RE: [Declude.JunkMail] odd behavior

2005-02-25 Thread John Tolmachoff (Lists)

I'll repost here what I posted on the Imail list. The problem is within Imail,
not Declude. Declude does not log a line using SMTPD, Imail does. The line
showing the whitelisting is an Imail SMTPD line, end of story as far as Declude
is concerned.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, February 24, 2005 6:41 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] [IMail Forum] odd behavior

Doug,

It is likely that this is due to the AUTOWHITELIST ON setting and the recipient
having their own E-mail address listed in their Web mail address book.
Either that or something that says [EMAIL PROTECTED]
(Declude's version of a wildcard match for that domain).

Matt

Doug Anderson wrote:

That's the thing, I have one white list file (hate whitelists) and ameripride is not in it

Did anything change in declude junkmail lately in
regards to whitelists (I just upgraded 2 nights ago)?

All I have for references to whitelist are:

$default.junkmail

WHITELISTFILE D:\Imail\Declude\AWHITELST.txt

#note AWhitelst.txt does not include ameripride.org

Global.cfg

LOGFILE d:\declude\logfiles\dec.log
LOGLEVEL LOW
HOP 0
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
XINHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Country-Chain: %COUNTRYCHAIN%
XOUTHEADER X-Note: E-mail scanned by Declude-JunkMail for spam by CRC.
XSENDER ON
XSPOOLNAME ON
XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]).
PREWHITELIST ON
AUTOWHITELIST ON
WHITELIST AUTH
.
.
WHITELIST IP 192.168.0.182
WHITELIST IP 192.168.0.85
WHITELIST IP 192.168.0.86

#Servers on local network (not exposed to public) that send emails (status reports)

- Original Message -
From: E. Shanbrom (Ipswitch)
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 2:48 PM
Subject: Re: [IMail Forum] odd behavior

Says ameripride.org is on the whitelist (Declude's, not IMail's)

Eric S

- Original Message -
From: Doug Anderson
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 3:03 PM
Subject: Re: [IMail Forum] odd behavior

Trying to figure out why it's white listed.

02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.126
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 201
02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD
02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list
02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free
02/22/2005 07:41:14 Q3664039604421990 L1 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE
02/22/2005 07:41:14 Q3664039604421990 L2 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE REVDNS=WARN TLD=WARN COUNTRY=WARN WEIGHT10PLUS=SUBJECT CATCHALLMAILS=IGNORE
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 L3 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org maria.snyder-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org reggie.licari-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) ldeliver mail.ameripride.org richard.boudreau-main (1) [EMAIL PROTECTED] 972
02:22 07:41 SMTP-(3664039604421990) finished d:\IMail\spool\Q3664039604421990.SMD status=1

- Original Message -
From: Travis Rabe
To: IMail_Forum@list.ipswitch.com
Sent: Thursday, February 24, 2005 1:09 PM
Subject: RE: [IMail Forum] odd behavior

What do the logs show you?

T

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug Anderson
Sent: Thursday, February 24, 

Re: [Declude.JunkMail] odd behavior

2005-02-25 Thread Darin Cox



Hi John,

I think you missed a thread Doug and I exchanged. He explained that he
combined the IMail and Declude logs below to show everything in regards to the
message. The following two lines are from his Declude logs showing that the
message was whitelisted by Declude:

02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]

Darin.


- Original Message - 
From: John Tolmachoff (Lists) 
To: Declude.JunkMail@declude.com 

Sent: Friday, February 25, 2005 3:08 AM
Subject: RE: [Declude.JunkMail] odd behavior


I'll repost here what I posted on the Imail list. The problem is within Imail,
not Declude. Declude does not log a line using SMTPD, Imail does. The line
showing the whitelisting is an Imail SMTPD line, end of story as far as Declude
is concerned.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



[Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Goran Jovanovic
Hi,

I am seeing very strange behaviour with one of my body filters.

These are the only three entries with STRICTLY CONFIDENTIAL:

BODY    2       CONTAINS        STRICTLY CONFIDENTIAL
BODY    20      CONTAINS        STRICTLY CONFIDENTIAL  URGENT
BODY    20      CONTAINS        STRICTLY CONFIDENTIAL BUSINESS PROPOSAL

From the Declude Log:

02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly confidential to you a].

And the actual message text which is a plain text message:

I would appreciate your keeping the fact of this meeting strictly
confidential to you alone.

So the question is how did an extra 10 points get added to this?

Declude 1.82 on IMail. 

Thanx 
 
 
 Goran Jovanovic
 The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] odd behavior

2005-02-25 Thread Dan Horne



So it looks like BOTH Imail (via trusted addresses) and Declude (via
Autowhitelist) were whitelisting this message.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
  Sent: Friday, February 25, 2005 9:32 AM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] odd behavior

  Hi John,

  I think you missed a thread Doug and I exchanged. He explained that he
  combined the IMail and Declude logs below to show everything in regards to
  the message. The following two lines are from his Declude logs showing that
  the message was whitelisted by Declude:

  02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
  02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]

  Darin.
  
  
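
The question this thread settles, which product whitelisted the message, can be answered directly from a combined log by joining IMail's SMTPD(<id>) lines to Declude's Q<id> lines on the spool ID. The following Python is an added example, not code from any poster, Declude or Ipswitch. The sample log is constructed after the excerpt quoted in the thread, with placeholder addresses and a second made-up message, and the hold_weight threshold of 10 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the two formats quoted in the thread. IMail lines carry
# the spool ID as SMTPD(<id>); Declude lines carry it as Q<id>. Addresses are
# placeholders (the archive redacts the real ones); the second message is made up.
SAMPLE_LOG = r"""
02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: <sender@example.net>
02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD
02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN REVDNS=WARN
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from sender@example.net; whitelisted user1@example.org
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from sender@example.net; whitelisted user2@example.org
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=0]: CATCHALLMAILS=IGNORE
02:22 07:45 SMTPD(3664039604421991) [203.0.113.7] MAIL FROM: <other@example.net>
02/22/2005 07:45:02 Q3664039604421991 Tests failed [weight=4]: REVDNS=WARN
"""

# IMail SMTP log: "MM:DD HH:MM SMTPD(<id>) ..." or "SMTP-(<id>) ..."
IMAIL_LINE = re.compile(r"^\d\d:\d\d \d\d:\d\d SMTP[D-]\((\w+)\) (.*)$")
# Declude log: "MM/DD/YYYY HH:MM:SS Q<id> ..."
DECLUDE_LINE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d Q(\w+) (.*)$")
IMAIL_WL = re.compile(r"^\[([^\]]+)\] in white list$")
DECLUDE_WL = re.compile(r"^Skipping\d* E-mail from (\S+); whitelisted (\S+)$")
WEIGHT = re.compile(r"^Tests failed \[weight=(-?\d+)\]")


def whitelist_audit(log_text):
    """Group whitelist decisions and Declude weights by spool ID."""
    report = defaultdict(lambda: {"imail": [], "declude": [], "max_weight": 0})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IMAIL_LINE.match(line)
        if m:
            hit = IMAIL_WL.match(m.group(2))
            if hit:  # IMail logged a white list match for this entry
                report[m.group(1)]["imail"].append(hit.group(1))
            continue
        m = DECLUDE_LINE.match(line)
        if not m:
            continue  # blank, wrapped or unrelated line
        entry = report[m.group(1)]
        hit = DECLUDE_WL.match(m.group(2))
        if hit:  # Declude logged this recipient as whitelisted
            entry["declude"].append(hit.group(2))
        weight = WEIGHT.match(m.group(2))
        if weight:
            entry["max_weight"] = max(entry["max_weight"], int(weight.group(1)))
    return dict(report)


def whitelisted_by(entry):
    """Name the product(s) whose log shows a whitelist decision."""
    return [name for name, key in (("IMail", "imail"), ("Declude", "declude"))
            if entry[key]]


def bypassed(report, hold_weight=10):
    """Spool IDs that scored at or above hold_weight yet were whitelisted.

    hold_weight is an assumed threshold; use the weight at which your own
    configuration starts acting on a message.
    """
    return sorted(
        spool_id for spool_id, entry in report.items()
        if whitelisted_by(entry) and entry["max_weight"] >= hold_weight
    )


if __name__ == "__main__":
    report = whitelist_audit(SAMPLE_LOG)
    for spool_id, entry in sorted(report.items()):
        print(spool_id, whitelisted_by(entry) or ["none"],
              "max weight", entry["max_weight"])
    print("whitelisted despite weight:", bypassed(report))
```

Wrapped log lines must be rejoined to one entry per line before they are fed to whitelist_audit, since each pattern is anchored to the start of a line.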

RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread David Barker
Goran,

1. Do you have a copy of the actual email header ?
2. Is this Qbca31d68008ed51d the only test that failed ?

David B
www.declude.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 25, 2005 10:44 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Body filter adding extra 10 points

Hi,

I am seeing very strange behaviour with one of my body filters.

These are the only three entries with STRICTLY CONFIDENTIAL:

BODY    2       CONTAINS        STRICTLY CONFIDENTIAL
BODY    20      CONTAINS        STRICTLY CONFIDENTIAL  URGENT
BODY    20      CONTAINS        STRICTLY CONFIDENTIAL BUSINESS PROPOSAL

From the Declude Log:

02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly confidential to you a].

And the actual message text which is a plain text message:

I would appreciate your keeping the fact of this meeting strictly
confidential to you alone.

So the question is how did an extra 10 points get added to this?

Declude 1.82 on IMail. 

Thanx 
 
 
 Goran Jovanovic
 The LAN Shoppe

__ NOD32 1.1007 (20050223) Information __

This message was checked by NOD32 antivirus system.
http://www.nod32.com




[Declude.JunkMail] Errors in virus log

2005-02-25 Thread Jeff Frantz

I'm using Declude v2.05 on Imail 8.15. I see the
below error for each message in the virus log.

02/25/2005 11:05:26 Q4cb81c81018c9f59 Couldn't find console; starting... (2).
02/25/2005 11:05:26 Q4cb81c81018c9f59 Error starting deccon.exe: 2
02/25/2005 11:05:28 Q4cb81c81018c9f59 Scanned: Virus Free [MIME: 1 3353]
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Couldn't find console; starting... (2).
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Error starting deccon.exe: 2
02/25/2005 11:05:40 Q4ccd1c84018c9f5b MIME file: [text/html][quoted-printable; Length=1139 Checksum=93723]
02/25/2005 11:05:41 Q4ccd1c84018c9f5b Scanned: Virus Free [MIME: 2 1708]
02/25/2005 11:05:52 Q4ca001d002309f4d Couldn't find console; starting... (2).
02/25/2005 11:05:52 Q4ca001d002309f4d Error starting deccon.exe: 2
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [text/HTML][*DEFAULT*; Length=26995 Checksum=2039562]
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [EMAIL PROTECTED] [base64; Length=26139 Checksum=3515058]
02/25/2005 11:05:53 Q4ca001d002309f4d Scanned: Virus Free [MIME: 3 57993]
02/25/2005 11:06:57 Q4d21207b018a9f70 Couldn't find console; starting... (2).
02/25/2005 11:06:57 Q4d21207b018a9f70 Error starting deccon.exe: 2
02/25/2005 11:06:57 Q4d21207b018a9f70 MIME file: [message/disposition-notification][7bit; Length=174 Checksum=18255]
02/25/2005 11:06:58 Q4d21207b018a9f70 Scanned: Virus Free [MIME: 2 531]

What do the messages "Couldn't find console" and "Error starting deccon.exe"
mean? I was seeing the same errors with Declude v1.82 so I upgraded to v2.05
this morning to see if they would go away.

Thanks!

-Jeff

Re: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Heinrich Richter
Maybe the filtertest itself has an additional weight of 10?

Then there should be a line like

FILTER-NIGERIAN-SCAM filter c:\declude\nigerian.txt x 10 0

in your global.cfg

Heinrich
---
This E-mail was scanned for viruses by CAD-FEM GmbH
*
This message and any attachment are confidential. If you are not the 
intended recipient, please telephone or email the sender and delete
this message and any attachment from your system. If you are not the
intended recipient you must not copy this message or attachment or 
disclose the contents to any other person.

For further information about CADFEM please see our website:
http://www.cadfem.de. 
**



RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Goran Jovanovic
David,

4 e-mails with the same text failed.

This is what came back to me as part of the SpamAttach.eml file. Do you
need anything else?

Subject:        RE: Governance Working Group Call
To:             [EMAIL PROTECTED], [EMAIL PROTECTED]
From:           [EMAIL PROTECTED]
Date:           16 Feb 2005 at 17:25:07
Tests Failed:   IPNOTINMX [0], REVDNS [4], SIZE-S [0], FILTER-NIGERIAN-SCAM [12], FILTER-PORN [12]
Weight:         23
Spool File:     Dc8371a990086d99d.SMD

To view the E-mail, just click the attachment.

Headers:
Received: from xxx.xxx.ca [xxx.xxx.xxx.xx] by mail1.gonetworks.net with ESMTP
  (SMTPD32-8.13) id A8381A990086; Wed, 16 Feb 2005 17:24:56 -0500
Received: by TQSEMAIL with Internet Mail Service (5.5.2657.72)
  id XVPK2RLX; Wed, 16 Feb 2005 17:28:57 -0500
Message-ID: [EMAIL PROTECTED]
From: Michel J. Carter [EMAIL PROTECTED]
To: 'Douglas Barrett' [EMAIL PROTECTED], + another dozen TOs
Cc: to 2 CC
Subject: RE: Governance Working Group Call
Date: Wed, 16 Feb 2005 17:28:46 -0500
X-MS-TNEF-Correlator: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/mixed;
  boundary=_=_NextPart_000_01C51476.DB426E2C

Goran Jovanovic
The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Friday, February 25, 2005 10:59 AM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points
 
 Goran,
 
 1. Do you have a copy of the actual email header ?
 2. Is this Qbca31d68008ed51d the only test that failed ?
 
 David B
 www.declude.com
 


RE: [Declude.JunkMail] Errors in virus log

2005-02-25 Thread Ralph Krausse

In your global.cfg and/or virus.cfg, you have CONSOLE ON. Change that to
# CONSOLE ON to comment it out. Also delete hijack.cfg if you are not running
hijack.

Ralph

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Friday, February 25, 2005 11:09 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Errors in virus log

I'm using Declude v2.05 on Imail 8.15. I see the
below error for each message in the virus log.

02/25/2005 11:05:26 Q4cb81c81018c9f59 Couldn't find console; starting... (2).
02/25/2005 11:05:26 Q4cb81c81018c9f59 Error starting deccon.exe: 2
02/25/2005 11:05:28 Q4cb81c81018c9f59 Scanned: Virus Free [MIME: 1 3353]
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Couldn't find console; starting... (2).
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Error starting deccon.exe: 2
02/25/2005 11:05:40 Q4ccd1c84018c9f5b MIME file: [text/html][quoted-printable; Length=1139 Checksum=93723]
02/25/2005 11:05:41 Q4ccd1c84018c9f5b Scanned: Virus Free [MIME: 2 1708]
02/25/2005 11:05:52 Q4ca001d002309f4d Couldn't find console; starting... (2).
02/25/2005 11:05:52 Q4ca001d002309f4d Error starting deccon.exe: 2
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [text/HTML][*DEFAULT*; Length=26995 Checksum=2039562]
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [EMAIL PROTECTED] [base64; Length=26139 Checksum=3515058]
02/25/2005 11:05:53 Q4ca001d002309f4d Scanned: Virus Free [MIME: 3 57993]
02/25/2005 11:06:57 Q4d21207b018a9f70 Couldn't find console; starting... (2).
02/25/2005 11:06:57 Q4d21207b018a9f70 Error starting deccon.exe: 2
02/25/2005 11:06:57 Q4d21207b018a9f70 MIME file: [message/disposition-notification][7bit; Length=174 Checksum=18255]
02/25/2005 11:06:58 Q4d21207b018a9f70 Scanned: Virus Free [MIME: 2 531]

What do the messages "Couldn't find console" and "Error starting deccon.exe"
mean? I was seeing the same errors with Declude v1.82 so I upgraded to v2.05
this morning to see if they would go away.

Thanks!

-Jeff

RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread David Barker
Can you post the line in your global.cfg file FILTER-NIGERIAN-SCAM? I am
guessing you may have an extra 10 points being added there that should not
be. Let's have a look.

Thanks
David
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 25, 2005 11:20 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points

David,

4 e-mails with the same text failed.

This is what came back to me as part of the SpamAttach.eml file. Do you need
anything else?

Subject:        RE: Governance Working Group Call
To:             [EMAIL PROTECTED], [EMAIL PROTECTED]
From:           [EMAIL PROTECTED]
Date:           16 Feb 2005 at 17:25:07
Tests Failed:   IPNOTINMX [0], REVDNS [4], SIZE-S [0], FILTER-NIGERIAN-SCAM [12], FILTER-PORN [12]
Weight:         23
Spool File:     Dc8371a990086d99d.SMD

To view the E-mail, just click the attachment.

Headers:
Received: from xxx.xxx.ca [xxx.xxx.xxx.xx] by mail1.gonetworks.net with ESMTP
  (SMTPD32-8.13) id A8381A990086; Wed, 16 Feb 2005 17:24:56 -0500
Received: by TQSEMAIL with Internet Mail Service (5.5.2657.72)
  id XVPK2RLX; Wed, 16 Feb 2005 17:28:57 -0500
Message-ID: [EMAIL PROTECTED]
From: Michel J. Carter [EMAIL PROTECTED]
To: 'Douglas Barrett' [EMAIL PROTECTED], + another dozen TOs
Cc: to 2 CC
Subject: RE: Governance Working Group Call
Date: Wed, 16 Feb 2005 17:28:46 -0500
X-MS-TNEF-Correlator: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/mixed;
  boundary=_=_NextPart_000_01C51476.DB426E2C

Goran Jovanovic
The LAN Shoppe

 



RE: [Declude.JunkMail] Errors in virus log

2005-02-25 Thread David Barker



1. In the delcude folder if you are not running 
Hijackrename the file hijack.cfg to hijack.bak
2. Open your global.cfg comment out the line CONSOLE 
ON

David B
www.declude.com


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff 
FrantzSent: Friday, February 25, 2005 11:09 AMTo: 
declude.junkmail@declude.comSubject: [Declude.JunkMail] Errors in 
virus log


Im using Declude v2.05 on Imail 
8.15. I see the below error for each message in the virus 
log.

02/25/2005 11:05:26 Q4cb81c81018c9f59 Couldn't find console; starting... (2).
02/25/2005 11:05:26 Q4cb81c81018c9f59 Error starting deccon.exe: 2
02/25/2005 11:05:28 Q4cb81c81018c9f59 Scanned: Virus Free [MIME: 1 3353]
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Couldn't find console; starting... (2).
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Error starting deccon.exe: 2
02/25/2005 11:05:40 Q4ccd1c84018c9f5b MIME file: [text/html][quoted-printable; Length=1139 Checksum=93723]
02/25/2005 11:05:41 Q4ccd1c84018c9f5b Scanned: Virus Free [MIME: 2 1708]
02/25/2005 11:05:52 Q4ca001d002309f4d Couldn't find console; starting... (2).
02/25/2005 11:05:52 Q4ca001d002309f4d Error starting deccon.exe: 2
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [text/HTML][*DEFAULT*; Length=26995 Checksum=2039562]
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [EMAIL PROTECTED] [base64; Length=26139 Checksum=3515058]
02/25/2005 11:05:53 Q4ca001d002309f4d Scanned: Virus Free [MIME: 3 57993]
02/25/2005 11:06:57 Q4d21207b018a9f70 Couldn't find console; starting... (2).
02/25/2005 11:06:57 Q4d21207b018a9f70 Error starting deccon.exe: 2
02/25/2005 11:06:57 Q4d21207b018a9f70 MIME file: [message/disposition-notification][7bit; Length=174 Checksum=18255]
02/25/2005 11:06:58 Q4d21207b018a9f70 Scanned: Virus Free [MIME: 2 531]

What do the messages "Couldn't find console" and "Error starting deccon.exe" mean? I was seeing the same errors with Declude v1.82 so I upgraded to v2.05 this morning to see if they would go away.

Thanks!
-Jeff


RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Goran Jovanovic
Nope sorry,

FILTER-NIGERIAN-SCAM filter C:\IMail\Declude\Filters\Kami\Filter_Nigerian.txt X 0 0

 
 
 
 Goran Jovanovic
 The LAN Shoppe

 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Heinrich Richter
 Sent: Friday, February 25, 2005 11:16 AM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
 
 Maybe the filter test itself has an additional weight of 10?
 
 Then there should be a line like
 
 FILTER-NIGERIAN-SCAM filter c:\declude\nigerian.txt x 10 0
 
 in your global.cfg
 
 
 Heinrich
 
 ---
 This E-mail was scanned for viruses by CAD-FEM GmbH
 
 
 *
 This message and any attachment are confidential. If you are not the
 intended recipient, please telephone or email the sender and delete
 this message and any attachment from your system. If you are not the
 intended recipient you must not copy this message or attachment or
 disclose the contents to any other person.
 
 For further information about CADFEM please see our website:
 http://www.cadfem.de.
 **
 


Re: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Scott Fisher
Can you post the entire filter?
My copy of Kami's filter shows:
BODY   12 CONTAINS  STRICTLY CONFIDENTIAL
- Original Message - 
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 9:44 AM
Subject: [Declude.JunkMail] Body filter adding extra 10 points

Hi,
I am seeing very strange behaviour with one of my body filters.
These are the only three entries with STRICTLY CONFIDENTIAL:
BODY 2 CONTAINS STRICTLY CONFIDENTIAL
BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
From the Declude Log:
02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
confidential to you a].
And the actual message text which is a plain text message:
I would appreciate your keeping the fact of this meeting strictly
confidential to you alone.
So the question is how did an extra 10 points get added to this?
Declude 1.82 on IMail.
Thanx
Goran Jovanovic
The LAN Shoppe


RE: [Declude.JunkMail] Errors in virus log

2005-02-25 Thread Jeff Frantz








Thanks! Deleting the hijack.cfg did it.



-Jeff











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ralph Krausse
Sent: Friday, February 25, 2005 11:20 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Errors in virus log

In your global.cfg and/or virus.cfg, you have CONSOLE ON. Change that to # CONSOLE ON to comment it out. Also delete hijack.cfg if you are not running hijack.



Ralph















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Frantz
Sent: Friday, February 25, 2005 11:09 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Errors in virus log

I'm using Declude v2.05 on Imail 8.15. I see the below error for each message in the virus log.



02/25/2005 11:05:26 Q4cb81c81018c9f59 Couldn't find console; starting... (2).
02/25/2005 11:05:26 Q4cb81c81018c9f59 Error starting deccon.exe: 2
02/25/2005 11:05:28 Q4cb81c81018c9f59 Scanned: Virus Free [MIME: 1 3353]
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Couldn't find console; starting... (2).
02/25/2005 11:05:40 Q4ccd1c84018c9f5b Error starting deccon.exe: 2
02/25/2005 11:05:40 Q4ccd1c84018c9f5b MIME file: [text/html][quoted-printable; Length=1139 Checksum=93723]
02/25/2005 11:05:41 Q4ccd1c84018c9f5b Scanned: Virus Free [MIME: 2 1708]
02/25/2005 11:05:52 Q4ca001d002309f4d Couldn't find console; starting... (2).
02/25/2005 11:05:52 Q4ca001d002309f4d Error starting deccon.exe: 2
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [text/HTML][*DEFAULT*; Length=26995 Checksum=2039562]
02/25/2005 11:05:52 Q4ca001d002309f4d MIME file: [EMAIL PROTECTED] [base64; Length=26139 Checksum=3515058]
02/25/2005 11:05:53 Q4ca001d002309f4d Scanned: Virus Free [MIME: 3 57993]
02/25/2005 11:06:57 Q4d21207b018a9f70 Couldn't find console; starting... (2).
02/25/2005 11:06:57 Q4d21207b018a9f70 Error starting deccon.exe: 2
02/25/2005 11:06:57 Q4d21207b018a9f70 MIME file: [message/disposition-notification][7bit; Length=174 Checksum=18255]
02/25/2005 11:06:58 Q4d21207b018a9f70 Scanned: Virus Free [MIME: 2 531]



What do the messages "Couldn't find console" and "Error starting deccon.exe" mean? I was seeing the same errors with Declude v1.82 so I upgraded to v2.05 this morning to see if they would go away.



Thanks!

-Jeff










RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread John Tolmachoff \(Lists\)
Not sure if I am missing something

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
 Sent: Friday, February 25, 2005 7:44 AM
 To: Declude.JunkMail@declude.com
 Subject: [Declude.JunkMail] Body filter adding extra 10 points
 
 Hi,
 
 I am seeing very strange behaviour with one of my body filters.
 
 These are the only three entries with STRICTLY CONFIDENTIAL:
 
 BODY 2 CONTAINS STRICTLY CONFIDENTIAL
 BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
 BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
 
 From the Declude Log:
 
 02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
 FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
 confidential to you a].
 
 And the actual message text which is a plain text message:
 
 I would appreciate your keeping the fact of this meeting strictly
 confidential to you alone.
 
 So the question is how did an extra 10 points get added to this?
 
 Declude 1.82 on IMail.
 
 Thanx
 
 
  Goran Jovanovic
  The LAN Shoppe


RE: [Declude.JunkMail] odd behavior

2005-02-25 Thread John Tolmachoff \(Lists\)









Yep, Dan is correct. I saw the first line about whitelist which was an Imail SMTPD line and stopped there.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Horne
Sent: Friday, February 25, 2005 7:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] odd behavior



So it looks like BOTH Imail (via trusted
addresses) and Declude (via Autowhitelist) were whitelisting this message.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Friday, February 25, 2005 9:32 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] odd behavior



Hi John,











I think you missed a thread Doug and
I exchanged. He explained that he combined the IMail and Declude logs
below to show everything in regards to the message. The following two
lines are from his Declude logs showing that the message was whitelisted by
Declude:











02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]

Darin.

















- Original Message - 



From: John Tolmachoff (Lists)
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 3:08 AM
Subject: RE: [Declude.JunkMail] odd behavior

I'll repost here what I posted on the Imail list. The problem is within Imail, not Declude. Declude does not log a line using SMTPD, Imail does. The line showing the whitelisting is an Imail SMTPD line, end of story as far as Declude is concerned.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, February 24, 2005 6:41 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] [IMail Forum] odd behavior



Doug,

It is likely that this is due to the AUTOWHITELIST ON setting and the recipient
having their own E-mail address listed in their Web mail address book.
Either that or something that says [EMAIL PROTECTED]
(Declude's version of a wildcard match for that domain).

Matt



Doug Anderson wrote: 





That's the thing, I have one white list file (hate whitelists) and ameripride is not in it

Did anything change in declude junkmail lately in regards to whitelists (I just upgraded 2 nights ago)?





All I have for references to whitelist are :











$default.junkmail 





WHITELISTFILE D:\Imail\Declude\AWHITELST.txt





#note AWhitelst.txt does not include ameripride.org











Global.cfg





CODE






LOGFILE d:\declude\logfiles\dec.log
LOGLEVEL LOW
HOP 0
HIDETESTS CATCHALLMAILS IPNOTINMX NOLEGITCONTENT
XINHEADER X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
XINHEADER X-Spam-Tests-Failed: %TESTSFAILED% [%WEIGHT%]
XINHEADER X-Country-Chain: %COUNTRYCHAIN%
XOUTHEADER X-Note: E-mail scanned by Declude-JunkMail for spam by CRC.
XSENDER ON
XSPOOLNAME ON
XINHEADER X-Note: This E-mail was sent from %REVDNS% ([%REMOTEIP%]).
PREWHITELIST ON
AUTOWHITELIST ON
WHITELIST AUTH





.





.





WHITELIST IP 192.168.0.182
WHITELIST IP 192.168.0.85
WHITELIST IP 192.168.0.86





#Servers on local network (not exposed to public) that send emails (status reports)













- Original Message - 





From: E.
Shanbrom (Ipswitch) 





To: IMail_Forum@list.ipswitch.com 





Sent: Thursday,
 February 24, 2005 2:48 PM





Subject: Re: [IMail
Forum] odd behavior











Says ameripride.org is on the whitelist (Declude's not IMail's)











Eric S







- Original Message - 





From: Doug
Anderson 





To: IMail_Forum@list.ipswitch.com 





Sent: Thursday,
 February 24, 2005 3:03 PM





Subject: Re: [IMail
Forum] odd behavior











Trying to figure out why it's white listed. 











02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] HELO 67.130.17.126
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] RCPT TO: [EMAIL PROTECTED]
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] d:\IMail\spool\D3664039604421990.SMD 201
02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD
02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list
02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free
02/22/2005 07:41:14 Q3664039604421990 L1 Message OK
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE
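
An added example, not part of any message in this thread: a short Python script that splits a merged IMail/Declude log like the one above by product and reports which product logged a whitelist decision for each spool ID. The two line formats and the whitelist phrases are taken from lines quoted in the thread; the e-mail addresses and the second spool ID are constructed placeholders, because the archive redacts the real addresses.

```python
import re
from collections import defaultdict

# IMail SMTP lines as quoted in the thread: "MM:DD HH:MM SMTPD(<spool id>) text"
IMAIL_RE = re.compile(r"^\d{2}:\d{2} \d{2}:\d{2} (?:SMTPD|SMTP-)\((\w+)\)\s*(.*)$")
# Declude lines as quoted in the thread: "MM/DD/YYYY HH:MM:SS Q<spool id> text"
DECLUDE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} Q(\w+)\s+(.*)$")

# Phrase each product writes when it whitelists a message (both from the thread).
WHITELIST_MARKER = {"IMail": "in white list", "Declude": "whitelisted"}

# Merged log. Addresses are constructed placeholders; the last line (spool ID
# ending in 1991) is constructed to show a message only Declude whitelisted.
SAMPLE_LOG = r"""
02:22 07:40 SMTPD(3664039604421990) [192.168.0.135] connect 221.127.179.32 port 1194
02:22 07:41 SMTPD(3664039604421990) [221.127.179.32] MAIL FROM: <sender@ameripride.org>
02:22 07:41 SMTP-(3664039604421990) processing d:\IMail\spool\Q3664039604421990.SMD
02:22 07:41 SMTPD(3664039604421990) [ameripride.org] in white list
02/22/2005 07:41:11 Q3664039604421990 Scanned: Virus Free
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from sender@ameripride.org; whitelisted user1@example.com
02/22/2005 07:41:14 Q3664039604421990 Skipping4 E-mail from sender@ameripride.org; whitelisted user2@example.com
02/22/2005 07:41:14 Q3664039604421990 Tests failed [weight=25]: BADHEADERS=WARN CMDSPACE=WARN
02/22/2005 07:45:02 Q3664039604421991 Skipping4 E-mail from other@example.net; whitelisted user1@example.com
"""


def classify(line):
    """Return (product, spool_id, text), or None if the line matches neither format."""
    line = line.strip()
    m = IMAIL_RE.match(line)
    if m:
        return ("IMail", m.group(1).lower(), m.group(2))
    m = DECLUDE_RE.match(line)
    if m:
        return ("Declude", m.group(1).lower(), m.group(2))
    return None


def whitelist_sources(lines):
    """Map spool id -> {product: [log text of each whitelist decision]}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue  # blank line, wrapped fragment, or another product's log
        product, spool_id, text = parsed
        if WHITELIST_MARKER[product] in text.lower():
            hits[spool_id][product].append(text)
    return {spool_id: dict(by_product) for spool_id, by_product in hits.items()}


def summarize(hits):
    """Map spool id -> sorted list of products that whitelisted the message."""
    return {spool_id: sorted(by_product) for spool_id, by_product in hits.items()}


if __name__ == "__main__":
    found = whitelist_sources(SAMPLE_LOG.splitlines())
    for spool_id, products in summarize(found).items():
        print(f"{spool_id}: whitelisted by {' and '.join(products)}")
```

Matching on the line format rather than on the word "whitelist" is what keeps an IMail SMTPD entry from being read as a Declude decision, or the reverse.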

RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread John Tolmachoff \(Lists\)
Disregard this post, hit the wrong button.

Darn keyboard virus.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Friday, February 25, 2005 9:53 AM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points
 
 Not sure if I am missing something
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
  Sent: Friday, February 25, 2005 7:44 AM
  To: Declude.JunkMail@declude.com
  Subject: [Declude.JunkMail] Body filter adding extra 10 points
 
  Hi,
 
  I am seeing very strange behaviour with one of my body filters.
 
  These are the only three entries with STRICTLY CONFIDENTIAL:
 
  BODY 2 CONTAINS STRICTLY CONFIDENTIAL
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
 
  From the Declude Log:
 
  02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
  FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
  confidential to you a].
 
  And the actual message text which is a plain text message:
 
  I would appreciate your keeping the fact of this meeting strictly
  confidential to you alone.
 
  So the question is how did an extra 10 points get added to this?
 
  Declude 1.82 on IMail.
 
  Thanx
 
 
   Goran Jovanovic
   The LAN Shoppe


Re: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Scott Fisher
Could it have been set to body contains 12.. on 2/16 and subsequently 
changed to body contains 2.. sometime after the email was processed?

It's the only explanation that I can see...
- Original Message - 
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 11:17 AM
Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points

Here it is

Goran Jovanovic
The LAN Shoppe

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, February 25, 2005 12:00 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
Can you post the entire filter?
My copy of Kami's filter shows:
BODY   12 CONTAINS  STRICTLY CONFIDENTIAL
- Original Message -
From: Goran Jovanovic [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 9:44 AM
Subject: [Declude.JunkMail] Body filter adding extra 10 points
Hi,
I am seeing very strange behaviour with one of my body filters.
These are the only three entries with STRICTLY CONFIDENTIAL:
BODY 2 CONTAINS STRICTLY CONFIDENTIAL
BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
From the Declude Log:
02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
confidential to you a].
And the actual message text which is a plain text message:
I would appreciate your keeping the fact of this meeting strictly
confidential to you alone.
So the question is how did an extra 10 points get added to this?
Declude 1.82 on IMail.
Thanx
 Goran Jovanovic
 The LAN Shoppe


RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Goran Jovanovic
Scott,

Since I do the editing on the filter files and I do not remember doing
this .

I have been doing a bunch of work on COMBO filters but not on tweaking
that filter. Now it is possible that I did tweak it and I do not
remember doing it but ...

I will ask around the office as well

I sent a test mail to myself with STRICTLY CONFIDENTIAL in the body and
got a FILTER-NIGERIAN-SCAM [2] so it is working correctly now.

I am going to watch what it is doing and maybe replace the filter with
your multiline one.
 
 
 Goran Jovanovic
 The LAN Shoppe


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Scott Fisher
 Sent: Friday, February 25, 2005 1:16 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
 
 Could it have been set to body contains 12.. on 2/16 and subsequently
 changed to body contains 2.. sometime after the email was processed?
 
 It's the only explanation that I can see...
 
 - Original Message -
 From: Goran Jovanovic [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Friday, February 25, 2005 11:17 AM
 Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points
 
 
 Here it is
 
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Friday, February 25, 2005 12:00 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
 
  Can you post the entire filter?
 
  My copy of Kami's filter shows:
  BODY   12 CONTAINS  STRICTLY CONFIDENTIAL
  - Original Message -
  From: Goran Jovanovic [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Friday, February 25, 2005 9:44 AM
  Subject: [Declude.JunkMail] Body filter adding extra 10 points
 
 
  Hi,
 
  I am seeing very strange behaviour with one of my body filters.
 
  These are the only three entries with STRICTLY CONFIDENTIAL:
 
  BODY 2 CONTAINS STRICTLY CONFIDENTIAL
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
 
  From the Declude Log:
 
  02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
  FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
  confidential to you a].
 
  And the actual message text which is a plain text message:
 
  I would appreciate your keeping the fact of this meeting strictly
  confidential to you alone.
 
  So the question is how did an extra 10 points get added to this?
 
  Declude 1.82 on IMail.
 
  Thanx
 
 
   Goran Jovanovic
   The LAN Shoppe


RE: [Declude.JunkMail] Body filter adding extra 10 points

2005-02-25 Thread Colbeck, Andrew
Goran and Scott... John probably hit the nail on the head.  I was going
to make the same comment, actually.

Since you have the message, turn on HIGH or DEBUG level logging and send
the message to yourself.

I bet that there are other tests in that same filter file that are
triggered, and that the line you're concerned with is the *last* filter
that is triggered, and thus there are 1 or more other filters that are
triggered which total 10 points.

With HIGH or DEBUG level logging, you will see a line in the Declude
decMMDD.log file for every filter line that is triggered.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Friday, February 25, 2005 11:12 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points


Scott,

Since I do the editing on the filter files and I do not remember doing
this .

I have been doing a bunch of work on COMBO filters but not on tweaking
that filter. Now it is possible that I did tweak it and I do not
remember doing it but ...

I will ask around the office as well

I sent a test mail to myself with STRICTLY CONFIDENTIAL in the body and
got a FILTER-NIGERIAN-SCAM [2] so it is working correctly now.

I am going to watch what it is doing and maybe replace the filter with
your multiline one.
 
 
 Goran Jovanovic
 The LAN Shoppe


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
 [EMAIL PROTECTED] On Behalf Of Scott Fisher
 Sent: Friday, February 25, 2005 1:16 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
 
 Could it have been set to body contains 12.. on 2/16 and subsequently
 changed to body contains 2.. sometime after the email was processed?
 
 It's the only explanation that I can see...
 
 - Original Message -
 From: Goran Jovanovic [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Friday, February 25, 2005 11:17 AM
 Subject: RE: [Declude.JunkMail] Body filter adding extra 10 points
 
 
 Here it is
 
 
 
 
  Goran Jovanovic
  The LAN Shoppe
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- 
  [EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Friday, February 25, 2005 12:00 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Body filter adding extra 10 points
 
  Can you post the entire filter?
 
  My copy of Kami's filter shows:
  BODY   12 CONTAINS  STRICTLY CONFIDENTIAL
  - Original Message -
  From: Goran Jovanovic [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Friday, February 25, 2005 9:44 AM
  Subject: [Declude.JunkMail] Body filter adding extra 10 points
 
 
  Hi,
 
  I am seeing very strange behaviour with one of my body filters.
 
  These are the only three entries with STRICTLY CONFIDENTIAL:
 
  BODY 2 CONTAINS STRICTLY CONFIDENTIAL
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
  BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
 
  From the Declude Log:
 
  02/16/2005 16:36:04 Qbca31d68008ed51d Triggered BODY CONTAINS filter
  FILTER-NIGERIAN-SCAM on STRICTLY CONFIDENTIAL [weight-12; strictly
  confidential to you a].
 
  And the actual message text which is a plain text message:
 
  I would appreciate your keeping the fact of this meeting strictly 
  confidential to you alone.
 
  So the question is how did an extra 10 points get added to this?
 
  Declude 1.82 on IMail.
 
  Thanx
 
 
   Goran Jovanovic
   The LAN Shoppe
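
An added example, not from the thread or from Declude: a simplified Python model of the explanation in the message above, in which every matching line of a filter file adds its weight and the logged line is the last one triggered. The line grammar, the `#` comment handling and the 10-point filter line are assumptions made for illustration; only the three STRICTLY CONFIDENTIAL lines, the message text and the logged weight of 12 come from the thread.

```python
import re

# Assumed grammar for one filter line: "<SCOPE> <weight> <MATCH TYPE> <phrase>",
# modelled on the BODY ... CONTAINS ... lines quoted in the thread.
LINE_RE = re.compile(r"^(\w+)\s+(-?\d+)\s+(\w+)\s+(.+)$")

# The three lines Goran quoted from his filter file.
GORAN_LINES = """\
BODY 2 CONTAINS STRICTLY CONFIDENTIAL
BODY 20 CONTAINS STRICTLY CONFIDENTIAL  URGENT
BODY 20 CONTAINS STRICTLY CONFIDENTIAL BUSINESS PROPOSAL
"""

# Constructed line (not in the thread): stands in for whatever other entry in
# the same file might also have matched, which is the hypothesis being modelled.
CONSTRUCTED_LINE = """\
# constructed entry for illustration only
BODY 10 CONTAINS I would appreciate
"""

FILTER_TEXT = CONSTRUCTED_LINE + GORAN_LINES

# Message text quoted in the thread, unwrapped onto one line.
BODY = ("I would appreciate your keeping the fact of this meeting strictly "
        "confidential to you alone.")


def parse_filter(text):
    """Parse filter text into a list of (scope, weight, match_type, phrase)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable filter line: {raw!r}")
        scope, weight, match_type, phrase = m.groups()
        rules.append((scope.upper(), int(weight), match_type.upper(), phrase.strip()))
    return rules


def trace(rules, body):
    """Return [(phrase, line_weight, running_total)] for each triggered line, in file order.

    Matching is case-insensitive, as the logged hit on lowercase text implies.
    """
    haystack = body.lower()
    total = 0
    triggered = []
    for scope, weight, match_type, phrase in rules:
        if scope == "BODY" and match_type == "CONTAINS" and phrase.lower() in haystack:
            total += weight
            triggered.append((phrase, weight, total))
    return triggered


def logged_weight(triggered):
    """Weight a log would show if it reported only the last triggered line."""
    return triggered[-1][2] if triggered else 0


if __name__ == "__main__":
    for phrase, weight, total in trace(parse_filter(FILTER_TEXT), BODY):
        print(f"triggered {phrase!r}: line weight {weight}, running total {total}")
```

With only Goran's three lines the model reports 2; with one earlier 10-point match it reports 12 on the STRICTLY CONFIDENTIAL line, which is the pattern a per-line HIGH or DEBUG log would confirm or rule out.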

[Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread Scott Fisher



I use port 2525 to bypass port 25 blocking for my employees.
I was just checking my logs and I've been receiving spam on port 2525

Can anyone share the necessary Cisco IOS commands to let the Cisco router do port translation?
P.S. IOS isn't my primary language...


[Declude.JunkMail] casino spam

2005-02-25 Thread Kyle Fisher








Has anyone noticed in the past week an increase in casino,
or party poker, etc.. spam?



Kyle








Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Glenn \\ WCNet



I've seen several kinds of spam increase in the 
last day.

- Original Message - 
From: Kyle Fisher 
To: Declude.JunkMail@declude.com 

Sent: Friday, February 25, 2005 4:40 PM
Subject: [Declude.JunkMail] casino spam


Has anyone noticed in the past week 
an increase in casino, or party poker, etc.. spam?

Kyle


Re: [Declude.JunkMail] casino spam

2005-02-25 Thread David Barker



Kyle,

When will you stop signing up for those gambling sites, you know you can't win? :)

No reported increase on our side.

David B
www.declude.com

  - Original Message - 
  From: 
  Kyle Fisher 

  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 5:40 
  PM
  Subject: [Declude.JunkMail] casino 
  spam
  
  
  Has anyone noticed in the past 
  week an increase in casino, or party poker, etc.. 
  spam?
  
  Kyle


RE: [Declude.JunkMail] casino spam

2005-02-25 Thread Kyle Fisher








What's funny is I did sign up for an account a couple of weeks ago and I still haven't won. I did it for the free set of poker chips.

That's what I figured. It's strange everything will be going fine for a few weeks then for some reason we get a small flood of something. Like casino.

What I hate is that these messages getting through fail sniffer but that's it no other tests.



Kyle











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Friday, February 25, 2005 4:51 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] casino spam







Kyle,











When will you stop signing up for those gambling sites, you know you can't win? :)











No reported increase on our side.











David B





www.declude.com







- Original Message -
From: Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 5:40 PM
Subject: [Declude.JunkMail] casino spam









Has anyone noticed in the past week an increase in casino,
or party poker, etc.. spam?



Kyle










Re: [Declude.JunkMail] casino spam

2005-02-25 Thread David Barker



Which can under certain circumstances be correct. If you had signed up with the website then declude is correct in identifying them as legitimate email. It is possible we could set up some additional filters to help with a specific type of Spam.

David B
www.declude.com

  - Original Message - 
  From: 
  Kyle Fisher 

  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 6:00 
  PM
  Subject: RE: [Declude.JunkMail] casino 
  spam
  
  
  What’s funny is I did 
  sign up for an account a couple of weeks ago and I still haven’t won. I 
  did it for the free set of poker chips.
  
  That’s what I 
  figured. It’s strange everything will be going fine for a few weeks then 
  for some reason we get a small flood of something. Like 
  casino.
  
  What I hate is that 
  these messages getting through fail sniffer but that’s it no other 
  tests.
  
  Kyle
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
  Sent: Friday, February 25, 2005 4:51 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] casino spam
  
  
  Kyle,
  
  
  
  When willyou stop signing up 
  for those gambling sites, you know you can't win? 
  :)
  
  
  
  No reported increase on our 
  side.
  
  
  
  David 
  B
  
  www.declude.com
  

- Original Message -
From: Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 5:40 PM
Subject: [Declude.JunkMail] casino spam

Has anyone noticed in the past week an increase in casino, or party poker, etc..
spam?

Kyle


RE: [Declude.JunkMail] casino spam

2005-02-25 Thread Paul Navarre

I've actually noticed an increase
specifically in gambling site spam myself.

Paul Navarre

Has anyone noticed in the past week an increase in casino, or
party poker, etc.. spam?

Kyle


Re[2]: [Declude.JunkMail] casino spam

2005-02-25 Thread Pete McNeil
On Friday, February 25, 2005, 5:50:45 PM, Glenn wrote:

GW I've seen several kinds of spam increase in the  last day.

We're seeing a new porn campaign, a new kiddie porn campaign, a
ramp-up of the current M$ software rip-off (media-theft) spam. We've
seen a bit of a pick-up in the casino stuff too - particularly a
campaign that encourages you to make a boatload of money running your
own online casino etc...

Almost enough to call it a spam storm but not quite...

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

_M


  


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re[2]: [Declude.JunkMail] casino spam

2005-02-25 Thread Pete McNeil
On Friday, February 25, 2005, 6:11:58 PM, David wrote:

DB Which can under certain circumstances be correct.  If you had
DB signed up with the website then declude is correct in  identifying
DB them as legitimate email. It is possible we could set up some 
DB additional filters to help with a specific type of Spam.

Most of the time what is happening is that the IPs for these (and
often even the URI) have not been picked up by other services yet so
the total weight doesn't get pushed over the threshold. We see these
events as apparent false positives in our MDLP analysis (the red
mark at the end of the SNIFFER test is mostly new spam that only SNF
is seeing, not actually FPs)

http://www.sortmonster.com/MDLP/MDLP-Example-Long.html

An interesting test that might help is to keep track of connect
(source) IPs that are new - or relatively new. This same mechanism is
part of the requested Delay New IPs feature... but even before then,
our research suggests that a test that provides a weight based on how
new an IP source is could be quite helpful...

So, for example:

Days  ---  Weight

0     ---  64
1     ---  32
2     ---  16
4     ---  8
5     ---  4
6     ---  2
7     ---  1
8+    ---  0

Based on a spam threshold of 100.

On many systems a Day Zero IP along with SNF would be enough to
filter the message out. After a couple of days other BLs are likely to
take over.

Just a thought  ;-)

_M
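
Added example, not part of the post above and not Declude or Message Sniffer code: a sketch of the new-source-IP weight test it describes, using the posted Days/Weight table and the threshold of 100. The warm-up cutoff, the handling of the unlisted day 3 (it takes day 2's weight), the SNIFFER weight of 40 and the sample IPs and dates are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Days-since-first-seen -> weight, exactly as listed in the post.
# Day 3 is not listed there; ASSUMPTION: an unlisted age takes the weight
# of the nearest listed day below it.
AGE_WEIGHTS = ((0, 64), (1, 32), (2, 16), (4, 8), (5, 4), (6, 2), (7, 1), (8, 0))
SPAM_THRESHOLD = 100  # threshold stated in the post


def new_ip_weight(age_days):
    """Weight for a source IP first seen age_days ago; None means established."""
    if age_days is None:
        return 0
    weight = AGE_WEIGHTS[0][1]
    for day, listed in AGE_WEIGHTS:
        if age_days >= day:
            weight = listed
    return weight


class FirstSeenTracker:
    """Remembers the first date each connecting (source) IP was seen.

    ASSUMPTION: a warm-up cutoff. On a fresh install every IP looks like
    day zero, so anything first seen before learning_until is treated as
    established and never receives the new-IP weight.
    """

    def __init__(self, learning_until):
        self.learning_until = learning_until
        self._first_seen = {}

    def age_in_days(self, source_ip, today):
        # Canonicalise the address; raises ValueError on malformed input.
        key = str(ipaddress.ip_address(source_ip))
        first = self._first_seen.setdefault(key, today)
        if first < self.learning_until:
            return None
        # A clock step backwards must not produce a negative age.
        return max((today - first).days, 0)


def score_message(tracker, source_ip, today, other_weights):
    """Combine the new-IP weight with the weights of the other failed tests."""
    age = tracker.age_in_days(source_ip, today)
    ip_weight = new_ip_weight(age)
    total = ip_weight + sum(other_weights.values())
    return {"age_days": age, "new_ip_weight": ip_weight,
            "total": total, "spam": total >= SPAM_THRESHOLD}


def demo():
    """Constructed traffic: the only other test failed each time is SNIFFER."""
    tracker = FirstSeenTracker(learning_until=date(2005, 2, 20))
    sniffer_only = {"SNIFFER": 40}  # constructed weight, not from the post
    events = [
        ("198.51.100.7", date(2005, 2, 18)),  # first seen during warm-up
        ("198.51.100.7", date(2005, 2, 25)),  # still treated as established
        ("192.0.2.10", date(2005, 2, 25)),    # day zero
        ("192.0.2.10", date(2005, 2, 27)),    # day 2
        ("192.0.2.10", date(2005, 2, 28)),    # day 3 (unlisted in the table)
        ("192.0.2.10", date(2005, 3, 5)),     # day 8
    ]
    return [score_message(tracker, ip, day, sniffer_only) for ip, day in events]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Only the day-zero message crosses the threshold on SNIFFER alone; from day 2 onward the total depends on other tests adding weight, which matches the post's expectation that other blacklists take over after a couple of days.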





Re: [Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread Matt




Here's what I am using for a mail server located at 192.168.1.1 for
this example. IMail is configured to listen on port 587, but to the
outside world it appears as both port 25 and 587. Even though one
would think that you didn't have to NAT 587 to 587, in
this case you do because of the other rules for that IP (or so I was
told). I assume that you are configured differently and that does
matter, so you might want to share that before making the edits
yourself. 

ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

I assume that you know how to config term your router. If not, it
won't be straightforward without a crib sheet or experienced help to
guide you through it rather than risk messing it up.

Matt



Scott Fisher wrote:

  
  
  
  I use port 2525 to bypass port 25
blocking for my employees. 
  I was just checking my logs and I've
been receiving spam on port 2525
  
  Can anyone share the necessary Cisco IOS commands to let the
Cisco router do port translation?
  P.S. IOS isn't my primary language...


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Matt




You can solve this problem by simply blacklisting British Columbia.

Seriously though, it's strange how much of this stuff comes from
there. In the penny stock world, this province also gained quite the
reputation for fraud in the past. I won't mention the strip clubs.
Andrew might be able to shed some light on that one...or maybe even all
of those things :)

Matt



Paul Navarre wrote:

  
  
  

  
  I've actually noticed an increase
specifically in gambling site spam myself.
  
  Paul Navarre
  
  



Has anyone noticed in the
past week an increase in casino, or
party poker, etc.. spam?

Kyle
  
  
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




RE: [Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread John Tolmachoff \(Lists\)

See my thoughts on the Imail forum on 587.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, February 25, 2005 4:50 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Spammed on port 2525



Here's what I am using for a mail server located at
192.168.1.1 for this example. IMail is configured to listen on port 587,
but to the outside world it appears as both port 25 and 587. Even though
one would think that you didn't have to NAT 587 to 587, in this case you do
because of the other rules for that IP (or so I was told). I assume that
you are configured differently and that does matter, so you might want to share
that before making the edits yourself. 

ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

I assume that you know how to config term your router. If not, it won't
be straightforward without a crib sheet or experienced help to guide you
through it rather than risk messing it up.

Matt



Scott Fisher wrote: 



I use port 2525 to bypass port 25 blocking for my
employees.

I was just checking my logs and I've been receiving
spam on port 2525

Can anyone share the necessary Cisco IOS commands to
let the Cisco router do port translation?

P.S. IOS isn't my primary language...

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread Matt




SMTP AUTH on port 587 isn't required by the RFC...it just simply makes
a whole ton of sense in most setups. Considering that this is a
standard port, and it will most likely find its way through broadband
provider's blocks since it is reserved for this use and likely to be
restricted to authenticated E-mail in most cases in the near future, it
is advisable to use it all other things being equal. Considering that
Scott is already promoting port 2525 and having configured some of his
clients for that, there is no harm in continuing the practice in lieu
of support for SMTP AUTH-only connections on this port in his mail
server. I am guessing that in the future we will also see E-mail
clients fail over from port 25 to 587 automatically, making support for
this transparent and hands-free. That is not likely at all to happen
with port 2525, and it would seem that port 2525 is more likely to be
blocked as a security measure.

The choice is really about what you already have and how far into the
future you wish to plan for/speculate about.

Matt



John Tolmachoff (Lists) wrote:

  
  
  
  
  See my thoughts on the Imail forum on 587.

  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Friday, February 25, 2005 4:50 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Spammed on port 2525
  
  Here's what I am using for a
mail server located at
192.168.1.1 for this example. IMail is configured to listen on port
587,
but to the outside world it appears as both port 25 and 587. Even
though
one would think that you didn't have to NAT 587 to 587, in this case
you do
because of the other rules for that IP (or so I was told). I assume
that
you are configured differently and that does matter, so you might want
to share
that before making the edits yourself. 
  
ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

I assume that you know how to config term your router. If not, it won't
be straightforward without a crib sheet or experienced help to guide you
through it rather than risk messing it up.
  
Matt
  
  
  
Scott Fisher wrote: 
  
  I use port 2525 to bypass
port 25 blocking for my
employees. 
  
  
  I was just checking my
logs and I've been receiving
spam on port 2525
  
  
  
  
  
  Can anyone share the necessary
Cisco IOS commands to
let the Cisco router do port translation?
  
  
  P.S. IOS isn't my primary
language...
  
  
  
  
  -- 
  =
  MailPure custom filters for Declude JunkMail Pro.
  http://www.mailpure.com/software/
  =
  
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Scott Fisher



I added this to my ipfile today:

66.154.124.0/29  66.154.124.0/29  gamingpen.com  added 02-25-05

gamingpen, playerjuice and gamestrek all .com.

Also in kind of a spammy neighborhood with several
SBL entries near:
66.154.111.0/24  66.154.111.0/24  agooba.com    added 02-17-05  SBL13709
66.154.112.0/24  66.154.112.0/24  erfooble.com  added 02-05-05  SBL20378
66.154.113.0/24  66.154.113.0/24  gambling      added 02-05-05  SBL20539


  - Original Message - 
  From: 
  Kyle Fisher 

  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 4:40 
  PM
  Subject: [Declude.JunkMail] casino 
  spam
  
  
  Has anyone noticed in the past 
  week an increase in casino, or party poker, etc.. 
  spam?
  
  Kyle


Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Matt




If you do a lookup on ARIN, you will find that this netblock is
delegated by BChosting, which is a subdivision of AssertiveNetworks.
All of their IP space is treated as suspect by our system. You might
also note their address...Vancouver, British Columbia...

 http://ws.arin.net/cgi-bin/whois.pl?queryinput=66.154.96.0

There is a smattering of legitimate traffic from AssertiveNetworks, but
most of what you will see is in fact spam.

Matt



Scott Fisher wrote:

  
  
  

  I added this to my ipfile today:
  
  66.154.124.0/29  66.154.124.0/29  gamingpen.com  added 02-25-05

  gamingpen, playerjuice and gamestrek all .com.

  Also in kind of a spammy neighborhood with several SBL entries near:
  66.154.111.0/24  66.154.111.0/24  agooba.com    added 02-17-05  SBL13709
  66.154.112.0/24  66.154.112.0/24  erfooble.com  added 02-05-05  SBL20378
  66.154.113.0/24  66.154.113.0/24  gambling      added 02-05-05  SBL20539
  
  
- Original Message -
From: Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 4:40 PM
Subject: [Declude.JunkMail] casino spam

Has anyone noticed in the
past week an increase in casino, or party poker, etc.. spam?

Kyle

  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread Scott Fisher



I'll forward to my network person. He talks Cisco 
much better than I.

  - Original Message - 
  From: 
  Matt 
  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 6:49 
  PM
  Subject: Re: [Declude.JunkMail] Spammed 
  on port 2525
  Here's what I am using for a mail server located at 192.168.1.1
  for this example. IMail is configured to listen on port 587, but to the
  outside world it appears as both port 25 and 587. Even though one would
  think that you didn't have to NAT 587 to 587, in this case you do because of
  the other rules for that IP (or so I was told). I assume that you are
  configured differently and that does matter, so you might want to share that
  before making the edits yourself.

  ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
  ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
  ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

  I assume that you know how to config term your router. If not, it won't be
  straightforward without a crib sheet or experienced help to guide you through
  it rather than risk messing it up.

  Matt

  Scott Fisher wrote:
  



I use port 2525 to bypass port 25 blocking for 
my employees. 
I was just checking my logs and I've been 
receiving spam on port 2525

Can anyone share the necessary Cisco IOS commands to let the Cisco
router do port translation?
P.S. IOS isn't my primary language...

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] Spammed on port 2525

2005-02-25 Thread Scott Fisher



I'd picked 2525 before I really knew about
25.

What really irks me is that Imail has made no
provisions to accommodate a port 587. It can't be too hard to accommodate another
SMTP port... most of the code is the same as the port 25 code... This has been
an issue for over a year and no word from Ipswitch.

I was very surprised to see spam coming in on the
port 2525. It looked to be from Zombie proxies at least 15 different. So
somebody out there is trying different port numbers.

  - Original Message - 
  From: 
  Matt 
  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 7:22 
  PM
  Subject: Re: [Declude.JunkMail] Spammed 
  on port 2525
  SMTP AUTH on port 587 isn't required by the RFC...it just
  simply makes a whole ton of sense in most setups. Considering that this
  is a standard port, and it will most likely find its way through broadband
  provider's blocks since it is reserved for this use and likely to be
  restricted to authenticated E-mail in most cases in the near future, it is
  advisable to use it all other things being equal. Considering that Scott
  is already promoting port 2525 and having configured some of his clients for
  that, there is no harm in continuing the practice in lieu of support for SMTP
  AUTH-only connections on this port in his mail server. I am guessing
  that in the future we will also see E-mail clients fail over from port 25 to
  587 automatically, making support for this transparent and hands-free.
  That is not likely at all to happen with port 2525, and it would seem that
  port 2525 is more likely to be blocked as a security measure.

  The choice is really about what you already have and how far into the future you
  wish to plan for/speculate about.

  Matt

  John Tolmachoff (Lists) wrote:
  




See my thoughts 
on the Imail forum on 587.


John 
Tolmachoff
Engineer/Consultant/Owner
eServices For 
You


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Friday, February 25, 2005 4:50 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Spammed on port 2525

Here's what I am using for a mail server located at
192.168.1.1 for this example. IMail is configured to listen on port
587, but to the outside world it appears as both port 25 and 587. Even
though one would think that you didn't have to NAT 587 to 587, in this case
you do because of the other rules for that IP (or so I was told). I
assume that you are configured differently and that does matter, so you
might want to share that before making the edits yourself.

ip nat inside source static tcp 192.168.1.1 25 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 25 extendable no-alias
ip nat inside source static tcp 192.168.1.1 587 192.168.1.1 587 extendable no-alias

I assume that you know how to
config term your router. If not, it won't be straightforward without
a crib sheet or experienced help to guide you through it rather than risk
messing it up.

Matt

Scott Fisher wrote:


I use port 2525 to bypass port 
25 blocking for my employees. 

I was just checking my logs and 
I've been receiving spam on port 2525



Can anyone share the necessary Cisco IOS commands to 
let the Cisco router do port translation?

P.S. IOS isn't my primary 
language...
-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Scott Fisher



gambling, strip clubs, is BC the Nevada of
Canada?

  - Original Message - 
  From: 
  Matt 
  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 8:35 
  PM
  Subject: Re: [Declude.JunkMail] casino 
  spam
  If you do a lookup on ARIN, you will find that this netblock is
  delegated by BChosting, which is a subdivision of AssertiveNetworks. All
  of their IP space is treated as suspect by our system. You might also
  note their address...Vancouver, British Columbia...

  http://ws.arin.net/cgi-bin/whois.pl?queryinput=66.154.96.0

  There is a smattering of legitimate traffic from AssertiveNetworks, but most of what
  you will see is in fact spam.

  Matt

  Scott Fisher wrote:
  



I added this to my ipfile today:

66.154.124.0/29  66.154.124.0/29  gamingpen.com  added 02-25-05

gamingpen, playerjuice and gamestrek all .com.

Also in kind of a spammy neighborhood with
several SBL entries near:
66.154.111.0/24  66.154.111.0/24  agooba.com    added 02-17-05  SBL13709
66.154.112.0/24  66.154.112.0/24  erfooble.com  added 02-05-05  SBL20378
66.154.113.0/24  66.154.113.0/24  gambling      added 02-05-05  SBL20539

  - Original Message -
  From: Kyle Fisher
  To: Declude.JunkMail@declude.com
  Sent: Friday, February 25, 2005 4:40 PM
  Subject: [Declude.JunkMail] casino spam

  Has anyone noticed in the past
  week an increase in casino, or party poker, etc..
  spam?

  Kyle

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] casino spam

2005-02-25 Thread Kyle Fisher

So it's not just me getting it.
I thought maybe it was pay back for not betting enough when I play.

Gamestrek is the
biggest one I am seeing. Thanks
for the info didn't know about British Columbia.

Scott is the MAILFROM-IP.txt filter ok to
use since you did all the work? If it is do I just add the statements you
posted



Kyle

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, February 25, 2005 8:43 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] casino spam

gambling, strip clubs, is BC the Nevada of
Canada?

- Original Message -
From: Matt
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 8:35 PM
Subject: Re: [Declude.JunkMail] casino spam

If you do a lookup on ARIN, you will find that this
netblock is delegated by BChosting, which is a subdivision of
AssertiveNetworks. All of their IP space is treated as suspect by our
system. You might also note their address...Vancouver, British Columbia...

 http://ws.arin.net/cgi-bin/whois.pl?queryinput=66.154.96.0

There is a smattering of legitimate traffic from AssertiveNetworks, but most of
what you will see is in fact spam.

Matt



Scott Fisher wrote: 



I added this to my ipfile today:

66.154.124.0/29  66.154.124.0/29  gamingpen.com  added 02-25-05

gamingpen, playerjuice and gamestrek all .com.

Also in kind of a spammy neighborhood with several
SBL entries near:

66.154.111.0/24  66.154.111.0/24  agooba.com    added 02-17-05  SBL13709
66.154.112.0/24  66.154.112.0/24  erfooble.com  added 02-05-05  SBL20378
66.154.113.0/24  66.154.113.0/24  gambling      added 02-05-05  SBL20539

- Original Message -
From: Kyle Fisher
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 4:40 PM
Subject: [Declude.JunkMail] casino spam

Has anyone noticed in the past week an increase in
casino, or party poker, etc.. spam?

Kyle

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


Re: [Declude.JunkMail] casino spam

2005-02-25 Thread Darrell \([EMAIL PROTECTED])



Kyle,

On a side note gamestrek . com has been getting
caught on SURBL multi for most of the day today. Doing URI lookups
in the URI RBLs has been very effective for us
in catching a lot of the new spam campaigns.

Darrell

---
Check out http://www.invariantsystems.com for
utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring,
SURBL/URI integration, MRTG Integration, and Log Parsers.

  - Original Message - 
  From: 
  Kyle Fisher 

  To: Declude.JunkMail@declude.com 
  
  Sent: Friday, February 25, 2005 10:44 
  PM
  Subject: RE: [Declude.JunkMail] casino 
  spam
  
  
  So it’s not just me 
  getting it. I thought maybe it was pay back for not betting enough when 
  I play.
  
  Gamestrek is the 
  biggest one I am seeing. Thanks 
  for the info didn’t know about British Columbia.
  
  Scott is the 
  MAILFROM-IP.txt filter ok to use since you did all the work? If it is do 
  I just add the statements you posted
  
  Kyle
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
  Sent: Friday, February 25, 2005 8:43 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] casino spam

  gambling, strip clubs, is BC
  the Nevada of Canada?
  

- Original Message -
From: Matt
To: Declude.JunkMail@declude.com
Sent: Friday, February 25, 2005 8:35 PM
Subject: Re: [Declude.JunkMail] casino spam

If you do a lookup on ARIN, you will find that this
netblock is delegated by BChosting, which is a subdivision of
AssertiveNetworks. All of their IP space is treated as suspect by our
system. You might also note their address...Vancouver, British
Columbia...

http://ws.arin.net/cgi-bin/whois.pl?queryinput=66.154.96.0

There is a smattering of legitimate traffic from AssertiveNetworks, but most of
what you will see is in fact spam.

Matt

Scott Fisher wrote:

I added this to my ipfile 
today:



66.154.124.0/29  66.154.124.0/29  gamingpen.com  added 02-25-05

gamingpen, playerjuice and
gamestrek all .com.

Also in kind of a spammy
neighborhood with several SBL entries
near:

66.154.111.0/24  66.154.111.0/24  agooba.com    added 02-17-05  SBL13709
66.154.112.0/24  66.154.112.0/24  erfooble.com  added 02-05-05  SBL20378
66.154.113.0/24  66.154.113.0/24  gambling      added 02-05-05  SBL20539

  
  - Original Message -
  From: Kyle Fisher
  To: Declude.JunkMail@declude.com
  Sent: Friday, February 25, 2005 4:40 PM
  Subject: [Declude.JunkMail] casino spam

  Has anyone noticed in the past
  week an increase in casino, or party poker, etc..
  spam?

  Kyle

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=