[Declude.JunkMail] Declude Hijack
Is it possible to turn on Declude Hijack for a single domain? I read where I can list the ip addresses to allow to send unlimited messages however, with over 60 hosted domains this would be very time consuming. Thank you,Josh
RE: [Declude.JunkMail] AOL on SPAMCOP
SpamCop blocked the ActiveServerPages list at 15seconds.com (which is not a source of spam): List-Unsubscribe: mailto:[EMAIL PROTECTED] X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml? The problem with SpamCop is, it's only as reliable as it's users. It would appear that some of it's users are not very reliable. We could all report spam cop to spam cop and they'd probably block themselves ;) But we do use them in moderation. [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude.JunkMail@declude.com
Hello, All, If I have a FROMFILE type test in my GLOBAL.CFG... FROMFILE fromfile D:\iMail\declude\JunkMail.FromFile.txt x 12 0 ...and I have some entries in the corresponding flat text file like below... # JunkMail.FromFile.txt # # == Add Points To Total Weight == # # -- Strings In User Names -nexustechgroup.com ?nexustechgroup.com- # -- Strings In Host Names @bounce. @bounceto. -platinum. # -- Host Names .1001specials.net @12expbr.com .1ah5won.com .4pitasake.com When FROMFILE does its thing is it going to search the FROM address in a CONTAINS type manner (which would allow all of the above entries to have a chance of blocking spam) or does it only search the FROM address in an ENDSWITH type manner (where only the Host Names listed above would actually have a chance of blocking spam)? I have a feeling it only does an ENDSWITH but I wanted to make sure. Thanks, Much! Dan Geiser [EMAIL PROTECTED] --- Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Hijack
Is it possible to turn on Declude Hijack for a single domain? We don't like that, because it allows spammers a way to bypass Declude Hijack. However, you can use a line ALLOWADDR [EMAIL PROTECTED] to allow an E-mail address to send unlimited E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude.JunkMail@declude.com
FROMFILE fromfile D:\iMail\declude\JunkMail.FromFile.txt x 12 0 # -- Strings In Host Names @bounce. @bounceto. -platinum. This will work. When FROMFILE does its thing is it going to search the FROM address in a CONTAINS type manner (which would allow all of the above entries to have a chance of blocking spam) or does it only search the FROM address in an ENDSWITH type manner (where only the Host Names listed above would actually have a chance of blocking spam)? I have a feeling it only does an ENDSWITH but I wanted to make sure. It works like CONTAINS. So @bounce. would catch an E-mail from [EMAIL PROTECTED]. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] AOL implementing SPF
Check this out http://zdnet.com.com/2100-1104-5145065.html -Dave Doherty Skywaves, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] strange log with minweight
Title: strange log with minweight hi, on loglevel high i found some stranges lines for some of my counterbalance filters. in those filters i use minweight -45. so i expect somthing like Filter: Set min weight to -45 but i found: 1/22/2004 14:54:26 Qd5ff0626008e60e7 Filter: Set min weight to . 01/22/2004 14:54:28 Qd5ff0626008e60e7 Triggered CONTAINS filter KEINSPAMHART on spamtest1 [weight--20; spamtest1 01/22/2004 14:54:28 Qd5ff0626008e60e7 Filter: Set min weight to . 01/22/2004 14:54:28 Qd5ff0626008e60e7 Triggered CONTAINS filter KEINSPAMWEICH on spamtest2 [weight--15; spamtest2 is it not possible to use minweight with negativ weights? mfg i.a. gez. markus guhl *** lds nrw dez. 235 tel.: 0211 9449 2578 fax.: 0211 9449 8344 mailto:[EMAIL PROTECTED] ***
[Declude.JunkMail] BADHEADERS code 8400000a
Scott, I've been laying low on this one for a while, but BADHEADERS hits for not having a proper To address is commonly producing false positives on my system with personal E-mail, some of which will cause the messages to be held. The issue here (just in case it was forgotten) is that Microsoft allows seemingly all of their mail clients to send without specifying a To address, in which case this test gets tripped. This happens mostly on newsletters or BCC blasts, but it also happens on personal E-mail on occasion, and it is very highly associated with legit E-mail instead of spam (at least on my system). When sending from an Exchange Web mail client, the BASE64 test also gets tripped, so this can be problematic based on associations as well. Would you please remove this from hitting, or at least give us an entry to turn it off? Thanks, Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] please help. Imail spool directory filling up
Title: Message Thanks to everyone who responded with some advice to my problem, even including one phone call. It appears the problem began when I added the "FORGINGVIRUS bagel" line to my virus.cfg file. Following Scott's advice, andupdating to the newest interim release has fixed the problem. Thanks once again. Jeffrey Jeffrey Di Gregorio Systems Administrator Pacific School of Religion 510-849-8283 My spool directory just started filling up recently and Imail is not delivering any messages to local mailboxes. It appears to be sending messages outbound. I am using Imail v 7.07 with declude junkmail and virus 1.77 i12. I have moved all the Q*, D* files from the spool directory to another directory and tried again, but the spool directory is only filling up once again. Any help or ideas would be greatly appreciated. Thanks, Jeffrey Jeffrey Di Gregorio Systems Administrator Pacific School of Religion 510-849-8283
[Declude.JunkMail] Decoding a html attachment
How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to an junkmail with a bunch of gibberish in the HTML body. John Tolmachoff Engineer/Consultant/Owner eServices For You politicking.zip Description: Zip compressed data
Re: [Declude.JunkMail] strange log with minweight
on loglevel high i found some stranges lines for some of my counterbalance filters. in those filters i use minweight -45. so i expect somthing like Filter: Set min weight to -45 but i found: 1/22/2004 14:54:26 Qd5ff0626008e60e7 Filter: Set min weight to . You can safely ignore that. is it not possible to use minweight with negativ weights? It is possible to use negative weights. The problem is actually due to a bug in the logging, where it is not reporting the correct value (but the MINWEIGHT option works properly). This will be fixed for the next interim release. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Hijack
Would you have to specify individual address or could you specify domain? ie. ALLOWADDR @domain.com Thank you, Joshua Hughes Sunline Team 941-206-7870 888-512-6100 http://www.sunline.net/ - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, January 22, 2004 10:42 AM Subject: Re: [Declude.JunkMail] Declude Hijack Is it possible to turn on Declude Hijack for a single domain? We don't like that, because it allows spammers a way to bypass Declude Hijack. However, you can use a line ALLOWADDR [EMAIL PROTECTED] to allow an E-mail address to send unlimited E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Decoding a html attachment
How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to an junkmail with a bunch of gibberish in the HTML body. This one would be difficult. Unless you have good math skills and a lot of patience, you would need to either run the code or write a program to do it. In this case, it turns out to generate HTML code that goes to a page at http://www.casinos-money.com . -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Hijack
Would you have to specify individual address or could you specify domain? You would need to specify individual addresses. The ALLOWADDR option requires a full E-mail address. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] restricted mailing?
Title: Message Hey guys, I asked this on Imail's list as well, but thought I'd see what Declude users do/think: What I'd like to be able to do, is block all mail to a certain account, except from those addresses specified via AUTOWHITELIST. Kind of a 'parental control'. Let's say I give my daughter an email address, I only want to allow mail from family + friends, but those I specify in her contacts list within the webmail, so using Declude's AUTOWHITELIST ON, I can weight all mail coming in to her mailbox, say, 100 or so, waaay above delete range, but because of the address, it would be delivered. Does that make sense? Is anyone else doing this? Paul
RE: [Declude.JunkMail] New MS updates Bug Report emails making the rounds
Title: Message Doug, that looks very, very much like SWEN. TrendMicro records 3 variants: http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=qvirus=SWENalt=SWEN Andrew. -Original Message-From: Doug Anderson [mailto:[EMAIL PROTECTED] Sent: Thursday, January 22, 2004 8:13 AMTo: [EMAIL PROTECTED]; [EMAIL PROTECTED]Subject: [Declude.JunkMail] New MS updates Bug Report emails making the rounds Thought I'd warn everyone Some different/newer (I haven't seen it before) versions of two emails arefloating around #1 From Microsoft Corporation Network Security to Commercial customer No subject Attachment "UPGRADE88.exe" It claims to be updates from microsoft. #2 From Internet Delivery Service To Net Recipient Subject Bug Report Text : I'm sorry the message returned below could not be delivered to the following addresses: Attachment "ctge.exe" They making the rounds. There wereolder versions, that we were catchingbut they've changed it a bit So watch out. Headers are #1 Received: from FE-mail03.sfg.albacom.net [213.217.149.83] by mail.ameripride.org with ESMTP (SMTPD32-8.05) id A2A9E2A0166; Thu, 22 Jan 2004 00:50:17 -0600Received: from wyadonm (217.220.55.169) by FE-mail03.sfg.albacom.net (7.0.009) id 400CF7D10001F68F; Thu, 22 Jan 2004 07:48:41 +0100Date: Thu, 22 Jan 2004 07:48:41 +0100 (added by [EMAIL PROTECTED])Message-ID: [EMAIL PROTECTED] (added by [EMAIL PROTECTED])FROM: "Microsoft Corporation Network Security Center" [EMAIL PROTECTED]TO: "Commercial Customer" [EMAIL PROTECTED]SUBJECT: Mime-Version: 1.0Content-Type: multipart/mixed; boundary="nxjzttswpsxvy"X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 137, weight 0)X-RBL-Warning: ANTI-GIBBERISH: Message failed ANTI-GIBBERISH test (line 106, weight 0)X-Declude-Sender: [EMAIL PROTECTED] [213.217.149.83]X-Declude-Spoolname: D72a90e2a01660543.SMDX-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: GIBBERISH, ANTI-GIBBERISH [0]X-Note: This E-mail was sent from FE-mail03.albacom.net ([213.217.149.83]).X-RCPT-TO: xxStatus: UX-UIDL: 373063459 (at the end of the email) Content-Type: application/x-msdownload; n a m e = " U P G R A D E 8 8 . e x e "Content-Transfer-Encoding: base64Content-Disposition: attachment #2 Received: from FE-mail04.sfg.albacom.net [213.217.149.84] by mail.ameripride.org with ESMTP (SMTPD32-8.05) id A3A6E3A0166; Thu, 22 Jan 2004 00:54:30 -0600Received: from xkxxp (217.220.55.169) by FE-mail04.sfg.albacom.net (7.0.009) id 400CB88400024360; Thu, 22 Jan 2004 07:52:18 +0100Date: Thu, 22 Jan 2004 07:52:18 +0100 (added by [EMAIL PROTECTED])Message-ID: [EMAIL PROTECTED] (added by [EMAIL PROTECTED])FROM: "Internet Delivery System" [EMAIL PROTECTED]TO: "Net Recipient" [EMAIL PROTECTED]SUBJECT: Bug ReportMime-Version: 1.0Content-Type: multipart/alternative;boundary="fxsnozzuqz"X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 137, weight 0)X-RBL-Warning: ANTI-GIBBERISH: Message failed ANTI-GIBBERISH test (line 106, weight 0)X-Declude-Sender: [EMAIL PROTECTED] [213.217.149.84]X-Declude-Spoolname: D73a60e3a0166e227.SMDX-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: GIBBERISH, ANTI-GIBBERISH [0]X-Note: This E-mail was sent from FE-mail04.albacom.net ([213.217.149.84]).X-RCPT-TO: xxxStatus: UX-UIDL: 373063460 (at the end of the email) Content-Type: audio/x-wav; n a m e = " c t g e . e x e "Content-Transfer-Encoding: base64Content-Id: qfrsqcgf
Re: [Declude.JunkMail] BADHEADERS code 8400000a
I've been laying low on this one for a while, but BADHEADERS hits for not having a proper To address is commonly producing false positives on my system with personal E-mail, some of which will cause the messages to be held. The issue here (just in case it was forgotten) is that Microsoft allows seemingly all of their mail clients to send without specifying a To address, in which case this test gets tripped. This happens mostly on newsletters or BCC blasts, but it also happens on personal E-mail on occasion, and it is very highly associated with legit E-mail instead of spam (at least on my system). When sending from an Exchange Web mail client, the BASE64 test also gets tripped, so this can be problematic based on associations as well. Would you please remove this from hitting, or at least give us an entry to turn it off? What version of Declude JunkMail are you using? The latest interim release will not trigger the BADHEADERS test if there is a Bcc: header but no To: header (whereas previous versions would), since it is technically OK to have no To: header if there is a Bcc: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Habeas White list
Title: Message Hello, Is there way to block this kind of emails? I am using lite version of declude.. Cheers, John Received: from cmr-81-9-168-170.telecable.es [81.9.168.170] by Jctweb.com (SMTPD32-6.06) id AF0537AE00B2; Thu, 22 Jan 2004 10:49:09 -0600Received: from 228.223.118.96 by 81.9.168.170; Thu, 22 Jan 2004 07:41:23 +0300Message-ID: [EMAIL PROTECTED]X-Habeas-SWE-1: winter into springX-Habeas-SWE-2: brightly anticipatedX-Habeas-SWE-3: like Habeas SWE (tm)X-Habeas-SWE-4: Copyright 2002 Habeas (tm)X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of thisX-Habeas-SWE-6: email in exchange for a license for this HabeasX-Habeas-SWE-7: warrant mark warrants that this is a Habeas CompliantX-Habeas-SWE-8: Message (HCM) and not spam. Please report use of thisX-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.From: "Billie Hyde" [EMAIL PROTECTED]Reply-To: "Billie Hyde" [EMAIL PROTECTED]To: [EMAIL PROTECTED]Subject: Get Meds % [EMAIL PROTECTED] % Pnter.m.in - v|@GRa , S|o|ma - .Valium. Scores on stocks. ShS046nP Date: Thu, 22 Jan 2004 03:47:23 -0100X-Mailer: Mozilla/5.0 (X11; U; Linux i686; zh-TW; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1MIME-Version: 1.0Content-Type: multipart/alternative; boundary="--74494022607052460497"X-Priority: 5X-Declude-Sender: [EMAIL PROTECTED] [81.9.168.170]X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: Whitelisted [0]X-Note: This E-mail was sent from cmr-81-9-168-170.telecable.es ([81.9.168.170]).X-RCPT-TO: [EMAIL PROTECTED]X-UIDL: 7Status: U (727) 328 - 7575www.jctweb.com
Re: [Declude.JunkMail] BADHEADERS code 8400000a
I'm using i20 currently. Note that IE and probably Exchange as well, will allow a CC field with no To and it would previously produce the same results, I mention this because you didn't mention the exception , only the BCC exception. People do of course send out to lists using the CC field, especially since IE doesn't show the BCC field by default. I definitely got an FP this morning on this using a BCC to multiple addresses: From [EMAIL PROTECTED] Thu Jan 22 11:09:35 2004 Received: from *.*.*.org [209.105.181.131] by *.com with ESMTP (SMTPD32-8.05) id A5BB61017C; Thu, 22 Jan 2004 11:09:31 -0500 X-Exclaimer-OnMessagePostCategorize-{71daf94f-e3fe-4bbf-865a-6309cc88575e}: C:\Program Files\eXclaimer\eXclaimer.dll - 2.0.4.67 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Transfer-Encoding: 7bit Content-Class: urn:content-classes:message Importance: normal Priority: normal MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C3E102.1D744C46 Subject: [11] Moms Date: Thu, 22 Jan 2004 11:09:29 -0500 Message-ID: [EMAIL PROTECTED] X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Moms thread-index: AcPg93uCfg9mp7t5Qme9dmWnmlCzmgACj/+A From: Patti Tripoli [EMAIL PROTECTED] X-MailPure: == X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected (weight 0). X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 4). X-MailPure: BASE64: Failed, base64 encoded plain text or HTML (weight 3). X-MailPure: CONCEALED: Failed, concealed message (weight 1). X-MailPure: BADHEADERS: Failed, non-RFC compliant headers [840a] (weight 4). X-MailPure: SNIFFER-WHITE: Failed, listed in the White Rules category (weight 0). X-MailPure: WORDFILTER-BODY: Message failed WORDFILTER-BODY test (line 43, weight 1). X-MailPure: RECIPIENTS - [EMAIL PROTECTED] X-MailPure: == X-MailPure: Spam Score: 11 X-MailPure: Scan Time: 11:09:35 on 01/22/2004 X-MailPure: Spool File: Df5bb0061017ca15e.SMD X-MailPure: Server Name: *.*.*.org X-MailPure: SMTP Sender: [EMAIL PROTECTED] X-MailPure: Received From: *-*-*-*.*.*.net [*.*.*.*] X-MailPure: == X-MailPure: Spam and virus blocking services provided by MailPure.com X-MailPure: == X-Declude-Date: 01/22/2004 16:09:29 [0] X-RCPT-TO: [EMAIL PROTECTED] Status: R X-UIDL: 372977713 R. Scott Perry wrote: I've been laying low on this one for a while, but BADHEADERS hits for not having a proper To address is commonly producing false positives on my system with personal E-mail, some of which will cause the messages to be held. The issue here (just in case it was forgotten) is that Microsoft allows seemingly all of their mail clients to send without specifying a To address, in which case this test gets tripped. This happens mostly on newsletters or BCC blasts, but it also happens on personal E-mail on occasion, and it is very highly associated with legit E-mail instead of spam (at least on my system). When sending from an Exchange Web mail client, the BASE64 test also gets tripped, so this can be problematic based on associations as well. Would you please remove this from hitting, or at least give us an entry to turn it off? What version of Declude JunkMail are you using? The latest interim release will not trigger the BADHEADERS test if there is a Bcc: header but no To: header (whereas previous versions would), since it is technically OK to have no To: header if there is a Bcc: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Per domain problem
Thanks for the clarification. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, January 21, 2004 12:04 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Per domain problem My understanding, that once you have a directory for a domain, you must have a $default$.junkmail file in there, otherwise no action will be taken at all. The per-domain config file (\IMail\Declude\example.com\$default$.JunkMail file) is actually not required. If a per-user config file exists, Declude JunkMail will use it. Otherwise, it will check for a per-domain config file, and use that if it exists. If neither of those exists, the \IMail\Declude\$default$.JunkMail file will be used. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Habeas White list
Is there way to block this kind of emails? I am using lite version of declude.. What you want to do here is not whitelist the spam. To do that, you can temporarily remove the WHITELIST HABEAS line in the \IMail\Declude\global.cfg file until Habeas sues the spammers. :) By removing the whitelist, the standard spam tests should catch the mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] BADHEADERS code 8400000a
I'm using i20 currently. Note that IE and probably Exchange as well, will allow a CC field with no To and it would previously produce the same results, I mention this because you didn't mention the exception , only the BCC exception. People do of course send out to lists using the CC field, especially since IE doesn't show the BCC field by default. It does seem odd the way that RFCs allow the lone Bcc: header, but not a lone Cc: header. I definitely got an FP this morning on this using a BCC to multiple addresses: The problem here is that Microsoft forgot to add a Bcc: header. It's one of those weird things, that a Bcc: header is required even though one would think that a Bcc: header shouldn't be present (since it won't be completely b or blind if the header is there). But if there is to To: header, the Bcc: header should be there. However, it seems that little spam actually has this problem, so we will consider removing it from the BADHEADERS test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Whitelist filter
Scott: With the new release- are these valid lines? Body Whitelist Contains some text REVDNS WhitelistEndswith .domain.com subject whitelist startswith [Whitelist] I guess if this is the case the new whitelist just replaces the weight and all other filter syntax hold. Right? Wrong? Regards, Kami
Re: [Declude.JunkMail] Decoding a html attachment
That does look troublesome...however... The following JavaScript function is very spammy and can be weighted moderately. The only things that should FP on such a thing are Web designers. I have never seen this used before, so even among Web designers it should be rare. BODY 5 CONTAINS string.fromcharcode( I left the parenthesis in so that you are protected from FP'ing on discussions of just the function. Also note the following example that I found on Google: http://www.dragonswest.com/Spam.html Ick. Someday not only will we need full MIME parsing, but also a full HTML and JavaScript decoder built in...For now though, this technique may very well prove more damaging than the non-obfuscated version if you use that body check. Matt R. Scott Perry wrote: How would you decode the zipped attachment to see what it is doing? It is a java script. The attachment (unzipped) was attached to an junkmail with a bunch of gibberish in the HTML body. This one would be difficult. Unless you have good math skills and a lot of patience, you would need to either run the code or write a program to do it. In this case, it turns out to generate HTML code that goes to a page at http://www.casinos-money.com . -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist filter
With the new release- are these valid lines? BodyWhitelistContainssome text REVDNSWhitelistEndswith.domain.com subjectwhiteliststartswith[Whitelist] I guess if this is the case the new whitelist just replaces the weight and all other filter syntax hold. That is correct. With the latest interim release, you can use any of the above lines. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Clarification
I would like to see the SKIPIFWEIGHT option removed. If we had a conditional option to stop when a specific weight is reached, then there would be not need for SKIPIFWEIGHT. In addition, why would anyone use SKIPIFWEIGHT on less than every test...and why would anyone define one test with a different SKIPIFWEIGHT value than another test? This leads me back to a HOLDIFWEIGHT/DELETEIFWEIGHT logic which optionally stops processing when reached. Coming in late some my comments may be off. Scott has stated before that to stop all processing once a certain weight has been reached would be difficult and/or problematic. That is where SKIPIFWEIGHT comes in. I use SKIPIFWEIGHT on all body filters, as those are the most expensive in terms of CPU cost. I then have body filters listed in order, from most effective to least effective or specific target. Example, I have a custom body filter on my server for one client only. That is the last filter to run. Also, another reason to not stop processing is if you are doing log analysis and adjust filters or blocks based on that analysis. If you stop processing at say 35, but the message would have failed 5 other tests, those tests will then not show up in log analysis. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] BADHEADERS code 8400000a
Very much appreciated. Back when I did a review of hits for this, I think it was over 95% FP's. Even if that isn't accurate, it's problematic enough to allow us to turn it off. Thanks, Matt R. Scott Perry wrote: I'm using i20 currently. Note that IE and probably Exchange as well, will allow a CC field with no To and it would previously produce the same results, I mention this because you didn't mention the exception , only the BCC exception. People do of course send out to lists using the CC field, especially since IE doesn't show the BCC field by default. It does seem odd the way that RFCs allow the lone Bcc: header, but not a lone Cc: header. I definitely got an FP this morning on this using a BCC to multiple addresses: The problem here is that Microsoft forgot to add a Bcc: header. It's one of those weird things, that a Bcc: header is required even though one would think that a Bcc: header shouldn't be present (since it won't be completely b or blind if the header is there). But if there is to To: header, the Bcc: header should be there. However, it seems that little spam actually has this problem, so we will consider removing it from the BADHEADERS test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Clarification
Todd, Initially I didn't understand why the complexity was necessary, however it really is in this case. We do gain by having the ability to set SKIPIFWEIGHT according to individual tests, for instance, in my negatively weighted PSEUDO-WHITE test, I set the SKIPIFWEIGHT higher than elsewhere just in case something gets clobbered by the RBL's and other tests. Also, you might want to skip over a very large negatively weighted test if a different threshold has already been reached. What the settings in individual files gives us is added flexibility at the cost of a little extra complexity. Regarding the other Global settings that you mentioned, keep in mind that these would only be useful on servers where everything is treated the same way, and you could only chose one level to stop processing on, not two, because after you stop, you can't keep going :) It might be nice though to have a SKIPIFLOWWEIGHT test that would stop processing if something scored under a certain number of points, this way a negatively weighted pseudo-white file or a combination of tests could be used to save on processing with the rest of the filters. Need for this seems somewhat limited at the moment, but it would provide benefit if done properly. SKIPIFWEIGHT could also just simply be appended with two number fields, one high, and one low, and Scott could make that backwards compatible I'm sure. Matt Todd Holt wrote: I would like to see the SKIPIFWEIGHT option removed. If we had a conditional option to stop when a specific weight is reached, then there would be not need for SKIPIFWEIGHT. In addition, why would anyone use SKIPIFWEIGHT on less than every test...and why would anyone define one test with a different SKIPIFWEIGHT value than another test? This leads me back to a HOLDIFWEIGHT/DELETEIFWEIGHT logic which optionally stops processing when reached. Relating to Dave's comments below: Would it not be more flexible to move the actionIFWEIGHT options to the .junkmail file to take advantage of the available scoping options (system/domain/user)? This is also more consistent with the existing .junkmail options such as HEADER, WARN, DELETE, HOLD... Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Dave Doherty Sent: Wednesday, January 21, 2004 7:29 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Clarification Scott- I think this is a great idea. Once we know a message has passed the delete limit, why would we want to keep testing it in routine operations? Of course, we'd need to be able to turn it off when needed for debugging or whatever, but it would save a lot of processing time under normal conditions. My suggestion would be to define it in global.cfg (maybe QUITIFWEIGHT ?) and have it become active only when encountered in the junkmail file test sequence. That would let us group the positive tests first, then any tests we considered mandatory, then QUITIFWEIGHT would stop the processing at that point or any later point if the specified weight is met or exceeded. That would minimize the need for SKIPIFWEIGHT and other statements. My two cents worth, anyway. -Dave Doherty Skywaves, Inc. - Original Message - From: "R. Scott Perry" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 21, 2004 11:41 AM Subject: RE: [Declude.JunkMail] Clarification Is there a test, in the works, that will end all processing of any further filters. Basically, exit all Declude processing, or is it best to use the SKIPWEIGHT, thanks, There isn't anything like that in the works now, but it is something that we may end up adding. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus (http://www.declude.com)] --- [This E-mail scanned for viruses by Declude Virus (http://www.declude.com)] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- =
Re: [Declude.JunkMail] restricted mailing?
Paul, This isn't something that I would generally try to promote because of the complexity of maintaining it in most cases, but for one's own daughter, it might make perfect sense. Something of course though would need to happen that caused her to get spam though, so it might not be necessary at all. You would need the Pro version to do this of course, and instead of weighting things to her address, what you would do is set up a weightrange test covering almost everything and then use actions (HOLD, ROUTETO or DELETE) in a per-user JunkMail file according to the Manual. Whitelisting will prevent an all inclusive weightrange test from taking action on an E-mail. Matt paul wrote: Message Hey guys, I asked this on Imail's list as well, but thought I'd see what Declude users do/think: What I'd like to be able to do, is block all mail to a certain account, except from those addresses specified via AUTOWHITELIST. Kind of a 'parental control'. Let's say I give my daughter an email address, I only want to allow mail from family + friends, but those I specify in her contacts list within the webmail, so using Declude's AUTOWHITELIST ON, I can weight all mail coming in to her mailbox, say, 100 or so, waaay above delete range, but because of the address, it would be delivered. Does that make sense? Is anyone else doing this? Paul -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re[2]: [Declude.JunkMail] restricted mailing?
Hello Paul, Matt Thursday, January 22, 2004, 1:36:55 PM, you wrote: M Paul, M This isn't something that I would generally try to promote M because ofthe complexity of maintaining it in most cases, but for M one's owndaughter, it might make perfect sense. Something of course M though wouldneed to happen that caused her to get spam though, so M it might not benecessary at all. M You would need the Pro version to do this of course, and M instead ofweighting things to her address, what you would do is set M up aweightrange test covering almost everything and then use M actions (HOLD,ROUTETO or DELETE) in a per-user JunkMail file M according to theManual. Whitelisting will prevent an all inclusive M weightrange testfrom taking action on an E-mail. snip M What I'd like to be able to do, isblock all mail to a certain M account, except from those addressesspecified via AUTOWHITELIST. M Kind of a 'parental control'. Let's say Igive my daughter an email M address, I only want to allow mail fromfamily + friends, but those M I specify in her contacts list within thewebmail, so using M Declude's AUTOWHITELIST ON, I can weight all mailcoming in to her M mailbox, say, 100 or so, waaay above delete range, butbecause of M the address, it would be delivered. Does that make sense? We've been experimenting a PL (Private Listcode) methodology for these scenarios. Specifically, all messages for a particular user (domain usually) are blocked unless a PL code is present in the message. The PL code is a random sequence of characters like a password. The group that uses the code freely passes it around between them. Since no spammer has the code it can't be abused. The code usually goes into a signature. If the code becomes compromised then a new code is made up. We usually create a PL code in Sniffer, but the methodology works without it - In Declude you would use WHITELIST ANYWHERE plcode, and block everything else. Hope this helps, _M -- Best regards, Peter G McNeil (Madscientist, CodeDweller) President, MicroNeil Research Corporation. Chief SortMonster, www.SortMonster.com mailto:[EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] restricted mailing?
This isn't something that I would generally try to promote because of the complexity of maintaining it in most cases, but for one's own daughter, it might make perfect sense. Something of course though would need to happen that caused her to get spam though, so it might not be necessary at all. True, at first, it wouldn't be much of an issue. You would need the Pro version to do this of course, and instead of weighting things to her address, what you would do is set up a weightrange test covering almost everything and then use actions (HOLD, ROUTETO or DELETE) in a per-user JunkMail file according to the Manual. Whitelisting will prevent an all inclusive weightrange test from taking action on an E-mail.Ok, I hadn't thought of the per-user configs, we are running pro here, so that's not an issue. I'm just wondering the pros to that as apposed to what I had mentioned before. Wouldn't having a list of recipients those that were under parental control be easier to manipulate? Sure, I have access to all Declude to make adjustments, but to make it as user-hands-off as possible, you wouldn't want to do it that way.. I guess what I'm asking is: Does Declude have a TO: key? like: mailfrom 15 is [EMAIL PROTECTED] is there a mailto 0 is [EMAIL PROTECTED]? I don't see this on the manual site. So a filter file would be defined as: parentalcontrols tofile d:\mail\imail\declude\parentlist.txt x 100 0 So message comes in, it's addressed to someone in the file, given a 100 weight, and deleted. UNLESS the address is on the users webmail contact list. I'm not trying to repeat the same thing over and over, but I'm not sure I'm describing this the way I'm trying to make it sound Did that make sense? LOL! Basically, does Declude allow you to scan for matches on the TO field? Thanks Matt! I'll look into the per user configurations as well. Paul
Re: [Declude.JunkMail] restricted mailing?
There's no "TO" filter, and no "FROM" filter either, only ALLRECIPS and MAILFROM (the SMTP Sender). I would like to have access to these things though because there are some patterns that can't be done by way of a HEADERS filter. Anyway, you could use a filter file, but personally, I would think the Web mail address book would be easier to maintain. It would though affect all of your users to have AUTOWHITELIST on, and that can be especially problematic on very large domains since spammers will BCC multiple recipients sometimes, and one might have an address to their Web mail address book. Small domains are not that big of a deal, just make sure that you don't list your own address in the address book because spammers will spoof the address they send to in the MAILFROM. The issue with all of this is that there's always the possibility of something being sent to multiple addresses on a domain, and having a whitelist setting or filter file affect that. Declude treats whitelists globally, and filters can't be used with weights anymore reliably in this case, you need to rely on per-user actions instead of weights. Seems that NOT functionality would also benefit this scenario (and many others). If you are only looking to do this for one person, I would suggest going the IMail rules route. That should be the most foolproof method, but again, don't add her own address in there. If you want to offer this widely as a configuration to customers, some others on this list have done just this, but using the whitelist setting connected to the address book. Pete's idea wasn't bad, but you'll probably have a hard time telling Grandma to insert a string with ==$FasdJyeW34df*== in every message :) I'm sure Pete's counterparts can figure that out though. Seems most appropriate to discussions relating to spam though. Matt paul wrote: This isn't something that I would generally try to promote because of the complexity of maintaining it in most cases, but for one's own daughter, it might make perfect sense. Something of course though would need to happen that caused her to get spam though, so it might not be necessary at all. True, at first, it wouldn't be much of an issue. You would need the Pro version to do this of course, and instead of weighting things to her address, what you would do is set up a weightrange test covering almost everything and then use actions (HOLD, ROUTETO or DELETE) in a per-user JunkMail file according to the Manual. Whitelisting will prevent an all inclusive weightrange test from taking action on an E-mail. Ok, I hadn't thought of the per-user configs, we are running pro here, so that's not an issue. I'm just wondering the pros to that as apposed to what I had mentioned before. Wouldn't having a list of recipients those that were under parental control be easier to manipulate? Sure, I have access to all Declude to make adjustments, but to make it as user-hands-off as possible, you wouldn't want to do it that way.. I guess what I'm asking is: Does Declude have a TO: key? like: mailfrom 15 is [EMAIL PROTECTED] is there a mailto 0 is [EMAIL PROTECTED]? I don't see this on the manual site. So a filter file would be defined as: parentalcontrols tofile d:\mail\imail\declude\parentlist.txt x 100 0 So message comes in, it's addressed to someone in the file, given a 100 weight, and deleted. UNLESS the address is on the users webmail contact list. I'm not trying to repeat the same thing over and over, but I'm not sure I'm describing this the way I'm trying to make it sound Did that make sense? LOL! Basically, does Declude allow you to scan for matches on the TO field? Thanks Matt! I'll look into the per user configurations as well. Paul -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] Whitelist filter
Scott - Performance wise would one be better off maxing out the global config [200 entries] with WHITELISTS and then use WHITELIST in a filter file? OR the filter file exclusively? Thanks -Nick Hayer Date sent: Thu, 22 Jan 2004 12:59:49 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] Whitelist filter Send reply to: [EMAIL PROTECTED] With the new release- are these valid lines? BodyWhitelistContainssome text REVDNSWhitelistEndswith.domain.com subjectwhiteliststartswith[Whitelist] I guess if this is the case the new whitelist just replaces the weight and all other filter syntax hold. That is correct. With the latest interim release, you can use any of the above lines. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist filter
Performance wise would one be better off maxing out the global config [200 entries] with WHITELISTS and then use WHITELIST in a filter file? OR the filter file exclusively? The performance should be just about the same either way. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Habeas White list
Hi, May be I'm must lucky - but yesterday I had: HABEAS..50.04% HIL...1961.57% 5 messages with HABEAS headers - but 195 mails that failed HABEAS' infringer list. Best Regards Andy --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Manual
Scott, I have been away for some time and have been trying to get caught up on the declude list (its the most active list I have). Seems that there is a lot of chatter on the mailing list right now with tests etc that are not in the manual. I am curious will a new manual be released, or does anyone have any good explanations of some of these tests on their sites? Hope someone can help. Darryl Koster --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Clarification
John- Doesn't SKIPIFWEIGHT also defeat the logging of the skipped tests? -Dave Doherty Skywaves, Inc. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, January 22, 2004 1:04 PM Subject: RE: [Declude.JunkMail] Clarification I would like to see the SKIPIFWEIGHT option removed. If we had a conditional option to stop when a specific weight is reached, then there would be not need for SKIPIFWEIGHT. In addition, why would anyone use SKIPIFWEIGHT on less than every test...and why would anyone define one test with a different SKIPIFWEIGHT value than another test? This leads me back to a HOLDIFWEIGHT/DELETEIFWEIGHT logic which optionally stops processing when reached. Coming in late some my comments may be off. Scott has stated before that to stop all processing once a certain weight has been reached would be difficult and/or problematic. That is where SKIPIFWEIGHT comes in. I use SKIPIFWEIGHT on all body filters, as those are the most expensive in terms of CPU cost. I then have body filters listed in order, from most effective to least effective or specific target. Example, I have a custom body filter on my server for one client only. That is the last filter to run. Also, another reason to not stop processing is if you are doing log analysis and adjust filters or blocks based on that analysis. If you stop processing at say 35, but the message would have failed 5 other tests, those tests will then not show up in log analysis. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Manual
Seems that there is a lot of chatter on the mailing list right now with tests etc that are not in the manual. I am curious will a new manual be released, or does anyone have any good explanations of some of these tests on their sites? The general rule of thumb is that the manual is updated to include new tests (and other features) whenever a released version comes out. For betas (and interim releases), the features are discussed on the list. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Junk Mail Stats
Pardon my ignorance but what are people using to get the stats from junk mail? Jeff Kratka * TymeWyse Internet P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417 tel/fax: (541) 839-6027 - [EMAIL PROTECTED] * HABEAS..50.04% HIL...1961.57% 5 messages with HABEAS headers - but 195 mails that failed HABEAS' infringer list. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] restricted mailing?
Title: Message Hi Paul, You may want to try my whitelist/blacklist program. It isa per user utility and has a strict mode where everything is blacklisted unless it is specifically whitelisted. I use it extensively and many other postmasters us it also. You can get more information and download it at: www.wamusa.com/wamcheck Thanks, Bill -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of paulSent: Thursday, January 22, 2004 11:16 AMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] restricted mailing? Hey guys, I asked this on Imail's list as well, but thought I'd see what Declude users do/think: What I'd like to be able to do, is block all mail to a certain account, except from those addresses specified via AUTOWHITELIST. Kind of a 'parental control'. Let's say I give my daughter an email address, I only want to allow mail from family + friends, but those I specify in her contacts list within the webmail, so using Declude's AUTOWHITELIST ON, I can weight all mail coming in to her mailbox, say, 100 or so, waaay above delete range, but because of the address, it would be delivered. Does that make sense? Is anyone else doing this? Paul
[Declude.JunkMail] Null Sender Messages to Multiple Recipients
Title: Message Hi: I noted the following on the SPF site: "In either case an MTA should reject messages from null senders that have more than one recipient." Imail only allows to either permit or deny null senders.But, the above statement sounds obvious - an automated bounce message would be directed to the ONE and only sender. Is this something worthwhile to test on? Best RegardsAndy SchmidtHM Systems Software, Inc.600 East Crescent Avenue, Suite 203Upper Saddle River, NJ 07458-1846Phone: +1 201 934-3414 x20 (Business)Fax: +1 201 934-9206http://www.HM-Software.com/
[Declude.JunkMail] Joy!
As Jerry Pournelle has often said You may not get this level of service. http://www.theregister.com/content/55/35044.html I wonder if all the spammers have this guy on their 17 trillion addresses CD. I could only hope. Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Junk Mail Stats
Hi, This was an excerpt from Dlanalyzer. Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kratka Sent: Thursday, January 22, 2004 04:10 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Junk Mail Stats Pardon my ignorance but what are people using to get the stats from junk mail? Jeff Kratka --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Null Sender Messages to Multiple Recipients
I noted the following on the SPF site: In either case an MTA should reject messages from null senders that have more than one recipient. Imail only allows to either permit or deny null senders. But, the above statement sounds obvious - an automated bounce message would be directed to the ONE and only sender. Is this something worthwhile to test on? This is a tricky one. While the RFCs do not specify any reason for an E-mail with a null sender to have multiple recipients, the RFCs do not say that it is not allowed. Therefore, doing so can technically break RFC compliance. I just checked some spam we have here, and out of over 10,000 spams, it looks like only 1 used a null sender. So while this might make for an interesting test, it probably would not catch much spam. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Whitelist file
Scott: So it seems like with the new Whitelist filter the whitelist file that was supposed to be listed in the $default$.junkmail is pretty much obsolete since we can do: mailfrom whitelistcontains [EMAIL PROTECTED] That should pretty much do the same thing.. and we can keep all of our whitelist actions in one place. right? Regards, Kami
Re: [Declude.JunkMail] Whitelist file
So it seems like with the new Whitelist filter the whitelist file that was supposed to be listed in the $default$.junkmail is pretty much obsolete since we can do: mailfrom whitelist contains mailto:[EMAIL PROTECTED][EMAIL PROTECTED] That should pretty much do the same thing.. and we can keep all of our whitelist actions in one place. right? Correct. However, WHITELISTFILE still has the advantage that it can be applied on a per-user/per-domain basis. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Clarification
If a filter is skipped by SKIPIFWEIGHT, at that point I am not concerned about logging that filter, as I do not want it to run. Remember, SKIPIFWEIGHT is only for filters. However, what if a message gets a high weight early, but then would get a negative weight from a filter? You took action before the message had a chance to get the negative weight. What if you are checking to see the effectiveness of one test compared to others? If processing is stopped short, that test may not be run on all messages. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Thursday, January 22, 2004 1:00 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Clarification John- Doesn't SKIPIFWEIGHT also defeat the logging of the skipped tests? -Dave Doherty Skywaves, Inc. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, January 22, 2004 1:04 PM Subject: RE: [Declude.JunkMail] Clarification I would like to see the SKIPIFWEIGHT option removed. If we had a conditional option to stop when a specific weight is reached, then there would be not need for SKIPIFWEIGHT. In addition, why would anyone use SKIPIFWEIGHT on less than every test...and why would anyone define one test with a different SKIPIFWEIGHT value than another test? This leads me back to a HOLDIFWEIGHT/DELETEIFWEIGHT logic which optionally stops processing when reached. Coming in late some my comments may be off. Scott has stated before that to stop all processing once a certain weight has been reached would be difficult and/or problematic. That is where SKIPIFWEIGHT comes in. I use SKIPIFWEIGHT on all body filters, as those are the most expensive in terms of CPU cost. I then have body filters listed in order, from most effective to least effective or specific target. Example, I have a custom body filter on my server for one client only. That is the last filter to run. Also, another reason to not stop processing is if you are doing log analysis and adjust filters or blocks based on that analysis. If you stop processing at say 35, but the message would have failed 5 other tests, those tests will then not show up in log analysis. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Clarification
1. Place negative weight tests first. 2. While testing effectiveness of a single test, place it first or turn off the stop processing flag for a period of time. Todd Holt Xidix Technologies, Inc Las Vegas, NV USA www.xidix.com 702.319.4349 -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Thursday, January 22, 2004 3:01 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Clarification If a filter is skipped by SKIPIFWEIGHT, at that point I am not concerned about logging that filter, as I do not want it to run. Remember, SKIPIFWEIGHT is only for filters. However, what if a message gets a high weight early, but then would get a negative weight from a filter? You took action before the message had a chance to get the negative weight. What if you are checking to see the effectiveness of one test compared to others? If processing is stopped short, that test may not be run on all messages. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Dave Doherty Sent: Thursday, January 22, 2004 1:00 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Clarification John- Doesn't SKIPIFWEIGHT also defeat the logging of the skipped tests? -Dave Doherty Skywaves, Inc. - Original Message - From: John Tolmachoff (Lists) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, January 22, 2004 1:04 PM Subject: RE: [Declude.JunkMail] Clarification I would like to see the SKIPIFWEIGHT option removed. If we had a conditional option to stop when a specific weight is reached, then there would be not need for SKIPIFWEIGHT. In addition, why would anyone use SKIPIFWEIGHT on less than every test...and why would anyone define one test with a different SKIPIFWEIGHT value than another test? This leads me back to a HOLDIFWEIGHT/DELETEIFWEIGHT logic which optionally stops processing when reached. Coming in late some my comments may be off. Scott has stated before that to stop all processing once a certain weight has been reached would be difficult and/or problematic. That is where SKIPIFWEIGHT comes in. I use SKIPIFWEIGHT on all body filters, as those are the most expensive in terms of CPU cost. I then have body filters listed in order, from most effective to least effective or specific target. Example, I have a custom body filter on my server for one client only. That is the last filter to run. Also, another reason to not stop processing is if you are doing log analysis and adjust filters or blocks based on that analysis. If you stop processing at say 35, but the message would have failed 5 other tests, those tests will then not show up in log analysis. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus (http://www.declude.com)] --- [This E-mail scanned for viruses by Declude Virus (http://www.declude.com)] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] Decoding a html attachment
I have never seen this used before, so even among Web designers it should be rare. That's a preferred syntax for Flash ActionScript. Can't tell you how often it's used in general, but it's all over one of our projects. So web shops, or those corresponding with same, should be wary. It has no reason to be in an HTML attachment, however; the combo is the red flag to me. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] New MS updates Bug Report emails making the rounds
Thought I'd warn everyone Some different/newer (I haven't seen it before) versions of two emails arefloating around #1 From Microsoft Corporation Network Security to Commercial customer No subject Attachment "UPGRADE88.exe" It claims to be updates from microsoft. #2 From Internet Delivery Service To Net Recipient Subject Bug Report Text : I'm sorry the message returned below could not be delivered to the following addresses: Attachment "ctge.exe" They making the rounds. There wereolder versions, that we were catchingbut they've changed it a bit So watch out. Headers are #1 Received: from FE-mail03.sfg.albacom.net [213.217.149.83] by mail.ameripride.org with ESMTP (SMTPD32-8.05) id A2A9E2A0166; Thu, 22 Jan 2004 00:50:17 -0600Received: from wyadonm (217.220.55.169) by FE-mail03.sfg.albacom.net (7.0.009) id 400CF7D10001F68F; Thu, 22 Jan 2004 07:48:41 +0100Date: Thu, 22 Jan 2004 07:48:41 +0100 (added by [EMAIL PROTECTED])Message-ID: [EMAIL PROTECTED] (added by [EMAIL PROTECTED])FROM: "Microsoft Corporation Network Security Center" [EMAIL PROTECTED]TO: "Commercial Customer" [EMAIL PROTECTED]SUBJECT: Mime-Version: 1.0Content-Type: multipart/mixed; boundary="nxjzttswpsxvy"X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 137, weight 0)X-RBL-Warning: ANTI-GIBBERISH: Message failed ANTI-GIBBERISH test (line 106, weight 0)X-Declude-Sender: [EMAIL PROTECTED] [213.217.149.83]X-Declude-Spoolname: D72a90e2a01660543.SMDX-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: GIBBERISH, ANTI-GIBBERISH [0]X-Note: This E-mail was sent from FE-mail03.albacom.net ([213.217.149.83]).X-RCPT-TO: xxStatus: UX-UIDL: 373063459 (at the end of the email) Content-Type: application/x-msdownload; n a m e = " U P G R A D E 8 8 . e x e "Content-Transfer-Encoding: base64Content-Disposition: attachment #2 Received: from FE-mail04.sfg.albacom.net [213.217.149.84] by mail.ameripride.org with ESMTP (SMTPD32-8.05) id A3A6E3A0166; Thu, 22 Jan 2004 00:54:30 -0600Received: from xkxxp (217.220.55.169) by FE-mail04.sfg.albacom.net (7.0.009) id 400CB88400024360; Thu, 22 Jan 2004 07:52:18 +0100Date: Thu, 22 Jan 2004 07:52:18 +0100 (added by [EMAIL PROTECTED])Message-ID: [EMAIL PROTECTED] (added by [EMAIL PROTECTED])FROM: "Internet Delivery System" [EMAIL PROTECTED]TO: "Net Recipient" [EMAIL PROTECTED]SUBJECT: Bug ReportMime-Version: 1.0Content-Type: multipart/alternative;boundary="fxsnozzuqz"X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 137, weight 0)X-RBL-Warning: ANTI-GIBBERISH: Message failed ANTI-GIBBERISH test (line 106, weight 0)X-Declude-Sender: [EMAIL PROTECTED] [213.217.149.84]X-Declude-Spoolname: D73a60e3a0166e227.SMDX-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.X-Spam-Tests-Failed: GIBBERISH, ANTI-GIBBERISH [0]X-Note: This E-mail was sent from FE-mail04.albacom.net ([213.217.149.84]).X-RCPT-TO: xxxStatus: UX-UIDL: 373063460 (at the end of the email) Content-Type: audio/x-wav; n a m e = " c t g e . e x e "Content-Transfer-Encoding: base64Content-Id: qfrsqcgf