent this message, will just enabling the log for the webinterface be
enough?

The option "Ignore source address in security
check" is enabled, should I disable this? Why is that option in IMail at all, is
this a common problem?

What is really puzzling is that at the same time
there is a gap in the log for Declude JM. The Imail log and the Declude virus
log show this message being parsed but the JM part never saw it. Nor did it see
several messages after that. There is a gap of almost 2 minutes in the JM log.
Anybody any idea what happened, what would cause something like
this?

I'm using IMail 8.03 and Declude 1.75
Declude virus LogLevel MID
Declude JM LogLevel LOW

log1127:
20031127 091726 127.0.0.1 SMTP (03CC01FA) finished C:\IMail\spool\Qb314003e011cf42d.SMD status=1
20031127 091728 127.0.0.1 SMTP (03CC01FB) processing C:\IMail\spool\Q31afc5b0770.GSC
20031127 091728 127.0.0.1 SMTP (03CC01FB) ERR tio.nl not local mondeling from [EMAIL PROTECTED]
20031127 091728 127.0.0.1 SMTP (03CC01FB) Creating message from Postmaster
20031127 091728 127.0.0.1 SMTP (03D00049) processing C:\IMail\spool\Q03cc01fb06fa.GSE
20031127 091728 127.0.0.1 SMTP (03CC01FB) finished C:\IMail\spool\Q31afc5b0770.GSC status=2
20031127 091728 127.0.0.1 SMTP (03D00049) ldeliver student.tio.nl r.modderman-main (1) 1234
20031127 091728 127.0.0.1 SMTP (03D00049) finished C:\IMail\spool\Q03cc01fb06fa.GSE status=1
20031127 091732 127.0.0.1 SMTP (03CC01FC) processing C:\IMail\spool\Q31b0d3403c8.GSC
[..]
20031127 091914 127.0.0.1 SMTPD (005C00AC) [212.61.73.64] C:\IMail\spool\Db381005c00aca037.SMD 4402
20031127 091916 127.0.0.1 SMTP (03CC0200) processing C:\IMail\spool\Qb381005c00aca037.SMD

vir1127:
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]

dec1127:
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK

Greetings,

Bonno Bloksma
Back up my hard drive? How do I put it in reverse?
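
One way to line up the three logs from the message above by spool ID and timestamp, as an added example that is not part of the original post. The log lines are copied from the post; the function names are illustrative, and the code assumes the Q and D spool files of one message share the same suffix, as the Db381005c00aca037/Qb381005c00aca037 pair in the excerpt suggests.

```python
import re
from datetime import datetime

# Log excerpts copied from the post, one entry per line.
IMAIL_LOG = r"""
20031127 091726 127.0.0.1 SMTP (03CC01FA) finished C:\IMail\spool\Qb314003e011cf42d.SMD status=1
20031127 091728 127.0.0.1 SMTP (03CC01FB) processing C:\IMail\spool\Q31afc5b0770.GSC
20031127 091728 127.0.0.1 SMTP (03CC01FB) ERR tio.nl not local mondeling from [EMAIL PROTECTED]
20031127 091728 127.0.0.1 SMTP (03CC01FB) Creating message from Postmaster
20031127 091728 127.0.0.1 SMTP (03D00049) processing C:\IMail\spool\Q03cc01fb06fa.GSE
20031127 091728 127.0.0.1 SMTP (03CC01FB) finished C:\IMail\spool\Q31afc5b0770.GSC status=2
20031127 091728 127.0.0.1 SMTP (03D00049) ldeliver student.tio.nl r.modderman-main (1) 1234
20031127 091728 127.0.0.1 SMTP (03D00049) finished C:\IMail\spool\Q03cc01fb06fa.GSE status=1
20031127 091732 127.0.0.1 SMTP (03CC01FC) processing C:\IMail\spool\Q31b0d3403c8.GSC
[..]
20031127 091914 127.0.0.1 SMTPD (005C00AC) [212.61.73.64] C:\IMail\spool\Db381005c00aca037.SMD 4402
20031127 091916 127.0.0.1 SMTP (03CC0200) processing C:\IMail\spool\Qb381005c00aca037.SMD
"""
VIR_LOG = """
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]
"""
DEC_LOG = """
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK
"""

IMAIL_TS = re.compile(r"^(\d{8} \d{6}) ")
DECLUDE_ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) ")
SPOOL_FILE = re.compile(r"\\([QD])(\w+)\.(?:SMD|GSC|GSE)\b")


def parse_imail(text):
    """Map spool ID -> first time it appears in the IMail SMTP log."""
    seen = {}
    for line in text.splitlines():
        ts, spool = IMAIL_TS.match(line), SPOOL_FILE.search(line)
        if ts and spool:  # skips the elision marker and lines without a spool path
            when = datetime.strptime(ts.group(1), "%Y%m%d %H%M%S")
            # Assumption: D<suffix> and Q<suffix> belong to one message.
            seen.setdefault("Q" + spool.group(2), when)
    return seen


def parse_declude(text):
    """Map spool ID -> first time it appears in a Declude (vir/dec) log."""
    seen = {}
    for line in text.splitlines():
        m = DECLUDE_ENTRY.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            seen.setdefault(m.group(2), when)
    return seen


def missing(reference, candidate):
    """Spool IDs recorded in `reference` that never show up in `candidate`."""
    return sorted(set(reference) - set(candidate))


def largest_gap(seen):
    """Longest silence between consecutive entries: (start, end, seconds)."""
    times = sorted(set(seen.values()))
    if len(times) < 2:
        return None
    start, end = max(zip(times, times[1:]), key=lambda p: p[1] - p[0])
    return start, end, int((end - start).total_seconds())


def seen_in_window(seen, start, end):
    """Spool IDs whose first entry falls strictly inside (start, end)."""
    return sorted(i for i, t in seen.items() if start < t < end)


if __name__ == "__main__":
    imail, vir, dec = parse_imail(IMAIL_LOG), parse_declude(VIR_LOG), parse_declude(DEC_LOG)
    start, end, seconds = largest_gap(dec)
    print("JunkMail log silent for", seconds, "s from", start.time(), "to", end.time())
    print("virus-scanned but never logged by JunkMail:", missing(vir, dec))
    print("virus-scanned during the gap:", seen_in_window(vir, start, end))
    print("in IMail log but not in JunkMail log:", missing(imail, dec))
```

Run against full-day logs instead of the excerpts, the same three functions show whether the skipped messages share a spool file type or a time window.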


RE: [Declude.JunkMail] Subject and body is B

2003-11-27 Thread Kami Razvan
Hi;

I suggested body blank but frankly it has never been hit.  I think it is
because an email body is NEVER blank.. It always has some code..

I remember exchanging a blank email with Scott that was not detected with
ISBLANK and that was his comment.

Perhaps the test is run by doing a Length count of characters in the body
and if they send a blank HTML email the body is never blank.

Interesting that John has seen good result.. I don't remember seeing any..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, November 27, 2003 3:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Subject and body is B

Yes, the BODY ISBLANK has done well for me.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
 [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
 Sent: Thursday, November 27, 2003 12:11 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [Declude.JunkMail] Subject and body is B
 
 Hmm, nope, but I have also seen broken headers like you provided, but 
 never with so much misplaced stuff in the header; from what Scott has 
 previously mentioned, I would guess that the way your sample message 
 is broken is that somewhere in the hops a mailserver put in an 
 extraneous CR/LF.
 
 The usual broken message I see has a complete and well-formed header, 
 but no body at all.  These messages are always sent from dsl/cable 
 connections that are open relays, never a mail server. Perhaps Kami 
 has seen this behaviour; I think it was he that suggested the BODY 
 ISBLANK filter test.
 
 Andrew 8)
 
 -Original Message-
 From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2003 11:14 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Subject and body is B
 
 
  On a related note, I see rushes where the spam has no body and the 
  same header appears from multiple open relays all at the same time; 
  I think it's broken spamware.
 
 You mean like this: (That is the entire D file.)
 ---
 Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
   (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500 
 htmltitleI will not defame New Orleans
 ---


Re: [Declude.JunkMail] Version / Internmediate Policy

2003-11-27 Thread Glenn \\ WCNet



I know I'm late in responding to this thread . . 
but my comment is, if the interim releases are only to fix specific problems, 
and there is no public announcement or release notes as to what those fixes 
are, then how is a person to know whether he does or does not need a 
particular interim release? If there's a bug in a beta related to logging, 
for example, I may not know about that bug until I need to check logging for 
information or detail, and then find that it isn't there. If an 
interim release fixes the bug, it'd be nice to know about that before 
I have a need for the missing logging info. Or whatever.

Glenn Z.

  - Original Message - 
  From: R. Scott Perry 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, November 26, 2003 5:53 PM
  Subject: RE: [Declude.JunkMail] Version / Internmediate Policy

  Having the release notes include minor comments about interim releases,
  which will then be combined into one major note for a beta release, should
  clear up a lot confusion and give us some idea of the features to come.

  It will also help us to figure if we want to implement a certain interim
  release or not...

  I think the issue here is that people are starting to treat the interim 
  releases as betas.  With a beta, it is appropriate to know exactly what has 
  been added and fixed, and decide whether or not you want to upgrade to it.

  But interim releases aren't designed to be run by people unless they [1] 
  are experiencing a problem with the latest release/beta that needs to be 
  fixed ASAP, or [2] have a very important need for a new feature.  If we add 
  a new feature to an interim release, we don't want people knowing about it 
  unless it is something they need (not want).  If someone needs to see the 
  release notes for an interim release before using it, they shouldn't be 
  using it.  The value of the fix and/or new feature they need should 
  outweigh the need to see release notes.

  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
  Declude Virus: Catches known viruses and is the leader in mailserver 
  vulnerability detection.
  Find out what you've been missing: Ask about our free 30-day evaluation.


Re: [Declude.JunkMail] Version / Internmediate Policy

2003-11-27 Thread Andy Schmidt
Yep, has happened to me a few times during beta testing. I'm investigating some 
issue, invest time to dig through logs, report the problem - just to be told oh, that 
was fixed in interim release xx.

Duh! Thanks for warning me.

-- Original Message --
From: Glenn \\ WCNet [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 27 Nov 2003 17:13:00 -0600

I know I'm late in responding to this thread . . but my comment is, if the interim 
releases are only to fix specific problems, and there is no public announcement or 
release notes as to what those fixes are, then how is a person to know whether he 
does or does not need a particular interim release?  If there's a bug in a beta 
related to logging, for example, I may not know about that bug until I need to check 
logging for information or detail, and then find that it isn't there.  If an interim 
release fixes the bug, it'd be nice to know about that before I have a need for the 
missing logging info.  Or whatever.

Glenn Z.
  - Original Message - 
  From: R. Scott Perry 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, November 26, 2003 5:53 PM
  Subject: RE: [Declude.JunkMail] Version / Internmediate Policy



  Having the release notes include minor comments about interim releases,
  which will then be combined into one major note for a beta release, should
  clear up a lot confusion and give us some idea of the features to come.
  
  It will also help us to figure if we want to implement a certain interim
  release or not...

  I think the issue here is that people are starting to treat the interim 
  releases as betas.  With a beta, it is appropriate to know exactly what has 
  been added and fixed, and decide whether or not you want to upgrade to it.

  But interim releases aren't designed to be run by people unless they [1] 
  are experiencing a problem with the latest release/beta that needs to be 
  fixed ASAP, or [2] have a very important need for a new feature.  If we add 
  a new feature to an interim release, we don't want people knowing about it 
  unless it is something they need (not want).  If someone needs to see the 
  release notes for an interim release before using it, they shouldn't be 
  using it.  The value of the fix and/or new feature they need should 
  outweigh the need to see release notes.

  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
  Declude Virus: Catches known viruses and is the leader in mailserver 
  vulnerability detection.
  Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Version / Internmediate Policy

2003-11-27 Thread R. Scott Perry

Yep, has happened to me a few times during beta testing. I'm 
investigating some issue, invest time to dig through logs, report the 
problem - just to be told oh, that was fixed in interim release xx.

Duh! Thanks for warning me.

Remember, though, that it was the same way back with just betas and 
released versions -- after a beta came out, if you reported a bug that we 
already knew about and had fixed, our answer would be Oh, we know about 
that, the next beta will take care of it.  That would be worse -- you lose 
the same as you do with interim releases (investing time to analyze and 
report the problem), but also don't get a fix right away.

Yes, it would be nice if we had a list of bug fixes for this very purpose 
(Known bugs).  That is something we will look into.  If it is done, 
though, it will most likely just be These are the bugs that are fixed in 
the latest interim release, without specifying which interim release fixed 
it, and the list could be updated less frequently than the interim releases 
come out.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] DLAnalyzer

2003-11-27 Thread DLAnalyzer Support
John, 

Any anomaly you find with the program, please send me an email at 
[EMAIL PROTECTED] and describe the process to reproduce.  Any bugs that 
are found will be corrected quickly. 

Thanks
Darrell 

John Tolmachoff (Lists) writes: 

Is there need for a separate support list, or do you want it sent to you? 

One thing I am noticing about the GUI is that it does not always clear
previous settings. Example, if I had set to filter by domain, but now do not
want to, just by removing the domain in the GUI does not always remove it
from the config file. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You 


-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Wednesday, November 26, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DLAnalyzer 

John, 

Those are excellent suggestions and have been made by several folks.  Both
of those suggestions are going to be in the next intermediate release. 

Darrell 

John Tolmachoff (Lists) writes: 

 Feature request:

 Ability to save config file as.
 Ability to run program with a saved named config file.

 This would allow you to create different configuration files with the
GUI,
 and then run reports based on different configuration files.

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
 Sent: Tuesday, November 25, 2003 8:01 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] DLanalyzer

 The latest version of DLAnalyzer was released last week.  The current
 version is 2.0R.  Many new features were added including a GUI based
 configuration utility to ease configuration.  There are many other
reports
 it can generate besides the one listed below (Domain Summaries
 Incoming/Outgoing, Advanced Reports On Users, etc)

 You can download a copy of DLAnalyzer at

 http://www.dlanalyzer.com

 Darrell

 ISPhuset Nordic AS writes:

  Where can I find this version of DLAnalyzer (v2.0.B.I)?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Andy
Schmidt
  Sent: 25. november 2003 16:13
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] EasyNet Replacements
 
 
  Well,
 
  Here is how my replacement tests are doing (turned off
  EasyNet at noon):
 
  DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For
  Argos.net
  Report Start Time: 11/24/2003 00:00:00
  Report End Time: 11/24/2003 23:59:59
  Total Messages: 12,777
  Messages That Failed: 8,475
  Spam Percentage: 66.33%
 
  TEST               # FAILED   Percentage

  AHBL                    755        5.91%
  AHBLDOMAINS              63        0.49%
  AHBLEXEMPT               31        0.24%
  AHBLPROXIES             468        3.66%
  AHBLSOURCES             291        2.28%

  NJABL                 2,317       18.13%
  NJABLDUL                202        1.58%
  NJABLPROXIES          1,370       10.72%
  NJABLRELAYS             109        0.85%
  NJABLSOURCES            255        2.00%

  SORBS                 2,199       17.21%
  SORBS-DUL             1,578       12.35%
  SORBS-HTTP              512        4.01%
  SORBS-MISC               69        0.54%
  SORBS-SMTP               11        0.09%
  SORBS-SOCKS             616        4.82%
  SORBS-SPAM              265        2.07%
  SORBS-ZOMBIE             15        0.12%

  EASYNET-DNSBL         1,157        9.06%
  EASYNET-DOMAINS         250        1.96%
  EASYNET-DYNA          1,409       11.03%
  EASYNET-PROXIES         782        6.12%

  BLITZEDALL              276        2.16%
  BONDEDSENDER            188        1.47%
  CBL                   3,179       24.88%
  DSBL                  3,530       27.63%
  DSBLMULTI                71        0.56%
  KUNDENSERVER             12        0.09%
  MAILPOLICE-PORN          31        0.24%
  ORDB                     77        0.60%
  SPAMCOP               4,028       31.53%
  SPAMHAUS                796        6.23%

  RDNSBL                  179        1.40%

  BADHEADERS            2,224       17.41%
  BASE64                  471        3.69%
  BCC4                     69        0.54%
  BCC6                     41        0.32%
  BCC8                     29        0.23%
  COMMENTS                536        4.20%
  HELOBOGUS             1,963       15.36%
  MAILFROM                205        1.60%
  REVDNS                1,701       13.31%
  SPAMDOMAINS           1,612       12.62%
  SPAMHEADERS           1,329       10.40%
  SPAMROUTING             962        7.53%
 
 
  Best Regards
  Andy Schmidt
 
  HM Systems Software, Inc.
  600 East Crescent Avenue, Suite 203
  Upper Saddle River, NJ 07458-1846
 
  Phone:  +1 201 934-3414 x20 (Business)
  Fax:+1 201 934-9206
 
  http://www.HM-Software.com/
 
 

RE: [Declude.JunkMail] EasyNet Replacements

2003-11-27 Thread John Tolmachoff \(Lists\)
These are the ones I am testing right now. Any comments?

NJABL         ip4r  dnsbl.njabl.org      127.0.0.2    7  0
NJABLPROXIES  ip4r  dnsbl.njabl.org      127.0.0.9    7  0
CBL           ip4r  cbl.abuseat.org      127.0.0.2    7  0
AHBLOPEN      ip4r  dnsbl.ahbl.org       127.0.0.2    7  0
AHBLPROXY     ip4r  dnsbl.ahbl.org       127.0.0.3    7  0
AHBLSPAM      ip4r  dnsbl.ahbl.org       127.0.0.4    7  0
AHBLSUPPORT   ip4r  dnsbl.ahbl.org       127.0.0.7    7  0
AHBLGOOD      ip4r  exemptions.ahbl.org  127.0.0.2  -10  0

AHBLGOOD: This zone is not a blocking zone!  This is a whitelist zone.  Do
not use it to block mail or you will risk blocking a lot of legit e-mail.  If
you have the ability to set up a DNSbl whitelist, then this is the zone you
want to use with it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Andy Schmidt
 Sent: Tuesday, November 25, 2003 7:13 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] EasyNet Replacements
 
 
 Well,
 
 Here is how my replacement tests are doing (turned off EasyNet at noon):
 
 DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For
 Argos.net
 Report Start Time: 11/24/2003 00:00:00
 Report End Time: 11/24/2003 23:59:59
 Total Messages: 12,777
 Messages That Failed: 8,475
 Spam Percentage: 66.33%
 
 TEST               # FAILED   Percentage

 AHBL                    755        5.91%
 AHBLDOMAINS              63        0.49%
 AHBLEXEMPT               31        0.24%
 AHBLPROXIES             468        3.66%
 AHBLSOURCES             291        2.28%

 NJABL                 2,317       18.13%
 NJABLDUL                202        1.58%
 NJABLPROXIES          1,370       10.72%
 NJABLRELAYS             109        0.85%
 NJABLSOURCES            255        2.00%

 SORBS                 2,199       17.21%
 SORBS-DUL             1,578       12.35%
 SORBS-HTTP              512        4.01%
 SORBS-MISC               69        0.54%
 SORBS-SMTP               11        0.09%
 SORBS-SOCKS             616        4.82%
 SORBS-SPAM              265        2.07%
 SORBS-ZOMBIE             15        0.12%

 EASYNET-DNSBL         1,157        9.06%
 EASYNET-DOMAINS         250        1.96%
 EASYNET-DYNA          1,409       11.03%
 EASYNET-PROXIES         782        6.12%

 BLITZEDALL              276        2.16%
 BONDEDSENDER            188        1.47%
 CBL                   3,179       24.88%
 DSBL                  3,530       27.63%
 DSBLMULTI                71        0.56%
 KUNDENSERVER             12        0.09%
 MAILPOLICE-PORN          31        0.24%
 ORDB                     77        0.60%
 SPAMCOP               4,028       31.53%
 SPAMHAUS                796        6.23%

 RDNSBL                  179        1.40%

 BADHEADERS            2,224       17.41%
 BASE64                  471        3.69%
 BCC4                     69        0.54%
 BCC6                     41        0.32%
 BCC8                     29        0.23%
 COMMENTS                536        4.20%
 HELOBOGUS             1,963       15.36%
 MAILFROM                205        1.60%
 REVDNS                1,701       13.31%
 SPAMDOMAINS           1,612       12.62%
 SPAMHEADERS           1,329       10.40%
 SPAMROUTING             962        7.53%
 
 
 Best Regards
 Andy Schmidt
 
 HM Systems Software, Inc.
 600 East Crescent Avenue, Suite 203
 Upper Saddle River, NJ 07458-1846
 
 Phone:  +1 201 934-3414 x20 (Business)
 Fax:+1 201 934-9206
 
 http://www.HM-Software.com/
 
 


Re: [Declude.JunkMail] 8 bit encoding

2003-11-27 Thread Matthew Bramble
Scot,

The 8 bit encoding doesn't have anything to do with why it passes 
ANTI-GIBBERISH.  It appears that this test got tripped on the ANTI 
filter because of a qa  string (with the space, line 53 of that filter).

I believe that 8 bit encoding isn't going to be very safe to filter on, 
though it is worth looking at.  This might be a great opportunity to 
take a combination of an X-Mailer and Content-Transfer-Encoding in a 
filter so that if say Outlook Express and 8bit both occur, then it is 
spam.  A theory like this would need to be tested though.

The new filtering capabilities also could allow you to change GIBBERISH 
so that it could hit twice and assess more score on two hits (limited 
with MAXPOINTS).  This also needs testing though because while this 
would probably not be an issue for regular people messages, some of the 
FP's from automated sources might very well fail multiple times like 
spam can.

This E-mail is from a spammer that several have commented on.  For the 
interim, he is easily targeted with a filter for:

   BODY  15  BEGINSWITH  g

I'm actually going to test a filter out with a file that I created 
sometime ago which checks for fake HTML tags which has every combination 
of non-HTML two letter code in it preceded by a less than sign.  This 
filter actually led me to what became GIBBERISH, though I can't remember 
why I abandoned it.  As a BEGINSWITH filter it shouldn't be too 
demanding on processing, and it should be very unlikely to FP.  I'll be 
sure to release it if it works out.

BTW, I'm not sure exactly what your scores are on your system, but with 
what this message failed in terms of tests and filters, it would have 
definitely been held as spam on my system.

   4 - EASYNET-DYNA
   4 - FIVETEN-SRC
   3 - FOREIGN
   0 - REVDNS
   =
   10 - Total (my hold weight)
It might have failed other tests that I am using locally as well.  I 
don't like giving too much credit for the negative weight tests, only 
three points are possible on my system and I give nothing for REVDNS.  I 
would be scoring EASYNET-DYNA higher except that I also use another DUL 
test in addition to my DYNAMIC filter which all look for the same 
thing.  FIVETEN can be problematic, though the .2 test isn't nearly as 
bad as the .4 test.  I know that FIVETEN scores a lot of FP's, but it's 
a very important test for me as they pick up a lot of stuff that others 
don't for some reason and I can deal with them blacklisting places like 
Yahoo and some legit newsletters since I score it relatively low.

Another test that you might want to think about using would be:

   SUBJECT   2  ISBLANK

This is fairly rare with ham, and probably safe to add one or two points 
to (on a fail weight of 10).  I think that spammers have rightly figured 
that it can be more harm than good by including even a randomized 
subject because it is one more thing to track, and a blank subject 
probably piques one's interest enough to still open it to see what it is 
instead of just deleting it without a thought.

Matt





Scot Desort wrote:

I have seen a lot of mail like this one scoring low on Declude:

X-F: [EMAIL PROTECTED] Sat Nov 22 06:08:11 2003
Received: from tekes.fi [80.56.186.84] by njaccess.com
 (SMTPD32-6.06) id A394206D005E; Sat, 22 Nov 2003 06:08:04 -0500
Message-ID: [EMAIL PROTECTED]
From: Sybil D. Neely [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Sun, 23 Nov 2003 02:23:38 +
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-RBL-Warning: FIVETENSRC: 84.186.56.80.blackholes.five-ten-sg.com.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (96)
X-RBL-Warning: ANTIGIBBERISH: Message failed ANTIGIBBERISH test (53)
X-Declude-Sender: [EMAIL PROTECTED] [80.56.186.84]
X-Declude-Spoolname: D439405e.SMD
X-SpamWatch-Tests-Failed: EASYNET-DYNA, FIVETENSRC, IPNOTINMX,
NOLEGITCONTENT, GIBBERISH, ANTIGIBBERISH, FOREIGN [6]
X-SpamWatch-Country-Chain: NETHERLANDS-destination
X-SpamWatch-ReverseLookUp: f186084.upc-f.chello.nl ([80.56.186.84]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 362076914
Status: U
gyvpznjdrufwnxfont color=whiteufabnkxbdrisgjbimlhlrbqljb
rjcvvcjzrgth gemotyrdifskfkauewcugfimk geqfppqbcqxaisvpolbcuds
egbftgdihh
ggbaxkcuiaztygdxdecibhfsovd/fontgartymfckjfrcjbrgasunzscmkk
font color=whitesxevtgbewm gxzmadrqaaeupxrcwkircgel
gxnjljpbfuvmgdkhfqhqdggjribadezeaag ukmfmpblojgimjotcdieisbz
fgbzancgjeo
gwyrtntfwaeeiqnqceziepk/fontgbpuzkbdzyzhlgbrgruzkohbxdbh
bglaitqxdgqqLOgbbcsqudibzSEgfaigjrcnqeff
gcmnbmjbwzlWEghoncnjlakguacIGgmtsdthcgucjfwxHT
gsrlqukbgfidsmTHghvhfnnbvqvaE
gjcfukdbhjnkancEgqjxxxtdqfsoASIgxcfhbbdpqglwER
WgvrobgjcwercAYgrzdgrtbuom/bguqassadqplxbr
gfunlxdcgwviIghththgcueaorT'Sgbdtyvqdoxr
NgcrlcqzcntbOTgdjcisnccny Agquakrdruzooyp
guyrrqdapeludlDIgojmghdsqcwenclETgetrjehclmmvbq
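
Matt's reply says the X-Mailer plus Content-Transfer-Encoding combination "would need to be tested" and suggests a small weight for a blank subject. The following added example (not code from the thread or from Declude) shows one way to measure such header rules against labelled mail before giving them weight; the rule names, the choice to treat a missing Subject as blank, and every corpus entry are constructed for illustration, with only the first entry reusing header values from the sample quoted above.

```python
from email.message import Message
from email.parser import HeaderParser
from typing import Callable, Dict, List, Tuple


def header(msg: Message, name: str) -> str:
    """Header value, unfolded, whitespace-normalised, lower-cased ('' if absent)."""
    return " ".join(str(msg.get(name) or "").split()).lower()


def oe_with_8bit(msg: Message) -> bool:
    # Both conditions must hold; either one alone is not a hit.
    return ("outlook express" in header(msg, "X-Mailer")
            and header(msg, "Content-Transfer-Encoding") == "8bit")


def subject_blank(msg: Message) -> bool:
    # Assumption: a missing Subject header counts the same as an empty one.
    return header(msg, "Subject") == ""


RULES: Dict[str, Callable[[Message], bool]] = {
    "OE-8BIT": oe_with_8bit,
    "SUBJECT-BLANK": subject_blank,
}

OE = "X-Mailer: Microsoft Outlook Express 6.00.2800.1158"

# Constructed corpus of (label, header lines). The second entry folds the
# X-Mailer header across two lines and upper-cases the encoding on purpose.
CORPUS: List[Tuple[str, List[str]]] = [
    ("spam", ["Subject:", OE, "Content-Type: text/html",
              "Content-Transfer-Encoding: 8bit"]),
    ("spam", ["Subject: Re: your order", "X-Mailer: Microsoft Outlook",
              " Express 6.00.2800.1158", "Content-Transfer-Encoding: 8BIT"]),
    ("ham", ["Subject: Lunch on Friday?", OE,
             "Content-Transfer-Encoding: 8bit"]),
    ("ham", ["Subject: Invoice 1042", OE,
             "Content-Transfer-Encoding: quoted-printable"]),
    ("ham", ["X-Mailer: ExampleMailer 1.0",
             "Content-Transfer-Encoding: 7bit"]),
]


def evaluate(corpus=CORPUS, rules=RULES) -> Dict[str, Dict[str, int]]:
    """Count, per rule, how many spam and how many ham messages it hits."""
    parser = HeaderParser()
    report = {name: {"spam": 0, "ham": 0} for name in rules}
    for label, lines in corpus:
        msg = parser.parsestr("\n".join(lines) + "\n\n")
        for name, rule in rules.items():
            if rule(msg):
                report[name][label] += 1
    return report


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:14} spam hits={hits['spam']}  ham hits (FP)={hits['ham']}")
```

A rule that hits ham in a run like this, as both do on the constructed corpus, is a candidate for a low weight or an extra condition rather than a hold on its own.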

Re: [Declude.JunkMail] EasyNet Replacements

2003-11-27 Thread Matthew Bramble
I haven't tested these, however I would very much appreciate knowing 
from your tests or those of others two things in particular:

NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements?
AHBLGOOD - Is this absolutely trustworthy and what types of servers does 
it list?

Thanks,

Matt



John Tolmachoff (Lists) wrote:

These are the ones I am testing right now. Any comments?

NJABL         ip4r  dnsbl.njabl.org      127.0.0.2    7  0
NJABLPROXIES  ip4r  dnsbl.njabl.org      127.0.0.9    7  0
CBL           ip4r  cbl.abuseat.org      127.0.0.2    7  0
AHBLOPEN      ip4r  dnsbl.ahbl.org       127.0.0.2    7  0
AHBLPROXY     ip4r  dnsbl.ahbl.org       127.0.0.3    7  0
AHBLSPAM      ip4r  dnsbl.ahbl.org       127.0.0.4    7  0
AHBLSUPPORT   ip4r  dnsbl.ahbl.org       127.0.0.7    7  0
AHBLGOOD      ip4r  exemptions.ahbl.org  127.0.0.2  -10  0

AHBLGOOD: This zone is not a blocking zone!  This is a whitelist zone.  Do
not use it to block mail or you will risk blocking a lot of legit e-mail.  If
you have the ability to setup a DNSbl whitelist, then this is the zone you
want to use with it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, November 25, 2003 7:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] EasyNet Replacements
Well,

Here is how my replacement tests are doing (turned off EasyNet at noon):

DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For Argos.net
Report Start Time: 11/24/2003 00:00:00
Report End Time: 11/24/2003 23:59:59
Total Messages: 12,777
Messages That Failed: 8,475
Spam Percentage: 66.33%

TEST             # FAILED   Percentage

AHBL                  755        5.91%
AHBLDOMAINS            63        0.49%
AHBLEXEMPT             31        0.24%
AHBLPROXIES           468        3.66%
AHBLSOURCES           291        2.28%

NJABL               2,317       18.13%
NJABLDUL              202        1.58%
NJABLPROXIES        1,370       10.72%
NJABLRELAYS           109        0.85%
NJABLSOURCES          255        2.00%

SORBS               2,199       17.21%
SORBS-DUL           1,578       12.35%
SORBS-HTTP            512        4.01%
SORBS-MISC             69        0.54%
SORBS-SMTP             11        0.09%
SORBS-SOCKS           616        4.82%
SORBS-SPAM            265        2.07%
SORBS-ZOMBIE           15        0.12%

EASYNET-DNSBL       1,157        9.06%
EASYNET-DOMAINS       250        1.96%
EASYNET-DYNA        1,409       11.03%
EASYNET-PROXIES       782        6.12%

BLITZEDALL            276        2.16%
BONDEDSENDER          188        1.47%
CBL                 3,179       24.88%
DSBL                3,530       27.63%
DSBLMULTI              71        0.56%
KUNDENSERVER           12        0.09%
MAILPOLICE-PORN        31        0.24%
ORDB                   77        0.60%
SPAMCOP             4,028       31.53%
SPAMHAUS              796        6.23%

RDNSBL                179        1.40%

BADHEADERS          2,224       17.41%
BASE64                471        3.69%
BCC4                   69        0.54%
BCC6                   41        0.32%
BCC8                   29        0.23%
COMMENTS              536        4.20%
HELOBOGUS           1,963       15.36%
MAILFROM              205        1.60%
REVDNS              1,701       13.31%
SPAMDOMAINS         1,612       12.62%
SPAMHEADERS         1,329       10.40%
SPAMROUTING           962        7.53%

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
http://www.HM-Software.com/

   



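
The ip4r lines John posted correspond to ordinary DNS lookups: the sender's octets are reversed and prefixed to the zone, and the A record that comes back is compared with the expected value, so two tests on one zone (NJABL and NJABLPROXIES) need only one query. The added example below is not Declude's code; reading the last two columns as weight-on-fail and weight-on-pass is an assumption, and the DNS answers used in the demonstration are constructed for a documentation address so that it runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, NamedTuple, Tuple


class Ip4rTest(NamedTuple):
    name: str
    zone: str
    expect: str       # A-record value that counts as "listed"
    weight_fail: int  # applied when the zone returns that value
    weight_pass: int  # applied when it does not


# Test lines as posted in the thread. Treating the last two columns as
# weight-on-fail and weight-on-pass is this example's assumption.
CONFIG = """\
NJABL         ip4r  dnsbl.njabl.org      127.0.0.2    7  0
NJABLPROXIES  ip4r  dnsbl.njabl.org      127.0.0.9    7  0
CBL           ip4r  cbl.abuseat.org      127.0.0.2    7  0
AHBLOPEN      ip4r  dnsbl.ahbl.org       127.0.0.2    7  0
AHBLPROXY     ip4r  dnsbl.ahbl.org       127.0.0.3    7  0
AHBLSPAM      ip4r  dnsbl.ahbl.org       127.0.0.4    7  0
AHBLSUPPORT   ip4r  dnsbl.ahbl.org       127.0.0.7    7  0
AHBLGOOD      ip4r  exemptions.ahbl.org  127.0.0.2  -10  0
"""


def parse_config(text: str) -> List[Ip4rTest]:
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or commented-out test
        if len(fields) != 6 or fields[1].lower() != "ip4r":
            raise ValueError(f"not an ip4r test definition: {line!r}")
        name, _, zone, expect, w_fail, w_pass = fields
        ipaddress.IPv4Address(expect)  # rejects a malformed result column
        tests.append(Ip4rTest(name, zone.rstrip("."), expect,
                              int(w_fail), int(w_pass)))
    return tests


def query_name(ip: str, zone: str) -> str:
    """80.56.186.84 + zone -> 84.186.56.80.zone; raises ValueError unless IPv4."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name: str) -> List[str]:
    """Live lookup. Any resolver failure is reported as 'no records'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def evaluate(ip: str, tests: List[Ip4rTest],
             resolve: Callable[[str], List[str]] = dns_resolve
             ) -> Tuple[int, List[str], int]:
    """Return (total weight, names of tests that hit, number of DNS lookups)."""
    answers: Dict[str, List[str]] = {}
    total, failed = 0, []
    for test in tests:
        name = query_name(ip, test.zone)
        if name not in answers:          # one lookup per zone, not per test
            answers[name] = resolve(name)
        if test.expect in answers[name]:
            total += test.weight_fail
            failed.append(test.name)
        else:
            total += test.weight_pass
    return total, failed, len(answers)


if __name__ == "__main__":
    # Constructed answers for a documentation address; no network is used.
    constructed = {
        "10.2.0.192.dnsbl.njabl.org": ["127.0.0.9"],
        "10.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    }
    print(evaluate("192.0.2.10", parse_config(CONFIG),
                   lambda name: constructed.get(name, [])))
```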


RE: [Declude.JunkMail] EasyNet Replacements

2003-11-27 Thread John Tolmachoff (Lists)
 NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements?
 AHBLGOOD - Is this absolutely trustworthy and what types of servers does
 it list?

I ran across AHBLGOOD and am testing it to see what happens.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] EASYNET tests going away December 1

2003-11-27 Thread serge
Scott,
If we comment out a test in global.cfg and leave its action in
default.junkmail, will there be any problems? Errors, performance issues, ...


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:52 PM
Subject: [Declude.JunkMail] EASYNET tests going away December 1


 FYI.  Here's a copy of their E-mail.
-Scott

 ---
 The easynet blacklists/spamfilters (blackholes.easynet.nl,
 proxies.blackholes.easynet.nl, dynablock.easynet.nl,
 spamdomains.blackholes.easynet.nl, and the easynet spamlists) will
 be discontinued starting Dec 1 2003.

 The zonefiles and associated files will be 'zero-sized' on that day.
 The domains will continue to resolve for a long time, but they will
 contain nothing more than the test records (127.0.0.2 and
 example.com), so they will not catch anything.

 Holy Crap!
 - Yep.

 FAQ?
 - Sure.

 Are you being DDos'ed out of existence?
 - Nope. They probably tried. We didn't even notice it.

 Are you being sued?
 - Nope. They probably tried. We didn't even notice it.

 Are you being threatened?
 - Frankly, we will miss that part.

 Are you tired?
 - Damn right.

 Are you giving up?
 - That is not the right word. There are plenty of fine blacklists,
 and new ones spring up every day. The wirehub/easynet lists served
 their purpose, but others may serve that purpose equally well.

 Isn't this all kinda sudden?
 - Yes. Sometimes, you just know that it's time to say goodbye. And
 the moment you know it, you must do it. Running blacklists on
 anything less than 100% motivation and energy is not how it should
 be done.

 Anything else?
 - Sure. These blacklists were maintained by a single person, all of
 them. Every day. Listings, delistings, finding new DSL/cable ranges,
 finding new open proxies, writing better scripts, handling all
 email, running statistics, publishing overviews, providing rsync
 areas, DNS transfers. You name it. TINW. There's an I. And I want my
 life back, at least a little ;)

 Life?
 - Yes. Maybe not as we know it. Over the past 3-4 years, the
 maintainer of these lists has worked 7 days a week, 10-12 hours a
 day running these lists and handling all tasks and email associated
 with them. Not a single day has passed without at least processing
 delisting requests (the bare minimum).  And then there was the day
 job (which was really nothing more than running an ISP's server farm
 - peanuts, it's FreeBSD).

 Is that all?
 - There's more to it, but the details do not really concern you.
 Let's just say that the integrity of these lists might have been in
 jeopardy in the long run. There are two cardinal sins when it comes
 to blacklists: 1.  putting/keeping someone on them who should not be
 - 2. not putting someone on them who really should be. Avoiding '1'
 is a matter of discipline and a thick skin.  Avoiding '2' is a
 matter of being totally independent from all pressures surrounding
 you. Avoiding '2' has become increasingly difficult, and we'd rather
 stop with our integrity fully intact and our reputation unharmed.
 That is about now. Well, next week.

 We?
 - Yes, dropping that habit will take some time ;)

 Will you be back?
 - Probably. Lurking.

 Will you miss us?
 - Depends on how well target practice goes.

 Should we give up The Good Fight?
 - Hell no, we're winning. There's plenty of enthusiasm, and there
 are plenty of new and old blacklists doing fine work. Take your
 pick. Keep fighting. Fight for your spam laws. Educate. Annoy. Sue
 if you must. It's up to you now.

 Is there anything we can do?
 - Yes. Spread the word, please. Post to your local/national abuse
 groups, inform anyone you know who uses these lists, update your
 configurations.  Nothing will break after Dec 1, but there will come
 a day when these names (including the old Wirehub ones, which still
 resolve) will cease to resolve. This will probably be announced.

 Will the lists be back under a different name?
 - Probably not. It started out as 'doing some extra work to stop
 spam', because .. well .. FreeBSD and such, plenty of time left. And
 why not donate that work to the Internet community as well. In the
 long run, it turned out to be 'getting some sleep and maybe
 something to eat between emails and zone updates'. Sometimes, enough
 is just enough.

 Can't you just maintain one or two of the lists?
 - What did I just say?

 I have a question!
 - The email address will probably work throughout December. It may
 drop dead after that. Hope I won't.

 Goodbye all. It was invigorating, it was fun, it was necessary.
 Don't give up.

 Ben.

 -- 
 easynet.nl abuse handling dept. -- [EMAIL PROTECTED]
 - blacklists/dnsbls: http://abuse.easynet.nl/spamstats.html -
 - aup: http://www.nl.easynet.net/pub/av/aup/nl (dutch) --
 - aup: http://www.nl.easynet.net/pub/av/aup/en (english) 


Re: [Declude.JunkMail] EasyNet Replacements

2003-11-27 Thread DLAnalyzer Support
NJABL for the most part is like ORDB.  They test open relays and list them.  
Folks that are listed can easily request to be de-listed, but of course they 
are not removed if njabl finds them relaying still. 

Darrell 

Matthew Bramble writes: 

I haven't tested these, however I would very much appreciate knowing from 
your tests or those of others two things in particular: 

NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements?
AHBLGOOD - Is this absolutely trustworthy and what types of servers does 
it list? 

Thanks, 

Matt 

 

John Tolmachoff (Lists) wrote: 

These are the ones I am testing right now. Any comments? 

NJABL         ip4r  dnsbl.njabl.org      127.0.0.2    7  0
NJABLPROXIES  ip4r  dnsbl.njabl.org      127.0.0.9    7  0
CBL           ip4r  cbl.abuseat.org      127.0.0.2    7  0
AHBLOPEN      ip4r  dnsbl.ahbl.org       127.0.0.2    7  0
AHBLPROXY     ip4r  dnsbl.ahbl.org       127.0.0.3    7  0
AHBLSPAM      ip4r  dnsbl.ahbl.org       127.0.0.4    7  0
AHBLSUPPORT   ip4r  dnsbl.ahbl.org       127.0.0.7    7  0
AHBLGOOD      ip4r  exemptions.ahbl.org  127.0.0.2  -10  0

AHBLGOOD: This zone is not a blocking zone!  This is a whitelist zone.  Do
not use it to block mail or you will risk blocking a lot of legit e-mail.  If
you have the ability to setup a DNSbl whitelist, then this is the zone you
want to use with it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You 

  




Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 



RE: [Declude.JunkMail] EASYNET tests going away December 1

2003-11-27 Thread John Tolmachoff (Lists)

Since the tests will be dead, removing them is best.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



RE: [Declude.JunkMail] Version / Internmediate Policy

2003-11-27 Thread Andy Schmidt

 These are the bugs that are fixed in the latest interim release,
without specifying which interim release fixed it  

Thanks - that would be a great help.  

Typically, beta testers come to expect an extra level of support, since they
are sticking their heads out for the developer's benefit.  To let us run
into (occasionally severe) problems knowingly can sometimes be unnerving.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



RE: [Declude.JunkMail] Declude does not see email

2003-11-27 Thread Colbeck, Andrew



Some more grist for the mill, and a question or two for Scott...

I've seen the same behaviour in our implementation: the inbound e-mail is
received and doesn't look mangled, but has no declude headers. Until
recently, there were no declude log lines, either.

I'm running IMail v8.02 on Windows 2000 Server SP4 etc, and am now running
declude.exe 1.76i28; today I saw an HTML style spam come through with no
declude headers. The log did have one line for this message:

11/27/2003 15:23:41 Q875e044a00daa57c Could not lock D:\IMail\spool\Q875e044a00daa57c.SMD; timed out (j=2).

My query for Scott is: as of interim 28, declude.exe now always logs
something if the message couldn't be handled, correct? So perhaps there is
a grammar or pattern in the log we can use to find these error messages?

As for my server configuration, I also have no particular software that I
think should have vied for a lock on the file; my antivirus software skips
all of the files with IMail message extensions. The only things that could
have tripped over the file are W2K itself, IMail, and declude.exe ...

Andrew.


  
  -Original Message-
  From: Keith Johnson [mailto:[EMAIL PROTECTED]
  Sent: Monday, November 24, 2003 5:42 AM
  To: [EMAIL PROTECTED]
  Subject: FW: [Declude.JunkMail] Declude does not see email

  Scott,

  This issue of Declude (1.76i and Imail 8.04) not seeing email has picked
  up tremendously in the past week or so. We are starting to see this a lot
  in our own email as well as our customers reporting it. It seems to be
  happening in both html and plain text formatted emails. Is there anything
  I can do in my settings to aid this as I am fearful of viruses getting
  thru (more so than spam)? Thanks,

  Keith

  -Original Message-
  From: R. Scott Perry [mailto:[EMAIL PROTECTED]
  Sent: Fri 11/21/2003 12:10 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: Re: [Declude.JunkMail] Declude does not see email

  I am curious to know if others are experiencing this as well. Daily I
  receive 3-4 spam that show no sign of Declude ever being ran. Searching
  the IMail log file shows the email arriving and the SPAM logfile for
  IMail shows an entry for the email but Declude does not show it.

  Are you running IMail v8? There seems to be a problem with IMail v8 where
  it will occasionally "forget" to call Declude. We haven't been able to
  reproduce the problem, but from the log files that we have seen, it
  appears that Declude isn't even started.

  -Scott
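
This thread describes two ways a message can slip through unscanned: Declude logs a lock timeout for the spool file, or Declude is never started and logs nothing for that message. The added example below (not Declude's or IMail's code) parses lines shaped like the one Andrew quoted and reports both cases; the list of received spool IDs would have to come from the IMail side and is taken as given here, and every log line except the quoted lock timeout is constructed.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

# Line shape taken from the log line quoted in the thread:
#   MM/DD/YYYY HH:MM:SS <spool id> <free text>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<spool>Q[0-9A-Fa-f]+) (?P<text>.*)$"
)
# The j= value is captured as opaque; its meaning is not given in the thread.
LOCK_RE = re.compile(r"Could not lock (?P<path>.+?); timed out \(j=(?P<j>\d+)\)")


class Entry(NamedTuple):
    ts: datetime
    spool: str
    text: str


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    return Entry(ts, m["spool"], m["text"])


def audit(received: Iterable[str], log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Compare spool IDs known to have been received with the scanner log.

    lock_timeout_only: IDs whose every log line is a lock timeout
    no_log_entry:      received IDs the log never mentions
    unparsed:          non-blank lines that do not match the expected shape
    """
    by_spool: Dict[str, List[Entry]] = {}
    unparsed: List[str] = []
    for line in log_lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line.strip())
        else:
            by_spool.setdefault(entry.spool, []).append(entry)
    lock_only = sorted(
        spool for spool, entries in by_spool.items()
        if all(LOCK_RE.search(e.text) for e in entries)
    )
    silent = sorted(set(received) - set(by_spool))
    return {"lock_timeout_only": lock_only,
            "no_log_entry": silent,
            "unparsed": unparsed}


# Second line is the one quoted in the thread; all others are constructed,
# including the placeholder message text.
SAMPLE_LOG = r"""
11/27/2003 15:23:38 Q875e0449009ca57b scan completed (constructed text)
11/27/2003 15:23:41 Q875e044a00daa57c Could not lock D:\IMail\spool\Q875e044a00daa57c.SMD; timed out (j=2).
11/27/2003 15:23:45 Q875e044c012ca57e Could not lock D:\IMail\spool\Q875e044c012ca57e.SMD; timed out (j=2).
11/27/2003 15:23:47 Q875e044c012ca57e scan completed (constructed text)
log rotated
""".splitlines()

# Constructed list of spool IDs the mail server accepted in the same window.
SAMPLE_RECEIVED = [
    "Q875e0449009ca57b",
    "Q875e044a00daa57c",
    "Q875e044b011ba57d",
    "Q875e044c012ca57e",
]

if __name__ == "__main__":
    for key, values in audit(SAMPLE_RECEIVED, SAMPLE_LOG).items():
        print(key, values)
```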


Re: [Declude.JunkMail] %TESTSFAILED%

2003-11-27 Thread serge
Scott
I do not think it is a good idea to hide tests like ipnotinmx, because we
won't know their weight contribution
we need a hidetest when weight =0, but that will show the negative value
when passed test
something like %weightnot0test%  variable with all tests that contributed to
the total weight (negative, positive, passed, or failed)
this will show ipnotinmx and nonlegitcontent type tests when they pass
Hope you understand what I'm trying to say

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 7:01 PM
Subject: Re: [Declude.JunkMail] %TESTSFAILED%



 Any progress/word on when certain tests can be excluded from this
variable?

 This will be in the next release.  :)

 The next release will allow for an option HIDETESTS in the global.cfg file
 (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX
 NOLEGITCONTENT), which will prevent those tests from showing up in the
 X-Spam-Tests-Failed: header.

 -Scott


RE: [Declude.JunkMail] %TESTSFAILED%

2003-11-27 Thread John Tolmachoff (Lists)
In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If
the message fails, no weight is added or subtracted. If the test passes,
the negative weight is subtracted. Therefore, if one of those tests is
listed under %TESTSFAILED%, it means nothing was done.

Likewise, the actions for those tests should be IGNORE or LOG only, as
again if the tests failed means nothing. Only if the message passes the
test is weight subtracted.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
