RE: [Declude.JunkMail] Spamdomains.txt file
Me too,

Thanks,
Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Monday, April 19, 2004 7:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spamdomains.txt file

Todd,

Would you mind sending me a copy of the spamdomain.txt file as well? I would like to see what you have as a starting point.

Thanx

Goran Jovanovic
The LAN Shoppe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Todd
Sent: Monday, April 19, 2004 2:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spamdomains.txt file

Jeff,

I see no one has answered you on this. Spamdomains is a very useful test and I think you will like the results. We get an average of 14% weekdays and 26% on weekends of our email fail Spamdomains and there are not a lot of FPs. I will send you a spamdomains file tomorrow.

Todd Hunter
Smart Mail

----- Original Message -----
From: Jeff Maze - Hostmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 16, 2004 11:15 AM
Subject: RE: [Declude.JunkMail] Spamdomains.txt file

Anyone?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster
Sent: Friday, April 16, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spamdomains.txt file

Hello,

I think I'm going to implement the spam domains tests. Anyone have a file they would like to share that works well for them?

---
[South Texas Internet scanned this E-mail for viruses using Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SMTP processes hanging
I am running Imail 6.06. Declude 1.75i2. Lately I have been having to kill 10-15 smtp32.exe processes about three times a day to keep the server running. The processes don't terminate and eventually the server stalls out. Killing the processes returns functionality. Is it possible that the newer declude isn't backwards compatible with the older IMail or is there something else going on? Thanks, Doug McKee
[Declude.JunkMail] Emails not processed
This morning I found about 100 spam held in the spool between 1200 and 0830. The log shows multiple scans of some of the emails. Other single-scanned emails were also not processed during the period and remain in the spool file.

09/28/2003 00:29:22 Q71ab0f6 Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 2.172.164.106 with no reverse DNS entry.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed LONGSUBJ (Subject with at least 60 characters found.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMCHK (Message failed SPAMCHK: 176.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed WEIGHT50 (Weight of 248 reaches or exceeds the limit of 50.). Action=DELETE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMDOMAINS (). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BOGONS (ch 2aca46a ipfile against 100/8 (nm=ff00).). Action=IGNORE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 2.172.164.106 with no reverse DNS entry.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed LONGSUBJ (Subject with at least 60 characters found.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMCHK (Message failed SPAMCHK: 176.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed WEIGHT50 (Weight of 248 reaches or exceeds the limit of 50.). Action=DELETE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMDOMAINS (). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BOGONS (ch 2aca46a ipfile against 100/8 (nm=ff00).). Action=IGNORE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 2.172.164.106 with no reverse DNS entry.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed LONGSUBJ (Subject with at least 60 characters found.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMCHK (Message failed SPAMCHK: 176.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed WEIGHT50 (Weight of 248 reaches or exceeds the limit of 50.). Action=DELETE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMDOMAINS (). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BOGONS (ch 2aca46a ipfile against 100/8 (nm=ff00).). Action=IGNORE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BADHEADERS (This E-mail was sent from a broken mail client [801e].). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 2.172.164.106 with no reverse DNS entry.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed LONGSUBJ (Subject with at least 60 characters found.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMCHK (Message failed SPAMCHK: 176.). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed WEIGHT50 (Weight of 248 reaches or exceeds the limit of 50.). Action=DELETE.
09/28/2003 00:29:22 Q71ab0f6 Msg failed SPAMDOMAINS (). Action=WARN.
09/28/2003 00:29:22 Q71ab0f6 Msg failed BOGONS (ch 2aca46a ipfile against 100/8 (nm=ff00).). Action=IGNORE.

I'm running 1.7, ran the updater, and all seems well. Any thoughts?
[Declude.JunkMail] Five Ten List
My server is blocked by five-ten because the author doesn't like Broadwing? I am immediately going to quit using the five-ten lists because I don't know who else this gentleman doesn't like. The response is:

IP address 67.99.44.6 is listed here as broadwing.net spam-support.

Please note that the following comments apply to broadwing.net since 67.99.44.6 seems to be owned or controlled by them. This does NOT mean that we ever received spam from 67.99.44.6. It just means that the upstream owner of that address block (which seems to be broadwing.net) is listed here for spam support. That upstream needs to resolve the below issues.

added 2003-09-09; spam support - see www.spamhaus.org/SBL/sbl.lasso?query=SBL10270

If some mail server is rejecting your email based on the above listing, ask them to either whitelist your address or to stop using this list. I don't know who is using blackholes.five-ten-sg.com to block email - it is my personal list used to protect my personal mail servers (and my clients). I make it public so that anyone who has mail rejected here can find out why it was rejected.

You might want to search on Google in news.admin.net-abuse.* for broadwing.net.

You might consider moving to a provider whose ip packets are more acceptable to the rest of the internet.

Doug
[Declude.JunkMail] Strange Trail
fantasticbradleys.net dragonstarts.com ENCHANTINGIDEAS.NET MITCHMYERSENT.BIZ SECURESERVER.NET a1fastrx.com Secureserver.net best-usa-rx.com secureserver.net EVERLAST123.BIZ wwdomains.com Secureserver.net jomax.net godaddy.com

I discovered the above relationships while looking for commonality in the sources of this morning's spam load. Interestingly enough, if you go to jomax.net the godaddy.com page opens. The whois DNS for godaddy.com IS jomax.net. Either I'm misinterpreting this or someone at godaddy needs to clean up their act.

Doug McKee
Re: Re: [Declude.JunkMail] Strange Subject
How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the

What is your test setup for the above string, please?

Thanks,
Doug

How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.

I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score).

I could catch so much crap with those 40 or so two character gibberish strings, in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).

I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives.

If that doesn't work, I'm buying a gun :)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.

Matt

Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like:

    SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

    HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments).

The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different countries' TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
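The following is an added example, not code from the thread or from Declude: it decodes the RFC 2047 encoded-word subjects quoted above and combines the three signals discussed (base64 Latin-1 subject, no displayable body text, listed sender domain) so that no single one triggers on its own. The function names, the constructed message bodies and the two-of-three threshold are assumptions made for illustration.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def decode_subject(raw):
    """Return (decoded text, [(charset, encoding), ...]) for a raw Subject value."""
    used = []

    def _decode(match):
        charset, enc, payload = match.groups()
        enc = enc.upper()
        try:
            if enc == "B":
                data = base64.b64decode(payload, validate=True)
            else:  # Q encoding: quoted-printable where "_" means space
                data = binascii.a2b_qp(payload, header=True)
            text = data.decode(charset, errors="replace")
        except (binascii.Error, LookupError, ValueError):
            return match.group(0)  # leave an undecodable word untouched
        used.append((charset.lower(), enc))
        return text

    # Whitespace between two adjacent encoded words is not part of the text.
    joined = re.sub(r"(\?=)\s+(=\?)", r"\1\2", raw)
    return ENCODED_WORD.sub(_decode, joined), used

def subject_signals(raw):
    text, used = decode_subject(raw)
    latin1_b64 = any(cs == "iso-8859-1" and enc == "B" for cs, enc in used)
    return {
        "decoded": text,
        "latin1_base64": latin1_b64,  # what a match on ISO-8859-1?B? keys on
        "ascii_only": latin1_b64 and text.isascii(),  # encoding was not needed
    }

def has_displayable_text(html_body):
    # Crude approximation: drop tags, then check for anything but whitespace.
    return bool(re.sub(r"<[^>]*>", "", html_body).strip())

def super_test(raw_subject, html_body, sender_domain_listed, threshold=2):
    """Fire only when at least `threshold` of the three signals agree (assumed rule)."""
    hits = [
        subject_signals(raw_subject)["latin1_base64"],
        not has_displayable_text(html_body),
        sender_domain_listed,
    ]
    return sum(hits) >= threshold

# Subjects quoted in the thread; the bodies are constructed for illustration.
FRENCH_SUBJECT = "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?="
SPAM_SUBJECT = ("=?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUg"
                "LSBubyBkb2N0b3IgcmVxdWlyZWQu?=")
LEGIT_BODY = "<html><body><p>See you in Nice next week.</p></body></html>"
EMPTY_BODY = "<html><body><a href='http://example.invalid/'><img src='x.gif'></a></body></html>"
```

The subject from France decodes to plain ASCII, so an "unnecessary encoding" check alone would still flag it; only the combination with the empty body separates the two samples.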
Re: Re: [Declude.JunkMail] Using Declude to block Sobig Virus
If I am using Declude as a gateway and block the offending IP, will I not also have to block the IP in the real mail server as well?

Doug

Because the IMail SMTP Control Access file will prevent the connection from even occurring, which will save on bandwidth (about 100K per virus blocked). It also saves some other resources, such as CPU usage, that would be used if it was received and scanned.
[Declude.JunkMail] Domain Processing
If a test is listed in the Global.cfg file and in the domain file will the process be run twice? Thanks, Doug
RE: [Declude.JunkMail] Domain Processing
Sorry about the incomplete nature of the question. If a test is in the global.cfg and listed in BOTH the declude\$default$.JunkMail file and in the declude\domain\$default$.JunkMail file as well, will the test be run twice? I am just wondering if that would have an effect on the processor time.

Doug

If a test is listed in the Global.cfg file and in the domain file will the process be run twice?

If a test definition appears once in the global.cfg file, it will only be run once. If it appears two or more times in the global.cfg file, it may or may not be run more than once, depending on the type of test (ip4r tests and external programs have cached results, for example, so they would only be run once).

-Scott
[Declude.JunkMail] Unknown Folder
In my spool folder this morning are a bunch of .vir folders with 1_1.exe in them. I have not encountered these before. What are they? Thanks, Doug McKee
[Declude.JunkMail] Confusing Log Messages
06/11/2003 15:59:31 Q982f0f6 Your virus scanner DOES NOT EXIST (at d:\IMail\spool\D982f0f6.vir\); NOT SCANNING ATTACHMENTS! [2]
06/11/2003 15:59:31 Q982f0f6 Scanned: Error starting scanner
06/11/2003 15:59:32 Q98150c4 Could not find report file d:\IMail\spool\D98150c4.vir\report.txt.
06/11/2003 15:59:32 Q98150c4 Your virus scanner DOES NOT EXIST (at d:\IMail\spool\D98150c4.vir\); NOT SCANNING ATTACHMENTS! [2]
06/11/2003 15:59:32 Q98150c4 Scanned: Error starting scanner
06/11/2003 15:59:43 Q983b022 Your virus scanner DOES NOT EXIST (at d:\IMail\spool\D983b022.vir\); NOT SCANNING ATTACHMENTS! [2]
06/11/2003 15:59:43 Q983b022 Scanned: Error starting scanner
06/11/2003 15:59:59 Q98480a6 Outlook 'CR' vulnerability [From: Tru] in line 7
06/11/2003 15:59:59 Q98480a6 Scanned: CONTAINS A VIRUS [Prescan OK][MIME: 1 670]

Just Installed AVG as second engine with the following config.

SCANFILEC:\Progra~1\FSI\F-Prot\fpcmd.exe /ALL /SILENT /NOMEM /NOBOOT /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORTInfection:
SCANFILEC:\Progra~1\Grisoft\AVG6\avg.exe /NOMEM /NOSELF /ARC
VIRUSCODE 2
VIRUSCODE 6

What have I misconfigured?

Thanks,
Doug
[Declude.JunkMail] IMail Express Lite
The free version of IMail is for one domain. Can it be used with JM and Virus? Doug
RE: [Declude.JunkMail] Way OT now!
Some VERY wise sage once opined, I have given up the search for truth and am now willing to settle for a pleasant fantasy. Doug