Re[2]: [Declude.JunkMail] High % of spam from this IP range:
64.119.192.0/19 = iwayhosting.com covers all those Been in my banned ip list for a while now. Rick Rountree *** REPLY SEPARATOR *** On 12/6/2003 at 3:04 PM George Kulman wrote: Marc Don't forget 64.119.208.0/24 George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Catuogno Sent: Saturday, December 06, 2003 2:42 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] High % of spam from this IP range: 64.119.209.70 64.119.210.70 64.119.222.157 64.119.194.100 64.119.210.70 64.119.217.134 64.119.222.156 64.119.222.157 Out of about 40 held messages this morning these IP's were in about 10 of them. I'm going to add the following to a weighted (10) IP file so it will pass my delete weight if it fails just about any other test. A 64.119.209.0/24 64.119.210.0/24 64.119.222.0/24 64.119.194.0/24 64.119.217.0/24 After closer inspection, some of these ranges are already in one file, sigh... I hate spam... Maybe it's the blizzard, but I just felt like sharing this with all of you. Those of you on the east with me, stay safe and warm. Marc --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude not taking action
I figure that each individual E-mail on my system has about a 0.6% chance of being stolen and delivered by the queue. Matt: I have spent a lot of my years in the field of mathematics. A study done a while back and it is related to data-mining stated.. men buy baby diapers and orange juice on Tuesdays more than any other day of the week. While it sounds interesting it is real hard to make any use of it. :) -- I am either very lucky or the 0.6% is only concentrating itself to my mailbox. On our very small volume server I got 2 last night and that is only me - others are probably getting it and not letting us know. Attached is an email that IMail added its headers but Declude never saw. I get about 2-3 daily. Regards, Kami ---BeginMessage--- Title: brakeman piocr The Digital Power Filter works on 99% of Digital Cable Boxes. Simple to hook up, it will be giving you the Viewing pleasure that you want right away. http://www.ulikeit.biz/promo.php?id=93827 exclude http://www.ulikeit.biz/remove.php?id=93827 ---End Message---
RE: [Declude.JunkMail] Declude not taking action
Apologies if this has already been mentioned, but this may be a quick easy way to find out exactly what messages(and quantity of messages) never got scanned by Declude on a per server basis: If you have Declude configured to add anything consistent to the headers, like an x-note: or whatever else, you can use the 'copy all mail to a box' feature of Imail, then write a processing rule on the copy box to delete all mail in the copy box that has the x-note: data from Declude header. Then, you can periodically check that box to see how many are being missed, because the only mail that will end up in that box will be mail that Declude never tried to scan. There are perhaps other ways to use domain proc rules to do this as well but this would be my preferred method. -Original Message- From: Kami Razvan [mailto:[EMAIL PROTECTED] Sent: Sunday, December 07, 2003 1:35 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Declude not taking action I figure that each individual E-mail on my system has about a 0.6% chance of being stolen and delivered by the queue. Matt: I have spent a lot of my years in the field of mathematics. A study done a while back and it is related to data-mining stated.. men buy baby diapers and orange juice on Tuesdays more than any other day of the week. While it sounds interesting it is real hard to make any use of it. :) -- I am either very lucky or the 0.6% is only concentrating itself to my mailbox. On our very small volume server I got 2 last night and that is only me - others are probably getting it and not letting us know. Attached is an email that IMail added its headers but Declude never saw. I get about 2-3 daily. Regards, Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Test suggestion request for comments...
Scott, you have probably seen requests like this before, however, I think this would be a great way to support most corporate and some ISP e-mail domains with a negative weight based test: HELO RDNS domain match -5 HELO RDNS MAILFROM domain match -10 HELO RDNS domain match IPINMX -10 (yes, IP-in-MX) HELO RDNS MAILFROM domain match IPINMX -15 or ENDALLTESTS I say domain meaning just the last two segments of the FQHN, that portion that is registered with domain registrar. Since all of these tests are already run by Declude, if a bit of logic could be added to support a test like this, I think it could help us get a lot of legitimate mail delivered with fewer held due to FPs. Also, if people feel that the last test above is a very good indicator of legitimate e-mail, then if this test is run first (before all other tests), and there is a match with the last test shown above, and there was variable to ENDALLTESTS (and deliver), then this would also cut down on processing requirements. Thoughts anyone...? Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Test suggestion request for comments...
Bill.. This goes well along the line of the subject that was discussed a while back and one that could help a great deal. Right now we are concentrating on negative aspects of the email - to minimize FP and even further reduce CPU we should give some attention to some positive aspects as well. If we can identify the positive attributes correctly we can further tighten our filters and be more generous with weighing the negative attributes. A discussion on positive traits could be a good start I second the motion. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry Sent: Sunday, December 07, 2003 1:32 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Test suggestion request for comments... Scott, you have probably seen requests like this before, however, I think this would be a great way to support most corporate and some ISP e-mail domains with a negative weight based test: HELO RDNS domain match -5 HELO RDNS MAILFROM domain match -10 HELO RDNS domain match IPINMX -10 (yes, IP-in-MX) HELO RDNS MAILFROM domain match IPINMX -15 or ENDALLTESTS I say domain meaning just the last two segments of the FQHN, that portion that is registered with domain registrar. Since all of these tests are already run by Declude, if a bit of logic could be added to support a test like this, I think it could help us get a lot of legitimate mail delivered with fewer held due to FPs. Also, if people feel that the last test above is a very good indicator of legitimate e-mail, then if this test is run first (before all other tests), and there is a match with the last test shown above, and there was variable to ENDALLTESTS (and deliver), then this would also cut down on processing requirements. Thoughts anyone...? Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude not taking action
Not related to your problem but do yourself a favor block @mcsi.net only thing I ever seen from there is spam. Best regards, Eje Aya Gustafsson mailto:[EMAIL PROTECTED] The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 240-376-7272 - Your Full Time Professionals - Online Store http://www.wisp-router.com/ MikroTik, Star-OS, PACWireless, EnGenius, RF Industries -- KR I figure that each individual E-mail on my system has about a 0.6% KR chance of being stolen and delivered by the queue. KR Matt: KR I have spent a lot of my years in the field of mathematics. A study done a KR while back and it is related to data-mining stated.. men buy baby diapers KR and orange juice on Tuesdays more than any other day of the week. KR While it sounds interesting it is real hard to make any use of it. :) -- I KR am either very lucky or the 0.6% is only concentrating itself to my KR mailbox. KR On our very small volume server I got 2 last night and that is only me - KR others are probably getting it and not letting us know. KR Attached is an email that IMail added its headers but Declude never saw. KR I get about 2-3 daily. KR Regards, KR Kami -- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New concept in phishing..
Now this one is an interesting concept... Reverse psychology at its best.. Let us check see if your card is stolen.. IP Listed: 203.126.160.62 Regards, Kami Subject: [55~]ALERT: YOUR PERSONAL INFORMATION HAS BEEN STOLENDate: Thu, 04 Dec 03 05:33:41 GMTX-Mailer: Microsoft Outlook, Build 10.0.2616MIME-Version: 1.0Content-Type: multipart/alternative;boundary="8D5C_C0.D_1E.6_DBF"X-Priority: 3X-MSMail-Priority: NormalX-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e].X-RBL-Warning: HELOBOGUS: Domain 12.4.218.129 has no MX or A records.X-RBL-Warning: IPNOTINMX: X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.X-RBL-Warning: IPLINKED: Message failed IPLINKED test (line 227, weight 0)X-RBL-Warning: FILTER-HEADER: Message failed FILTER-HEADER test (line 91, weight 20)X-RBL-Warning: FILTER-SUBJECT: Message failed FILTER-SUBJECT test (line 105, weight 5)X-Declude-Sender: [EMAIL PROTECTED] [65.31.87.210]X-Declude-Spoolname: D6c86057c00920cf6.SMDX-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.X-Weight: 55X-Note: Sent from Reverse DNS: CPE-65-31-87-210.wi.rr.comX-Hello: 12.4.218.129 == Due to a recent increase in online Debit/Credit card fraud we are offering a new service that will check if your private information has been compromised. This check will be absolutly free for the first card checked any additional cards will require membership. We will check online hangouts of credit card thieves to see if your information has been posted including websites, chatrooms, forums, and private places we have obtained access to. Click HERE to check your info for FREE ==
[Declude.JunkMail] TESTFAILEDWITHWEIGHTS
Would it be possible to have the TESTFAILEDWITHWEIGHTS variable to not show the score for WEIGHT type test such as WEIGHT10 or WEIGHT20? It appears that the WEIGHT10 test has added 10 points to the score by the way the variable appears. -Daniel --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude not taking action
Kami Razvan wrote: I have spent a lot of my years in the field of mathematics. A study done a while back and it is related to data-mining stated.. men buy baby diapers and orange juice on Tuesdays more than any other day of the week. Sure it's useful, what it says is that there is something else going on here at least on your system. It could be possible that this can happen during the entire duration of processing the queue instead of the instant where it is initiated. It could be related to using some of IMail 8's filters before handing off to Declude, for instance the address verification which can produce delays of many seconds and make your window much wider. And of course the frequency of running your spool and your processor load can affect this, though to a smaller degree than your experience suggests. Matt --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude not taking action
Dave, It appears that the E-mail getting delivered improperly is the result of IMail stealing a copy and processing it apart from Declude. In the example that I provided, Declude deleted the copy that it got because it scored too high, but IMail delivered a copy before it was scanned by Declude. Matt Dave Marchette wrote: Apologies if this has already been mentioned, but this may be a quick easy way to find out exactly what messages(and quantity of messages) never got scanned by Declude on a per server basis: If you have Declude configured to add anything consistent to the headers, like an x-note: or whatever else, you can use the 'copy all mail to a box' feature of Imail, then write a processing rule on the copy box to delete all mail in the copy box that has the x-note: data from Declude header. Then, you can periodically check that box to see how many are being missed, because the only mail that will end up in that box will be mail that Declude never tried to scan. There are perhaps other ways to use domain proc rules to do this as well but this would be my preferred method. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS
Use the HIDETESTS option to remove the weight-based tests from your output. I believe it is used in the Global.cfg as follows: HIDETESTS WEIGHT10 HIDETESTS WEIGHT20 Of course Scott might also want to change the way that weight-based tests are reported, but this will remove some of the extraneous data. Matt Daniel Grotjan wrote: Would it be possible to have the TESTFAILEDWITHWEIGHTS variable to not show the score for WEIGHT type test such as WEIGHT10 or WEIGHT20? It appears that the WEIGHT10 test has added 10 points to the score by the way the variable appears. -Daniel --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS
Scott, what we need is %TESTWITHWEIGHT% intead of %TESTFAILEDWITHWEIGHTS% so it will list test like ipnotinmx when they pass, and contribute to the total weight, instead of when they fail. you said i was coming in the next release, did you mean %TESTFAILEDWITHWEIGHTS% ? - Original Message - From: Matthew Bramble [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, December 08, 2003 12:46 AM Subject: Re: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS Use the HIDETESTS option to remove the weight-based tests from your output. I believe it is used in the Global.cfg as follows: HIDETESTS WEIGHT10 HIDETESTS WEIGHT20 Of course Scott might also want to change the way that weight-based tests are reported, but this will remove some of the extraneous data. Matt Daniel Grotjan wrote: Would it be possible to have the TESTFAILEDWITHWEIGHTS variable to not show the score for WEIGHT type test such as WEIGHT10 or WEIGHT20? It appears that the WEIGHT10 test has added 10 points to the score by the way the variable appears. -Daniel --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude not taking action
Gotcha. But do the headers of the copy that Imail delivered\stole have any Declude markings in the header? -Original Message- From: Matthew Bramble [mailto:[EMAIL PROTECTED] Sent: Sunday, December 07, 2003 4:42 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude not taking action Dave, It appears that the E-mail getting delivered improperly is the result of IMail stealing a copy and processing it apart from Declude. In the example that I provided, Declude deleted the copy that it got because it scored too high, but IMail delivered a copy before it was scanned by Declude. Matt Dave Marchette wrote: Apologies if this has already been mentioned, but this may be a quick easy way to find out exactly what messages(and quantity of messages) never got scanned by Declude on a per server basis: If you have Declude configured to add anything consistent to the headers, like an x-note: or whatever else, you can use the 'copy all mail to a box' feature of Imail, then write a processing rule on the copy box to delete all mail in the copy box that has the x-note: data from Declude header. Then, you can periodically check that box to see how many are being missed, because the only mail that will end up in that box will be mail that Declude never tried to scan. There are perhaps other ways to use domain proc rules to do this as well but this would be my preferred method. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Hijack Question
OK, I have an idea. Scott, can we disable HOLD1, and if so would that affect HOLD2 operation? 99.5% of messages held by HOLD1 end up passing. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of George Kulman Sent: Saturday, December 06, 2003 1:36 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Hijack Question John, This is probably more than you wanted but I didn't want to post Scott's explanation out of context. I had a HiJack / Junkmail situation in August. This related to mail where I am the secondary MX. HiJack was doing a very effective job of trapping volume SPAM but I noticed that SPAM was slipping through after being released from HOLD1 and even in the process of being transferred to HOLD2. I had an off-line exchange with Scott and according to him, under these circumstances, the mail released from HOLD1 will NOT be processed by JunkMail. Here's Scott's explanation: Declude Hijack is involved with these E-mails because IMail reports them as external addresses, so Declude Hijack sees E-mails to these domains as being outgoing mail (when in reality they are incoming mail). As a result, if someone sends too much E-mail from one IP to these domain(s), it will be held. That's an interesting side-effect that we had not anticipated. We did decide to have Declude Hijack take priority over Declude JunkMail, because it would save a lot of CPU time during attacks, and the thought was that outgoing E-mail would not need to be scanned by Declude JunkMail. Scott, in response to a follow up message stated that the email would be Virus scanned. Unfortunately, this caused me to discontinue using HiJack since the spam handling was more important than the CPU cycles saved by having HiJack trap the spam up front. Really too bad, it was catching a lot of spam. George -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Saturday, December 06, 2003 2:02 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Hijack Question When Hijack releases a message from HOLD1, does it go right back to spool, or does it then get scanned for Virus and JunkMail? John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude not taking action
There is only one Q file per message. If Declude locks it, Imail can do nothing with it. In the cases I have seen, there is a line in the log stating could not lock file. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Sunday, December 07, 2003 4:42 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude not taking action Dave, It appears that the E-mail getting delivered improperly is the result of IMail stealing a copy and processing it apart from Declude. In the example that I provided, Declude deleted the copy that it got because it scored too high, but IMail delivered a copy before it was scanned by Declude. Matt Dave Marchette wrote: Apologies if this has already been mentioned, but this may be a quick easy way to find out exactly what messages(and quantity of messages) never got scanned by Declude on a per server basis: If you have Declude configured to add anything consistent to the headers, like an x-note: or whatever else, you can use the 'copy all mail to a box' feature of Imail, then write a processing rule on the copy box to delete all mail in the copy box that has the x-note: data from Declude header. Then, you can periodically check that box to see how many are being missed, because the only mail that will end up in that box will be mail that Declude never tried to scan. There are perhaps other ways to use domain proc rules to do this as well but this would be my preferred method. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS
That should be as follows per Scott: HIDETESTS WEIGHT10 WEIGHT20 (andsoforth) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Sunday, December 07, 2003 4:46 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS Use the HIDETESTS option to remove the weight-based tests from your output. I believe it is used in the Global.cfg as follows: HIDETESTS WEIGHT10 HIDETESTS WEIGHT20 Of course Scott might also want to change the way that weight-based tests are reported, but this will remove some of the extraneous data. Matt Daniel Grotjan wrote: Would it be possible to have the TESTFAILEDWITHWEIGHTS variable to not show the score for WEIGHT type test such as WEIGHT10 or WEIGHT20? It appears that the WEIGHT10 test has added 10 points to the score by the way the variable appears. -Daniel --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude not taking action
Matthew, I have confirmed that this occurred on my server 4 times on Thursday. That works out to 1/10 of 1%. A lot more than your figure. Like I stated before, this is a concern as it let a virus through. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Saturday, December 06, 2003 4:40 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude not taking action I did some math related to my machine assuming 1/5 of a second window for this bug to appear, and on 5,000 E-mails a day, and 24 runs of the queue. I figured that on average, this would only happen once every 360 days. It's actually quite remarkable that this was caught, and I can see why this bug has been around for so long without being detected. I figure that each individual E-mail on my system has about a 0.6% chance of being stolen and delivered by the queue. I'm not very worried considering, however, Ipswitch should certainly move to take care of their problem. Matt R. Scott Perry wrote: We've already tracked it down about as far as it can go. IMail's process that handles the queue run is processing E-mails between the time that they are saved to the hard drive (or unlocked) by the SMTPD process and the time that Declude is able to re-lock the files. We are trying to think of possible workarounds. However, since this is happening at a time that Declude isn't even running, it gets very tricky. Unfortunately, it looks like there isn't much that we can do here. There are some measures we could take that would help to some extent, but not enough to significantly reduce the problem. In testing here on a server at 100% CPU usage, it could take over a full second from the time that SMTPD32.exe unlocked the Q*.SMD file (to be technical, renamed the T*.SMD file to Q*.SMD) until the time that Declude.exe was fully loaded (versus about 50ms at 0% CPU). Normally, the time to start a process isn't a problem -- almost all of that 1 second of time is being used by other processes. But there is a delay of about 1 second where there isn't any chance for Declude to lock the Q*.SMD file. During this time, the file is vulnerable to being stolen by queue management. On a server with 86,400 E-mails/day (to make math easier, that's 1 per second), a server with 0% CPU and a 30-minute queue timer would have 48 queue runs in a day, with about a 5% chance that any given queue run would steal an unprocessed E-mail. At that rate, you aren't likely to notice any unprocessed E-mails. But at 100% CPU usage, there's nearly a 100% chance that any queue run will steal at least one unprocessed E-mail. The good news, though, is that this should be very easy for Ipswitch to fix. Specifically, the function that they use to determine if there are any Q*.SMD files waiting to be re-tried includes the time that the file was created. They can check to see if it is less than 10 minutes old; if so, they can skip that file. Since 10 minutes is the minimum amount of time between queue runs, E-mail that was received in the past 10 minutes does not need to be re-tried. If they are worried that it would take up to 20 minutes for an E-mail to be re-tried for the first time when the queue timer was set to 10 minutes, they could make the check for 1 minute (giving Declude ample time to start, and ensuring that first re-tries are done within 11 minutes). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] TESTFAILEDWITHWEIGHTS
I have tried this and it did not work. I already have IPNOTINMX and NOLEGITCONTENT set up for this and they are not appearing in the TESTFAILEDWITHWEIGHTS variable. I added my weight test to it and they still appear. It is formatted as follows in my global.cfg HIDETESTS IPNOTINMX NOLEGITCONTENT WEIGHT10 WEIGHT20 Are weight test supposed to never be hidden, or is there something wrong on my end? I have checked and recheck my global.cfg and it looks correct to me, at least as I understand it. -Daniel -- Original Message -- From: Matthew Bramble [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Sun, 07 Dec 2003 19:46:17 -0500 Use the HIDETESTS option to remove the weight-based tests from your output. I believe it is used in the Global.cfg as follows: HIDETESTS WEIGHT10 HIDETESTS WEIGHT20 Of course Scott might also want to change the way that weight-based tests are reported, but this will remove some of the extraneous data. Matt Daniel Grotjan wrote: Would it be possible to have the TESTFAILEDWITHWEIGHTS variable to not show the score for WEIGHT type test such as WEIGHT10 or WEIGHT20? It appears that the WEIGHT10 test has added 10 points to the score by the way the variable appears. -Daniel --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.