Re: [Declude.JunkMail] HELP PLEASE !
> I have Imail v6.06 with Declude 1.75. When I run the smtp32.exe it seems to be passing mail. When I have it call declude.exe it fails.

What is failing? The E-mail is delivered unscanned? The E-mail is deleted? The E-mail sits in the spool? What do the log files show for a sample E-mail that you try sending?

> Upon further work I have shut down Junkmail and have virus running and things seem to be going ok. Any suggestion why junkmail stopped?

My guess is that your DNS server is broken. If that happens, Declude JunkMail will have to wait until each timeout occurs, causing E-mail to stay in memory a long time. This can cause other problems, such as mail backing up.

> Everything started when I was receiving SMTP errors

What were the exact messages you were seeing?

> if I turn off junkmail things seem to work better.

Is that 100% better (as in performing identically or very close to the way that it had before this problem occurred)?

> I have a DECLUDE text file but it is just showing where the virus scanner pops up a couple of errors (mostly errors creating or opening files)

Is that the C:\Declude.log file you are referring to (where Declude will record if it can't figure out where to record log file entries to), or the actual log files (\IMail\spool\vir.log and \IMail\spool\dec.log)?

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Reading the header..
Scott:

In the following:

X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)

I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.

If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.

Right? Wrong?

Regards,
Kami
RE: [Declude.JunkMail] Reading the header..
Morning Kami.

The weight is the line weight in the filter file, in this case the weight that line 346 lists.

Correct that the X-RBL-Warning only shows one line caught if multiple, but I do not remember if the first or last caught.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, November 27, 2003 6:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reading the header..

Scott:

In the following:

X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)

I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.

If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.

Right? Wrong?

Regards,
Kami
RE: [Declude.JunkMail] Reading the header..
So really it is meaningless.. since it only says a single event when in fact multiple lines could have been hit in that filter and the final weight could be totally different?

It would be good to be able to see the weight for each filter hit so one could actually see the final weight and what made the final weight.. it will be a great help in adjusting filters but the way it is really it is of no use..

Am I totally off on this one?

Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, November 27, 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Reading the header..

Morning Kami.

The weight is the line weight in the filter file, in this case the weight that line 346 lists.

Correct that the X-RBL-Warning only shows one line caught if multiple, but I do not remember if the first or last caught.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, November 27, 2003 6:39 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reading the header..

Scott:

In the following:

X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)

I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.

If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.

Right? Wrong?

Regards,
Kami
[Declude.JunkMail] 8 bit encoding
I have seen a lot of mail like this one scoring low on Declude:

X-F: [EMAIL PROTECTED] Sat Nov 22 06:08:11 2003
Received: from tekes.fi [80.56.186.84] by njaccess.com
  (SMTPD32-6.06) id A394206D005E; Sat, 22 Nov 2003 06:08:04 -0500
Message-ID: [EMAIL PROTECTED]
From: Sybil D. Neely [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:
Date: Sun, 23 Nov 2003 02:23:38 +
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-RBL-Warning: FIVETENSRC: 84.186.56.80.blackholes.five-ten-sg.com.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (96)
X-RBL-Warning: ANTIGIBBERISH: Message failed ANTIGIBBERISH test (53)
X-Declude-Sender: [EMAIL PROTECTED] [80.56.186.84]
X-Declude-Spoolname: D439405e.SMD
X-SpamWatch-Tests-Failed: EASYNET-DYNA, FIVETENSRC, IPNOTINMX, NOLEGITCONTENT, GIBBERISH, ANTIGIBBERISH, FOREIGN [6]
X-SpamWatch-Country-Chain: NETHERLANDS-destination
X-SpamWatch-ReverseLookUp: f186084.upc-f.chello.nl ([80.56.186.84]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 362076914
Status: U

<snip>

It seems as though the 8 bit encoding may have a lot to do with it. It trips both gibberish and antigibberish. Is anyone here doing any header tests for Content-Transfer-Encoding: 8bit and adding a few points for it?

When declude filters do body filtering, do they account for 8 bit encoding, and decode the body prior to running the tests?

Seems like we are getting a lot of 8 bit messages coming through lately.

--
Scot
RE: [Declude.JunkMail] Reading the header..
Yes, it would be helpful if it would list each line caught with. :)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Thursday, November 27, 2003 7:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Reading the header..

So really it is meaningless.. since it only says a single event when in fact multiple lines could have been hit in that filter and the final weight could be totally different?

It would be good to be able to see the weight for each filter hit so one could actually see the final weight and what made the final weight.. it will be a great help in adjusting filters but the way it is really it is of no use..

Am I totally off on this one?

Kami
RE: [Declude.JunkMail] 8 bit encoding
I have 2 filters for that:

In my BASICFILTER:

SUBJECT 10 ISBLANK

In my GRAYFILTER4:

BODY 25 STARTSWITH g

It has been extremely effective on that.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Scot Desort
Sent: Thursday, November 27, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] 8 bit encoding

I have seen a lot of mail like this one scoring low on Declude:

<snip>

It seems as though the 8 bit encoding may have a lot to do with it. It trips both gibberish and antigibberish. Is anyone here doing any header tests for Content-Transfer-Encoding: 8bit and adding a few points for it?

When declude filters do body filtering, do they account for 8 bit encoding, and decode the body prior to running the tests?

Seems like we are getting a lot of 8 bit messages coming through lately.

--
Scot
Re: [Declude.JunkMail] Reading the header..
> In the following:
>
> X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)
>
> I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.
>
> If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.

It only shows one line number (the last one in the file that is triggered). The weight is the total weight for all lines that matched (not including the weight of the test itself, if any).

-Scott
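The header semantics Scott describes above (one line number, the last line in the file that matched, with the weights of all matching lines summed), as an added Python model that is not Declude's code and does not come from any list member. The `SCOPE WEIGHT TEST [value]` line layout is taken from the two filter lines quoted in this thread; the `CONTAINS` test, `#` comment lines, case-insensitive matching, counting physical lines, and the filter name `SAMPLEFILTER` are assumptions of this sketch.

```python
import re
from dataclasses import dataclass

# Constructed sample filter file. '#' comments and CONTAINS are assumptions.
SAMPLE_FILTER = """\
# constructed sample filter
SUBJECT 10 ISBLANK
BODY 25 STARTSWITH g
BODY 5 CONTAINS font color=white
BODY 7 ISBLANK
"""

# Constructed sample message shaped like the blank-subject gibberish spam
# discussed in the thread.
SAMPLE_MESSAGE = {
    "SUBJECT": "",
    "BODY": "gyvpznjdruf <font color=white>ufabnkxbd</font> gartymfck",
}

# Header shape copied from the examples quoted on this page.
WARNING_RE = re.compile(
    r"^X-RBL-Warning: (?P<name>[\w-]+): Message failed (?P=name) test "
    r"\(line (?P<line>\d+), weight (?P<weight>-?\d+)\)$"
)


@dataclass(frozen=True)
class Rule:
    line_no: int   # physical line number in the filter file
    scope: str     # SUBJECT or BODY
    weight: int
    test: str      # ISBLANK, STARTSWITH, CONTAINS
    value: str


def parse_filter(text):
    """Parse filter text into rules, remembering each rule's line number."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"line {line_no}: expected SCOPE WEIGHT TEST [value]")
        value = parts[3] if len(parts) == 4 else ""
        rules.append(Rule(line_no, parts[0].upper(), int(parts[1]),
                          parts[2].upper(), value))
    return rules


def rule_matches(rule, message):
    """Apply one rule to the message part named by its scope."""
    text = message.get(rule.scope, "").lower()
    needle = rule.value.lower()
    if rule.test == "ISBLANK":
        return text.strip() == ""
    if rule.test == "STARTSWITH":
        return text.startswith(needle)
    if rule.test == "CONTAINS":
        return needle in text
    raise ValueError(f"line {rule.line_no}: unsupported test {rule.test}")


def evaluate(rules, message):
    """Return every rule that matched, in file order."""
    return [rule for rule in rules if rule_matches(rule, message)]


def warning_header(name, hits):
    """Collapse all hits into the single header: last line, summed weight."""
    if not hits:
        return None
    last_line = max(rule.line_no for rule in hits)
    total = sum(rule.weight for rule in hits)
    return (f"X-RBL-Warning: {name}: Message failed {name} test "
            f"(line {last_line}, weight {total})")


def per_line_report(hits):
    """The per-line breakdown that the single header cannot carry."""
    return [(r.line_no, r.weight, f"{r.scope} {r.test} {r.value}".strip())
            for r in hits]


def parse_warning(header):
    """Extract (test name, line number, weight) from a warning header."""
    match = WARNING_RE.match(header)
    if match is None:
        return None
    return match["name"], int(match["line"]), int(match["weight"])


if __name__ == "__main__":
    hits = evaluate(parse_filter(SAMPLE_FILTER), SAMPLE_MESSAGE)
    print(warning_header("SAMPLEFILTER", hits))
    for line_no, weight, rule_text in per_line_report(hits):
        print(f"  line {line_no}: +{weight}  {rule_text}")
```

Three lines match the constructed message, yet the header alone reports only the last of them with the summed weight, which is why tuning a filter needs the per-line view.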
RE: [Declude.JunkMail] Reading the header..
Great...

If the weight is the total weight of the matches for the entire filter I am happy..

Because of this you can forget my demand for a million dollars a while back.. It is Thanksgiving and I am feeling generous..

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, November 27, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Reading the header..

> In the following:
>
> X-RBL-Warning: FILTER-BODY: Message failed FILTER-BODY test (line 346, weight 7)
>
> I am under the assumption that the line number is the last or the first line that triggered the weight and the weight is total weight of the filter when it was done.
>
> If several lines are hit in the filter the header does not show it and the only way to see it is in the HIGH log mode.

It only shows one line number (the last one in the file that is triggered). The weight is the total weight for all lines that matched (not including the weight of the test itself, if any).

-Scott
[Declude.JunkMail] Subject and body is B
Anybody else seeing messages where the subject is only b or bbb and the body is only b or bbb?

Could this be a spammer checking for valid addresses?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] Subject and body is B
John..

I have seen many of these..

Also.. Recently we are seeing a lot of email - same type of email - that are apparently coming from soldiers in Iraq.. It goes on and on but the story is almost the same. People receiving it say they have no idea what it is..

I am thinking that it is a new way to check for valid addresses..

Has anyone else seen this?

Regards,
Kami

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, November 27, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Subject and body is B

Anybody else seeing messages where the subject is only b or bbb and the body is only b or bbb?

Could this be a spammer checking for valid addresses?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] Subject and body is B
Every one I see comes from @aol.ca but is not from an AOL.ca server.

Does anyone know what the line would be for aol.ca in SPAMDOMAINS?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, November 27, 2003 9:56 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Subject and body is B

Anybody else seeing messages where the subject is only b or bbb and the body is only b or bbb?

Could this be a spammer checking for valid addresses?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.JunkMail] SpamDomains
Can somebody point me to a source for a SpamDomains text file so I can do some comparisons...

Rich
RE: [Declude.JunkMail] Subject and body is B
I just checked for the last 2 days, nope.

On a related note, I see rushes where the spam has no body and the same header appears from multiple open relays all at the same time; I think it's broken spamware.

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 9:56 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Subject and body is B

Anybody else seeing messages where the subject is only b or bbb and the body is only b or bbb?

Could this be a spammer checking for valid addresses?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
[Declude.JunkMail] How to use URL file from Imail with Declude ??
I update the URL file in Imail by sending all not recognized SPAM to a mailbox then running the spam_sedeer utility.

Now, can Declude filter E-mail based on that file ??

I am new to Declude, just testing it for two days now. It seems good but have some emails that are not caught with Declude, and they are caught with email URL Filter.

Any help would be appreciated..

Thanks..
RE: [Declude.JunkMail] Subject and body is B
> On a related note, I see rushes where the spam has no body and the same header appears from multiple open relays all at the same time; I think it's broken spamware.

You mean like this: (That is the entire D file.)

---
Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
  (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500
htmltitleI will not defame New Orleans I am not authorized to fire substitute teachers sX6092303Z94n123210404D97Ig6q00/title
head/headbody bgcolor=#ffdiv align=centercenterfont color=white size=1
I will not defame New Orleans I will not defame New Orleansbr
I am not authorized to fire substitute teachers I will not defame New Orleansbr
I will not defame New Orleans I am not authorized to fire substitute teachersbr
/fonttable border=1 bgcolor=#ff bordercolor=#00 bordercolordark=#c0c0c0 bordercolorlight=#808080tr
td bgcolor=#f3f3f3CENTERbr
a href=strurl$a/cablee/
font face=tahoma color=#ff size=5buDigital Cable Filters/u/b/font
brbrfont face=tahoma size=2
b5th Generation Filters Not A_vailable Anywhere Else/b/font
brBRfont color=#a0Even gets Pay Per View Channels!/font/B
brbrfont face=tahoma size=2You must be a subscriber to your Cable Company's Digital Servicebr
You must be able to order pay-per veiw movies through the remote controlbr/font/CENTER
brCENTERFONT face=tahoma size=2/FONTbrbr
font face=tahoma size=2bu/u/b/fontbfont color=#ffBrand New Technology/font/b/FONT
brbrfont size=5bCheck It Out Here!/a/bbrbrbrfont color=#00 size=2a href=strurl$out/To_get off our list/a/font/CENTER/FONT/td/tr/table
font color=white size=1I will not defame New OrleansI will not defame New OrleansHq24EW7Y22ED10eL34J0BR
z8952481A706u26TK815o0XW8MAg3v7BRf1361496N65WH76I will not defame New Orleans7l3B7XVdo03g49p9UyI392BBR
42cJJT9rp874676I am not authorized to fire substitute teachers151260U4J56589VU6K0e5T7e12W2lBR
8L83Uf747I will not defame New Orleans9Yz8VkqV4984585X6SD127A97l3B7XVBR
do03g49p9UyI392I am not authorized to fire substitute teachersB42cJJT9rp874676151260U4JBR
56589VU6K0e5T7e12W2l8L83Uf7479Yz8VkI am not authorized to fire substitute teachersbr
qV4984585X6SD127A97lI will not defame New Orleansbr
3B7XVdo03g49p9UyI392B42cJJT9rp8BRI am not authorized to fire substitute teachers I will not defame New OrleansBR
/font/center/div/body/html
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?24.117.148.25
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200020].
X-RBL-Warning: BASICFILTER: Message failed BASICFILTER test (line 1, weight 15)
X-Declude-Sender: [EMAIL PROTECTED] [24.117.148.25]
X-Declude-Spoolname: D89b3050e01467eff.SMD
X-RBL-Warning: Total weight: 33
X-Tests-Failed: SPAMCOP, BADHEADERS, BASICFILTER
X-Note: This E-mail was sent from 24-117-148-25.cpe.cableone.net ([24.117.148.25]).
---

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??
2 things you can do with filters. (Only available in JunkMail Pro.)

1. Have Imail add a header for the URL list and then filter on that header and add weight.

2. Create a URLFILTER filter file in Declude from the Imail URL list. You can do this by using Excel.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
Sent: Thursday, November 27, 2003 11:04 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How to use URL file from Imail with Declude ??

I update the URL file in Imail by sending all not recognized SPAM to a mailbox then running the spam_sedeer utility.

Now, can Declude filter E-mail based on that file ??

I am new to Declude, just testing it for two days now. It seems good but have some emails that are not caught with Declude, and they are caught with email URL Filter.

Any help would be appreciated..

Thanks..
RE: [Declude.JunkMail] DLAnalyzer
Is there need for a separate support list, or do you want it sent to you?

One thing I am noticing about the GUI is that it does not always clear previous settings. Example, if I had set to filter by domain, but now do not want to, just by removing the domain in the GUI does not always remove it from the config file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Wednesday, November 26, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DLAnalyzer

John,

Those are excellent suggestions and have been made by several folks. Both of those suggestions are going to be in the next intermediate release.

Darrell

John Tolmachoff (Lists) writes:

Feature request:

Ability to save config file as.

Ability to run program with a saved named config file.

This would allow you to create different configuration files with the GUI, and then run reports based on different configuration files.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Tuesday, November 25, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] DLanalyzer

The latest version of DLAnalyzer was released last week. The current version is 2.0R. Many new features were added including a GUI based configuration utility to ease configuration. There are many other reports it can generate besides the one listed below (Domain Summaries Incoming/Outgoing, Advanced Reports On Users, etc)

You can download a copy of DLAnalyzer at http://www.dlanalyzer.com

Darrell

ISPhuset Nordic AS writes:

Where can I find this version of DLAnalyzer(v2.0.B.I)?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: 25. november 2003 16:13
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] EasyNet Replacements

Well,

Here is how my replacement tests are doing (turned off EasyNet at noon):

DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For Argos.net
Report Start Time: 11/24/2003 00:00:00
Report End Time: 11/24/2003 23:59:59
Total Messages: 12,777
Messages That Failed: 8,475
Spam Percentage: 66.33%

TEST               # FAILED   Percentage
AHBL                    755        5.91%
AHBLDOMAINS              63        0.49%
AHBLEXEMPT               31        0.24%
AHBLPROXIES             468        3.66%
AHBLSOURCES             291        2.28%
NJABL                 2,317       18.13%
NJABLDUL                202        1.58%
NJABLPROXIES          1,370       10.72%
NJABLRELAYS             109        0.85%
NJABLSOURCES            255        2.00%
SORBS                 2,199       17.21%
SORBS-DUL             1,578       12.35%
SORBS-HTTP              512        4.01%
SORBS-MISC               69        0.54%
SORBS-SMTP               11        0.09%
SORBS-SOCKS             616        4.82%
SORBS-SPAM              265        2.07%
SORBS-ZOMBIE             15        0.12%
EASYNET-DNSBL         1,157        9.06%
EASYNET-DOMAINS         250        1.96%
EASYNET-DYNA          1,409       11.03%
EASYNET-PROXIES         782        6.12%
BLITZEDALL              276        2.16%
BONDEDSENDER            188        1.47%
CBL                   3,179       24.88%
DSBL                  3,530       27.63%
DSBLMULTI                71        0.56%
KUNDENSERVER             12        0.09%
MAILPOLICE-PORN          31        0.24%
ORDB                     77        0.60%
SPAMCOP               4,028       31.53%
SPAMHAUS                796        6.23%
RDNSBL                  179        1.40%
BADHEADERS            2,224       17.41%
BASE64                  471        3.69%
BCC4                     69        0.54%
BCC6                     41        0.32%
BCC8                     29        0.23%
COMMENTS                536        4.20%
HELOBOGUS             1,963       15.36%
MAILFROM                205        1.60%
REVDNS                1,701       13.31%
SPAMDOMAINS           1,612       12.62%
SPAMHEADERS           1,329       10.40%
SPAMROUTING             962        7.53%

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] Subject and body is B
Hmm, nope, but I have also seen broken headers like you provided, but never with so much misplaced stuff in the header; from what Scott has previously mentioned, I would guess that the way your sample message is broken is that somewhere in the hops a mailserver put in an extraneous CR/LF.

The usual broken message I see has a complete and well-formed header, but no body at all. These messages are always sent from dsl/cable connections that are open relays, never a mail server.

Perhaps Kami has seen this behaviour; I think it was he that suggested the BODY ISBLANK filter test.

Andrew 8)

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 27, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Subject and body is B

> On a related note, I see rushes where the spam has no body and the same header appears from multiple open relays all at the same time; I think it's broken spamware.

You mean like this: (That is the entire D file.)

---
Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP
  (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500
htmltitleI will not defame New Orleans
---
RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??
Ok, on the first option, how it would work ?? Because the manual says that Declude JunkMail run earlier than Imail filters... So even if I add the Imail header, Declude will not detect it. Or there is a way to change that scanning order ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, November 27, 2003 12:18 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] How to use URL file from Imail with Declude ?? 2 things you can do with filters. (Only available in JunkMail Pro.) 1. Have Imail add a header for the URL list and then filter on that header and add weight. 2. Create a URLFILTER filter file in Declude from the Imail URL list. You can do this by using Excel. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela Sent: Thursday, November 27, 2003 11:04 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] How to use URL file from Imail with Declude ?? I update the URL file in Imail by sending all not recognized SPAM to a mailbox then running the spam_sedeer utility Now, can Declude filter E-mail based on that file ?? I am new to Declude, just testing it for two days now It seems good but have some emails that are not caught with Declude, and they are caught with email URL Filter. Any help would be appreciated.. Thanks..
RE: [Declude.JunkMail] Subject and body is B
Yes, the BODY ISBLANK has done well for me. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 27, 2003 12:11 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Subject and body is B Hmm, nope, but I have also seen broken headers like you provided, but never with so much misplaced stuff in the header; from what Scott has previously mentioned, I would guess that the way your sample message is broken is that somewhere in the hops a mailserver put in an extraneous CR/LF. The usual broken message I see has a complete and well-formed header, but no body at all. These messages are always sent from dsl/cable connections that are open relays, never a mail server. Perhaps Kami has seen this behaviour; I think it was he that suggested the BODY ISBLANK filter test. Andrew 8) -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Thursday, November 27, 2003 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Subject and body is B On a related note, I see rushes where the spam has no body and the same header appears from multiple open relays all at the same time; I think it's broken spamware. You mean like this: (That is the entire D file.) --- Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500 htmltitleI will not defame New Orleans
RE: [Declude.JunkMail] How to use URL file from Imail with Declude ??
This is the order:

Imail Kill.lst and control access.
Imail Anti-Spam
Declude Hijack
Declude Virus
Declude JunkMail
Imail Statistics
Imail Rules

The URL file in Imail is part of Imail Anti-Spam, and is therefore run before Declude. What you are referring to is the Imail rules kept in rule.ima files, which is used after all scanning and upon sending to the actual mail box. Therefore, it works. :) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela Sent: Thursday, November 27, 2003 12:40 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] How to use URL file from Imail with Declude ?? Ok, on the first option, how it would work ?? Because the manual says that Declude JunkMail run earlier than Imail filters... So even if I add the Imail header, Declude will not detect it. Or there is a way to change that scanning order ?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, November 27, 2003 12:18 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] How to use URL file from Imail with Declude ?? 2 things you can do with filters. (Only available in JunkMail Pro.) 1. Have Imail add a header for the URL list and then filter on that header and add weight. 2. Create a URLFILTER filter file in Declude from the Imail URL list. You can do this by using Excel. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela Sent: Thursday, November 27, 2003 11:04 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] How to use URL file from Imail with Declude ?? I update the URL file in Imail by sending all not recognized SPAM to a mailbox then running the spam_sedeer utility Now, can Declude filter E-mail based on that file ??
I am new to Declude, just testing it for two days now It seems good but have some emails that are not caught with Declude, and they are caught with email URL Filter. Any help would be appreciated.. Thanks..
[Declude.JunkMail] missing log part and funny mail
Hi, My question is part Declude JM and part IMail but I assumed this would be the best place. A student gets a funny mail from a user claiming to be [EMAIL PROTECTED]. This e-mail address does not exist. Having a look at the logs it seems this message was created by IMail1.exe so it probably was a user using the webinterface, which covers about 90% of our userbase. :-( If it was indeed a user using the webinterface, how was that user able to change the "from" address as there is no field for it in the web interface. As we do not log the webinterface usage, I have just changed that, I don't know who was logged in at that time. Which log do I need to enable to find out which user sent this message, will just enabling the log for the webinterface be enough? The option "Ignore source address in security check" is enabled, should I disable this? Why is that option in IMail at all, is this a common problem? What is really puzzling is that at the same time there is a gap in the log for Declude JM. The Imail log and the Declude virus log show this message being parsed but the JM part never saw it. Nor did it see several messages after that. There is a gap of almost 2 minutes in the JM log. Anybody any idea what happened, what would cause something like this?
I'm using IMail 8.03 and Declude 1.75
Declude virus LogLevel MID
Declude JM LogLevel LOW

log1127:
20031127 091726 127.0.0.1 SMTP (03CC01FA) finished C:\IMail\spool\Qb314003e011cf42d.SMD status=1
20031127 091728 127.0.0.1 SMTP (03CC01FB) processing C:\IMail\spool\Q31afc5b0770.GSC
20031127 091728 127.0.0.1 SMTP (03CC01FB) ERR tio.nl not local mondeling from [EMAIL PROTECTED]
20031127 091728 127.0.0.1 SMTP (03CC01FB) Creating message from Postmaster
20031127 091728 127.0.0.1 SMTP (03D00049) processing C:\IMail\spool\Q03cc01fb06fa.GSE
20031127 091728 127.0.0.1 SMTP (03CC01FB) finished C:\IMail\spool\Q31afc5b0770.GSC status=2
20031127 091728 127.0.0.1 SMTP (03D00049) ldeliver student.tio.nl r.modderman-main (1) 1234
20031127 091728 127.0.0.1 SMTP (03D00049) finished C:\IMail\spool\Q03cc01fb06fa.GSE status=1
20031127 091732 127.0.0.1 SMTP (03CC01FC) processing C:\IMail\spool\Q31b0d3403c8.GSC
[..]
20031127 091914 127.0.0.1 SMTPD (005C00AC) [212.61.73.64] C:\IMail\spool\Db381005c00aca037.SMD 4402
20031127 091916 127.0.0.1 SMTP (03CC0200) processing C:\IMail\spool\Qb381005c00aca037.SMD

vir1127:
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]

dec1127:
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK

Groetjes, Bonno Bloksma Back up my hard drive? How do I put it in reverse?
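The comparison described in the message above, matching the Declude Virus log against the JunkMail log by spool ID and measuring the silence in the JunkMail log, can be scripted. This is an added example and not part of the original post; the function names are illustrative, and the log lines are the vir1127 and dec1127 excerpts from the message.

```python
import re
from datetime import datetime

# Declude Virus log (vir1127) and JunkMail log (dec1127) excerpts from the post.
VIR_LOG = """\
11/27/2003 09:17:25 Qb314003e011cf42d Scanned: Virus Free [MIME: 2 1625]
11/27/2003 09:17:27 Q31afc5b0770 Scanned: Virus Free [MIME: 1 246]
11/27/2003 09:17:31 Q31b0d3403c8 Scanned: Virus Free [MIME: 1 235]
"""
DEC_LOG = """\
11/27/2003 09:17:26 Qb314003e011cf362 L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf362 L2 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L1 Message OK
11/27/2003 09:17:26 Qb314003e011cf42d L2 Message OK
11/27/2003 09:19:04 Qb376005200fc75dc L1 Message OK
11/27/2003 09:19:10 Qb37b005900ac8608 L1 Message OK
11/27/2003 09:19:16 Qb381005c00aca037 L1 Message OK
"""

# "MM/DD/YYYY HH:MM:SS <spool id> <rest>", the layout both excerpts share.
ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.+)$"
)


def parse(log_text):
    """Return [(timestamp, spool_id, rest)] for every well-formed line."""
    events = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m is None:
            continue  # blank, truncated or foreign line: skip, do not guess
        when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        events.append((when, m.group(2), m.group(3)))
    return events


def missing_from_junkmail(vir_events, dec_events):
    """Spool IDs the virus scanner logged that the JunkMail log never mentions."""
    seen = {spool for _, spool, _ in dec_events}
    return [(when, spool) for when, spool, _ in vir_events if spool not in seen]


def largest_gap(events):
    """Return (seconds, start, end) of the longest silence between entries."""
    stamps = sorted(when for when, _, _ in events)
    best = (0, None, None)
    for earlier, later in zip(stamps, stamps[1:]):
        seconds = int((later - earlier).total_seconds())
        if seconds > best[0]:
            best = (seconds, earlier, later)
    return best


def report(vir_text, dec_text):
    """Summarise the JunkMail gap and which unscanned messages fall inside it."""
    vir, dec = parse(vir_text), parse(dec_text)
    seconds, start, end = largest_gap(dec)
    missing = missing_from_junkmail(vir, dec)
    in_gap = [spool for when, spool in missing
              if start is not None and start < when < end]
    return {
        "gap_seconds": seconds,
        "gap_start": start,
        "gap_end": end,
        "missing": [spool for _, spool in missing],
        "missing_in_gap": in_gap,
    }


if __name__ == "__main__":
    result = report(VIR_LOG, DEC_LOG)
    print("JunkMail log silent for %d s (%s to %s)" % (
        result["gap_seconds"], result["gap_start"], result["gap_end"]))
    for spool in result["missing"]:
        where = "inside" if spool in result["missing_in_gap"] else "outside"
        print("virus-scanned but no JunkMail entry: %s (%s the gap)" % (spool, where))
```

Run it over the full day's log files rather than excerpts: a spool ID absent from an excerpt may simply fall outside the lines that were copied.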
RE: [Declude.JunkMail] Subject and body is B
Hi; I suggested body blank but frankly it has never been hit. I think it is because an email body is NEVER blank.. It always has some code.. I remember exchanging a blank email with Scott that was not detected with ISBLANK and that was his comment. Perhaps the test is run by doing a Length count of characters in the body and if they send a blank HTML email the body is never blank. Interesting that John has seen good result.. I don't remember seeing any.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, November 27, 2003 3:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Subject and body is B Yes, the BODY ISBLANK has done well for me. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, November 27, 2003 12:11 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Subject and body is B Hmm, nope, but I have also seen broken headers like you provided, but never with so much misplaced stuff in the header; from what Scott has previously mentioned, I would guess that the way your sample message is broken is that somewhere in the hops a mailserver put in an extraneous CR/LF. The usual broken message I see has a complete and well-formed header, but no body at all. These messages are always sent from dsl/cable connections that are open relays, never a mail server. Perhaps Kami has seen this behaviour; I think it was he that suggested the BODY ISBLANK filter test. Andrew 8) -Original Message- From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] Sent: Thursday, November 27, 2003 11:14 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Subject and body is B On a related note, I see rushes where the spam has no body and the same header appears from multiple open relays all at the same time; I think it's broken spamware. 
You mean like this: (That is the entire D file.) --- Received: from DAYTON [24.117.148.25] by mail.domain.net with ESMTP (SMTPD32-8.04) id A9B350E0146; Thu, 27 Nov 2003 00:20:51 -0500 htmltitleI will not defame New Orleans
Re: [Declude.JunkMail] Version / Internmediate Policy
I know I'm late in responding to this thread . . but my comment is, if the interim releases are only to fix specific problems, and there is no public announcement or release notes as to what those fixes are, then how is a person to know whether he does or does not need a particular interim release? If there's a bug in a beta related to logging, for example, I may not know about that bug until I need to check logging for information or detail, and then find that it isn't there. If an interim release fixes the bug, it'd be nice to know about that before I have a need for the missing logging info. Or whatever. Glenn Z. - Original Message - From: R. Scott Perry To: [EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 5:53 PM Subject: RE: [Declude.JunkMail] Version / Internmediate Policy Having the release notes include minor comments about interim releases, which will then be combined into one major note for a beta release, should clear up a lot confusion and give us some idea of the features to come. It will also help us to figure if we want to implement a certain interim release or not... I think the issue here is that people are starting to treat the interim releases as betas. With a beta, it is appropriate to know exactly what has been added and fixed, and decide whether or not you want to upgrade to it. But interim releases aren't designed to be run by people unless they [1] are experiencing a problem with the latest release/beta that needs to be fixed ASAP, or [2] have a very important need for a new feature. If we add a new feature to an interim release, we don't want people knowing about it unless it is something they need (not want). If someone needs to see the release notes for an interim release before using it, they shouldn't be using it. The value of the fix and/or new feature they need should outweigh the need to see release notes. -Scott
Re: [Declude.JunkMail] Version / Internmediate Policy
Yep, has happened to me a few times during beta testing. I'm investigating some issue, invest time to dig through logs, report the problem - just to be told oh, that was fixed in interim release xx. Duh! Thank's for warning me. -- Original Message -- From: Glenn \\ WCNet [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 27 Nov 2003 17:13:00 -0600 I know I'm late in responding to this thread . . but my comment is, if the interim releases are only to fix specific problems, and there is no public announcement or release notes as to what those fixes are, then how is a person to know whether he does or does not need a particular interim release? If there's a bug in a beta related to logging, for example, I may not know about that bug until I need to check logging for information or detail, and then find that it isn't there. If an interim release fixes the bug, it'd be nice to know about that before I have a need for the missing logging info. Or whatever. Glenn Z. - Original Message - From: R. Scott Perry To: [EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 5:53 PM Subject: RE: [Declude.JunkMail] Version / Internmediate Policy Having the release notes include minor comments about interim releases, which will then be combined into one major note for a beta release, should clear up a lot confusion and give us some idea of the features to come. It will also help us to figure if we want to implement a certain interim release or not... I think the issue here is that people are starting to treat the interim releases as betas. With a beta, it is appropriate to know exactly what has been added and fixed, and decide whether or not you want to upgrade to it. But interim releases aren't designed to be run by people unless they [1] are experiencing a problem with the latest release/beta that needs to be fixed ASAP, or [2] have a very important need for a new feature. 
If we add a new feature to an interim release, we don't want people knowing about it unless it is something they need (not want). If someone needs to see the release notes for an interim release before using it, they shouldn't be using it. The value of the fix and/or new feature they need should outweigh the need to see release notes. -Scott
Re: [Declude.JunkMail] Version / Internmediate Policy
Yep, has happened to me a few times during beta testing. I'm investigating some issue, invest time to dig through logs, report the problem - just to be told oh, that was fixed in interim release xx. Duh! Thank's for warning me. Remember, though, that it was the same way back with just betas and released versions -- after a beta came out, if you reported a bug that we already knew about and had fixed, our answer would be Oh, we know about that, the next beta will take care of it. That would be worse -- you lose the same as you do with interim releases (investing time to analyze and report the problem), but also don't get a fix right away. Yes, it would be nice if we had a list of bug fixes for this very purpose (Known bugs). That is something we will look into. If it is done, though, it will most likely just be These are the bugs that are fixed in the latest interim release, without specifying which interim release fixed it, and the list could be updated less frequently than the interim releases come out. -Scott
Re: [Declude.JunkMail] DLAnalyzer
John, Any anomaly you find with the program please send me an email [EMAIL PROTECTED] and describe the process to reproduce. Any bugs that are found will be corrected quickly. Thanks Darrell John Tolmachoff (Lists) writes: Is there need for a separate support list, or do you want it sent to you? One thing I am noticing about the GUI is that it does not always clear previous settings. Example, if I had set to filter by domain, but now do not want to, just by removing the domain in the GUI does not always remove it from the config file. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of DLAnalyzer Support Sent: Wednesday, November 26, 2003 6:52 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] DLAnalyzer John, Those are excellent suggestions and have been made by several folks. Both of those suggestions are going to be in the next intermediate release. Darrell John Tolmachoff (Lists) writes: Feature request: Ability to save config file as. Ability to run program with a saved named config file. This would allow you to create different configuration files with the GUI, and then run reports based on different configuration files. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of DLAnalyzer Support Sent: Tuesday, November 25, 2003 8:01 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] DLanalyzer The latest version of DLAnalyzer was released last week. The current version is 2.0R. Many new features were added including a GUI based configuration utility to ease configuration.
There are many other reports it can generate besides the one listed below (Domain Summaries Incoming/Outgoing, Advanced Reports On Users, etc) You can download a copy of DLAnalyzer at http://www.dlanalyzer.com Darrell ISPhuset Nordic AS writes: Where can i find this version of DLAnalyzer(v2.0.B.I) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: 25. november 2003 16:13 To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] EasyNet Replacements Well, Here is how my replacement tests are doing (turned off EasyNet at noon):

DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For Argos.net
Report Start Time: 11/24/2003 00:00:00
Report End Time: 11/24/2003 23:59:59
Total Messages: 12,777
Messages That Failed: 8,475
Spam Percentage: 66.33%

TEST              # FAILED  Percentage
AHBL                   755       5.91%
AHBLDOMAINS             63       0.49%
AHBLEXEMPT              31       0.24%
AHBLPROXIES            468       3.66%
AHBLSOURCES            291       2.28%
NJABL                2,317      18.13%
NJABLDUL               202       1.58%
NJABLPROXIES         1,370      10.72%
NJABLRELAYS            109       0.85%
NJABLSOURCES           255       2.00%
SORBS                2,199      17.21%
SORBS-DUL            1,578      12.35%
SORBS-HTTP             512       4.01%
SORBS-MISC              69       0.54%
SORBS-SMTP              11       0.09%
SORBS-SOCKS            616       4.82%
SORBS-SPAM             265       2.07%
SORBS-ZOMBIE            15       0.12%
EASYNET-DNSBL        1,157       9.06%
EASYNET-DOMAINS        250       1.96%
EASYNET-DYNA         1,409      11.03%
EASYNET-PROXIES        782       6.12%
BLITZEDALL             276       2.16%
BONDEDSENDER           188       1.47%
CBL                  3,179      24.88%
DSBL                 3,530      27.63%
DSBLMULTI               71       0.56%
KUNDENSERVER            12       0.09%
MAILPOLICE-PORN         31       0.24%
ORDB                    77       0.60%
SPAMCOP              4,028      31.53%
SPAMHAUS               796       6.23%
RDNSBL                 179       1.40%
BADHEADERS           2,224      17.41%
BASE64                 471       3.69%
BCC4                    69       0.54%
BCC6                    41       0.32%
BCC8                    29       0.23%
COMMENTS               536       4.20%
HELOBOGUS            1,963      15.36%
MAILFROM               205       1.60%
REVDNS               1,701      13.31%
SPAMDOMAINS          1,612      12.62%
SPAMHEADERS          1,329      10.40%
SPAMROUTING            962       7.53%

Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
RE: [Declude.JunkMail] EasyNet Replacements
These are the ones I am testing right now. Any comments?

NJABL ip4r dnsbl.njabl.org 127.0.0.2 7 0
NJABLPROXIES ip4r dnsbl.njabl.org 127.0.0.9 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 7 0
AHBLOPEN ip4r dnsbl.ahbl.org 127.0.0.2 7 0
AHBLPROXY ip4r dnsbl.ahbl.org 127.0.0.3 7 0
AHBLSPAM ip4r dnsbl.ahbl.org 127.0.0.4 7 0
AHBLSUPPORT ip4r dnsbl.ahbl.org 127.0.0.7 7 0
AHBLGOOD ip4r exemptions.ahbl.org 127.0.0.2 -10 0

AHBLGOOD: This zone is not a blocking zone! This is a whitelist zone. Do not use it to block mail or you will risk blocking a lot of legit e-mail. If you have the ability to setup a DNSbl whitelist, then this is the zone you want to use with it. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Tuesday, November 25, 2003 7:13 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] EasyNet Replacements Well, Here is how my replacement tests are doing (turned off EasyNet at noon):

DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For Argos.net
Report Start Time: 11/24/2003 00:00:00
Report End Time: 11/24/2003 23:59:59
Total Messages: 12,777
Messages That Failed: 8,475
Spam Percentage: 66.33%

TEST              # FAILED  Percentage
AHBL                   755       5.91%
AHBLDOMAINS             63       0.49%
AHBLEXEMPT              31       0.24%
AHBLPROXIES            468       3.66%
AHBLSOURCES            291       2.28%
NJABL                2,317      18.13%
NJABLDUL               202       1.58%
NJABLPROXIES         1,370      10.72%
NJABLRELAYS            109       0.85%
NJABLSOURCES           255       2.00%
SORBS                2,199      17.21%
SORBS-DUL            1,578      12.35%
SORBS-HTTP             512       4.01%
SORBS-MISC              69       0.54%
SORBS-SMTP              11       0.09%
SORBS-SOCKS            616       4.82%
SORBS-SPAM             265       2.07%
SORBS-ZOMBIE            15       0.12%
EASYNET-DNSBL        1,157       9.06%
EASYNET-DOMAINS        250       1.96%
EASYNET-DYNA         1,409      11.03%
EASYNET-PROXIES        782       6.12%
BLITZEDALL             276       2.16%
BONDEDSENDER           188       1.47%
CBL                  3,179      24.88%
DSBL                 3,530      27.63%
DSBLMULTI               71       0.56%
KUNDENSERVER            12       0.09%
MAILPOLICE-PORN         31       0.24%
ORDB                    77       0.60%
SPAMCOP              4,028      31.53%
SPAMHAUS               796       6.23%
RDNSBL                 179       1.40%
BADHEADERS           2,224      17.41%
BASE64                 471       3.69%
BCC4                    69       0.54%
BCC6                    41       0.32%
BCC8                    29       0.23%
COMMENTS               536       4.20%
HELOBOGUS            1,963      15.36%
MAILFROM               205       1.60%
REVDNS               1,701      13.31%
SPAMDOMAINS          1,612      12.62%
SPAMHEADERS          1,329      10.40%
SPAMROUTING            962       7.53%

Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/
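Several of the test lines in the message above share one zone and differ only in the 127.0.0.x answer, and AHBLGOOD carries a negative weight. The sketch below is an added example, not Declude's code and not part of the original post: it shows how such a line maps to a DNS query name and how the answers turn into a score. It assumes the six fields mean name, type, zone, expected answer, weight when listed, weight when not listed; the DNS answers and the 192.0.2.x addresses are constructed so it runs offline.

```python
import ipaddress
from collections import namedtuple

# Test lines as posted in the message above.
TEST_LINES = """\
NJABL ip4r dnsbl.njabl.org 127.0.0.2 7 0
NJABLPROXIES ip4r dnsbl.njabl.org 127.0.0.9 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 7 0
AHBLOPEN ip4r dnsbl.ahbl.org 127.0.0.2 7 0
AHBLPROXY ip4r dnsbl.ahbl.org 127.0.0.3 7 0
AHBLSPAM ip4r dnsbl.ahbl.org 127.0.0.4 7 0
AHBLSUPPORT ip4r dnsbl.ahbl.org 127.0.0.7 7 0
AHBLGOOD ip4r exemptions.ahbl.org 127.0.0.2 -10 0
"""

# Assumed field meaning (see lead-in): weight_listed applies when the zone
# returns the expected answer, weight_unlisted when it does not.
Test = namedtuple("Test", "name zone expect weight_listed weight_unlisted")


def parse_tests(text):
    """Parse ip4r test lines; lines of any other shape are ignored."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ip4r":
            continue
        ipaddress.IPv4Address(fields[3])  # raises if the answer is malformed
        tests.append(Test(fields[0], fields[2].lower(), fields[3],
                          int(fields[4]), int(fields[5])))
    return tests


def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (ip4r means IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def evaluate(ip, tests, resolve):
    """Return (matched test names, total weight) for one connecting IP.

    resolve(name) must return the set of A-record strings for name, or an
    empty set when the name does not exist. Each zone is queried once, and
    a test matches only if its own expected answer is in that set.
    """
    answers = {}
    matched, weight = [], 0
    for t in tests:
        if t.zone not in answers:
            answers[t.zone] = set(resolve(query_name(ip, t.zone)))
        if t.expect in answers[t.zone]:
            matched.append(t.name)
            weight += t.weight_listed
        else:
            weight += t.weight_unlisted
    return matched, weight


# Constructed answers standing in for live DNS (documentation addresses).
CONSTRUCTED_DNS = {
    "25.2.0.192.dnsbl.ahbl.org": {"127.0.0.3"},
    "25.2.0.192.cbl.abuseat.org": {"127.0.0.2"},
    "80.2.0.192.dnsbl.njabl.org": {"127.0.0.2"},
    "80.2.0.192.exemptions.ahbl.org": {"127.0.0.2"},
}


def constructed_resolve(name):
    return CONSTRUCTED_DNS.get(name, set())


TESTS = parse_tests(TEST_LINES)

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.80", "192.0.2.99"):
        names, total = evaluate(ip, TESTS, constructed_resolve)
        print(ip, names, total)
```

The same reversal produces the name seen in the X-RBL-Warning header quoted elsewhere on this page, where 80.56.186.84 appears as 84.186.56.80.blackholes.five-ten-sg.com.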
Re: [Declude.JunkMail] 8 bit encoding
Scot, The 8 bit encoding doesn't have anything to do with why it passes ANTI-GIBBERISH. It appears that this test got tripped on the ANTI filter because of a qa string (with the space, line 53 of that filter). I believe that 8 bit encoding isn't going to be very safe to filter on, though it is worth looking at. This might be a great opportunity to take a combination of an X-Mailer and Content-Transfer-Encoding in a filter so that if say Outlook Express and 8bit both occur, then it is spam. A theory like this would need to be tested though. The new filtering capabilities also could allow you to change GIBBERISH so that it could hit twice and assess more score on two hits (limited with MAXPOINTS). This also needs testing though because while this would probably not be an issue for regular people messages, some of the FP's from automated sources might very well fail multiple times like spam can. This E-mail is from a spammer that several have commented on. For the interim, he is easily targeted with a filter for: BODY 15BEGINSWITH g I'm actually going to test a filter out with a file that I created sometime ago which checks for fake HTML tags which has every combination of non-HTML two letter code in it preceded by a less than sign. This filter actually led me to what became GIBBERISH, though I can't remember why I abandoned it. As a BEGINSWITH filter it shouldn't be too demanding on processing, and it should be very unlikely to FP. I'll be sure to release it if it works out. BTW, I'm not sure exactly what your scores are on your system, but with what this message failed in terms of tests and filters, it would have definitely been held as spam on my system. 4 - EASYNET-DYNA 4 - FIVETEN-SRC 3 - FOREIGN 0 - REVDNS = 10 - Total (my hold weight) It might have failed other tests that I am using locally as well. I don't like giving too much credit for the negative weight tests, only three points are possible on my system and I give nothing for REVDNS. 
I would be scoring EASYNET-DYNA higher except that I also use another DUL test in addition to my DYNAMIC filter which all look for the same thing. FIVETEN can be problematic, though the .2 test isn't nearly as bad as the .4 test. I know that FIVETEN scores a lot of FP's, but it's a very important test for me as they pick up a lot of stuff that others don't for some reason and I can deal with them blacklisting places like Yahoo and some legit newsletters since I score it relatively low. Another test that you might want to think about using would be: SUBJECT 2 ISBLANK This is fairly rare with ham, and probably safe to add one or two points to (on a fail weight of 10). I think that spammers have rightly figured that it can be more harm than good by including even a randomized subject because it is one more thing to track, and a blank subject probably peaks one's interest enough to still open it to see what it is instead of just deleting it without a thought. Matt Scot Desort wrote: I have seen a lot of mail like this one scoring low on Declude: X-F: [EMAIL PROTECTED] Sat Nov 22 06:08:11 2003 Received: from tekes.fi [80.56.186.84] by njaccess.com (SMTPD32-6.06) id A394206D005E; Sat, 22 Nov 2003 06:08:04 -0500 Message-ID: [EMAIL PROTECTED] From: Sybil D. Neely [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Date: Sun, 23 Nov 2003 02:23:38 + MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Type: text/html Content-Transfer-Encoding: 8bit X-RBL-Warning: FIVETENSRC: 84.186.56.80.blackholes.five-ten-sg.com. 
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (96)
X-RBL-Warning: ANTIGIBBERISH: Message failed ANTIGIBBERISH test (53)
X-Declude-Sender: [EMAIL PROTECTED] [80.56.186.84]
X-Declude-Spoolname: D439405e.SMD
X-SpamWatch-Tests-Failed: EASYNET-DYNA, FIVETENSRC, IPNOTINMX, NOLEGITCONTENT, GIBBERISH, ANTIGIBBERISH, FOREIGN [6]
X-SpamWatch-Country-Chain: NETHERLANDS-destination
X-SpamWatch-ReverseLookUp: f186084.upc-f.chello.nl ([80.56.186.84]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 362076914
Status: U

gyvpznjdrufwnxfont color=whiteufabnkxbdrisgjbimlhlrbqljb rjcvvcjzrgth gemotyrdifskfkauewcugfimk geqfppqbcqxaisvpolbcuds egbftgdihh ggbaxkcuiaztygdxdecibhfsovd/fontgartymfckjfrcjbrgasunzscmkk font color=whitesxevtgbewm gxzmadrqaaeupxrcwkircgel gxnjljpbfuvmgdkhfqhqdggjribadezeaag ukmfmpblojgimjotcdieisbz fgbzancgjeo gwyrtntfwaeeiqnqceziepk/fontgbpuzkbdzyzhlgbrgruzkohbxdbh bglaitqxdgqqLOgbbcsqudibzSEgfaigjrcnqeff gcmnbmjbwzlWEghoncnjlakguacIGgmtsdthcgucjfwxHT gsrlqukbgfidsmTHghvhfnnbvqvaE gjcfukdbhjnkancEgqjxxxtdqfsoASIgxcfhbbdpqglwER WgvrobgjcwercAYgrzdgrtbuom/bguqassadqplxbr gfunlxdcgwviIghththgcueaorT'Sgbdtyvqdoxr NgcrlcqzcntbOTgdjcisnccny Agquakrdruzooyp guyrrqdapeludlDIgojmghdsqcwenclETgetrjehclmmvbq
Re: [Declude.JunkMail] EasyNet Replacements
I haven't tested these, however I would very much appreciate knowing from your tests or those of others two things in particular:

NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements?
AHBLGOOD - Is this absolutely trustworthy and what types of servers does it list?

Thanks,
Matt

John Tolmachoff (Lists) wrote:

These are the ones I am testing right now. Any comments?

NJABL ip4r dnsbl.njabl.org 127.0.0.2 7 0
NJABLPROXIES ip4r dnsbl.njabl.org 127.0.0.9 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 7 0
AHBLOPEN ip4r dnsbl.ahbl.org 127.0.0.2 7 0
AHBLPROXY ip4r dnsbl.ahbl.org 127.0.0.3 7 0
AHBLSPAM ip4r dnsbl.ahbl.org 127.0.0.4 7 0
AHBLSUPPORT ip4r dnsbl.ahbl.org 127.0.0.7 7 0
AHBLGOOD ip4r exemptions.ahbl.org 127.0.0.2 -10 0

AHBLGOOD: This zone is not a blocking zone! This is a whitelist zone. Do not use it to block mail or you will risk blocking a lot of legit e-mail. If you have the ability to setup a DNSbl whitelist, then this is the zone you want to use with it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, November 25, 2003 7:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] EasyNet Replacements

Well,

Here is how my replacement tests are doing (turned off EasyNet at noon):

DLAnalyzer(v2.0.B.I) Report Generated At 11/25/2003 12:19:41 AM For Argos.net
Report Start Time: 11/24/2003 00:00:00
Report End Time: 11/24/2003 23:59:59
Total Messages: 12,777
Messages That Failed: 8,475
Spam Percentage: 66.33%

TEST               # FAILED  Percentage
AHBL                    755       5.91%
AHBLDOMAINS              63       0.49%
AHBLEXEMPT               31       0.24%
AHBLPROXIES             468       3.66%
AHBLSOURCES             291       2.28%
NJABL                 2,317      18.13%
NJABLDUL                202       1.58%
NJABLPROXIES          1,370      10.72%
NJABLRELAYS             109       0.85%
NJABLSOURCES            255       2.00%
SORBS                 2,199      17.21%
SORBS-DUL             1,578      12.35%
SORBS-HTTP              512       4.01%
SORBS-MISC               69       0.54%
SORBS-SMTP               11       0.09%
SORBS-SOCKS             616       4.82%
SORBS-SPAM              265       2.07%
SORBS-ZOMBIE             15       0.12%
EASYNET-DNSBL         1,157       9.06%
EASYNET-DOMAINS         250       1.96%
EASYNET-DYNA          1,409      11.03%
EASYNET-PROXIES         782       6.12%
BLITZEDALL              276       2.16%
BONDEDSENDER            188       1.47%
CBL                   3,179      24.88%
DSBL                  3,530      27.63%
DSBLMULTI                71       0.56%
KUNDENSERVER             12       0.09%
MAILPOLICE-PORN          31       0.24%
ORDB                     77       0.60%
SPAMCOP               4,028      31.53%
SPAMHAUS                796       6.23%
RDNSBL                  179       1.40%
BADHEADERS            2,224      17.41%
BASE64                  471       3.69%
BCC4                     69       0.54%
BCC6                     41       0.32%
BCC8                     29       0.23%
COMMENTS                536       4.20%
HELOBOGUS             1,963      15.36%
MAILFROM                205       1.60%
REVDNS                1,701      13.31%
SPAMDOMAINS           1,612      12.62%
SPAMHEADERS           1,329      10.40%
SPAMROUTING             962       7.53%

Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] EasyNet Replacements
NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements? AHBLGOOD - Is this absolutely trustworthy and what types of servers does it list?

I ran across AHBLGOOD and am testing it to see what happens.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] EASYNET tests going away December 1
Scott if we comment out a test in global.cfg and leave its action in default.junkmail will there be any problems? errors, performance issues, ...

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 1:52 PM
Subject: [Declude.JunkMail] EASYNET tests going away December 1

FYI. Here's a copy of their E-mail.

-Scott

---

The easynet blacklists/spamfilters (blackholes.easynet.nl, proxies.blackholes.easynet.nl, dynablock.easynet.nl, spamdomains.blackholes.easynet.nl, and the easynet spamlists) will be discontinued starting Dec 1 2003. The zonefiles and associated files will be 'zero-sized' on that day. The domains will continue to resolve for a long time, but they will contain nothing more than the test records (127.0.0.2 and example.com), so they will not catch anything.

Holy Crap! - Yep.

FAQ? - Sure.

Are you being DDos'ed out of existence? - Nope. They probably tried. We didn't even notice it.

Are you being sued? - Nope. They probably tried. We didn't even notice it.

Are you being threatened? - Frankly, we will miss that part.

Are you tired? - Damn right.

Are you giving up? - That is not the right word. There are plenty of fine blacklists, and new ones spring up every day. The wirehub/easynet lists served their purpose, but others may serve that purpose equally well.

Isn't this all kinda sudden? - Yes. Sometimes, you just know that it's time to say goodbye. And the moment you know it, you must do it. Running blacklists on anything less than 100% motivation and energy is not how it should be done.

Anything else? - Sure. These blacklists were maintained by a single person, all of them. Every day. Listings, delistings, finding new DSL/cable ranges, finding new open proxies, writing better scripts, handling all email, running statistics, publishing overviews, providing rsync areas, DNS transfers. You name it. TINW. There's an I. And I want my life back, at least a little ;)

Life? - Yes. Maybe not as we know it. Over the past 3-4 years, the maintainer of these lists has worked 7 days a week, 10-12 hours a day running these lists and handling all tasks and email associated with them. Not a single day has passed without at least processing delisting requests (the bare minimum). And then there was the day job (which was really nothing more than running an ISP's server farm - peanuts, it's FreeBSD).

Is that all? - There's more to it, but the details do not really concern you. Let's just say that the integrity of these lists might have been in jeopardy in the long run. There are two cardinal sins when it comes to blacklists: 1. putting/keeping someone on them who should not be - 2. not putting someone on them who really should be. Avoiding '1' is a matter of discipline and a thick skin. Avoiding '2' is a matter of being totally independent from all pressures surrounding you. Avoiding '2' has become increasingly difficult, and we'd rather stop with our integrity fully intact and our reputation unharmed. That is about now. Well, next week.

We? - Yes, dropping that habit will take some time ;)

Will you be back? - Probably. Lurking.

Will you miss us? - Depends on how well target practice goes.

Should we give up The Good Fight? - Hell no, we're winning. There's plenty of enthusiasm, and there are plenty of new and old blacklists doing fine work. Take your pick. Keep fighting. Fight for your spam laws. Educate. Annoy. Sue if you must. It's up to you now.

Is there anything we can do? - Yes. Spread the word, please. Post to your local/national abuse groups, inform anyone you know who uses these lists, update your configurations. Nothing will break after Dec 1, but there will come a day when these names (including the old Wirehub ones, which still resolve) will cease to resolve. This will probably be announced.

Will the lists be back under a different name? - Probably not. It started out as 'doing some extra work to stop spam', because .. well .. FreeBSD and such, plenty of time left. And why not donate that work to the Internet community as well. In the long run, it turned out to be 'getting some sleep and maybe something to eat between emails and zone updates'. Sometimes, enough is just enough.

Can't you just maintain one or two of the lists? - What did I just say?

I have a question! - The email address will probably work throughout December. It may drop dead after that. Hope I won't.

Goodbye all. It was invigorating, it was fun, it was necessary. Don't give up.

Ben.

--
easynet.nl abuse handling dept. -- [EMAIL PROTECTED]
- blacklists/dnsbls: http://abuse.easynet.nl/spamstats.html
- aup: http://www.nl.easynet.net/pub/av/aup/nl (dutch)
- aup: http://www.nl.easynet.net/pub/av/aup/en (english)
Re: [Declude.JunkMail] EasyNet Replacements
NJABL for the most part is like ORDB. They test open relays and list them. Folks that are listed can easily request to be de-listed, but of course they are not removed if njabl finds them relaying still.

Darrell

Matthew Bramble writes:

I haven't tested these, however I would very much appreciate knowing from your tests or those of others two things in particular:

NJABL and AHBLSPAM - Do they FP on a lot of legit advertisements?
AHBLGOOD - Is this absolutely trustworthy and what types of servers does it list?

Thanks,
Matt

John Tolmachoff (Lists) wrote:

These are the ones I am testing right now. Any comments?

NJABL ip4r dnsbl.njabl.org 127.0.0.2 7 0
NJABLPROXIES ip4r dnsbl.njabl.org 127.0.0.9 7 0
CBL ip4r cbl.abuseat.org 127.0.0.2 7 0
AHBLOPEN ip4r dnsbl.ahbl.org 127.0.0.2 7 0
AHBLPROXY ip4r dnsbl.ahbl.org 127.0.0.3 7 0
AHBLSPAM ip4r dnsbl.ahbl.org 127.0.0.4 7 0
AHBLSUPPORT ip4r dnsbl.ahbl.org 127.0.0.7 7 0
AHBLGOOD ip4r exemptions.ahbl.org 127.0.0.2 -10 0

AHBLGOOD: This zone is not a blocking zone! This is a whitelist zone. Do not use it to block mail or you will risk blocking a lot of legit e-mail. If you have the ability to setup a DNSbl whitelist, then this is the zone you want to use with it.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
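The ip4r test lines quoted in this thread can be read as a small weighted-scoring table. The added example below (not code from Declude or from any poster) parses lines in that layout, builds the reversed-octet query name seen in the X-RBL-Warning header earlier on the page, and sums the weights against the hold weight of 10 that Matt mentions; the column meanings, the function names and the sample DNS answers are assumptions or constructed values.

```python
import ipaddress
import socket
from collections import namedtuple

# One ip4r test. The last two columns are read here as "weight if listed"
# and "weight if not listed" (an assumption about the quoted layout).
Test = namedtuple("Test", "name zone expect w_listed w_unlisted")

HOLD_WEIGHT = 10  # the hold weight Matt quotes for his own system

# Test lines copied from the thread (a subset of John's list).
TESTS_CFG = """\
NJABL        ip4r dnsbl.njabl.org     127.0.0.2   7 0
NJABLPROXIES ip4r dnsbl.njabl.org     127.0.0.9   7 0
CBL          ip4r cbl.abuseat.org     127.0.0.2   7 0
AHBLSPAM     ip4r dnsbl.ahbl.org      127.0.0.4   7 0
AHBLGOOD     ip4r exemptions.ahbl.org 127.0.0.2 -10 0
"""

# Constructed DNS answers for two documentation addresses (192.0.2.0/24).
# These are not real listings.
SAMPLE_ANSWERS = {
    "25.2.0.192.dnsbl.njabl.org": {"127.0.0.2", "127.0.0.9"},
    "25.2.0.192.cbl.abuseat.org": {"127.0.0.2"},
    "77.2.0.192.dnsbl.ahbl.org": {"127.0.0.4"},
    "77.2.0.192.exemptions.ahbl.org": {"127.0.0.2"},
}


def parse_tests(text):
    """Parse 'NAME ip4r ZONE RESULT W1 W2' lines; blank lines are skipped."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 6 or fields[1].lower() != "ip4r":
            raise ValueError("not an ip4r test line: %r" % line)
        name, _, zone, expect, w_listed, w_unlisted = fields
        ipaddress.IPv4Address(expect)  # reject a malformed result code
        tests.append(Test(name, zone.lower(), expect,
                          int(w_listed), int(w_unlisted)))
    return tests


def query_name(ip, zone):
    """80.56.186.84 + zone -> 84.186.56.80.zone (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Real lookup: the set of A records, or an empty set if there are none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN or resolver failure: treated as not listed
        return set()


def sample_resolver(name):
    """Offline stand-in for DNS that serves the constructed answers."""
    return SAMPLE_ANSWERS.get(name, set())


def evaluate(ip, tests, resolver=system_resolver):
    """Return (total weight, names of tests that hit, DNS lookups made)."""
    answers = {}  # one lookup per zone, shared by every test on that zone
    total, hits = 0, []
    for t in tests:
        qname = query_name(ip, t.zone)
        if qname not in answers:
            answers[qname] = resolver(qname)
        if t.expect in answers[qname]:
            total += t.w_listed
            hits.append(t.name)
        else:
            total += t.w_unlisted
    return total, hits, len(answers)


if __name__ == "__main__":
    tests = parse_tests(TESTS_CFG)
    for ip in ("192.0.2.25", "192.0.2.77", "192.0.2.200"):
        total, hits, lookups = evaluate(ip, tests, sample_resolver)
        verdict = "HOLD" if total >= HOLD_WEIGHT else "deliver"
        print(ip, total, hits, lookups, verdict)
```

The second sample address shows why a whitelist zone such as AHBLGOOD carries a negative weight: a hit on AHBLSPAM is more than cancelled by the exemption.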
RE: [Declude.JunkMail] EASYNET tests going away December 1
Since the tests will be dead, remove them is best.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge
Sent: Thursday, November 27, 2003 6:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] EASYNET tests going away December 1

Scott if we comment out a test in global.cfg and leave its action in default.junkmail will there be any problems ? errors, performance issues, ...
RE: [Declude.JunkMail] Version / Internmediate Policy
These are the bugs that are fixed in the latest interim release, without specifying which interim release fixed it

Thanks - that would be a great help. Typically, beta testers come to expect an extra level of support, since they are sticking their heads out for the developer's benefit. To let us run into (occasionally severe) problems knowingly can sometimes be unnerving.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
RE: [Declude.JunkMail] Declude does not see email
Some more grist for the mill, and a question or two for Scott...

I've seen the same behaviour in our implementation: the inbound e-mail is received and doesn't look mangled, but has no declude headers. Until recently, there were no declude log lines, either.

I'm running IMail v8.02 on Windows 2000 Server SP4 etc, and am now running declude.exe 1.76i28; today I saw an HTML style spam come through with no declude headers. The log did have one line for this message:

11/27/2003 15:23:41 Q875e044a00daa57c Could not lock D:\IMail\spool\Q875e044a00daa57c.SMD; timed out (j=2).

My query for Scott is: as of interim 28, declude.exe now always logs something if the message couldn't be handled, correct? So perhaps there is a grammar or pattern in the log we can use to find these error messages?

As for my server configuration, I also have no particular software that I think should have vied for a lock on the file; my antivirus software skips all of the files with IMail message extensions. The only things that could have tripped over the file are W2K itself, IMail, and declude.exe ...

Andrew.

-Original Message-
From: Keith Johnson [mailto:[EMAIL PROTECTED]
Sent: Monday, November 24, 2003 5:42 AM
To: [EMAIL PROTECTED]
Subject: FW: [Declude.JunkMail] Declude does not see email

Scott,

This issue of Declude (1.76i and Imail 8.04) not seeing email has picked up tremendously in the past week or so. We are starting to see this a lot in our own email as well as our customers reporting it. It seems to be happening in both html and plain text formatted emails. Is there anything I can do in my settings to aid this as I am fearful of viruses getting thru (more so than spam)? Thanks,

Keith

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Fri 11/21/2003 12:10 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Declude.JunkMail] Declude does not see email

I am curious to know if others are experiencing this as well. Daily I receive 3-4 spam that show no sign of Declude ever being run. Searching the IMail log file shows the email arriving and the SPAM log file for IMail shows an entry for the email but Declude does not show it.

Are you running IMail v8? There seems to be a problem with IMail v8 where it will occasionally "forget" to call Declude. We haven't been able to reproduce the problem, but from the log files that we have seen, it appears that Declude isn't even started.

-Scott
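Andrew's question about a log pattern can be answered with a small scan. The added example below (not Declude's own tooling) matches the one lock-timeout line quoted in his message and reports spool IDs whose only log entry is that error; every sample log line other than the first is constructed, and treating a spool ID with any other entry as handled is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# General line shape taken from the quoted entry: date, time, spool ID, text.
LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$")
# The error text exactly as quoted; the j value is kept as reported because
# the thread does not say what it means.
LOCK = re.compile(
    r"^Could not lock (?P<path>.+?); timed out \(j=(?P<j>\d+)\)\.?$")

# First entry is the line quoted in the thread; the rest are constructed.
SAMPLE_LOG = r"""
11/27/2003 15:23:41 Q875e044a00daa57c Could not lock D:\IMail\spool\Q875e044a00daa57c.SMD; timed out (j=2).
11/27/2003 15:24:02 Q875f01bc00e2a611 (constructed) message processed
11/27/2003 15:30:10 Q8760033300f1b2c3 Could not lock D:\IMail\spool\Q8760033300f1b2c3.SMD; timed out (j=2).
11/27/2003 15:30:15 Q8760033300f1b2c3 (constructed) message processed
11/28/2003 09:01:07 Q88000a1b00c4d5e6 Could not lock D:\IMail\spool\Q88000a1b00c4d5e6.SMD; timed out (j=1).
this line does not match the expected shape and is skipped
"""


def unscanned_messages(lines):
    """Return lock-timeout records for spool IDs with no other log entry."""
    entries = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries[m.group(2)].append((when, m.group(3)))

    report = []
    for spool_id, rows in entries.items():
        locks = [(when, LOCK.match(text)) for when, text in rows
                 if LOCK.match(text)]
        # Flag only messages where every entry is a lock timeout, which is
        # the situation Andrew describes: one error line and nothing else.
        if locks and len(locks) == len(rows):
            when, m = locks[0]
            report.append({
                "spool_id": spool_id,
                "when": when,
                "path": m.group("path"),
                "j": int(m.group("j")),
            })
    return sorted(report, key=lambda r: r["when"])


def per_day(report):
    """Count flagged messages per calendar day (ISO date -> count)."""
    return dict(Counter(r["when"].date().isoformat() for r in report))


if __name__ == "__main__":
    found = unscanned_messages(SAMPLE_LOG.splitlines())
    for r in found:
        print(r["when"], r["spool_id"], r["path"], "j=%d" % r["j"])
    print(per_day(found))
```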
Re: [Declude.JunkMail] %TESTSFAILED%
Scott

I do not think it is a good idea to hide tests like ipnotinmx, because we won't know their weight contribution

we need a hidetest when weight =0, but that will show the negative value when passed test

something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed)

this will show ipnotinmx and nonlegitcontent type tests when they pass

Hope you understand what I'm trying to say

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 7:01 PM
Subject: Re: [Declude.JunkMail] %TESTSFAILED%

Any progress/word on when certain tests can be excluded from this variable?

This will be in the next release. :) The next release will allow for an option HIDETESTS in the global.cfg file (the default setting will be HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT), which will prevent those tests from showing up in the X-Spam-Tests-Failed: header.

-Scott
RE: [Declude.JunkMail] %TESTSFAILED%
In the case of IPNOTINMX and NOLEGITCONTENT, it works just the opposite. If the message fails, no weight is added or subtracted. If the test passes, the negative weight is subtracted. Therefore, if one of those tests is listed under %TESTSFAILED%, it means nothing was done. Likewise, the actions for those tests should be IGNORE or LOG only, as again if the tests failed means nothing. Only if the message passes the test is weight subtracted.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of serge
Sent: Thursday, November 27, 2003 7:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] %TESTSFAILED%

Scott

I do not think it is a good idea to hide tests like ipnotinmx, because we won't know their weight contribution

we need a hidetest when weight =0, but that will show the negative value when passed test

something like %weightnot0test% variable with all tests that contributed to the total weight (negative, positive, passed, or failed)

this will show ipnotinmx and nonlegitcontent type tests when they pass

Hope you understand what I'm trying to say