Re: [Declude.JunkMail] Deculde hanging
Usually in situations like this you ran into a killer message. When Declude restarts it will copy all of the files from the work directory into the review directory. You can slowly copy those messages to track down the killer message, and then when you find the message submit it to Declude for review.

Darrell
--
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Ferrell Ard wrote:

We are running Declude 4.4.0 with IMail 9.10. Yesterday, Declude hung using just of 1 GB Memory processing 501 4 times. Is there anything that we can do to help identify what email (out of the 501) that caused the hang? Our recovery was to kill the Declude PID and restart the service.

Thanks very much
Ferrell Ard

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Deculde hanging
Ferrell,

On several systems I maintain it's not uncommon for me to see Declude using that much memory. There are a lot of factors for that: threads, mail volume being processed, etc. We have run into a periodic issue where the process will exceed the 2GB limit and crash, but that has been very rare since we restart the services on a weekly basis now. However, what you describe with it happening multiple times per day really sounds like a killer message. Were there any messages in the error folder? Also, how much RAM do you have in your box?

Darrell

Ferrell Ard wrote:

Darrell,

I took all files in the Review folder and processed them thru without any of them hanging Declude. I too was hoping to find the message by this process. One thing I did notice was that -- just as soon as the Declude service was restarted, the memory used jumped to 1GB IMMEDIATELY (don't know if that helps or not).

Ferrell

- Original Message -
From: Darrell ([EMAIL PROTECTED])
To: declude.junkmail@declude.com
Sent: Thursday, November 06, 2008 9:02 AM
Subject: Re: [Declude.JunkMail] Deculde hanging

Usually in situations like this you ran into a killer message. When Declude restarts it will copy all of the files from the work directory into the review directory. You can slowly copy those messages to track down the killer message, and then when you find the message submit it to Declude for review.

Darrell

Ferrell Ard wrote:

We are running Declude 4.4.0 with IMail 9.10. Yesterday, Declude hung using just of 1 GB Memory processing 501 4 times. Is there anything that we can do to help identify what email (out of the 501) that caused the hang? Our recovery was to kill the Declude PID and restart the service.

Thanks very much
Ferrell Ard
Re: [Declude.JunkMail] URIBL vs. SURBL
I get good hits from both lists with invURIBL. uribl.com is more aggressive (IMO) than surbl. I query SURBL first and then uribl second. Even with that config (and skip weights set) I still get more hits on URIBL.

F:\Logs\invURIBL>grep -i "message body found in multi.uribl.com" uribl-logfile1017.txt | wc -l
2030
F:\Logs\invURIBL>grep -i "message body found in multi.surbl.org" uribl-logfile1017.txt | wc -l
1328

Check your test points for URIBL.com. They have been known to block DNS servers that have high query rates since they now offer a data feed service.

Darrell

Andy Schmidt wrote:

Hi,

I checked two of my systems and noticed that apparently multi.uribl.com does not have any hits for its black and red lists EVER? I find that hard to believe. My systems DOES check SURBL first, and only would pass a good message to URIBL. Is it really possible that URIBL is fully redundant to SURBL (I would have expected SOME overlap, but not 100%). Does anyone have any experience with multi.uribl.com?

Best Regards,
Andy
Re: [Declude.JunkMail] New Blacklist / Whitelist
They (Barracuda) ask that you register with them your DNS server that you will be querying from. I suspect at some point if the volume gets out of hand they may restrict the service to those who entered in their DNS servers.

David Barker wrote:

Try this:

#http://www.barracudacentral.org/rbl/ (PUBLIC)
BARRACUDA IP4R b.barracudacentral.org 127.0.0.2 2 0

David Barker
VP Operations Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry vanderzand
Sent: Friday, October 17, 2008 2:13 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] New Blacklist / Whitelist

I'd like to try the Barracuda test. What would the line be for global.cfg?

thanks
Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Friday, October 17, 2008 1:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] New Blacklist / Whitelist

David Dodell wrote:

b) http://www.barracudacentral.org/rbl Hadn't seen this one mentioned? Any experiences? Effective? False Positives?

I'm giving this one a try ... I know Barracuda is a large manufacturer of hardware spam firewalls ... reputable company

Did you implement it yet? If yes, how is it working for you? How many points would you score the test?
Re: [Declude.JunkMail] DNS Changes
The diags.txt file is created as information when the declude proc service is restarted. One thing you need to check is do you have a DNSOVERRIDE set in your declude.cfg file? Declude by default (as long as there is no DNSOVERRIDE) will use the IP of the DNS server in Imail Admin interface.

Darrell

Todd Richards wrote:

Hi everyone -

I moved my primary internal DNS server to a new location last night (setting up another site in the WAN), and had planned on using the other DNS servers. However, since moving it my spam has been high. I changed the DNS to the other server in the diags.txt, and the invURIBL.exe.config (for invURIBL). That helped, but am still getting some more that I don't normally get. I just realized that there was a setting in IMail Admin too, so that just got changed.

Anything else that you can think of that I need to check/change? Also, regarding the diags.txt and the invURIBL config files, is it possible to set more than one DNS server?

Thanks!
Todd
Re: [Declude.JunkMail] Declude Crashing
Do you have autoreview enabled? If so, when Declude crashes, on restart it will copy the files (work dir) back into the proc for processing. These types of crashes are most likely, assuming no changes to your system, a result of a bad message. If you disable autoreview and the crashes stop you can slowly copy the messages from the review folder into the proc to find which is the message that crashes Declude.

Darrell

Mark Strother wrote:

For the past few hours we’ve had a real problem with Declude crashing and I can’t figure it out. We’re using SmarterMail 4.1 and Declude 4.1.14A. I’ve disabled all external plugins and filters and disabled the viruschecking so it’s not related to that. I’ve cleared out all the queued messages, restarted everything and it crashes again within minutes. I’ve done that several times. Once I managed to get Declude running for about 10 minutes but then it crashed again. I’m not sure what else to do. For now I’ve had to disable Declude.

I’ve turned up all logging to the highest level and don’t see anything of note except ‘Error in envelope file’. Can anyone provide some help or point in the right direction? We’ve been running Declude for 2 or so years and we do see the occasional crash but typically Windows restarts the service and everything is fine. In the case it just crashes over and over.

Mark
Re: [Declude.JunkMail] Firewall rule question
Scott,

Here are my thoughts..

My question is... Is/Has anyone else tried this approach If so is impact on the amount of mail your server had to process?

Yes, I have taken this approach for the absolute worst offenders. Mostly the most abusive senders. This however has very limited impact over the longer term as the IP space will shift to others etc. IMO - I just add them into a declude ipfile with an excessive weight and am done with it. It's (for me) less of an administrative burden than modifying firewall rules or ACL's.

In regards to efficiency it's always more efficient to block at the IP layer (looking at the packet's src IP) than at the application layer (processing the message).

Darrell

Scott Fosseen wrote:

This is not directly a Declude question, but yet still does apply.

I am getting a Top Rate Controlled by IP report from my Barracuda box that is acting as a pre-filter to my Declude server. What I am noticing in the reports is that the top 20 IP addresses are in 8-10 /24 ip blocks. I have started a firewall rule in my upstream firewall and have started adding IP address ranges to drop packets. Each IP address so far typically tries to send between 5k-15k messages a day. Each IP block makes up about 30k-80k message. My thought is by blocking the worst offenders at the firewall I should be able to reduce the load on my SPAM equipment.

My question is... Is/Has anyone else tried this approach If so is there an impact on the amount of mail your server had to process?

The second part of the question would have to deal with the overhead to process a message via RBL. Would the firewall approach to blocking IP addresses of known bulk spammers, or is Declude going to be just as efficient with testing via RBL.

Thanks

Scott Fosseen - Systems Engineer - Prairie Lakes AEA - http://www.aea8.k12.ia.us/tech
Re: [Declude.JunkMail] Filter Backscatter
Ruben,

One thing you can do is create a from filter that looks for the null sender and then do a copyfile action on it if it did not match the backscatter filter. This way you will be able to see which messages did not get filtered to improve the back scatter filter for your system.

Darrell

Mon Mariola - Rubén wrote:

Using DLAnalizer I could see that, the filter backscatter, detects only 66% of messages incorrect. Of the remaining 33%, 10% are good messages, especially automatic responses of Outlook.

Can anyone explain how I can improve the filter backscatter? The biggest problem is that I can not see the messages are not filtered, since that no longer exist in my server, to analyze the content.

Some clients continue receiving hundreds of messages daily. Can I make some other process to avoid these messages?

I use SmarterMail 4.x

A greeting.
Ruben Marti.
Re: [Declude.JunkMail] Undeliverable mails
Glen,

This is fairly normal. When spammers send out campaigns they pretty much use spoofed addresses. Unfortunately your address as well as others in your domain have been used, thus you are receiving the back scatter.

On some of the servers I maintain for clients we have seen waves of undeliverables at rates in excess of 1000 messages per minute. Depending on how bad the storm is I typically will put in place a from filter that deletes the null sender for a period of time.

David (Declude) has posted some filters in the customer portal that deals with this, but I have not tested them at this time.

Darrell

Cybercorp Computers -- Glen Spidal wrote:

I’m on imail 9 with declude. I have users sending comments like this:

We just got hit with something big- you might want to check things out. I received 28 delivery failure notices- postmaster daemon. in 2 minutes! Didn't open anything- just was looking to see if I had any new mail. I notice the spam folder also contains them!

I had one user get 600 of these in two days. Any advice?

Glen Spidal
Hillsboro, Oregon 97123
PH: 503-648-1133 -- FX: 503-648-4651
[EMAIL PROTECTED]
www.cybercorpinc.com http://www.cybercorpinc.com/
Re: [Declude.JunkMail] No Reverse DNS pointer?
1) If a mail server is configured without a reverse DNS pointer, is enough to prevent email from reaching AOL, Yahoo, Hotmail, etc?

AOL indicates they will do this, on occasion I have seen this, but not all the time.

2) Do you block email coming from mail servers with no reverse DNS?

No, but I do apply a small amount of weight to it. If you did an outright block you would end up blocking a lot of legit mail.

Darrell

Dave Beckstrom wrote:

Hi Everyone,

I have two questions:

1) If a mail server is configured without a reverse DNS pointer, is that enough to prevent email from reaching AOL, Yahoo, Hotmail, etc?

2) Do you block email coming from mail servers with no reverse DNS?

Thanks,
Dave
Re: [Declude.JunkMail] blocking certain character sets
Ferrell,

After you added that charset to the declude.cfg file did you restart the decludeproc service?

Darrell

Ferrell Ard wrote:

David

Thanks very much. I added to the Declude.cfg BANCHARSET koi8-r after I upgraded to 4.4.0. They are still coming thru. Is there anything else that I need to do?

This is what I'm still getting

From: =?koi8-r?B?58XOzsHEycog98HTyczYxdfJ3g==?= [EMAIL PROTECTED]
Subject: X-IMail-SPAM =?koi8-r?B?58/S0d3JxSDQ1dTF18vJIQ==?=

Thanks very much
Ferrell Ard

- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, April 08, 2008 10:12 AM
Subject: RE: [Declude.JunkMail] Need help in setting up filter please

You can use the settings in Declude.cfg to stop certain character sets.

David B

From: [EMAIL PROTECTED] On Behalf Of Ferrell Ard
Sent: Tuesday, April 08, 2008 7:41 AM
To: Declude
Subject: [Declude.JunkMail] Need help in setting up filter please

We are getting a lot of email that has the code for character set in the From. The from always starts with =?koi8-r? Does anyone have a filter that might help me eliminate these.

From: =?koi8-r?B?8dLP08zB1yD30d7F08zB18/Xyd4=?= xqs

Thanks very much
Ferrell
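The From and Subject values quoted in this thread are RFC 2047 encoded-words, where the charset label sits between the first two question marks. As an added example (not code from the list or from Declude, and not a description of how BANCHARSET works internally), this Python check extracts and normalises those labels and flags headers that use a banned charset; the banned set, the function names and the sample header list are assumptions for illustration.

```python
import codecs
import re
from email.errors import HeaderParseError
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Assumption: local policy, mirroring the koi8-r ban discussed in the thread.
BANNED_CHARSETS = {"koi8-r"}
CHECKED_HEADERS = {"from", "subject", "to", "reply-to"}


def canonical_charset(label):
    """Normalise a charset label so KOI8-R, koi8_r and koi8-r compare equal."""
    label = label.split("*", 1)[0]  # drop an RFC 2231 language suffix, if any
    try:
        return codecs.lookup(label).name
    except LookupError:
        return label.lower()  # unknown to Python: compare the raw label


def charsets_in(value):
    """Return the distinct charsets named by encoded-words in a header value."""
    seen = []
    for match in ENCODED_WORD.finditer(value):
        name = canonical_charset(match.group(1))
        if name not in seen:
            seen.append(name)
    return seen


def decode_for_review(value):
    """Decode a header for a human reviewer; never raises on bad input."""
    try:
        chunks = decode_header(value)
    except HeaderParseError:
        return value
    text = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                text.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:
                text.append(chunk.decode("latin-1"))
        else:
            text.append(chunk)
    return "".join(text)


def flag_headers(headers):
    """Return one finding per checked header that uses a banned charset."""
    findings = []
    for name, value in headers:
        if name.lower() not in CHECKED_HEADERS:
            continue
        banned = [c for c in charsets_in(value) if c in BANNED_CHARSETS]
        if banned:
            findings.append({
                "header": name,
                "charsets": banned,
                "decoded": decode_for_review(value),
            })
    return findings


# Sample input: the encoded-words are the ones quoted in the thread; the
# address, the upper-case label variant and the last two headers are constructed.
SAMPLE_HEADERS = [
    ("From", "=?koi8-r?B?58XOzsHEycog98HTyczYxdfJ3g==?= <sender@example.invalid>"),
    ("Subject", "X-IMail-SPAM =?koi8-r?B?58/S0d3JxSDQ1dTF18vJIQ==?="),
    ("Subject", "=?KOI8-R?B?8dLP08zB1yD30d7F08zB18/Xyd4=?="),
    ("Subject", "=?utf-8?Q?Caf=C3=A9_menu?="),
    ("Subject", "Quarterly report"),
]

if __name__ == "__main__":
    for finding in flag_headers(SAMPLE_HEADERS):
        print(finding["header"], finding["charsets"], repr(finding["decoded"]))
```

Normalising the label matters because the match is on the charset name, not the payload: an upper-case or underscore variant of the same charset would slip past a literal string comparison.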
Re: [Declude.JunkMail] Reasons to renew
Michael,

Judging by that screen cap you are having a rough time to say the least. I am sure you have exhausted a ton of options, but have you turned off DEP for Declude? I have seen repeated crashes like that on a system which did not exclude Declude under DEP.

Darrell

Michael Hardrick wrote:

Greetings All,

I hate to be a “Naysayer”, but I will not be renewing Declude. I don’t usually write negative reviews, but this is an exception. I’ve lost several customers due to our inability to get Declude to function. I’ve been using the product since about 2000. The past three years have been dismal. Between spools filling up, system crashes, CPU loads at 100%, Memory Leaks, Application Errors, Application Hangs, GP Faults, etc... Declude support was always there… to point the finger back at me and the server. Bad DNS servers, Bad Memory, Bad CPUs, or something wrong with the version of Windows I was running.

I purchased a HP Proliant (2CPUs, 6-146GB HDD, 4-GB RAM, Win2k3) and thought that would resolve the issues. The server I have running must have cron jobs to reboot the server every morning at 5AM and restart the declude service every two hours. We login into the server daily to clear pop-up errors off the server.

http://www.tnweb.com/images/declude-error1.png

This is the only way to keep the server running. I keep a very limited amount of traffic on the server. No need to push the envelope.

Regards,
Mike Hardrick
TNWEB

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Thursday, April 03, 2008 3:37 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reasons to renew

I second that. I am not trying to brown nose or anything here but without declude we would be completely screwed. In 3 years with declude I think I have only had to email them once with a support query and that was answered pretty much within an hour.

Sure, some spam gets through now and again but there have been times where I have mucked about with the declude config settings and the spam floodgates opened and boy, my clients noticed the difference and were thanking me the next day.

I have no problem renewing my subscriptions every year.

Kindest Regards
Craig Edmonds
123 Marbella Internet
www.123marbella.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephan Chayer
Sent: 03 April 2008 22:21
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Reasons to renew

Dan, Todd,

I feel a little like you. We are using, selling and supporting Declude for the past 4 years. It works great for us. Especially since they brought up version 4 including Commtouch and AVG, that was a nice move.

We went through all the product and pricing changes for the past years. We were surprised when they combined all the products but they honoured all the previous purchases from all our customers. We deal with other vendors that would have been much more aggressive than Declude in some situations.

I believe that Declude's pricing is fair and attractive for customers, the product works well and the support is just amazing. Bottom line, if you do not make money, you can't give support and put ameliorations in a product. I wish that everyone could continue to do business and make money.

Keep the good work
Stephan Chayer
IntraSoft Solutions Inc.
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Linda Pagillo
Sent: 3 April, 2008 14:35
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Reasons to renew

Thank you Todd. It's my pleasure! If you have any further questions, please do not hesitate to contact me
Re: [Declude.JunkMail] Filters not triggering
Dave,

I noticed with the relevant lines from the filter posted below some of the lines were indented more than the one line. Is it possible you have extraneous whitespaces between contains and the text you want to filter on?

Darrell

Dave Beckstrom wrote:

Hi Everyone.

I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. I could use some suggestions on this one.

The filter is called: Filter_Subject_delete.txt

Here are the relevant lines from the filter:

SUBJECT 0 containsdiscount. Code
SUBJECT 0 containsdiscount.Code
SUBJECT 0 containsdiscount. coupon
SUBJECT 0 contains discount. Coupon
SUBJECT 0 containsdiscount.coupon
SUBJECT 0 containsdiscount.Coupon
SUBJECT 0 containsoff .code

As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not.

My junkmail config has the following specifying to delete the spam:

Filter_Subject_Delete DELETE

Here are the headers from the spam that was not deleted:

Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008
Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500
Message-ID: [EMAIL PROTECTED]
From: brit luc [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk
Date: Mon, 07 Apr 2008 12:34:28 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM
X-invURIBL-Weight: 0
X-invURIBL-Range: CLEAN
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224;
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3)
X-Declude-RefID:
X-Note:
X-Note: Spam Score: [11]
X-Note: Scan Time: 08:50:19 on 07 Apr 2008
X-Note: Spool File: 35052863.eml
X-Note: Server Name: 224samana75.codetel.net.do
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224]
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Note: Country Chain: DOMINICAN REPUBLIC-destination
X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10]
X-Note:

Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list.

Here is the Declude log entries from when the email was scanned:

04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1.
04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0.
04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to ON
04/07/2008 08:50:10.746 35052863 Last line of headers checking for Recived: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
04/07/2008 08:50:10.746 35052863 About to run spam tests
04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start
04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754
04/07/2008 08:50:19.011 35052863 Doing filter file D:\Apps\smartermail\Declude\CustomFilters\Filter_Subject_Delete.txt.
04/07/2008 08:50:19.011 35052863 Filter Filter_Subject_Delete: Not skipping E-mail due to current weight of 11.
04/07/2008 08:50:19.011 35052863 SPAMCOP:7 SPFUNKNOWN:1 Filter_Country:3 . Total weight = 11.

I edited some of the log text, but the above is the relevant stuff. We're running declude 4.3.46 on Smartermail 3.

Any ideas on why that filter is not triggering?

Thanks,
Dave
Re: [Declude.JunkMail] Filters not triggering
Dave, From my experience I have had a number of problems with spaces that would cause my filter files not to trigger. I have since stopped using spaces and started using tabs like below and it has stopped any of the issues I had in the past.
SUBJECT<tab>0<tab>CONTAINS<tab>coupon<crlf>
Darrell
Dave Beckstrom wrote: Hi Darrell, Yes, there are spaces and/or tabs between the contains and the data that I want to filter on. I was under the understanding that those were ignored? Dave
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Monday, April 07, 2008 2:42 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Filters not triggering
Dave, I noticed with the relevant lines from the filter posted below some of the lines were indented more than the one line. Is it possible you have extraneous whitespaces between contains and the text you want to filter on? Darrell
Dave Beckstrom wrote: Hi Everyone. I have a filter set up to delete an email if the subject line contains the keyword in the filter. For some odd reason, the filter is not triggering and it really has me baffled. I could use some suggestions on this one. The filter is called: Filter_Subject_delete.txt Here are the relevant lines from the filter: SUBJECT 0 containsdiscount. Code SUBJECT 0 containsdiscount.Code SUBJECT 0 containsdiscount. coupon SUBJECT 0 contains discount.
Coupon SUBJECT 0 containsdiscount.coupon SUBJECT 0 containsdiscount.Coupon SUBJECT 0 containsoff .code As you can see, I added some filter lines to test to see if I was running into an issue with the filter not triggering due to case sensitivity. I didn't think the filters were case sensitive, but in trying to debug this problem I checked to see if that was an issue or not. My junkmail config has the following specifying to delete the spam: Filter_Subject_Delete DELETE Here are the headers from the spam that was not deleted: Return-Path: [EMAIL PROTECTED] Mon Apr 07 08:49:57 2008 Received: from 224samana75.codetel.net.do [200.88.75.224] by my.server.com with SMTP; Mon, 7 Apr 2008 08:49:57 -0500 Message-ID: [EMAIL PROTECTED] From: brit luc [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SPAM]- Score (11)81% discount. Coupon #2IJk Date: Mon, 07 Apr 2008 12:34:28 + MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_NextPart_000_0007_01C898BA.05CF202E X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 4/7/2008 8:50:18 AM X-invURIBL-Weight: 0 X-invURIBL-Range: CLEAN X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.88.75.224; X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail. 
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 59, weight 3) X-Declude-RefID: X-Note: X-Note: Spam Score: [11] X-Note: Scan Time: 08:50:19 on 07 Apr 2008 X-Note: Spool File: 35052863.eml X-Note: Server Name: 224samana75.codetel.net.do X-Note: SMTP Sender: [EMAIL PROTECTED] X-Note: Reverse DNS IP: 224samana75.codetel.net.do [200.88.75.224] X-Note: Recipient(s): [EMAIL PROTECTED] X-Note: Country Chain: DOMINICAN REPUBLIC-destination X-Note: Failed Weights: SPAMCOP [7], SPFUNKNOWN [1], Filter_Country [3], WEIGHT10 [10] X-Note: Where it says my.server.com and my.address.com is where I edited info I didn't want posted to the list. Here is the Declude log entries from when the email was scanned: 04/07/2008 08:50:03.527 35052863.eml CFG: Bypassing IP 127.0.0.1. 04/07/2008 08:50:03.527 35052863.eml CFG: Set hop to 0. 04/07/2008 08:50:03.527 35052863.eml STOPPROCESSINGONFIRSTDELETE: Set to ON 04/07/2008 08:50:10.746 35052863 Last line of headers checking for Recived: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 04/07/2008 08:50:10.746 35052863 About to run spam tests 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 JunkMailBase64 Start 04/07/2008 08:50:18.980 35052863 DeHTML End: 495:367 ratio=0.425754 04/07/2008 08:50:19.011 35052863 Doing filter file D:\Apps\smartermail\Declude\CustomFilters\Filter_Subject_Delete.txt. 04/07/2008 08:50:19.011
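Darrell's advice in this thread is to separate the filter fields with single tabs and end each line with CRLF. The linter below is an added example, not code from the thread or from Declude, that checks a filter file against that layout; the `#` comment convention, the function names and the sample lines are assumptions constructed for illustration, and CONTAINS is the only operator it knows because it is the only one shown here.

```python
import re

# The only operator that appears in the thread; add others you use.
KNOWN_OPS = ("CONTAINS",)

# header, weight, operator, then (optionally) the pattern, which may itself
# contain spaces. The separators are captured so they can be inspected.
LINE_RE = re.compile(r"(\S+)(\s+)(\S+)(\s+)(\S+)(?:(\s+)(.*))?$")


def lint_line(raw: bytes) -> list:
    """Return a list of layout problems for one raw filter line."""
    text = raw.rstrip(b"\r\n").decode("latin-1")
    # Assumption: blank lines and lines starting with '#' are not rules.
    if not text.strip() or text.lstrip().startswith("#"):
        return []
    problems = []
    if not raw.endswith(b"\r\n"):
        problems.append("line does not end with CRLF")
    if text != text.lstrip():
        problems.append("leading whitespace before first field")
        text = text.lstrip()
    m = LINE_RE.match(text)
    if m is None:
        problems.append("fewer than three fields")
        return problems
    _header, sep1, weight, sep2, op, sep3, pattern = m.groups()
    for i, sep in enumerate((sep1, sep2, sep3), 1):
        if sep is not None and sep != "\t":
            problems.append(f"separator {i} is {sep!r}, not a single tab")
    if not re.fullmatch(r"-?\d+", weight):
        problems.append(f"weight field is not an integer: {weight!r}")
    for known in KNOWN_OPS:
        # e.g. 'containsdiscount.' where the tab after the operator was lost
        if op.upper().startswith(known) and len(op) > len(known):
            problems.append(f"operator run together with pattern: {op!r}")
    if not pattern:
        problems.append("no pattern field after the operator")
    elif pattern != pattern.rstrip():
        problems.append("trailing whitespace in pattern")
    return problems


def lint_filter(data: bytes) -> list:
    """Lint a whole filter file; returns (line number, problem) tuples."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(keepends=True), 1):
        for problem in lint_line(raw):
            findings.append((lineno, problem))
    return findings


# Constructed sample, modelled on the kinds of lines quoted in the thread.
SAMPLE = (
    b"# constructed sample, not the poster's actual file\r\n"
    b"SUBJECT\t0\tCONTAINS\tcoupon\r\n"           # tab separated, CRLF
    b"SUBJECT 0 CONTAINS   discount. Coupon\r\n"  # spaces as separators
    b"SUBJECT\t0\tcontainsdiscount.Code\r\n"      # operator fused to pattern
    b"SUBJECT\t0\tCONTAINS\toff .code \n"         # trailing space, LF only
)

if __name__ == "__main__":
    for lineno, problem in lint_filter(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Read the file in binary mode (`open(path, "rb").read()`) before passing it to `lint_filter`, so the line endings and tabs are checked as stored on disk.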
Re: [Declude.JunkMail] 4.4.00 Released
Has anyone tried this option yet? DEC ADD Can use for 4 digit year on log file names in the format ddmm Is the format really ddmm - it seems like it would make more sense if the format was actually mmdd? Especially since the regular format of dec.log right now is mmdd. I was about to test it until I realized today is 0404. Might have to wait until tomorrow to verify unless someone has already tried it. Darrell
Colbeck, Andrew wrote: David Barker said: DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed to the BLKLST log Dave, the what log? Andrew.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, March 27, 2008 7:30 AM To: declude.junkmail@declude.com; [EMAIL PROTECTED] Subject: [Declude.JunkMail] 4.4.00 Released
4.4.00 Released we will be sending a notification to all customers.
EVA ADD Updated AVG (avgsdk.dll 1.3.511)
EVA ADD BANEXT EZIP for encrypted files .RAR can encrypt at the file name level requiring a password.
EVA ADD ALLOWVULNERABILITIESFROM example.com can be used with just domain
EVA FIX BANEZIPEXT ON blocking any encrypted file names
EVA FIX ALLOWVULNERABILITIESFROM error when non sender
EVA FIX Fix Header Vulnerability to accommodate Opera mail Client header format
JM ADD Updated PCRE (pcre3.dll 7.0)
JM ADD Updated CommTouch ZEROHOUR (asapskd.dll 5.05.8)
JM ADD Check the SmarterMail Domain Level for Trusted Sender in the domainconfig.xml
JM FIX PCRE on a match was writing additional information not pertaining to the match in the LOG
JM FIX PCRE found a match and the size of the match was than the buffer size.
JM FIX Declude produced an error when reading the envelope file (SM and IM), the HELO line can only be 512 according to RFC-821 we now truncate after 512 characters.
JM FIX HELO information was reported incorrectly when IPBYPASS is set
JM FIX Incoming and Outgoing messages being reported incorrectly
DEC ADD Can use for 4 digit year on log file names in the format ddmm
DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed to the BLKLST log
DEC FIX SmarterMail CMDSPACE test. This test was not triggered in the SmarterMail envelope as token was changed from cmdspc instead of cmdspace we now check for both.
David Barker VP Operations Declude Your Email security is our business 978.499.2933 x 7007 office 978.988.1311 fax [EMAIL PROTECTED]
Re: [Declude.JunkMail] Version 4.4.0 leaving some trash?
I just checked and I am seeing this as well. Darrell
Adolfo Justiniano wrote: Is someone else noticing that version 4.4.0 is leaving a lot of txt files in the proc/work directory? Version 4.3.46 didn't do this, I've noticed since we upgraded. Adolfo Justiniano Santa Cruz BBS e-mail: [EMAIL PROTECTED] http://www.scbbs.net
Re: [Declude.JunkMail] Forged-Spam Backscatter
Jim, While others may cringe regarding this, with some of the backscatter I have had to deal with (in excess of 500-1000 messages a minute at times) I have had to put filters in place to delete null senders for periods of time. Darrell
Jim Comerford wrote: Over the last several weeks we have seen a dramatic increase in spam hitting our server. From about 70,000 mails a day to around 110,000 /day. Most destined for our users is getting properly filtered by declude. What is getting thru is backscatter from spam that is forging addresses from domains we host. It seems just about any address that is posted on a website seems to be being used to forge outgoing spam (not from our server) -- and is generating all sorts of bounce messages. I suspect there is not much I can do to block this backscatter without blocking legit bounce messages... but I thought I'd ask. Here is our config: Imail 8.22 Declude 4.3.64 invURIBL 3.1.1 Sniffer
[Declude.Virus] DLAnalyzer 5.2.2 Released
DLAnalyzer 5.2.2 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available. Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm Release Notes: http://www.invariantsystems.com/download/current/readme.txt Download: http://www.invariantsystems.com/dlanalyzer/download.aspx Any questions let me know, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.Virus.The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] DLAnalyzer 5.2.2 Released
DLAnalyzer 5.2.2 has been released. DLAnalyzer is a comprehensive reporting tool that integrates both Junkmail and Virus statistics into one report. Some of the features require the Enterprise or Standard version, but we also have a FREE LITE version available. Report Samples: http://www.invariantsystems.com/dlanalyzer/reportsamples.htm Release Notes: http://www.invariantsystems.com/download/current/readme.txt Download: http://www.invariantsystems.com/dlanalyzer/download.aspx Any questions let me know, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] evaluating foreign spam
Do you expect to receive Russian messages (other than spam)? If not, then you can filter by charset koi8-r. Charset filtering is not CPU intensive. Darrell
Imail Admin wrote: Hi, Lately, we've been getting a lot of stuff like this:
Received: from mail5.slik.com.ru [194.62.0.249] by mail2.bcwebhost.net with ESMTP (SMTPD-9.20) id ABB40398; Wed, 05 Mar 2008 09:43:16 -0800
Message-ID: [EMAIL PROTECTED]
From: =?koi8-r?B?7dXSwdfDxddh?= [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SPAM [13]=?koi8-r?B?xMzRINDSz8bJzMHL1MnLySDJIMzF3sXOydEgzc7Px8nIINrBws/MxQ==?= =?koi8-r?B?18HOyco=?=
Date: Wed, 05 Mar 2008 15:54:03 +
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_0007_01C87EE8.0451BBC1
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-invURIBL-Scan: Scanned by invURIBL 3.1.0 on 3/5/2008 9:47:33 AM
X-invURIBL-Weight: 0
X-invURIBL-Range: CLEAN
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: SUBCHARS-50: Subject with at least 50 characters found.
X-RBL-Warning: SUBCHARS-55: Subject with at least 55 characters found.
X-RBL-Warning: SUBCHARS-60: Subject with at least 60 characters found.
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 61.
X-Declude-Sender: [EMAIL PROTECTED] [194.62.0.249]
X-Declude-Spoolname: Ddbb401e07908.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [13] at 09:47:34 on 05 Mar 2008
X-Declude-Fail: NOABUSE [2], NOPOSTMASTER [1], SUBCHARS-50 [1], SUBCHARS-55 [1], SUBCHARS-60 [1], SNIFFER [7], WEIGHT5 [5], WEIGHT10 [10], WEIGHT10r [10], WEIGHT7 [7], WEIGHT7r [7], ZEROHOUR [0]
X-Country-Chain: [RIPE Unlisted]-destination
Where the body of the message is full of Russian. Is the best way to weight this stuff by country of origin? If so, what kind of country tests do people typically use? How severe is the CPU load on these kinds of tests? For this particular message, it get blocked as spam, but some of these messages come through as clean and I'm trying to figure how to filter for them better. Thanks, Ben
Re: [Declude.JunkMail] multiple simultaneous problems
Check the IMAP logs of recent compared to some of the older ones. We should rule out that someone is not hitting you with excessive connections etc. A couple weeks ago one of my systems started having problems with the POP3 service being slow or timing out. It turned out someone was running an automated tool to try and crack accounts/passwords. Darrell
David Dodell wrote: -Original Message- From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
Which RBL's are timing out? Is your DNS server having problems? Is your DNS server local to the mail server or is it located somewhere else?
It is totally random ... sometimes none of them for several messages, other times, the first several work, and the rest fail ... doesn't seem to be any pattern
(3) IMAP4d32.exe services are running 99% of the cpu time ...
This will essentially starve out Declude and anything else. I have seen several folks have this issue on the Imail list. What version of Imail are you using?
9.23 since it was released ... been running it for a while.
Any thoughts on where to start ... I've rebooted, stopped services, restarted services ... works fine for about 8 hrs then starts up all over again
I would start with the IMAP4D issue.
Darrell, I agree ... just wish I knew what was affecting it. Another response suggested the file system ... and I noticed the comment from the Sniffer people about NTFS. We have had some bad sectors on our hard drive starting about a few weeks ago ... Ran chkdsk etc and that seemed to have caught them, ran a defrag session today ... I ordered today a new Barracuda ES2 drive for the server, which will arrive Monday and I'll attempt to clone. Linda @ Declude suggested I might be having a bad network card go bad, which she thinks is attributing to the failed RBL issues, but I don't think that would affect the IMAP usage. Short of installing a new network card / drive ... any other thoughts what to try? David
Re: [Declude.JunkMail] multiple simultaneous problems
David, Comments inline
(2) Declude is failing to make connections on RBL tests about 10 to 20% of the time. Running in debug mode will show one message running against multiple DBL tests, and then the message will show the first 5 DBL tests running, and the rest fail with no connection
Which RBL's are timing out? Is your DNS server having problems? Is your DNS server local to the mail server or is it located somewhere else?
(3) IMAP4d32.exe services are running 99% of the cpu time ...
This will essentially starve out Declude and anything else. I have seen several folks have this issue on the Imail list. What version of Imail are you using?
(4) Multiple instances of the sniffer exe program
This is normal - on my server with a decent volume it's not uncommon to see 20-30 sniffers running at the same time. It all depends on how many threads you are running.
Any thoughts on where to start ... I've rebooted, stopped services, restarted services ... works fine for about 8 hrs then starts up all over again
I would start with the IMAP4D issue. Darrell
Re: [Declude.JunkMail] Filter for Bounce messages
Don, Depending on your situation you could simply filter the null sender in a from file filter. I would not suggest this as a permanent solution as NDRs are helpful in most cases. About two weeks ago I had a user get hammered with probably 500-1000 NDRs per second from a spam campaign. I ended up having to create a from filter to delete the bounces until the storm cleared up. Took a couple days, but now we are back to accepting the null sender. Now if the issue is localized to one or two users you can create a filter that takes that into account and then deletes the null sender. Darrell
[EMAIL PROTECTED] wrote: I am looking for a filter that will allow me to delete bounce type messages. We are getting on internal blacklists (Bellsouth, Comcast) from what I believe is an over abundance of bounce messages. I would like to filter these out on my server. If anyone can help, I would appreciate it. Thanks, Don
Re: [Declude.JunkMail] Barracuda Quarantine bypass
Scott, Does the Barracuda system add any headers that we could trigger a filter to hit that will reduce the weight so we can prevent it from being captured? Darrell
Scott Fosseen wrote: Due to the number of messages going through my system I pre-filter E-Mail with a Barracuda box. I have about 10 schools I filter for then pass to their local email servers, and 35 districts who I host email for. On initial setup I have 2 districts I am filtering for that have Per User Quarantine setup. Those districts do not want to lose the Per User Quarantine option but yet are complaining that they are getting too much spam. Has anyone setup a filter in Declude that would whitelist an email message if a user allows a quarantined email message from the Barracuda box? What I don't want to happen is have a user release a quarantined message from the barracuda and have it deleted by the Declude system upstream. Thanks in advance
Scott Fosseen - Systems Engineer - Prairie Lakes AEA - http://www.aea8.k12.ia.us/tech
Re: [Declude.JunkMail] DecludePro Eating Up CPU
David, It really depends on several factors: how you have Declude configured (tests, filters, etc), how many threads you're running, volume. It's not uncommon for me to see decludeproc on a dual proc xeon 2.4ghz using 75% of ram, but I am running ~50 threads at a volume of 200K+ messages per day. Darrell
David Dodell wrote: I am running a Dell with a Pentium D 3.0 machine / 1 meg of RAM. Decludeproc is eating up 50 to 75% of the CPU cycles ... is this normal, increase the amount of RAM? David
Re: [Declude.JunkMail] DecludePro Eating Up CPU
Oops, I noticed I said using 75% of ram; I meant to say 75% of cpu. On the ram side I do have to restart decludeproc on a weekly basis, otherwise its virtual memory usage creeps the process to the 2GB mark collapsing itself. For my systems running invURIBL and Sniffer with the volume we deal with our system would be crippled with 1Gb of memory. In general as long as you're not experiencing backups then your configuration is working fine for you. Darrell
David Dodell wrote: On Feb 10, 2008, at 1:42 PM, Darrell ([EMAIL PROTECTED]) wrote: David, It really depends on several factors: how you have Declude configured (tests, filters, etc), how many threads you're running, volume. It's not uncommon for me to see decludeproc on a dual proc xeon 2.4ghz using 75% of ram, but I am running ~50 threads at a volume of 200K+ messages per day.
Thanks Cliff ... I'm running a ton of tests, including INVURL and SNIFFER ... so maybe I'm not doing so bad
Re: [Declude.JunkMail] counting mail
Bonno, With emails that have multiple recipients it's not uncommon to see last actions multiple times for the same message. This will skew your results. You're better off using a tool like DLAnalyzer to analyze your logs as it takes all of this into account. Plus it can be scheduled to run automatically and email you the results. Darrell
Bonno Bloksma wrote: Hi, I've got IMail reporting on so I get an e-mail every day telling me how many rdeliverd and ldeliverd. I also have my Declude logfiles with action lines for each recipient of a mail. A lot of mail is within our mailserver as students and staff communicate between each other. On a given day, let's take Feb 1st, I have: IMail LocalDeliver 8837 and RemoteDeliver 1240 Counting from the Declude log using: CountAction.cmd decl0201.txt
--quote-
grep "Action(s) taken for" %1 > Action.txt
grep -c "LAST ACTION=DELETE" Action.Txt > LastDel.Txt
grep -v -c "LAST ACTION=DELETE" Action.Txt > LastNonDel.Txt
exit
--quote-
I get 23758 for LastDel and 4123 for LastNonDel I cannot find any match in those numbers, nothing even close. I would have expected the LastNonDel to be the total of Local and/or Remote delivered. What am I missing? Kind regards, Bonno Bloksma head of systems administration tio hogeschool hospitality en toerisme begijnenhof 8-12 / 5611 el eindhoven t 040 296 28 28 / f 040 237 35 20 [EMAIL PROTECTED] / www.tio.nl
Re: [Declude.JunkMail] Any Known issues Inv-URIBL today?
Randy, None that I am aware of. It's processing fine on all of my servers. Also, version 1.x is very old (several years). We are now on version 3.1.1. Darrell
Randy Armbrecht wrote: We're seeing a backup today on multiple occasions now in the Declude Proc folder. Proc folder has grown to as many as 6000+ items in it; once we turn off our Inv-URIBL filter, messages start processing again. Any known issues that would cause this? We're still running an older version of Inv-URIBL (1.1x I believe) --- Randy A. Technical Support Director Global Web Solutions, Inc. 804-442-5300 http://globalweb.net
Re: [Declude.JunkMail] Any Known issues Inv-URIBL today?
In addition to what Pete suggests with Weightgate (which I also use on some servers with older hardware), you will want to set inside your invuribl.exe.config file values for max and min skipweights to skip any unnecessary processing of messages. Darrell
Pete McNeil wrote: On Wednesday, February 6, 2008, 2:09:23 PM, Herb wrote: Hi Randy; We have seen that often, in fact what we do is swap that test in on nights and weekends and out during weekdays (by just renaming the declude conf files with a schedule). It is a nice tool but will bog things down.
I'm curious - (I don't use this but many of my customers do) Is it possible to run Inv-URIBL only on messages that have not yet reached a hold (or other appropriate) weight? Perhaps using weightgate? If SNF is running ahead of it then would that have the effect of only running inv-URIBL on messages that have not already been tagged as spam by SNF? What are the limits of conditional test triggers in the Declude environment (aside from AVAFTERJM)? _M
Re: [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list
At the bottom of the message the morons posted the proper way to remove oneself from the list. This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. Darrell
Rick Klinge wrote: Uh.. no I’m not having a bad day. I have asked why I keep receiving these messages when I have not clearly filed any tickets.. so apparently there is something wrong on your end. --thus.. please remove me from your email lists. Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Tuesday, February 05, 2008 1:23 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list
Hi Rick, Having a bad day? -Nick
Rick Klinge wrote: Will you morons please remove me from your spam list?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, February 04, 2008 10:33 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list
Thank you for submitting a ticket to support. Your ticket number is [384-0F3A4F35-96D8]. Please keep this ticket number for your records and include it in the subject (including brackets) of all future emails regarding this issue. The response time during business hours is usually within 24 hours, if you have had no response in this time please do not hesitate to call our support number 1-866-332-5833 Thank You. Declude Technical Support view this ticket online http://support.declude.com/customer/viewticket.aspx?email=declude.junkmail%40declude.comticketnum=384-0F3A4F35-96D8
Re: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted
John,

It's hard to say. How the message was whitelisted dictates which tests are run. I have never seen an official list of what tests get run based on the level of whitelisting, but I believe user authenticated skips all tests. Can anyone confirm that?

Darrell

John T (lists) wrote:

2 years ago, I would have had a dozen replies by now and even possibly a nice discussion going on. Where is everybody?

John T

From: [EMAIL PROTECTED] On Behalf Of John T (lists)
Sent: Monday, January 21, 2008 1:05 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Indicate msg size in header on an authenticated whitelisted

I am trying to figure out how to add a line in the header of a message to indicate it is over xKB in size with that incoming message being whitelisted via authenticated sender.

Example, user1 on the local Imail server sends a message to user2 on the local Imail server, hence the email is whitelisted since user1 authenticated. But the message is over 2 MB and user2 is currently traveling and using a slow broadband card. The desired action is to have a test that “fails” on the over 1 MB size and an inbound rule on user2 that will then move that message to a submail box called LargeFiles. This way, user2 when he connects via his Outlook does not try to download that email, instead he will be responsible for checking that folder via webmail and then if he needs it right away he can either download the attachment via webmail or move it to his normal inbox.

Thoughts, Ideas, cookies?

John T
Re: [Declude.JunkMail] Declude ??? Long Delay Processing?
The first thing to do is check and make sure you do not have a ton of files in your proc folder. This would indicate a queue backup. The next thing, if you're not having a ton of files in your proc, is to kick the logs into debug mode and send a test message. Look through the debug log and find any issues like DNS tests timing out etc.

Darrell

David Dodell wrote:

I'm trying to track down a problem, which I think might be in Declude. Here is the scenario ...

I'm noticing mail is taking 10 to 15 minutes to pass through our Imail / Declude system. Spent some time testing / reading logs this morning.

I sent a message from my normal Imail account (via SMTP AUTH) to a gmail account I have for testing. It took almost 11 minutes to go from my domain to gmail (see headers)

Received: by 10.82.114.10 with SMTP id m10cs870488buc; Sat, 5 Jan 2008 08:31:18 -0800 (PST)
Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727; Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com with ESMTP id k26si3555043waf.35.2008.01.05.08.31.10; Sat, 05 Jan 2008 08:31:16 -0800 (PST)
Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP (SMTPD-9.23) id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700

When I look at the Imail log for the SMTP session, the mail is received via SMTP (SMTP AUTH shows on) ... and within a second is created into a SMD file that is placed in the \imail\spool directory. That was at 09:20

When I look in the declude logs, the SMD file is scanned at 09:31 (11 minutes later) and passes right thru because of the SMTP Auth = Whitelisted)

So hints on where I should look, why it took 11 minutes from the file entering the spool, till Declude processed it, and then passes it through to the outbound queue for delivery.

David
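The hop-by-hop reading David did by hand can be scripted. The following is an added example, not code from the thread: it parses the four Received headers he quoted, normalises the -0700 and -0800 offsets, and reports how long each host held the message before handing it on. The function names are illustrative.

```python
import re
from email.utils import parsedate_to_datetime

# The four Received headers quoted in the message above, newest first
# (the order in which they appear in a delivered message).
HEADERS = [
    "Received: by 10.82.114.10 with SMTP id m10cs870488buc; "
    "Sat, 5 Jan 2008 08:31:18 -0800 (PST)",
    "Received: by 10.114.168.1 with SMTP id q1mr2511797wae.73.1199550676727; "
    "Sat, 05 Jan 2008 08:31:16 -0800 (PST)",
    "Received: from stat.com (stat.com [65.163.175.10]) by mx.google.com with ESMTP "
    "id k26si3555043waf.35.2008.01.05.08.31.10; Sat, 05 Jan 2008 08:31:16 -0800 (PST)",
    "Received: from [10.0.0.196] [130.13.94.94] by stat.com with ESMTP (SMTPD-9.23) "
    "id AE4C0368; Sat, 05 Jan 2008 09:20:28 -0700",
]

BY_HOST = re.compile(r"\bby\s+(\S+)")


def parse_hop(header):
    """Return (receiving_host, timezone-aware datetime) for one Received header."""
    trace, _, stamp = header.rpartition(";")           # the date follows the last ';'
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()    # drop comments such as "(PST)"
    host = BY_HOST.search(trace)
    if not host or not stamp:
        raise ValueError("not a usable Received header: %r" % header)
    return host.group(1).lower(), parsedate_to_datetime(stamp)


def hop_delays(headers):
    """Return [(held_by, handed_to, seconds)] in the order the mail travelled."""
    hops = [parse_hop(h) for h in reversed(headers)]   # oldest hop first
    delays = []
    for (prev_host, prev_time), (next_host, next_time) in zip(hops, hops[1:]):
        # Aware datetimes subtract correctly across different UTC offsets.
        # A negative result means the two hosts' clocks disagree.
        seconds = int((next_time - prev_time).total_seconds())
        delays.append((prev_host, next_host, seconds))
    return delays


def slowest_hop(headers):
    """Return the (held_by, handed_to, seconds) entry with the largest delay."""
    return max(hop_delays(headers), key=lambda d: d[2])


if __name__ == "__main__":
    for held_by, handed_to, seconds in hop_delays(HEADERS):
        print("%-15s -> %-15s %5d s" % (held_by, handed_to, seconds))
```

Each timestamp comes from the receiving host's own clock, so small differences between hosts can be skew rather than queueing. Here the whole delay falls between stat.com accepting the message and mx.google.com receiving it, which is the window David traced to the spool.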
Re: [Declude.JunkMail] Re: Outbound weight
> WEIGHT10 does delete outbound since it is defined, but I never defined WEIGHT40 so that was ignored. I needed to add a line that now says
>
> WEIGHT10 DELETE
> WEIGHT40 DELETE
>
> for the outbound in global.cfg

Yes, that is absolutely correct. After enabling that, if it's still not working, post a complete debug message log for the test message.

Darrell
Re: [Declude.JunkMail] Outbound weight
Are you sure you're scanning outbound mail? There is a directive that needs to be turned on for it to work. By default it's off.

JM ADD Spam checking for inbound/outbound scanning can be turned on/off. Located as a directive in the global.cfg file, below are the default settings.

OUTBOUNDSCANNINGSPAM OFF
INBOUNDSCANNINGSPAM ON

Darrell

David Dodell wrote:

I know I'm doing something wrong ... I have the following in my global.cfg at the end

WEIGHT10 weightrange x x 10 39
WEIGHT40 weight x x 40 0
#CATCHALLMAILS catchallmails x x 0 0
#
# The actions listed below only apply to outgoing E-mail, and only if you
# have the Pro version. Note that the DUL and OSDUL tests should NOT
# be used to block outgoing mail!
#
WEIGHT10 DELETE

But outbound email is not being caught and deleted ... is the second WEIGHT statement supposed to be configured differently for outbound? My inbound weights are working perfectly.

David
Re: [Declude.JunkMail] Re: Outbound weight
Your weight ranges are set fine. There is nothing wrong with the syntax of those. To be certain, you only have weight ranges defined once, right? Can you throw your logs into debug and send a test outbound message through? We will be able to help you better seeing this output.

Darrell

David Dodell wrote:

> Are you sure you're scanning outbound mail? There is a directive that needs to be turned on for it to work. By default it's off.

Yes, I do have that line turned ON

Do I have my weight defined correctly in the global.cfg that I have defined below?

David Dodell wrote:

I know I'm doing something wrong ... I have the following in my global.cfg at the end

WEIGHT10 weightrange x x 10 39
WEIGHT40 weight x x 40 0
#CATCHALLMAILS catchallmails x x 0 0
#
# The actions listed below only apply to outgoing E-mail, and only if you
# have the Pro version. Note that the DUL and OSDUL tests should NOT
# be used to block outgoing mail!
#
WEIGHT10 DELETE
Re: [Declude.JunkMail] Loop
From looking at this, the st07.edmsa.net server is running MSSMTP and sending it back to you. Are they using MSSMTP as a gateway to relay it internally to themselves? If so, in the settings do they have it set to use a smarthost instead of using DNS to deliver?

Darrell

Serge wrote:

Dear all

I have a mail loop between my server and my client mail server. Please give hints/solutions on how to resolve this.

Regards

Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id A7900608; Sat, 15 Dec 2007 23:47:28 +
Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 23:40:23 +
Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 44EEF1052; Sat, 15 Dec 2007 22:13:01 + (WET)
Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 23:45:38 +
Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id A4FC06C8; Sat, 15 Dec 2007 23:36:28 +
Message-Id: [EMAIL PROTECTED]
Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 23:29:58 +
Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 9FFFA1053; Sat, 15 Dec 2007 22:02:36 + (WET)
Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 23:35:13 +
Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id A1EE0500; Sat, 15 Dec 2007 23:23:26 +
Received: from edmsms.edm-sa.com.ml
([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 23:16:26 + Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 464BF1054; Sat, 15 Dec 2007 21:49:04 + (WET) Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 23:21:41 + Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id AF1E09D0; Sat, 15 Dec 2007 23:11:26 + Message-Id: [EMAIL PROTECTED] Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 23:04:20 + Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id A2A241054; Sat, 15 Dec 2007 21:36:59 + (WET) Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 23:09:35 + Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id AC8906D4; Sat, 15 Dec 2007 23:00:25 + Message-Id: [EMAIL PROTECTED] Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 22:53:43 + Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id EC2DA1054; Sat, 15 Dec 2007 21:26:22 + (WET) Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 22:58:59 + Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id AA0C07C0; Sat, 15 Dec 2007 22:49:48 + Message-Id: [EMAIL PROTECTED] Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 22:53:22 + Received: from 
fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id E11F91054; Sat, 15 Dec 2007 21:26:01 + (WET) Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP; Sat, 15 Dec 2007 22:58:38 + Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com with ESMTP (SMTPD-8.22) id A9F40574; Sat, 15 Dec 2007 22:49:24 + Message-Id: [EMAIL PROTECTED] Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net with Microsoft SMTPSVC(6.0.3790.1830); Sat, 15 Dec 2007 22:53:00 + Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 699A01053; Sat, 15 Dec 2007 21:25:36 +
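The loop in the headers above shows up as the same four receiving hosts repeating in order. The following is an added example, not code from the thread, of how a filter or log script can detect that from the Received chain alone: it counts the headers against a hop limit and looks for a host sequence that repeats back-to-back at the newest end of the chain. The sample is the first eight headers from the message with their timestamps trimmed, and the function names are illustrative.

```python
import re
from collections import Counter

# Eight Received headers excerpted from the loop quoted above, newest first.
# Timestamps are trimmed because only the "by" host matters here.
SAMPLE = [
    "Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com "
    "with ESMTP (SMTPD-8.22) id A7900608",
    "Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net "
    "with Microsoft SMTPSVC(6.0.3790.1830)",
    "Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by "
    "edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 44EEF1052",
    "Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml "
    "via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP",
    "Received: from st07.edmsa.net [216.226.209.212] by mail.cefib.com "
    "with ESMTP (SMTPD-8.22) id A4FC06C8",
    "Received: from edmsms.edm-sa.com.ml ([10.100.2.68]) by st07.edmsa.net "
    "with Microsoft SMTPSVC(6.0.3790.1830)",
    "Received: from fwedmsa.edm-sa.com.ml (unknown [10.100.2.67]) by "
    "edmsms.edm-sa.com.ml (Symantec Mail Security) with SMTP id 9FFFA1053",
    "Received: from mail.cefib.com ([217.170.144.6]) by fwedmsa.edm-sa.com.ml "
    "via smtpd (for [10.100.2.68] [10.100.2.68]) with SMTP",
]

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# RFC 5321 section 6.3 suggests counting Received headers to detect loops,
# with a rejection threshold that is "normally at least 100".
MAX_RECEIVED = 100


def receiving_hosts(headers):
    """Return the 'by' host of each Received header, oldest hop first."""
    hosts = []
    for header in reversed(headers):
        match = BY_HOST.search(header)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def repeating_cycle(hosts, min_repeats=2):
    """Return the shortest host sequence repeated back-to-back at the newest
    end of the chain at least min_repeats times (min_repeats >= 2), or None.

    Raise min_repeats where a content filter re-injects mail on the same
    host, which legitimately adds two consecutive headers 'by' that host.
    """
    total = len(hosts)
    for period in range(1, total // min_repeats + 1):
        tail = hosts[-period:]
        if all(hosts[total - (k + 1) * period: total - k * period] == tail
               for k in range(1, min_repeats)):
            return tail
    return None


def loop_report(headers, max_received=MAX_RECEIVED):
    """Summarise loop indicators for one message's Received chain."""
    hosts = receiving_hosts(headers)
    visits = Counter(hosts)
    return {
        "received_count": len(hosts),
        "over_hop_limit": len(hosts) > max_received,
        "revisited": sorted(h for h, n in visits.items() if n > 1),
        "cycle": repeating_cycle(hosts),
    }


if __name__ == "__main__":
    report = loop_report(SAMPLE)
    print("Received headers:", report["received_count"])
    print("Cycle:", " -> ".join(report["cycle"] or ["none"]))
```

The reported cycle names every host on the path, which shows where the message re-enters: here st07.edmsa.net hands it back to mail.cefib.com, the hop Darrell asks about.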
Re: [Declude.JunkMail] OT: Use MS IIS SMTP server as a gateway
Craig,

I currently use MS SMTP as a gateway for several customers. Shoot me a note off list and I can help you get going.

Darrell

Craig Edmonds wrote:

Hi All,

A little off topic but I was wondering if anyone can help me find a tutorial on how to set up my IIS server running Imail 8.15 and Declude to use the MS IIS SMTP server as a gateway.

I am having or going to have problems with CBL blacklisting me again in a few days unless I use the ms smtp server as a gateway for my email.

Any help on this would be great.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.net
Re: [Declude.JunkMail] akamai.net Redirect/obfuscation
Don,

That's interesting. That line is actually an Akamai cache key that is being used to reference the image directly from Akamai's cache. Based on the cache key I suspect this showed up in a phish. Folks that utilize Akamai's caching services would never reference content that way (cache key). The reference to e.akamai.net means it's one of their edge servers. In the link below it's not actually obfuscating or redirecting.

I would not block based on akamai.net because they provide other services like file downloads etc. where it's not uncommon that you could have links to files with akamai.net in the URL.

Darrell

Don Brown wrote:

What's the best way to block the akamai.net URL redirect/obfuscation, i.e.

//a248.e.akamai.net/7/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif

Block everything with akamai.net in it or ...?

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts® [EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
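An alternative to blocking on akamai.net is to have the URI filter look at the hostname carried inside the path, so that reputation tests run against www.wellsfargo.com rather than the edge server. The following is an added example, not code from the thread: the path layout is inferred only from the single URL Don posted, and the function names and the suffix list are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: only the suffix mentioned in the thread is treated as an edge host.
EDGE_SUFFIXES = (".akamai.net",)

# A dotted hostname ending in an alphabetic TLD; underscores are not allowed,
# so a file name such as logo_62sq.gif does not qualify.
HOSTNAME = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def _split(url):
    """Parse full, scheme-relative (//host/...) and bare (host/...) URLs alike."""
    return urlsplit(url if "//" in url else "//" + url)


def embedded_origin(url):
    """Return the hostname embedded in the path of an edge-cache URL, or None.

    The last path segment is skipped because it is the object name, and a
    name like "logo.gif" would otherwise pass for a hostname.
    """
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(EDGE_SUFFIXES):
        return None
    segments = [unquote(s) for s in parts.path.split("/")]
    for segment in segments[:-1]:
        if HOSTNAME.match(segment):
            return segment.lower()
    return None


def hosts_to_check(url):
    """Return the hostnames a URI test should evaluate for this link:
    the host in the URL itself, plus the embedded origin when there is one."""
    host = (_split(url).hostname or "").lower()
    hosts = [host] if host else []
    origin = embedded_origin(url)
    if origin and origin not in hosts:
        hosts.append(origin)
    return hosts


if __name__ == "__main__":
    link = ("//a248.e.akamai.net/7/248/1856/90m/"
            "www.wellsfargo.com/img/hp/logo_62sq.gif")
    print(hosts_to_check(link))
```

Scoring the embedded hostname lets a filter tell a link that borrows a bank's logo apart from an ordinary file download served from akamai.net, which is the false-positive risk Darrell points out.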
Re: [Declude.JunkMail] my DNS tests
FWIW - I pulled

CSMA-SBL ip4r sbl.csma.biz 127.0.0.2 5 0

earlier this week as it was timing out for us.

Darrell

Serge wrote:

To all,

Please quickly browse my tests below and let me know of any that you know are outdated/needs to be deleted or replaced

TIA

AHBLRELAYS ip4r dnsbl.ahbl.org 127.0.0.2 2 0
AHBLPROXIES ip4r dnsbl.ahbl.org 127.0.0.3 2 0
AHBLSOURCES ip4r dnsbl.ahbl.org 127.0.0.4 2 0
AHBLSUPPORT ip4r dnsbl.ahbl.org 127.0.0.7 2 0
AHBLEXEMPT ip4r exemptions.ahbl.org 127.0.0.2 -5 0
AHBL-DOMAINS RHSBL rhsbl.ahbl.org 127.0.0.2 7 0
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -5 0
IPWHOIS ip4r ipwhois.rfc-ignorant.org * 3 0
NJABL ipr4 dnsbl.njabl.org 127.0.0.2 3 0
NJABLDUL ipr4 dnsbl.njabl.org 127.0.0.3 3 0
NJABLFORMMAIL ipr4 dnsbl.njabl.org 127.0.0.8 3 0
NJABLMULTI ipr4 dnsbl.njabl.org 127.0.0.5 3 0
NJABLPROXIES ipr4 dnsbl.njabl.org 127.0.0.9 3 0
NJABLSOURCES ipr4 dnsbl.njabl.org 127.0.0.4 3 0
CSMA-SBL ip4r sbl.csma.biz 127.0.0.2 5 0
RSL ip4r relays.visi.com 127.0.0.2 5 0
ZEN ip4r zen.spamhaus.org 127.0.0.2 5 0
SPAMBAG ip4r blacklist.spambag.org * 5 0
SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0
CBL ip4r cbl.abuseat.org 127.0.0.2 5 0
DSBL ip4r list.dsbl.org * 5 0
MXRATE-BLACK ip4r pub.mxrate.net 127.0.0.2 5 0
DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0
MAILPOLICE-Fraud rhsbl fraud.rhs.mailpolice.com 127.0.0.2 5 0
MAILPOLICE-BULK rhsbl bulk.rhs.mailpolice.com 127.0.0.2 5 0
NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 2 0
NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 2 0
FIVETEN-SPAM ip4r blackholes.five-ten-sg.com 127.0.0.2 1 0
FIVETEN-BULK ip4r blackholes.five-ten-sg.com 127.0.0.4 2 0
FIVETEN-MULTISTAGE ip4r blackholes.five-ten-sg.com 127.0.0.5 2 0
FIVETEN-SPAMSUPPORT ip4r blackholes.five-ten-sg.com 127.0.0.7 3 0
FIVETEN-MISC ip4r blackholes.five-ten-sg.com 127.0.0.9 2 0
FIVETEN-FREE ip4r blackholes.five-ten-sg.com 127.0.0.12 2 0
SORBS ip4r dnsbl.sorbs.net * 2 0
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 4 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 4 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 4 0
SORBS-SPAM ip4r dnsbl.sorbs.net 127.0.0.6 4 0
SORBS-ZOMBIE ip4r dnsbl.sorbs.net 127.0.0.9 4 0
SORBS-DUL ip4r dnsbl.sorbs.net 127.0.0.10 2 0
Re: [Declude.JunkMail] new virus/spam as mp3?
MP3 spam - the new kid on the block
Posted on 18 October 2007.

Spammers are back with a new trick, this time round sending messages with MP3 attachments that contain the latest pump-and-dump stock scams. One sample identified this morning by GFI, was a heavily distorted 30-second MP3 file. A synthetic female voice was used to promote a particular stock. This voice is distorted to avoid filtering approaches based on the file signature. Once again, spammers are taking advantage of the fact that the MP3 format is one of the most common in use today, another attempt at social engineering.

Randy Armbrecht wrote:

we just saw a Spam come in with lovedrug.mp3

Randy A.
Global Web Solutions, Inc.

- Original Message -
From: Gary Steiner [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, October 17, 2007 9:10 PM
Subject: [Declude.JunkMail] new virus/spam as mp3?

I just started receiving something new that so far is being caught as spam. They are messages with no subject, no body, but have a file attachment that is Content-Type: audio/mpeg. So far I've seen it as

elvis.mp3
beatles.mp3
hurricanechris.mp3

I sent it through VirusTotal but didn't get any hits. Anyone else seen this or heard what it is?

Thanks,
Gary
Re: [Declude.JunkMail] SMTP_DELIV_FAILED
Matt wrote:

> I haven't followed this thread much, but it seems fairly obvious what the problem is related to. When your server is connecting to the recipient's server, it fails to establish a connection with that server. This log line indicates the likely source of the problem:
>
> 10:08 20:18 SMTP-(f30001890106) [x] using source IP for Rogersbenefit.com [192.168.0.4]
>
> While you might be doing NAT on your network, it doesn't appear that this is the case here, and the failure is probably being caused by your

If he was not doing NAT he would not be able to send mail to anyone since his server is on a private IP. No ISP will route RFC1918 addresses across the public internet. So it's doubtful it's a NAT issue.

Kevin - are you able to telnet to their mailserver from any other machines on your network?

telnet 204.107.47.187 25

Darrell
Re: [Declude.JunkMail] noticed problem after upgrade to beta
Herb,

There were a lot of posts on this late last week on the forum. Declude is working on the fix.

Herb Guenther wrote:

Hi All;

We have been experiencing the same declude shutdown errors when running declude for smartermail that some of you have been seeing. On Friday I upgraded to the beta version as had been suggested.

We had some customers who were not seeing some incoming messages. Declude was tripping on a couple vulnerabilities (see below). I turned off those tests, and have since gone back to the production version.

Did anyone else see this? There were no attachments in the message.

10/08/2007 07:06:40.687 20122895 Vulnerability flags = 4
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 21
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 24
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 25
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 29
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 30
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 36
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 37
10/08/2007 07:06:40.687 20122895 Outlook 'MIME segment in MIME Postamble' vulnerability in line 39
10/08/2007 07:06:40.687 20122895 Deleting file with vulnerability
10/08/2007 07:06:40.687 20122895 Deleting E-mail with vulnerability!
Re: [Declude.JunkMail] SMTP_DELIV_FAILED
Your A / PTR records look fine.

mail.rogersbenefit.com. 7200 IN A 207.47.22.58
58.22.47.207.in-addr.arpa. 86288 IN PTR mail.rogersbenefit.com

You're listed in one RBL - backscatter - so it would seem that it should not be related to spam. Can you post a more detailed smtp log for the 6863023f5c41 transaction? This would help more. You can out any addresses etc to prevent harvesting..

Darrell

Kevin Rogers wrote:

I'm not sure if this is the right place to post this issue, but here goes:

We recently upgraded our server (to Server2003 - running Imail 8.21, Declude 4.3) and we're getting a lot of delivery failures to specific domains. It looks like the error we used to get before we had a PTR record setup correctly - certain domains refusing to connect with us. But I believe our PTR record is setup correctly. We upgraded our server, and so it has a different local IP address, but the same external IP, so our PTR record shouldn't have to change.

The domain is rogersbenefit.com

The errors in the imail log look like this:

10:08 13:20 SMTP-(57f5021f4794) Trying LifeWiseHealth.com (0)
10:08 13:20 SMTP-(5b9502064c35) Trying healthnet.com (0)
10:08 13:20 SMTP-(66fa0818097c) Trying healthnet.com (0)
10:08 13:20 SMTP-(593902374927) Trying healthnet.com (0)
10:08 13:20 SMTP-(69ac02185d9b) Trying taylorjohnsongroup.com (0)
10:08 13:20 SMTP-(64bd009a57db) Trying heiworld.com (0)

and end like this:

10:08 13:20 SMTP-(6863023f5c41) 421 Service not available, closing transmission channel
10:08 13:20 SMTP-(6863023f5c41) SMTP_DELIV_FAILED
10:08 13:20 SMTP-(6863023f5c41) QUIT

I can ping our DNS servers fine. Any ideas?

Thanks - Kevin
Re: [Declude.JunkMail] OT: Setting Up DNS Service on Server 2003
Kevin,

All you need to do is install the service and you're already in caching mode. Just limit the outside's ability to query it since you will need to have recursion enabled and MSDNS does not allow you to set what IP blocks can and can not query the dns service.

Any problems let me know and I can help you out.

Kevin Rogers wrote:

Does anyone have any simple instructions on how to setup the DNS service for Windows 2003 Server? We only host 2 domains and our DNS records are hosted by Network Solutions. Our old server (windows 2000 server) had the DNS service setup already when I took over the admin, so I never had to set it up from scratch. So we're only using the DNS service to allow Imail to run more efficiently - we're not actually using the DNS service to act as the authority for these domains.

As you can probably tell, the simpler the instructions, the better ;)

Thanks - Kevin
Re: [Declude.JunkMail] OT: Setting Up DNS Service on Server 2003
> So if my server's local IP is 192.168.0.4 and I have simply installed the DNS service, I can change Imail's SMTP settings to include 192.168.0.4 as one of my DNS servers?

I would use 127.0.0.1 as it speeds things up a bit opposed to using the IP address.

> In my Network Connection applet in the control panel, I can also put 192.168.0.4 as my primary DNS IP? (I also have 2 external ones from my ISP.) And I can do this without adding any forward or reverse lookup zones?

Yes, you can do that. The caching dns server will find that netsol is authoritative for your dns and end up querying the correct dns servers for your domain.

> On my old server, someone had setup a Forward Lookup Zone

You can do this, but it's not necessary.

> Could this be the problem with not being able to reach certain domains via SMTP (the other problem I posted earlier)? It seems like there was domain name resolution, but our connection was being halted by the recipient server - I'm not sure why DNS would be involved in that - just checking.

No, this would not be the issue since your logs show you connecting to the server. However, as John suggested, I would turn off all the DNS caching that Imail does for the Queuemgr; it causes a lot of problems.

Darrell
Re: [Declude.JunkMail] HELP, Declude stoped functioning
Randy,

Is the decludeproc service started? Also, in the declude folder do you have a diags text file?

Darrell

Randy Armbrecht wrote:

apologize for false alarm; after re-install of earlier version (4.3.46) I saw messages going into proc folder, so assumption was made it was working; but apparently my mistake for assuming. No declude logs being generated so it still appears to be not functioning

---
Randy A.
Technical Support Director
Global Web Solutions, Inc.
804-442-5300
globalweb.net

- Original Message -
From: Randy Armbrecht [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Saturday, September 29, 2007 9:24 AM
Subject: Re: [Declude.JunkMail] HELP, Declude stoped functioning

We have experienced the same issue - as of 1.30pm friday our declude just stopped working; all attempts to restart it are not working - we've rebooted, re-installed, etc. We did just renew our SA with declude at 12.30pm yesterday; I'm wondering if that has anything to do with it.

Declude - please contact me! I've emailed urgent at declude and left a voice mail on your support line

Randy A.
Global Web Solutions Inc
804-442-56300

- Original Message -
From: Serge [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2007 3:02 PM
Subject: [Declude.JunkMail] HELP, Declude stoped functioning

Dear Support,

Today my declude stopped functioning. Nothing being written to the logs since 14:00 local time (GMT). Imail smtp delivery still pointing to declude.exe. Rebooting did not help. What is going on? Please help, very urgent

Serge Dergham
Cefib Internet
Av de la Nation B.P. E1172
Bamako, Mali
Re: [Declude.JunkMail] HELP, Declude stoped functioning
You will need to contact Declude at this point. There is nothing we can do to help you out since the key is showing as expired, thus it will not process messages.

Darrell

Randy Armbrecht wrote:

Darrell, thanks for the quick response... process is running; but only at 3 threads and 0% CPU. do have a diags.txt file; looking into that it shows at bottom:

[81CDE419-BDA4-44DB-9090-89C4A7492A98] IS EXPIRED KEY

but we just renewed this yesterday..

--- Randy A. Technical Support Director Global Web Solutions, Inc. 804-442-5300 globalweb.net
Re: [Declude.JunkMail] HELP, Declude stoped functioning
Thanks for the heads up Matt. It's a shared hosting environment so this kind of stuff happens every once in a while. They are a good hosting company (pretty responsive on all of the issues). I just checked that link and it appears that they have either expired from the RBL or were removed.

IP Address 204.14.91.21 was not found in the CBL.

Thanks
Darrell

Matt wrote:

Darrell, The Web server at fluidhosting.com that dlanalyzer.com is hosted on is listed in CBL currently and has been before. http://cbl.abuseat.org/lookup.cgi?ip=204.14.91.21

Matt
Re: [Declude.JunkMail] What am I doing wrong with Revdns filter?
I would not think so - do you have any other entries in the file? Do you show any hits on it during the day for the other entries?

Darrell

David Dodell wrote:

On Sep 8, 2007, at 10:55 AM, Darrell ([EMAIL PROTECTED]) wrote:

It should have. Do you also have an entry in the $default$.junkmail file as well? I would bump your logs up to debug for a quick couple of seconds to verify indeed the test is being called.

Yes, confirm it is in the $default$.junkmail file. I bumped up to DEBUG and it confirms in the log that the filter test is being started.

The other thing is if 66.135.209.210 did not resolve on your system you would not get a hit on that line.

Checked that, and it is resolving to mxsmfpool13.ebay.com

Any other ideas? Could there be a conflict because the test for the filter is called REVDNSTEST compared to the REVDNS that declude recognizes?

David
Re: [Declude.JunkMail] What am I doing wrong with Revdns filter?
David,

It should have. Do you also have an entry in the $default$.junkmail file as well? I would bump your logs up to debug for a quick couple of seconds to verify indeed the test is being called. The other thing is if 66.135.209.210 did not resolve on your system you would not get a hit on that line.

Darrell

David Dodell wrote:

Ebay notifications with the header:

Content-Type: multipart/mixed; boundary=SomeRandomStuffGoesHere
X-Rbl-Warning: HELOBOGUS: Domain mx28.smf.ebay.com has no MX or A records [0301].
X-Rbl-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e].
X-Rbl-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-Declude-Sender: [EMAIL PROTECTED] [66.135.209.210]
X-Declude-Refid:
X-Spam-Tests-Failed: HELOBOGUS, BADHEADERS, SPFPASS, WEIGHT10 [10]
X-Country-Chain: UNITED STATES-destination
X-Note: [RemoteDNS: mxsmfpool13.ebay.com] [Remote IP: 66.135.209.210] [RemoteHost: ebay.com]
X-Hello: mx28.smf.ebay.com
X-Rcpt-To: [EMAIL PROTECTED]
Status:
X-Imail-Rule: SpamS~You have spam:spam Data- YOU HAVE SPAM
X-Uidl: 464312848
X-Imail-Threadid: ca6101d76329

Are being caught as spam ... I have in file I call REVDNSFILE

REVDNS -99 ENDSWITH .ebay.com

Thinking that would validate this as non-spam ... am I missing something why that test isn't positive?

David
[Declude.JunkMail] New RBL
FYI - Saw this on another list (SA-Users). David you may want to add this to the RBL list.

This may interest those playing with RBL checks in SA, we have released spamrats.com as a free RBL service now. http://www.spamrats.com

RATS-NoPtr and RATS-Dyna will be the most useful, RATS-Spam is still in testing phase, so is not available yet.

This data is collected from ISPs all over North America, and is generated by the most virulent of RATS. Normally in order to become listed, they will have triggered several checks, including rate limiters, and conform to signatures that indicate they are Bot or Trojan orientated, rather than the more traditional use of Spam traps, so we do not expect false positives.

We actually recommend that RATS-NoPtr be used to block at the edge level, however you can use it as you see fit. (Mail servers should have Reverse DNS right? And they sure should not be sending excessive amounts of email, to multiple ISPs)

RATS-Dyna might in theory get triggered by a mail server that uses Non-Conforming Best Practises for Reverse DNS, (but they also have to be sending abusive levels of email to get listed, and appear to be home PC style connections)

Have fun :)
Re: [Declude.JunkMail] F-Prot 6?
SJ,

Marc was only trying to help by pointing out that F-Prot has a different licensing scheme for mail servers than client machines. At one time F-Prot did not differentiate the two and a lot of us were using F-Prot with a much higher user count than even what the chart listed below. Then one day with no notice it all changed - and they even made a point to specifically point out using it under Declude. At that point the cost for most of us jumped through the roof. For several customers I consult for it went from $100 to well in excess of $5K. So needless to say we had to find alternatives - and we were VERY thankful AVG was included in Declude.

Marc's post (as I interpreted it) was to make sure you did not end up in a licensing bind as many others...

This list is very friendly and helpful and we would like to keep it that way.

Darrell

SJ.Stanaitis wrote:

Your powers of observation boggle the mind.

--SJ

From: [EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Thursday, August 23, 2007 9:37 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot 6?

So you have 100 users? http://www.f-prot.com/products/prices/price_win_ms.html

F-PROT Antivirus for Windows Mail Servers

Number of Users    Annual license fee
1-24               US$ 269
25-49              US$ 359
50-99              US$ 449
100-199            US$ 719
200-299            US$ 989
300-399            US$ 1259
400-499            US$ 1529
500-749            US$ 1799
750-999            US$ 2069
1000-1999          US$ 2519
2000-2999          US$ 2969
3000-3999          US$ 3419
4000-4999          US$ 3869
5000-5999          US$ 4499

Marc Catuogno MIS Director Prudential Rand Realty 845-825-8025

-Original Message-
From: SJ.Stanaitis [EMAIL PROTECTED]
Sent: 8/23/2007 9:04:42 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?

$500? That’s a steal. Website answered my questions.

--SJ

From: [EMAIL PROTECTED] On Behalf Of Marc Catuogno
Sent: Wednesday, August 22, 2007 10:29 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot 6?

Don’t know – but it has a hefty price for legit use on a mail server unless they have changed with the new version

From: [EMAIL PROTECTED] On Behalf Of SJ.Stanaitis
Sent: Wednesday, August 22, 2007 8:39 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] F-Prot 6?

Anyone here using F-Prot 6 with their Declude antivirus setup? Does it still have the command line scanner?

--SJ
Re: [Declude.JunkMail] Upgrade to version 4 causes processor to skyrocket
What are your settings in your declude.cfg file? Are you still using the same settings in that file from Version 3? Has your mail volume increased?

Darrell

Kevin Stanford wrote:

Hi all, Since upgrading to Declude Version 4 (from version 3) my processor has really taken a hit (runs about 90-100%). I used the default Global.cfg file and just moved over the Whitelist stuff as well as a few rules that I have. Looking at the Task Manager it consistently shows decludeproc.exe running at the top of the list under the Process tab. Anyone know where I can start troubleshooting to bring this back in line?

Thanks, Kevin
Re: [Declude.JunkMail] copyfile ?
Looks right to me - I use

WEIGHT-TAG-RVW1 COPYFILE X:\Review\
WEIGHT-TAG-RVW2 COPYFILE X:\Review\Low

Darrell

Scott Fisher wrote:

I’m trying to trap some emails to look at and wanted to use the copyfile action, but I haven’t caught any. I’m worried I don’t have the format correct:

TESTNAME COPYFILE d:\hold\
Re: [Declude.JunkMail] ZEN test
Bonno,

Due to your HOP setting you are checking multiple hops. Since you use a multihop setting you should score the hops differently or run into problems like you identified. I would suggest reducing it to 1. This will score the last two hops. Then you can modify your tests like the following. The first one only checks the last IP received. The second one checks all of them. One thing to keep in mind: if the LAST test hits so will the ALL test. So for example if you want the last hop (who connected to you) to have a weight of 3 for the SORBS-SPAM test then you will want to make sure that the sum of the two tests equals that weight.

SORBS-SPAM(LAST) dnsbl %IP4R%.dnsbl.sorbs.net 127.0.0.6 2 0
SORBS-SPAM(ALL) ip4r dnsbl.sorbs.net 127.0.0.6 1 0

So in the case above if the second hop was listed we would only assign a score of 1 from the SORBS-SPAM(ALL) test. If the last hop was listed then we would have a score of 3 since both the (LAST) and (ALL) test would hit.

Let me know if this is not clear,
Darrell

Bonno Bloksma wrote:

Hi, Maybe using the ZEN test isn't such a good idea. It is catching a DSL line that is several hops down. In Global.cfg I have Hophigh 2, should I maybe reduce that to 1? Is that the cause? If so As far as I know my server is Hop 0, the smtp-4 should then be Hop 1, the me-wanadoo.net should then be Hop 2. So the hulsbeek.nl (adsl-dc-34529 line) should be Hop 3 and not be checked. Why was that IP number checked?

--quote
Received: from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP (SMTPD-9.21) id A33707C8; Mon, 30 Jul 2007 09:28:55 +0200
Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf6301.orange.nl (SMTP Server) with ESMTP id E8495784 for [EMAIL PROTECTED]; Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
Received: from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41]) by mwinf6301.orange.nl (SMTP Server) with ESMTP id AF5A9782 for [EMAIL PROTECTED]; Mon, 30 Jul 2007 09:28:54 +0200 (CEST)
X-ME-UUID: [EMAIL PROTECTED]
Subject: [SPAM: 22]RE: 5 augustus
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C7D27B.467F4FA9
Date: Mon, 30 Jul 2007 09:28:50 +0200
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: 5 augustus
thread-index: AcfSClRkqB1y6CB4TkymtwIq3Exp3QAZtfQA
From: Erve Hulsbeek [EMAIL PROTECTED]
Sender: Piet Heuvelmans [EMAIL PROTECTED]
To: Nienke Koster [EMAIL PROTECTED]
X-RBL-Warning: FIVETEN-SRC: 41.227.116.83.blackholes.five-ten-sg.com.
X-RBL-Warning: MXRATE-BLOCK: http://www.mxrate.com/lookup/refused.asp?ipaddress=193.252.22.249;
X-RBL-Warning: ZEN: http://www.spamhaus.org/query/bl?ip=83.116.227.41;
X-RBL-Warning: SPAMCANNIBAL: blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookuplookup=193.252.22.249
X-RBL-Warning: FROMNOMATCH: Env sender ([EMAIL PROTECTED]) From: ([EMAIL PROTECTED]) mismatch.
X-Declude-Sender: [EMAIL PROTECTED] [193.252.22.249]
X-Declude-Spoolname: D933701b3b7de.smd
X-Declude-RefID: str=0001.0A0B0204.46AD933D.0104,ss=1,fgs=0
X-Declude-Note: Scanned by Declude 4.3.46 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [22] at 09:29:18 on 30 Jul 2007
X-Declude-Fail: FIVETEN-SRC [3], MXRATE-BLOCK [7], ZEN [7], SPAMCANNIBAL [2], FROMNOMATCH [3], SPAMSUBJECT [12], SPAMHOLD [20], ZEROHOUR [0]
X-Country-Chain: NETHERLANDS-FRANCE-destination
X-fpReview-Weight: 22
--quote

Kind regards, Bonno Bloksma, head of systems administration, tio hogeschool hotelmanagement en toerisme, begijnenhof 8-12 / 5611 el eindhoven, t 040 296 28 28 / f 040 237 35 20, [EMAIL PROTECTED] / www.tio.nl
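The HOPHIGH cut-off and the LAST/ALL weighting discussed in this thread, modelled offline as an added example (not part of the original posts and not Declude's own code). It assumes hop 0 is the topmost Received header and that HOPHIGH n checks hops 0 to n, as the reply states; `score`, `fake_zone` and the listings fed to them are hypothetical and constructed.

```python
import re

# Zone, return code and weights taken from the two SORBS-SPAM test lines above.
ZONE = "dnsbl.sorbs.net"
LISTED_CODE = "127.0.0.6"
LAST_WEIGHT = 2   # SORBS-SPAM(LAST): connecting IP only
ALL_WEIGHT = 1    # SORBS-SPAM(ALL): any checked hop

# Received headers from the quoted message, newest first, trimmed to the
# part that carries the sending host and its bracketed IP.
RECEIVED = [
    "from smtp-4.orange.nl [193.252.22.249] by student.tio.nl with ESMTP",
    "from me-wanadoo.net (localhost [127.0.0.1]) by mwinf6301.orange.nl with ESMTP",
    "from hulsbeek.nl (adsl-dc-34529.adsl.wanadoo.nl [83.116.227.41]) "
    "by mwinf6301.orange.nl with ESMTP",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(received):
    """Return the bracketed IPv4 address of each Received header, hop 0 first.

    Headers without a valid bracketed address are skipped, which shifts the
    numbering of every later hop (one reason hop counts surprise people).
    """
    ips = []
    for header in received:
        match = IP_RE.search(header)
        if match and all(int(o) <= 255 for o in match.group(1).split(".")):
            ips.append(match.group(1))
    return ips


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, then the zone (%IP4R%.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, resolve):
    """A hop counts as listed only when the zone answers with the expected code."""
    return resolve(dnsbl_name(ip)) == LISTED_CODE


def score(received, hophigh, resolve):
    """Weight contributed by the LAST and ALL tests for hops 0..hophigh."""
    checked = hop_ips(received)[: hophigh + 1]
    hits = [ip for ip in checked if is_listed(ip, resolve)]
    last_hit = bool(checked) and checked[0] in hits
    weight = (LAST_WEIGHT if last_hit else 0) + (ALL_WEIGHT if hits else 0)
    return {"checked": checked, "hits": hits, "last": last_hit, "weight": weight}


def fake_zone(*listed_ips):
    """Constructed resolver: returns LISTED_CODE for the given IPs, else None.

    None stands in for NXDOMAIN; a live resolver would do an A-record lookup.
    """
    table = {dnsbl_name(ip): LISTED_CODE for ip in listed_ips}
    return table.get


if __name__ == "__main__":
    dsl_listed = fake_zone("83.116.227.41")     # constructed: only the DSL origin listed
    relay_listed = fake_zone("193.252.22.249")  # constructed: only the connecting relay listed
    print("HOPHIGH 2, DSL listed:  ", score(RECEIVED, 2, dsl_listed))
    print("HOPHIGH 1, DSL listed:  ", score(RECEIVED, 1, dsl_listed))
    print("HOPHIGH 1, relay listed:", score(RECEIVED, 1, relay_listed))
```

With the DSL origin listed, HOPHIGH 2 reaches it and only the ALL weight applies; at HOPHIGH 1 it is never queried, while a listed connecting relay collects both weights.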
Re: [Declude.JunkMail] How to whitelist this
Why not just base it on a REVDNS test for .fedex.com and assign a large negative weight?

Kevin Bilbee wrote:

How do the whitelist features work? We receive various emails from fedex with different domain portions of the email. I have

@fedex.com
fedex.com

In our domain level whitelist? But the emails do not seem to be getting whitelisted. It seems that the whitelist works on the following

[EMAIL PROTECTED] – the entire email address
@fn3nds2.prod.fedex.com – the entire domain including the @
fn3nds2.prod.fedex.com – Just the domain portion

How do I whitelist just on the first subdomain like fedex.com?

Kevin Bilbee Network Administrator Standard Abrasives, Inc. [EMAIL PROTECTED] Changing the way industry works.
Re: [Declude.JunkMail] frustration
Uwe,

It's always a battle. However, there are a lot of good resources on this list that are willing to share and help. I am sure we can get you to the point where you can breathe a bit again...

Darrell

Uwe Degenhardt wrote:

Hi everybody on the list, please excuse me, but I would like to share my frustration with you. I am poured with SPAM the last two-to-three weeks. It gets worse every day. Am I the only one who is seeing this? I am in a good contact with David of Declude. He is doing a fantastic job, but sometimes I lose my faith and my trust, that we can win the SPAM-fight. It appeals to me, as it is like the old principle: If you put water on the fire at one place, you have to run to the next place to delete it there too. And the SPAMMERs will get cleverer every day. What do you guys think? Are you frustrated as well?

Uwe
Re: [Declude.JunkMail] Filtering outbound as a default
Ben,

In newer versions of Declude there is a directive for the global.cfg that needs to be turned on: OUTBOUNDSCANNINGSPAM ON. I believe in newer versions ON is the default? Then you would need to add your tests and actions like in the $default$.junkmail file into the global.cfg file.

Darrell

Imail Admin wrote:

Right now, we only use JM on a domain-by-domain basis. We're considering turning on spam filtering on all outbound email. How do we configure that as a default?

Thanks, Ben
Re: [Declude.JunkMail] Filtering outbound as a default
Same deal Ben, with the exception you do not have to add the directive below to the global.cfg.

Darrell

Imail Admin wrote:

What about older versions?

Thanks, Ben

- Original Message -
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, July 02, 2007 2:14 PM
Subject: Re: [Declude.JunkMail] Filtering outbound as a default

Ben, In newer versions of Declude there is a directive for the global.cfg that needs to be turned on: OUTBOUNDSCANNINGSPAM ON. I believe in newer versions ON is the default? Then you would need to add your tests and actions like in the $default$.junkmail file into the global.cfg file.

Darrell
[Declude.JunkMail] invURIBL 3.0.7 Released
For those using invURIBL with Declude we have released an update today. For more information http://www.invariantsystems.com/invuribl/ Any questions let me know, Darrell -- Check out http://www.invariantsystems.com for utilities for Declude, Imail, and Smartermail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] New PDF worm?
SJ, Andrew posted a blurb from SANS a couple of days ago. Pump and dump scams now in PDF Published: 2007-06-20, Last Updated: 2007-06-20 21:33:39 UTC by Maarten Van Horenbeeck (Version: 1) Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in german, each with a PDF in attachment. These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on stock than we’re used to from previous dump and pump scams and include images for added realism. They even contain the following disclaimer: “This is not an offer to buy or sell any security. German Stock Insider discloses that they were paid ten thousand Euros for distribution of this report.” The messages are usually sent to [EMAIL PROTECTED] with an attachment name of name_report.pdf. Apparently they are distributed most to .com and .org domains, though most of the reports we’ve received were from Europe. Each of the reports so far has had an MD5 hash of 2e4b2158909f276942dadf6a0b621b1a. Thanks to Günter for reporting his findings. - Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. SJ.Stanaitis wrote: I’m getting gobs of PDF’s snagged in my antispam filter, they’re not triggering any AV yet, anyone else seeing this? SJ.Stanaitis - //Network Administrator// Decorative Product Source, Inc.
Re: [Declude.JunkMail] OT: Software for copying files with permissions
Sharyn, I would check out robocopy in the resource kit. I use it all the time to do stuff like this. Darrell - Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] Looking for an Secure Email Solution that works with Imail Premium 2006.2 and declude 4.x
Are you looking for a solution like the PGP plug in's for Outlook or something else? Darrell --- Check out http://www.invariantsystems.com for utilities for Declude and Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. Howard Smith (N.O.R.A.D.) wrote: I am an ISP that have customers in need of an Secure Email Solution such as a outlook plug-in , similar to what ATT and network solutions offer their email customers . Do anyone know of any company having an offering for ISP? Thanks Howard Howard Smith
Re: [Declude.JunkMail] is the list working?
Still here, just quiet. Sometimes that's a good thing :) Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Bruce Loughlin To: declude.junkmail@declude.com Sent: Tuesday, June 05, 2007 8:27 AM Subject: [Declude.JunkMail] is the list working? I have not received any thing since the 25th on the virus list and the 30th on this one. Is it just me?
Re: [Declude.JunkMail] More accidental whitelisting
I think the whole idea of whitelisting the address book should be an option that can be turned on/off from the config file. It is with the AUTOWHITELIST setting in the global.cfg. Darrell invURIBL - Intelligent URI filtering plug-in for Declude. Stop spam at the source the spamvertised domain. More effective than traditional RBL's. Try it today - http://www.invariantsystems.com
Re: [Declude.JunkMail] Per user config and performance
For 5,000 users I wouldn't expect a major performance hit, but keep in mind if you had 5,000 files they all need to be loaded when a message is processed. However, I would only drop a user config file with actions set to WARN for the users who did not want to be spam filtered. This way the users who do want spam filtering would use the default junkmail file for the domain. My assumption is based off that most of your users would want antispam thus keeping a limited amount of files you have to deal with. Let me know if you have any questions, Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Ing. Andrés E. Gallo To: declude.junkmail@declude.com Sent: Wednesday, May 16, 2007 9:27 AM Subject: [Declude.JunkMail] Per user config and performance Sorry for re-posting but.from Thursday to Monday, no messages of the list. If any, please re-answer. Thanks Andres.- /***/ Hi List I wonder if some have experience by configuring the per user and per domain settings. I mean, having 5000 users per domain, each user by domain will choose if Declude Antispam or not. So, should be a file ( for all users same configuration, _not_ customized for each one ) like user.junkmail, user1.junkmail, user6.junkmail and so on under each domain dir. How this will impact performance ? Is there a limit there ? Any experience ? or any 'easy' way to do it ? Regards Andres-.
[Declude.JunkMail] Anyone seeing the 419 Death Threat Scam yet?
See - http://isc.sans.org/diary.html Wondering if anyone has actually seen any of these? 419 death threat scam Published: 2007-05-08, Last Updated: 2007-05-08 18:49:23 UTC by Swa Frantzen (Version: 1) A new scam is circulating on the Internet: There are a number of variation on the text, but it all boils down to (I've chosen a short version as an example): Hello, I wish to let you know that i have been paid by a client to assasinate you at convenience,and i have signed a contract of $650,000 yesterday for this.I have never met you before,but they gave me the full description of your identity and contact,together with your photograph which my boys have used to trace you. The reason why they want you Dead is not disclosed to me as i was not allowed to know,but you are now not better that the dead ok. My BOYS are now contantly watching you,they are following you-home,office,everywhere.,you go and they are waiting for my instruction to terminate you.And they will strike at convenience. THIS IS MY MESSAGE- LISTEN VERY WELL ,the Police cannot do much to help you out in this right now because you are being watched,any such attempt is very risky cause you will push us to terminate your life without option. Your calls are not safe also.In fact you are traced. I have no business with you but at least i have cleared the way as a pro-,but you may have one chance to live again if you can contact me not latter that 24 hours after this mssage. GOODLUCK!!! [Spelling and Grammar enthusiasts, please abstain, the errors were in the original) Some versions ask for more realistic amounts, are longer, have less spelling mistakes etc. Basically there is a drop box on some free email provider where they expect you to contact them. The best possible advice: DO NOT MAKE CONTACT. These guys will just spam you if you do not respond, once you respond they've spotted somebody who might fall for the scam and they'll be much harder and annoying to get rid of. 
This is the classical don't be the easiest target. This is becoming known as a 419 death threat, use that term when reporting. How to report: a. the abuse contact of the drop mailbox where they try to make contact gmail: gmail-abuse/AT/google.com yahoo: abuse/AT/yahoo.com ... b. If you can get them to give attention, report it as an attempted scam with the appropriate authorities for the part of the world you live in. Success! -- Swa Frantzen -- NET2S Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] X-Note: REVDNS: (timeout)
Harry, REVDNS timeout occurs when Declude does not get an answer from the DNS server indicating the reverse entry does not exist. Basically this means the REVDNS could exist but Declude is not sure because it never received a response back saying it did or did not exist. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Harry vanderzand To: declude.junkmail@declude.com Sent: Monday, April 30, 2007 9:20 AM Subject: [Declude.JunkMail] X-Note: REVDNS: (timeout) I am seeing this in spam getting through. What would be causing this? Harry Vanderzand Intown Internet 11 Belmont Ave. W. Kitchener, ON, N2M 1L2 519-741-1222
[Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
FYI - This looks pretty serious and will probably affect most of us. This alert is to notify you that Microsoft has released Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - on 12 April 2007. Summary: Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code. Microsoft's initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM. Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Recommendations: Review Microsoft Security Advisory 935964 for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQ) and links to additional resources. Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. 
For more information about how to contact Microsoft for support issues, visit the International Support Web site: http://support.microsoft.com/common/international.aspx. Additional Resources: * Microsoft Security Advisory 935964 - Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/advisory/935964.mspx * MSRC Blog: http://blogs.technet.com/msrc/ Note: check the MSRC Blog periodically as new information may appear there. Regarding Information Consistency: We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative. If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant. Thank you, Microsoft PSS Security Team --- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
It does NOT effect the DNS port - ONLY RPC connections. So, if someone has Correct. Assuming that everyone is firewalling their servers so that only necessary ports are open on the outside, this is not a high priority item. However, for ISP's that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them. I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACL's and not a firewall this could lead to some trouble as well. Darrell
Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
Mark, You have a link for those? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mark Reimer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 13, 2007 1:29 PM Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution While we are on the topic of vulnerabilities I just saw 2 new vulnerabilities found in clamav. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer Sent: Friday, April 13, 2007 12:26 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution You could do Microsoft's registry workaround if you are not using the remote management. Mark Reimer IT System Admin American CareSource 972-308-6887 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Friday, April 13, 2007 10:58 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution However, for ISP's that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them. I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACL's and not a firewall this could lead to some trouble as well. Stateful firewalls don't need to open these ports for passive FTP. The FTP connection is established on the standard port after which the passive port is shared with the client and the firewall tracks this and allows the connection. As a rule of thumb, RPC should never be exposed to untrusted IP space. It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a feature. Matt
Re: [Declude.JunkMail] Increase in CPU usage since upgrade
What version did you upgrade from? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mike Hardrick [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, April 10, 2007 1:50 AM Subject: [Declude.JunkMail] Increase in CPU usage since upgrade Greetings All, Since upgrading to v4.3.40 the CPU usage has doubled on my mail server. There have been no configuration changes in Declude or Imail in this time frame. Are there any known issues with 4.3.40 that might cause the increase in CPU usage? Michael Hardrick TNWEB LLC Middle Tennessee ISP
Re: [Declude.JunkMail] Increase in CPU usage since upgrade
Have you ruled out higher than normal mail volume? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Mike Hardrick [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, April 10, 2007 11:37 AM Subject: RE: [Declude.JunkMail] Increase in CPU usage since upgrade From version 4.3.14 to 4.3.40. Prior to the upgrade the cpu usage was: Current:32/Average:23/Maximum:49 After the upgrade to 4.3.40: Current:66/Average:49/Maximum:100 (With spikes at 100% cpu usage sometimes lasting an 3 hours.) Mike TNWEB
Re: [Declude.JunkMail] OT: Yahoo Email Problems
A couple months ago there was a big thread on the imail list about yahoo doing 451 Message temporarily deferred - 4.16.50 However nothing on unable to read configuration - that does sound like a remote option. When you try other yahoo.com servers does it go through? Maybe you got a bad server in their farm? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, March 29, 2007 12:25 PM Subject: [Declude.JunkMail] OT: Yahoo Email Problems Sorry about the off-topic post. This is the only email server software related list that I am on. I tried to send a couple of email to a Yahoo group and received this message back: Reason: Remote host said: 451 qq unable to read configuration (#4.3.0) Is that a problem with Yahoo or are they blocking email from me? It looks to me like a problem with Yahoo, but I thought I'd run in by you to see what you thought. Thanks, Dave
Re: [Declude.JunkMail] Body Filter - Stupid/Simple Question
Don, You can put a space in the filter file to do that, but it has some drawbacks. For example if the word was terminated with any character like a period etc. What I tend to do is something like this .1cialis .-1specialist i.e. reverse credit for legit hit words. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Don Brown [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, March 15, 2007 9:28 PM Subject: [Declude.JunkMail] Body Filter - Stupid/Simple Question I should know the answer to this, but obviously . . . How do I filter on cialis and not catch specialist? I don't know anything but 'Contains' that will catch it, but it also catches specialist. There has to be a way to look for just a word . . . Thanks, Don Brown - Dallas, Texas USA Internet Concepts, Inc. [EMAIL PROTECTED] http://www.inetconcepts.net (972) 788-2364 Fax: (972) 788-5049
Re: [Declude.JunkMail] COMMTOUCH FP Reporting
Jeff, I had the exact same thing happen. I sent them a list of refid's that were false positives per the false positive reporting document and never received a response back either. Has anyone received a response back? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Jeff [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, March 06, 2007 7:53 AM Subject: [Declude.JunkMail] COMMTOUCH FP Reporting Although I have sent FPs to COMMTOUCH in the format that they have requested I have never received a response from them. Am I doing something wrong ??
Re: [Declude.JunkMail] COMMTOUCH FP Reporting
So what exactly does this mean? We send our false positives to Declude and they send them to CommTouch? Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: Ken Weise [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Tuesday, March 06, 2007 10:28 AM Subject: RE: [Declude.JunkMail] COMMTOUCH FP Reporting After contacting Declude support, Commtouch does not respond to individuals, only to partners. It would be nice for some response, especially on FP's.
Re: [Declude.JunkMail] Help: Domain not found
Is there really a space in the logs or is that just a formatting issue?

philippe @ malivsion.com

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Serge
To: declude.junkmail@declude.com ; Imail_Forum@list.ipswitch.com
Sent: Monday, February 26, 2007 10:31 PM
Subject: [Declude.JunkMail] Help: Domain not found

I have a client having problems sending emails to some servers

No thank you rejected: Domain not found

DNSSTUFF shows no major problem with malivision.com

Would appreciate any help to resolve this issue

20070226 183127 127.0.0.1 SMTP (276b023cf3f9) Trying mail.com (0)
20070226 183128 127.0.0.1 SMTP (276b023cf3f9) Connect mail.com [208.36.123.68:25] (1)
20070226 183130 127.0.0.1 SMTP (276b023cf3f9) 220 spf8.us4.outblaze.com ESMTP Postfix
20070226 183130 127.0.0.1 SMTP (276b023cf3f9) EHLO mail.cefib.com
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250-spf8.us4.outblaze.com
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250-PIPELINING
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250-SIZE 1024
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250-ETRN
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250 8BITMIME
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) MAIL FROM:philippe @ malivsion.com
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) 250 Ok
20070226 183131 127.0.0.1 SMTP (276b023cf3f9) RCPT To:mathioye @ mail.com
20070226 183132 127.0.0.1 SMTP (276b023cf3f9) 550 philippe @ malivsion.com: No thank you rejected: Domain not found
20070226 183132 127.0.0.1 SMTP (276b023cf3f9) QUIT
Re: [Declude.JunkMail] Declude/Sniffer Issues
What are you seeing in the logs that indicates this? Declude will terminate long running external processes and log that it terminated it. Are you seeing those entries? Also, during these times when you look at task manager do you see a bunch of idle sniffer processes?

Typically from my experience when you see all the threads being used with very little to no CPU usage it tends to be a DNS issue (i.e. slow or not responding DNS server).

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 8:47 AM
Subject: [Declude.JunkMail] Declude/Sniffer Issues

I am running 2 versions of Smartermail Declude both running Sniffer and InvURIBL. One is Smartermail4/Declude4.3.3 Other is Smartermail2/Declude3. These servers can run perfectly for weeks but for the past few weeks we have been sporadically seeing Declude back up files in the Proc directory. At this time all Declude threads are being used with no processing power being used. It appears Sniffer is not finishing and hogging up all the threads after reviewing the logs. Anyone else experiencing this?

Thanks,
Chris Patterson, CCNA
Network Engineer/Support Manager
Rapid Systems
Re: [Declude.JunkMail] Decludeproc.ex Faulting Applicaction
I know you mentioned that you have tried a reinstall - but have you tried an uninstall and made sure after that the decludeproc and declude.exe files are gone from the Imail directory? Once you know they are gone try to reinstall again.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Luis Alberto Arango E.
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 10:50 AM
Subject: RE: [Declude.JunkMail] Decludeproc.ex Faulting Applicaction

By the way, declude stopped scanning since the errors started. My proc is holding thousands of messages now. I have reinstalled declude, installed older versions and the error keeps showing up in the eventlog.

Luis Arango

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Luis Alberto Arango E.
Sent: lunes, 19 de febrero de 2007 10:23
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Decludeproc.ex Faulting Applicaction

Starting yesterday Feb 18 at 3:33 am (ET) I get errors from decludeproc.exe every 10 to 15 seconds. The error is as follows:

Faulting application decludeproc.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x20202020

I am running Imail and decludeproc version 3.13 under windows 2003

Any ideas..

Luis Arango
Re: [Declude.JunkMail] Declude/Sniffer Issues
Chris, I am gathering that you are running Sniffer in persistent mode? I would stop your declude and Sniffer services. Then go into the sniffer directory and remove all of the *.fin, *.svr files. I am not sure what the .xxx files are. I have yet to see those. Then I would check your Sniffer log for any errors. After making sure there are no errors I would restart the Sniffer persistent service and Declude and see if the issue is resolved. It's possible Sniffer could be stepping on itself trying to weed through all those files.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 1:03 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

I get this in logs:

02/19/2007 05:16:12.213 23859386 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:16:12.213 23859386 Couldn't get external program exit code

At this point I see thousands of .xxx and .fin files built up in the sniffer directory. Usually forcing a sniffer update (normally done every hour automatically).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

What are you seeing in the logs that indicates this? Declude will terminate long running external processes and log that it terminated it. Are you seeing those entries? Also, during these times when you look at task manager do you see a bunch of idle sniffer processes?

Typically from my experience when you see all the threads being used with very little to no CPU usage it tends to be a DNS issue (i.e. slow or not responding DNS server).

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 8:47 AM
Subject: [Declude.JunkMail] Declude/Sniffer Issues

I am running 2 versions of Smartermail Declude both running Sniffer and InvURIBL. One is Smartermail4/Declude4.3.3 Other is Smartermail2/Declude3. These servers can run perfectly for weeks but for the past few weeks we have been sporadically seeing Declude back up files in the Proc directory. At this time all Declude threads are being used with no processing power being used. It appears Sniffer is not finishing and hogging up all the threads after reviewing the logs. Anyone else experiencing this?

Thanks,
Chris Patterson, CCNA
Network Engineer/Support Manager
Rapid Systems
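The termination entries quoted in this thread can be watched for automatically, so a stalled external test is noticed before the Proc directory backs up. The following is an added example, not code from the list or from Declude: it groups "didn't finish quick enough" entries into runs per external program. The first two sample lines are the ones quoted above; the remaining lines, the two-minute gap and the minimum count of three are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the termination entry quoted in the thread. The second field is
# treated as an opaque per-message reference (assumption).
LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<ref>\S+) "
    r"ERROR: External program (?P<prog>\S+) didn't finish quick enough; "
    r"terminating\."
)

# First two lines are from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
02/19/2007 05:16:12.213 23859386 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:16:12.213 23859386 Couldn't get external program exit code
02/19/2007 05:16:40.101 23859390 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:17:05.554 23859391 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:18:31.007 23859397 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 09:42:10.500 23861002 ERROR: External program SNIFFER didn't finish quick enough; terminating.
"""


def timeout_runs(lines, gap=timedelta(minutes=2), min_count=3):
    """Return runs of terminations of the same external program.

    A run is a sequence of termination entries in which consecutive entries
    are at most `gap` apart. Runs shorter than `min_count` are dropped, so a
    single slow scan does not raise an alert but a stalled scanner does.
    """
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # other log entries are ignored
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        events[m["prog"]].append((ts, m["ref"]))

    runs = []
    for prog, evs in events.items():
        evs.sort()
        start = 0
        for i in range(1, len(evs) + 1):
            # Close the current run at end of data or when the gap is exceeded.
            if i == len(evs) or evs[i][0] - evs[i - 1][0] > gap:
                if i - start >= min_count:
                    chunk = evs[start:i]
                    runs.append({
                        "program": prog,
                        "first": chunk[0][0],
                        "last": chunk[-1][0],
                        "count": len(chunk),
                        "refs": [ref for _, ref in chunk],
                    })
                start = i
    return sorted(runs, key=lambda r: r["first"])


if __name__ == "__main__":
    for run in timeout_runs(SAMPLE_LOG.splitlines()):
        print(f'{run["program"]}: {run["count"]} terminations '
              f'between {run["first"]} and {run["last"]}')
```

A run reported here is the point at which to look at the scanner's working directory and at DNS response times, the two causes raised in the replies.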
Re: [Declude.JunkMail] Declude/Sniffer Issues
500 threads is a lot of threads. Is that volume for one server? That's about ~500K messages a day - that's a very busy server. I would think that you could reduce that down to around 50-75. With 500 threads the system is starving itself with context switching especially when launching all those external processes.

I would suggest also looking into setting WAITFORTHREADS and WAITBETWEENTHREADS. To help give a bit of a break between external processes.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 3:33 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

Threads = 500
3 days (approx): 1420731 [Spam: 1392289 Virus: 114] Relay High: 0

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 2:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

What is your mail volume and how many threads do you have declude configured for?

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 2:20 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

When this issue happens which seems more frequent, I do clear out the thousands of left behind files. I am more trying to find a way to prevent it or reason that is happening. And yes, Sniffer does have a hard time operating when it hoses up that bad.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 1:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

Chris, I am gathering that you are running Sniffer in persistent mode? I would stop your declude and Sniffer services. Then go into the sniffer directory and remove all of the *.fin, *.svr files. I am not sure what the .xxx files are. I have yet to see those. Then I would check your Sniffer log for any errors. After making sure there are no errors I would restart the Sniffer persistent service and Declude and see if the issue is resolved. It's possible Sniffer could be stepping on itself trying to weed through all those files.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 1:03 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

I get this in logs:

02/19/2007 05:16:12.213 23859386 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:16:12.213 23859386 Couldn't get external program exit code

At this point I see thousands of .xxx and .fin files built up in the sniffer directory. Usually forcing a sniffer update (normally done every hour automatically).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

What are you seeing in the logs that indicates this? Declude will terminate long running external processes and log that it terminated it. Are you seeing those entries? Also, during these times when you look at task manager do you see a bunch of idle sniffer processes?

Typically from my experience when you see all the threads being used with very little to no CPU usage it tends to be a DNS issue (i.e. slow or not responding DNS server).

Darrell
Check out http
Re: [Declude.JunkMail] Declude/Sniffer Issues
Even though the thread count sounds high even at 500 threads being used in Task Manager, we never hit 100% CPU.

I think this may be because the system is bogged down context switching amongst all of the threads.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 4:41 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

This really is a front end gateway to a front end also running declude. Even though the thread count sounds high even at 500 threads being used in Task Manager, we never hit 100% CPU. 2 - dual-core opterons. 3 - 15K SCSI's in Raid 5, 3 gigs Ram on a DL385. When this happens all 500 threads are being used and the CPU is doing nothing, like 2%. Get a new sniffer update, clean up the directory and it will not give a problem for days and days.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, February 19, 2007 4:08 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

Chris, Reduce your threads setting to a more reasonable number and you should be fine. A number around 50 should suffice, but you can set it, restart Declude and then see if you are redlining. Once you get to redlining when there is a backup, that is pretty much where threads should be set. By going to 500 you are definitely overdoing it and causing other issues.

Matt

Chris Patterson wrote:

Threads = 500
3 days (approx): 1420731 [Spam: 1392289 Virus: 114] Relay High: 0

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 2:53 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

What is your mail volume and how many threads do you have declude configured for?

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 2:20 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

When this issue happens which seems more frequent, I do clear out the thousands of left behind files. I am more trying to find a way to prevent it or reason that is happening. And yes, Sniffer does have a hard time operating when it hoses up that bad.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, February 19, 2007 1:40 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Declude/Sniffer Issues

Chris, I am gathering that you are running Sniffer in persistent mode? I would stop your declude and Sniffer services. Then go into the sniffer directory and remove all of the *.fin, *.svr files. I am not sure what the .xxx files are. I have yet to see those. Then I would check your Sniffer log for any errors. After making sure there are no errors I would restart the Sniffer persistent service and Declude and see if the issue is resolved. It's possible Sniffer could be stepping on itself trying to weed through all those files.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Monday, February 19, 2007 1:03 PM
Subject: RE: [Declude.JunkMail] Declude/Sniffer Issues

I get this in logs:

02/19/2007 05:16:12.213 23859386 ERROR: External program SNIFFER didn't finish quick enough; terminating.
02/19/2007 05:16:12.213 23859386 Couldn't get external program exit code

At this point I see thousands of .xxx and .fin files built up in the sniffer directory. Usually forcing a sniffer update (normally done every hour automatically
Re: [Declude.JunkMail] Weird email problem
Based on the headers and the logs this was a retransmission. Something happened in the initial send that caused it to be aborted. They did not attempt the resend until today. That's a very long retransmission interval. As Kevin said earlier these kinds of things happen from time to time. In reality a 2 day retransmission interval is pretty odd. Most servers will retry several hours later.

Now what caused the connection to be dropped you will probably never know - I would not be too terribly concerned unless you start seeing a pattern with this (i.e. an issue on your end causing the dropped connections).

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Sharyn Schmidt
To: declude.junkmail@declude.com
Sent: Thursday, January 25, 2007 12:43 PM
Subject: RE: [Declude.JunkMail] Weird email problem

Regarding your issue, it would be best to share the headers from the E-mail with the Received lines intact.

Here are the headers from the original email:

Received: from WDL.wilsondaniels.com [64.168.89.133] by cruzaninc.com with ESMTP (SMTPD-9.10) id A2950324; Thu, 25 Jan 2007 00:39:33 -0500
Received: from WilsonDaniels-DOM-MTA by WDL.wilsondaniels.com with Novell_GroupWise; Tue, 23 Jan 2007 07:28:54 -0800
Message-Id: [EMAIL PROTECTED]
X-Mailer: Novell GroupWise Internet Agent 7.0.1
Date: Tue, 23 Jan 2007 07:28:28 -0800
From: Johnna Cooledge [EMAIL PROTECTED]
To: 'Judith Taylor' [EMAIL PROTECTED]
Subject: Good Morning
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Declude-Sender: [EMAIL PROTECTED] [64.168.89.133]
X-Declude-Spoolname: D429526d4aecd.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.23 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 00:39:45 on 25 Jan 2007
X-Declude-Fail: Whitelisted
X-Country-Chain:
X-RCPT-TO: [EMAIL PROTECTED]
Status:
X-UIDL: 465367379
X-IMail-ThreadID: 429526d4aecd
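The reading of the headers given in this thread can be reproduced by walking the Received chain from oldest to newest and computing the time spent before each hop. The following is an added example, not code from the list: the sample keeps only the timestamp-bearing headers quoted above, and the four-hour "slow" threshold is an assumption chosen to match "several hours".

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Timestamp-bearing headers copied from the message quoted in the thread.
SAMPLE = (
    "Received: from WDL.wilsondaniels.com [64.168.89.133] by cruzaninc.com "
    "with ESMTP (SMTPD-9.10) id A2950324; Thu, 25 Jan 2007 00:39:33 -0500\n"
    "Received: from WilsonDaniels-DOM-MTA by WDL.wilsondaniels.com "
    "with Novell_GroupWise; Tue, 23 Jan 2007 07:28:54 -0800\n"
    "Date: Tue, 23 Jan 2007 07:28:28 -0800\n"
    "Subject: Good Morning\n"
    "\n"
)


def _stamp(value):
    """Parse the date after the last ';' of a Received value (or a bare Date).

    Returns an aware datetime, or None when the header carries no usable date.
    """
    text = value.rsplit(";", 1)[-1].strip()
    try:
        dt = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # "-0000" yields a naive value; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def hop_delays(raw_headers, slow_after=timedelta(hours=4)):
    """List each hop in chronological order with the delay that preceded it.

    Received headers are prepended by each server, so the list is reversed.
    The Date header is the starting point. A negative delay is reported as
    clock skew rather than as a fast hop.
    """
    msg = message_from_string(raw_headers)
    previous = _stamp(msg.get("Date", ""))
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        value = " ".join(value.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", value)
        at = _stamp(value)
        delay = (at - previous) if (at and previous) else None
        hops.append({
            "by": by.group(1) if by else "?",
            "at": at,
            "delay": delay,
            "slow": delay is not None and delay > slow_after,
            "skew": delay is not None and delay < timedelta(0),
        })
        if at:
            previous = at
    return hops


if __name__ == "__main__":
    for hop in hop_delays(SAMPLE):
        flag = " SLOW" if hop["slow"] else (" SKEW" if hop["skew"] else "")
        print(f'{hop["by"]}: +{hop["delay"]}{flag}')
```

On these headers the sending GroupWise server accepted the message 26 seconds after it was written, and the receiving server logged it 1 day, 14:10:39 later, so the time was spent before the message reached the receiving side.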
Re: [Declude.JunkMail] [IANA Reserved] ?
I would be very careful with this. IANA just released (I believe in October) 96/8, 97/8, 98/8, 99/8. With the all_list.dat not being updated frequently I would tread very lightly in this area. Part of 96/8 has been handed out.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: S.J.Stanaitis [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, January 04, 2007 3:29 PM
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?

Nice.

Thanks,
Sam
SJ.Stanaitis - Network Administrator
Decorative Product Source E-commerce Network

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, January 04, 2007 3:16 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?

sending hop only:
COUNTRY 0 IS *R
or all hops:
COUNTRIES 0 CONTAINS *R

- Original Message -
From: S.J.Stanaitis [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, January 04, 2007 1:55 PM
Subject: RE: [Declude.JunkMail] [IANA Reserved] ?

Holy [EMAIL PROTECTED], that answers one question! Any idea how to incorporate the IANA Reserved thing into Declude?

Thanks,
Sam
SJ.Stanaitis - Network Administrator
Decorative Product Source E-commerce Network

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Thursday, January 04, 2007 2:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?

Here are my December totals for the odd-balls (COUNTRY IS test)

Country Name            CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM   OK
APNIC Unlisted                        97        97          0          0    0
ARIN Unlisted                       1426      1395         12          1   18
Central/South America                 89        89          0          0    0
European Union                      1804      1674          8          1  121
IANA Reserved                      11677     11428         91        118   39
Multi-Regional                        23        19          1          1    2
RIPE Unlisted                       1332      1330          1          1    0
Unknown                             4018      3938         13          3   64

#
# Special Codes
#
#*1 Multi-Regional
#*2 Europe
#*3 North America
#*4 Central/South America
#*5 Pacific Rim
#*A ARIN Unlisted (North America/South Africa)
#*B Public Data Network
#*E RIPE Unlisted (Europe, North Africa, Middle East)
#*I Private IP
#*L Loopback
#*M Multicast
#*P APNIC Unlisted (Asia Pacific)
#*R IANA Reserved
#*U Unknown

- Original Message -
From: S.J.Stanaitis [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, January 04, 2007 1:02 PM
Subject: [Declude.JunkMail] [IANA Reserved] ?

I currently tag each incoming email from a country other than the US (with few exceptions) with a weight of 10. Some emails come in with [IANA Reserved] in the X-Country-Chain header and as such these emails (originating in places like Amsterdam, etc) aren't affected by the FILTER-COUNTRY filter. Any way to add a weight to those IP's too? Do American IP's show up as IANA Reserved ever?

Thanks,
Sam
SJ.Stanaitis - Network Administrator
Decorative Product Source E-commerce Network
Re: [Declude.JunkMail] change location of spam email folders
You sure can - see example below.

WEIGHT30 HOLD F:\SPAM-HOLD\%DATE%

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Craig Edmonds
To: declude.junkmail@declude.com
Sent: Saturday, December 30, 2006 9:52 PM
Subject: [Declude.JunkMail] change location of spam email folders

Is it possible to have all the spam email folders stored in a different folder other than C:\IMAIL\spool\spam ?? say a subfolder perhaps? like C:\IMAIL\spool\spam\emails

Currently declude creates folders called 31Dec2006 for example in C:\IMAIL\spool\spam and I would like them to be stored in C:\IMAIL\spool\spam\emails.

I was looking around the config files and can't see a setting anywhere for it.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
Re: [Declude.JunkMail] Resend email caught by Declude/Sniffer
If you would like them to be reprocessed by Declude you can do the following below.

Declude (service version) - Drop the files into the proc directory off the spool.

If you are running the non service version drop the q* into the overflow directory and the d* into the spool directory.

If you just want them delivered you can drop both files (q*/d*) into the spool folder for delivery. If you're running smartmail the service version above will still work to have them delivered.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Postmaster [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Wednesday, December 20, 2006 10:15 AM
Subject: [Declude.JunkMail] Resend email caught by Declude/Sniffer

I had a rule set that was a little too exuberant (since been fixed) in catching spam. How can I queue up the caught spam to be resent and filtered for spam?

Thanks,
Kevin
Re: [Declude.JunkMail] Imail 2006.1 and declude
threads 150

This is very high - even on a dual proc xeon (2.6) box - HT enabled - I am easily able to run with 40 threads processing 150K messages a day. What is your message volume?

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Harry Vanderzand
To: declude.junkmail@declude.com
Sent: Tuesday, December 19, 2006 5:54 AM
Subject: [Declude.JunkMail] Imail 2006.1 and declude

I just upgraded from imail V8.22 to 2006.1

After the upgrade the load on my system is much heavier

The system was running smoothly before the upgrade but now it is hitting 100% utilization consistently

I am concerned because it is before 6am. What will happen during the day when my users are active?

I am running on dual xeon 3.4Ghz with 2GB ram, windows 2000 server. Everything is at latest version and update level

I am running sniffer, invuribl and fprot also sniffer is in persistent mode

Any help or ideas would be appreciated

declude.cfg:

CODE xx
threads 150
waitformail 500
waitforthreads 25
waitbetweenthreads 100
winsockcleanup OFF
avgupdatefreqhrs 4
BANCHARSET iso-2022-jp
BANCHARSET koi8-r
AUTOREVIEW ON
BLKLST ON

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222
Re: [Declude.JunkMail] New Version 4.3.2.3
Herb, Have you actually opened the file and verified that it says the new version in the file? I have seen this same behavior on several servers.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

- Original Message -
From: Herb Guenther [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Sunday, December 17, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] New Version 4.3.2.3

If it installed correctly it will. It may be putting it in a different directory, in which case it is probably using the wrong configs as well.

Herb

Darrell ([EMAIL PROTECTED]) wrote:

I am noticing that when restarting the Declude Proc service it does not generate a diags.txt file anymore. Is this normal behavior to be expected with this version.

Darrell
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient please advise us of our error by return e-mail then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
Re: [Declude.JunkMail] New Version 4.3.2.3
All of the servers where I have seen this behavior are running Imail.

Darrell

- Original Message -
From: Chris Asaro [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Sunday, December 17, 2006 11:10 AM
Subject: RE: [Declude.JunkMail] New Version 4.3.2.3

Actually Darrell I hadn't checked this on a server running Imail?? What are you using?

Darrell ([EMAIL PROTECTED]) wrote:

I am noticing that when restarting the Declude Proc service it does not generate a diags.txt file anymore. Is this normal behavior to be expected with this version?

Darrell

Chris Asaro
Technical Support Engineer
Declude - Your Email security is our business
866.332.5833 toll free
978.499.2933 office
978.477.8930 e-fax
[EMAIL PROTECTED]
www.declude.com
Re: [Declude.JunkMail] New Version 4.3.2.3
Okay - I guess I am losing it here. I just restarted decludeproc and sure enough diags.txt file was updated. Thanks to all who have confirmed my craziness.

Darrell

- Original Message -
From: Chris Asaro [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Sunday, December 17, 2006 11:10 AM
Subject: RE: [Declude.JunkMail] New Version 4.3.2.3

Actually Darrell I hadn't checked this on a server running Imail?? What are you using?

Darrell ([EMAIL PROTECTED]) wrote:

I am noticing that when restarting the Declude Proc service it does not generate a diags.txt file anymore. Is this normal behavior to be expected with this version?

Darrell
Re: [Declude.JunkMail] Interesting ORF stats
Goes to prove spammers are still trying the lowest priority MX record to get around spam filters.

That is very true. I think the mindset is that folks don't have access to features like IPBYPASS and trust mail coming from their backup mail server by default.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and ORF. Stop spam at the source the spamvertised domain. More effective than traditional RBL's. Try it today - http://www.invariantsystems.com
Re: [Declude.JunkMail] Why are these being whitelisted?
If you change your log level to high it will log the exact reason the message was whitelisted. Also, remember if one user on the email (even if they were BCC'ed) is whitelisted the whole message will be whitelisted.

Darrell

- Original Message -
From: Sharyn Schmidt
To: declude.junkmail@declude.com
Sent: Thursday, December 14, 2006 9:20 AM
Subject: [Declude.JunkMail] Why are these being whitelisted?

Just upgraded to 4.3.23. I'm getting a ton of stuff now that is being whitelisted. I have several users whitelisted TO but not the entire domain. This is not one of the users that is whitelisted TO. Suggestions?

Here is the header info:

Received: from SpeedTouch.lan [83.8.172.182] by cruzaninc.com with ESMTP (SMTPD-9.10) id ABE602AC; Thu, 14 Dec 2006 09:12:54 -0500
Return-Path: [EMAIL PROTECTED]
Received: from 69.66.1.12 (HELO ca.iowatelecom.net) by todhunter.com with esmtp (*VX))0(RG1 :?1V/X) id AHNCX*-FQHG4D-/M for [EMAIL PROTECTED]; Thu, 14 Dec 2006 14:11:11 -0060
Date: Thu, 14 Dec 2006 14:11:11 -0060
From: Troy Goddard [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Take it easy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--19C38D386E05E0CA
X-Spam: Not detected
X-Declude-Sender: [EMAIL PROTECTED] [83.8.172.182]
X-Declude-Spoolname: D5be202f77bd0.smd
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.3.23 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [0] at 09:13:20 on 14 Dec 2006
X-Declude-Fail: Whitelisted
X-Country-Chain: UNITED STATES-POLAND-destination
Precedence: bulk
Sender: [EMAIL PROTECTED]
X-RCPT-TO: [EMAIL PROTECTED]
Status:
X-UIDL: 465362209
X-IMail-ThreadID: 5c010844d46a
Re: [Declude.JunkMail] Why are these being whitelisted?
On that one I am not sure - I would bump your logs to HIGH and then we will be able to tell for sure.

Darrell

- Original Message -
From: Sharyn Schmidt
To: declude.junkmail@declude.com
Sent: Thursday, December 14, 2006 10:48 AM
Subject: RE: [Declude.JunkMail] Why are these being whitelisted?

If you change your log level to high it will log the exact reason the message was whitelisted. Also, remember if one user on the email (even if they were BCC'ed) is whitelisted the whole message will be whitelisted.

What if all email is sent to a copyall account and I had the settings to WHITELIST TO that account? Would that cause all email to be whitelisted?
[Declude.JunkMail] MimeOLE
What can anyone tell me about this X-Header?

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

Does Outlook produce this or is this added by a MS tool?

Darrell
Re: [Declude.JunkMail] Way to delete spam over a certain weight?
Sure - set up another weightrange test with your weight and set that action to delete.

Darrell

- Original Message -
From: Chris Patterson
To: declude.junkmail@declude.com
Sent: Friday, December 01, 2006 12:03 PM
Subject: [Declude.JunkMail] Way to delete spam over a certain weight?

I am running Smartermail2.6 with Declude 3.11. We are slaying some serious spam, (Total: 4129440 [Spam: 4029758 Virus: 626]), so much we can no longer complete searches for customers who want their spam zipped and sent to them each evening in less than 4 hours. I don't want to delete for individual tests but would rather delete spam with an absurd weight on it. Any ideas for this?

Thanks,
Chris Patterson, CCNA
Network Engineer/Support Manager
Rapid Systems
[Declude.JunkMail] Re: [sniffer] Configuring Sniffer in declude....
Chuck,

Declude will only call Sniffer one time as long as the path and executable are identical, which they are.

Darrell

- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Wednesday, November 29, 2006 2:16 PM
Subject: [sniffer] Configuring Sniffer in declude

Several years ago when we first started using message sniffer I set it up in the following manner in my global.cfg file.

SNIFFER-GENERAL external 063 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 70
SNIFFER-EXPERIMENTAL external 062 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 120
SNIFFER-OBFUSCATION external 061 F:\IMail\Declude\sniffer2r32\licensecode.exe activationcode 110

So on and so forth. With the increase in spam and CPU load is there any advantage load wise to just call sniffer once using nonzero instead of the return code? It seems like someone told me that sniffer was only called once and not separately for each return code. Could someone confirm that?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.JunkMail] Declude v2.06 and Imail 2006.1
As Matt said - Imail 8.22+ requires Declude 3+. So if you end up trying to use 2.x under 2006 you may or may not have issues.

Darrell

- Original Message -
From: Sharyn Schmidt
To: declude.junkmail@declude.com
Sent: Tuesday, November 28, 2006 3:05 PM
Subject: RE: [Declude.JunkMail] Declude v2.06 and Imail 2006.1

Um, I did... (in the subject line) Declude v2.06 and Imail 2006.1

Sharyn, You should specify what version of Declude you are asking about. FYI, IMail 8.2+ requires Declude 3+. Some claim that older versions of Declude will work, however there are also widely reported problems with IMail 8.2+ and it is no doubt safest to run Declude 3+.
Re: [Declude.JunkMail] Blacklists Recommendations.
Chuck,

I would look to add MxRate and FiveTen.

Darrell

- Original Message -
From: Chuck Schick [EMAIL PROTECTED]
To: Declude. JunkMail Declude.JunkMail@declude.com
Sent: Monday, November 27, 2006 12:35 PM
Subject: [Declude.JunkMail] Blacklists Recommendations.

I am looking for recommendations on other blacklists that Declude users are successfully using. Right now I use:

Spamcop
list.dsbl.org (trusted)
AHBL
Spamhaus
CBL
UCEB
ORDB
SORBs
NJABL
BLITZEDALL
MailPolice

I looked at the Declude list and I am wondering about adding:

spamsources.fabel.dk
bl.csma.biz
0spam.fusionzero.com
dnsbl.cyberlogic.net
blackholes.five-ten-sg.com (multiple tests)
psbl.surriel.com
db.wpbl.info

Thoughts on these tests? Any others that people are having luck with? We use sniffer with Declude but too much is slipping through.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.JunkMail] Spamhaus
Bill,

Thanks for posting that - one interesting thing I found was this.

"Use of the Spamhaus DNSBLs by commercial users, including corporate networks, ISPs and ESPs, requires a subscription to Spamhaus's Data Feed service."

Looked at the cost for some of the scenarios and it does not seem cheap.

Darrell

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Thursday, November 16, 2006 2:03 AM
Subject: Re: [Declude.JunkMail] Spamhaus

FYI, from Steve Linford of spamhaus:

http://groups-beta.google.com/group/news.admin.net-abuse.email/msg/2d050ab220faf931
http://www.spamhaus.org/zen/

Bill

David Sullivan wrote the following on 11/15/2006 12:58 PM -0800:

Does anyone have the proper setup in Declude to query sbl-xbl.spamhaus.org and interpret the result? I don't think I'm doing it correctly.

Thanks
-David
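Added example (not part of the thread, and not Declude configuration): how a lookup against the zone David asks about is formed and how its answer can be read, including the replies that must not be scored as a listing. The return-code meanings are an assumption taken from Spamhaus's published code list, and `resolve` is a hypothetical callable standing in for a real DNS A-record query.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"  # zone named in the thread

# Assumption: meanings follow Spamhaus's published return codes (127.0.0.x).
LISTED = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
          10: "PBL", 11: "PBL"}
# Replies that signal a query problem, not a listing of the tested IP.
ERRORS = {
    "127.255.255.252": "zone name mistyped",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}


def query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name: reversed IPv4 octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Map the A records of a DNSBL reply to (verdict, details).

    Any error code or unexpected address makes the whole reply an "error",
    so a broken lookup never adds spam weight to a message.
    """
    if not answers:  # NXDOMAIN or empty answer: the IP is not listed
        return ("clean", [])
    lists, problems = set(), []
    for a in answers:
        if a in ERRORS:
            problems.append(ERRORS[a])
            continue
        try:
            octets = ipaddress.IPv4Address(a).packed
        except ValueError:
            problems.append("unparseable answer " + a)
            continue
        if octets[:3] == b"\x7f\x00\x00" and octets[3] in LISTED:
            lists.add(LISTED[octets[3]])
        else:
            # e.g. a resolver that rewrites NXDOMAIN to a search page
            problems.append("unexpected answer " + a)
    if problems:
        return ("error", problems)
    return ("listed", sorted(lists))


def check(ip, resolve, zone=ZONE):
    """resolve(name) returns a list of A-record strings, [] for NXDOMAIN."""
    return interpret(resolve(query_name(ip, zone)))


def demo():
    # Constructed replies standing in for DNS; no network access is made.
    fake_dns = {
        "1.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
        "2.2.0.192.sbl-xbl.spamhaus.org": ["127.255.255.254"],
    }
    resolve = lambda name: fake_dns.get(name, [])
    return {ip: check(ip, resolve)
            for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3")}


if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```
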