RE: [Declude.JunkMail] Header Information Util...
Andy,

I may take you up on that. I'll fire up my .NET environment tonight and poke around a bit. I wonder if it would be easier to attack if I dropped it all to a PST file and rummaged around there, rather than pull through Outlook itself ? I could go straight at the file instead of having to use Outlook commands... avoid the API's and just build an array. Hmmm.

If I get something accomplished, I'll post it back here. Seems it's a tool we could all use.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Tuesday, May 15, 2007 9:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Header Information Util...

Hi Karl:

It sounds as if you are looking for a way to read message items in your Outlook folders. You can accomplish this relatively easily by writing a small Visual Basic for Applications Outlook Macro.

If you move the suspect messages (at least temporarily) into some work subfolder in Outlook, then it isn't too hard to iterate through that folder, open each message item and then process its various properties. Once you identify specific messages you can easily delete them, move them, flag them or extract whatever information you need to a regular text file - just to state a few examples.

I'd be happy to share some basic code snippets if you need a head start.

Best Regards,
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
Sent: Monday, May 14, 2007 10:23 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Header Information Util...

Message tracking won't tell me what specific email in an exchange email box is the one I am interested in. Maybe I'm not explaining myself.

After my Declude box filters over 23,000 emails, I have 1245 emails from Friday night until Monday AM on my exchange server. I manually sort these emails, winding up with roughly 118 left over verified SPAM emails. I'd like a tool I can run against these emails, in an Outlook mailbox, that will pull the info from the individual message headers.

I don't believe the server logs, on either server, are going to do a thing, since I'd need to know which message I was looking for, one of the 118 out of 1200 or 23000. Out of the emails that came in during the time period I am sampling, I'd need the SMTP ID, and I'd have to basically do what I am doing now, manually open each email header. I want to bypass this, and pull the data directly.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 14, 2007 8:15 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Looks to me that if you turn on Message Tracking, you get a log file with the info you need all on one line. I'm not certain about REVDNS, but you certainly have from address, to address, and IPs. You could run a script over this to get the REVDNS if it isn't there. The stats you want could then be compiled in Excel, a database, etc.

Darin.

----- Original Message -----
From: IS - Systems Eng. (Karl Drugge) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, May 14, 2007 6:13 PM
Subject: RE: [Declude.JunkMail] Header Information Util...

Because the emails I have left are from a range of times/dates, and they're on an Exchange server. I'd have to know what SMTP ID's I was looking for in the logs, which I'd need from the email header information, etc etc...

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Monday, May 14, 2007 6:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Header Information Util...

Why don't you use the mail server log files instead. Much easier to parse, and tools like Grep and Sawmill can be used to do it.

Darin.

----- Original Message -----
From: IS - Systems Eng. (Karl Drugge) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, May 14, 2007 5:45 PM
Subject: [Declude.JunkMail] Header Information Util...

I am hoping the people here can help me. It's not Declude specific, but I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of every email in an Outlook/Exchange inbox. I want to be able to pull the sending IP's, reverse DNS, and sender names out of the headers directly. I'd like to point the script/util at an inbox, and have it yank this info out, so I can, for instance, sort it and see that 12 out of the 130 messages came from free2way.com, and the address ranges were all the same class C.

Every few days, I pull every email that has made its way to my inside server and manually sort out all legit emails ( we archive all emails on our Exchange box ). What's left is pure SPAM, but it takes a few good
[Declude.JunkMail] Header Information Util...
I am hoping the people here can help me. It's not Declude specific, but I consider the experts here as the most knowledgeable on SMTP and Email.

I am looking for a script/utility to pull the header information out of every email in an Outlook/Exchange inbox. I want to be able to pull the sending IP's, reverse DNS, and sender names out of the headers directly. I'd like to point the script/util at an inbox, and have it yank this info out, so I can, for instance, sort it and see that 12 out of the 130 messages came from free2way.com, and the address ranges were all the same class C.

Every few days, I pull every email that has made its way to my inside server and manually sort out all legit emails ( we archive all emails on our Exchange box ). What's left is pure SPAM, but it takes a few good hours to sort the header information. More often than not, I end up deleting most of it because I lack the time to properly utilize it.

Does anyone know of anything before I break down and write it myself ? I'd rather not make a go-cart from scratch if someone has a used chevy pickup.

PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
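Added example, not part of the thread and not any poster's tool: a sketch of the tally requested above, taking the first external relay from each message's Received chain and counting messages per /24, per recorded reverse-DNS name and per From domain. It assumes each message's Internet headers have already been exported as raw text; `TRUSTED_NETS`, the function names and the sample headers are constructed for illustration.

```python
"""Tally sending IPs, recorded rDNS names and From domains from raw headers."""
import ipaddress
import re
from collections import Counter
from email.parser import HeaderParser
from email.utils import parseaddr

# Assumption: address ranges of your own gateway and Exchange hosts. Hops
# from these ranges are skipped so the first external relay is reported.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches "from HELO (rdns [1.2.3.4])", "from HELO ([1.2.3.4])" and
# "from HELO [1.2.3.4]". Other Received layouts are skipped, not guessed.
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[\w.-]+)?\s*)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE,
)


def _external_hop(msg, trusted):
    # Received lines are newest first. The first hop from outside the trusted
    # ranges was stamped by your own server; older lines can be forged.
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # e.g. an octet above 255
            continue
        if any(ip in net for net in trusted):
            continue
        return str(ip), m.group("rdns") or "", m.group("helo")
    return None


def first_external_hop(raw_headers, trusted=TRUSTED_NETS):
    """Return (ip, rdns, helo) for the newest untrusted hop, or None."""
    return _external_hop(HeaderParser().parsestr(raw_headers), trusted)


def summarize(raw_messages, trusted=TRUSTED_NETS):
    """Count messages per /24, per recorded rDNS name and per From domain."""
    nets, rdns_names, domains = Counter(), Counter(), Counter()
    for raw in raw_messages:
        msg = HeaderParser().parsestr(raw)
        _name, addr = parseaddr(msg.get("From", ""))
        # The From header is sender-controlled; treat it as a label only.
        domains[addr.rpartition("@")[2].lower() or "(none)"] += 1
        hop = _external_hop(msg, trusted)
        if hop is None:
            nets["(no external hop)"] += 1
            continue
        ip, rdns, _helo = hop
        nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        rdns_names[rdns or "(no rDNS recorded)"] += 1
    return {"by_net": nets, "by_rdns": rdns_names, "by_from_domain": domains}


# Constructed sample headers (documentation address ranges, example domains).
SAMPLE_MESSAGES = [
    """\
Received: from gw.example.org ([10.0.0.5]) by exch.example.org with ESMTP;
    Mon, 14 May 2007 07:01:02 -0400
Received: from mail1.example.net (mail1.example.net [192.0.2.10])
    by gw.example.org with SMTP; Mon, 14 May 2007 07:01:00 -0400
Received: from forged.invalid ([203.0.113.99]) by mail1.example.net;
    Mon, 14 May 2007 06:00:00 -0400
From: "Cheap Meds" <promo@example.net>
Subject: constructed sample 1
""",
    """\
Received: from unknown ([192.0.2.77]) by gw.example.org with SMTP;
    Mon, 14 May 2007 07:05:00 -0400
From: offers@example.net
Subject: constructed sample 2
""",
    """\
Received: from host.example.com [198.51.100.7] by gw.example.org with SMTP;
    Mon, 14 May 2007 07:09:00 -0400
From: sales@example.com
Subject: constructed sample 3
""",
]

if __name__ == "__main__":
    for label, counter in summarize(SAMPLE_MESSAGES).items():
        print(label)
        for key, count in counter.most_common():
            print(f"  {count:4d}  {key}")
```

The reverse-DNS name counted here is the one the receiving server wrote into the Received line at delivery time; a live PTR lookup today may return something different.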
RE: [Declude.JunkMail] Header Information Util...
Because the emails I have left are from a range of times/dates, and they're on an Exchange server. I'd have to know what SMTP ID's I was looking for in the logs, which I'd need from the email header information, etc etc...

Karl Drugge
RE: [Declude.JunkMail] Header Information Util...
Message tracking won't tell me what specific email in an exchange email box is the one I am interested in. Maybe I'm not explaining myself.

After my Declude box filters over 23,000 emails, I have 1245 emails from Friday night until Monday AM on my exchange server. I manually sort these emails, winding up with roughly 118 left over verified SPAM emails. I'd like a tool I can run against these emails, in an Outlook mailbox, that will pull the info from the individual message headers.

I don't believe the server logs, on either server, are going to do a thing, since I'd need to know which message I was looking for, one of the 118 out of 1200 or 23000. Out of the emails that came in during the time period I am sampling, I'd need the SMTP ID, and I'd have to basically do what I am doing now, manually open each email header. I want to bypass this, and pull the data directly.

Karl Drugge
[Declude.JunkMail] Spam reduction ?
Anyone else seeing a major reduction in spam the past week ? I usually see about 14-15k messages daily, but since Monday have dropped off to about 8k... Did the recent arrests and law suits have a result this early ?

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003 ), C.C.N.A., Network+, A+

I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
This shouldn't be an issue for most of us. My DMZ boxes are already as hardened as I can get them, with the firewall ( ingress and egress ), patches, and IP filtering. I would think that most ISP's and corporate networks would be using the same techniques.

We gave up relying on M$ and other vendor patches keeping us safe. Our solution is to block all traffic except that which is explicitly needed by any server. Our DNS/SmarterMail/FTP server only has those ports exposed to the Internet that are absolutely needed. Management from inside to our DMZ is limited to a few workstations by the firewall. If someone needs to work from home, they have to VPN inside, hit a registered workstation/server, and THEN hit our DMZ boxes.

Convoluted, yes. PITA at times, sure. But it's pretty damn secure. 5 years and we haven't had a break yet ( crossing fingers ).

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Friday, April 13, 2007 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

While we are on the topic of vulnerabilities I just saw 2 new vulnerabilities found in clamav.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
Sent: Friday, April 13, 2007 12:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

You could do Microsoft's registry workaround if you are not using the remote management.

Mark Reimer
IT System Admin
American CareSource
972-308-6887

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, April 13, 2007 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

However, for ISP's that use MS DNS servers and do remote management from the inside - their customers could potentially exploit them. I have worked with folks who run services other than mail on their DNS servers. One example is FTP. With passive ftp high ports 1024+ need to be open both ways. So if they are using standard ACL's and not a firewall this could lead to some trouble as well.

Stateful firewalls don't need to open these ports for passive FTP. The FTP connection is established on the standard port after which the passive port is shared with the client and the firewall tracks this and allows the connection.

As a rule of thumb, RPC should never be exposed to untrusted IP space. It is also odd and possibly grossly incompetent of Microsoft to choose to use ports 1024+ for such purposes, but I'm thinking that they have some weakly justifiable reason to do this as a feature.

Matt
RE: [Declude.JunkMail] Filtering question
Yes I did. Nice program, very complete. It did just about anything you could imagine. But I found for what I needed, it did a bit too much. I ended up writing my own in VB, and then porting it to a web page ( in ASP ) with all the util's I run against the log files. Pretty much what my PERL scripts do that I release here occasionally. I even have a beta web site that allows adjusting the declude configs.

Send me an email and we can discuss off-line if you want.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Wednesday, March 21, 2007 2:27 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filtering question

Have you tried DLanalyzer?

http://www.invariantsystems.com/dlanalyzer/

There is a free version that you can use for evaluation.

---- Original Message ----
From: IS - Systems Eng. (Karl Drugge) [EMAIL PROTECTED]
Sent: Wednesday, March 21, 2007 9:35 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filtering question

Oh well, didn't think there was. I just wanted to get a statistical sampling of what I was deleting.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, March 21, 2007 9:01 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Filtering question

Hi Karl,

Unfortunately not, we don't count emails other than in the console.txt file

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
Sent: Wednesday, March 21, 2007 8:57 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Filtering question

I am trying to get some stats off of my Declude. It would help if I could set Declude to send me every fifth, or tenth, or one hundredth email that I have set to delete, or route-to. Is there a way to do this ?

Karl Drugge
[Declude.JunkMail] Filtering question
I am trying to get some stats off of my Declude. It would help if I could set Declude to send me every fifth, or tenth, or one hundredth email that I have set to delete, or route-to. Is there a way to do this ?

Karl Drugge
RE: [Declude.JunkMail] Filtering question
Oh well, didn't think there was. I just wanted to get a statistical sampling of what I was deleting.

Karl Drugge
RE: [Declude.JunkMail] dns attacks today
Those are not the only DNS attacks... TWC had one as well, I believe. One of their servers was knocked off the net two days ago. I was monitoring my DNS changes at network solutions, waiting for propagation and I kept getting random packet loss on it.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Wednesday, February 07, 2007 5:07 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] dns attacks today

fyi - http://www.darkreading.com/document.asp?doc_id=116685WT.svl=news2_1

-Nick
[Declude.JunkMail] SPAM reductions ?
Anyone seeing a reduction in incoming SPAM ? I've been looking at my morning reports, and my incoming mail is off by 30 percent or so for the past two weeks. Typically, I'll see 12-15k messages a day, but lately it's been 9-12k. I can't believe I'm the only lucky one...

Karl Drugge
RE: [Declude.JunkMail] SPAM reductions ?
Haven't used them in years. The SPAM reduction is a lot more recent.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Wednesday, January 31, 2007 11:55 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] SPAM reductions ?

Karl, maybe your spam slowdown is because of the lame delegation of two out of three of your DNS servers listed in your WHOIS.

http://www.dnsreport.com/tools/dnsreport.ch?domain=casselberry.org

How long have you not been using the DNS servers at twtelecom.net ?

Andrew.
[Declude.JunkMail] 20+ percent jump in SPAM
Guess they got the issues fixed in Asia that were keeping the spammers offline

Karl Drugge
[Declude.JunkMail] Anyone know of a tool....
Looking for a tool that works with Outlook/Exchange.. I'd like to be able to pull all the header info out of any messages in a particular folder.. like last-hop IP, domain name, that kind of stuff. Once a week, I copy all messages sent/rev'd in the past few days into a sort folder, and then manually check them all, deleting legit emails, to see what got through my filters. What I'm left with is 100% SPAM that made it into my Exchange box. I'd like a quick way to pull out the header info from all these messages and parse it for reverse DNS, sending domains, etc... Anyone know of something out there before I write my own ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Asaro Sent: Tuesday, January 09, 2007 5:13 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] all_list.dat ? It has been requested of Engineering that a new all_list.dat be build ASAP. You should have this in your hands soon. Chris A. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner Sent: Tuesday, January 09, 2007 4:30 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] all_list.dat ? David (or any Declude people that may be reading), Any chance of seeing a new all_list.dat any time soon, considering the current one has a date of 6 Jul 06, and considering the additional input from this recent thread? I'm starting to see false positives caused by weights I previously gave to IANA Reserved and RIPE Unlisted. Gary Original Message From: Jay Sudowski - Handy Networks LLC [EMAIL PROTECTED] Sent: Thursday, January 04, 2007 5:57 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] [IANA Reserved] ? Indeed. When we obtained our own IP space from ARIN, it was from 72/8, which had been released only about 6 months prior to it being assigned to us. 
You wouldn't believe the number of networks that were running with 72/8 in their bogons list and were entirely blocking traffic from our network... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Thursday, January 04, 2007 3:47 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] [IANA Reserved] ? I would be very careful with this. IANA just released (I believe in October) 96/8, 97/8, 98/8, 99/8. With the all_list.dat not being updated frequently I would tred very lightly in this area. Part of 96/8 has been handed out. Darrell Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers. - Original Message - From: S.J.Stanaitis [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, January 04, 2007 3:29 PM Subject: RE: [Declude.JunkMail] [IANA Reserved] ? Nice. Thanks, Sam SJ.Stanaitis - Network Administrator Decorative Product Source E-commerce Network -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, January 04, 2007 3:16 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] [IANA Reserved] ? sending hop only: COUNTRY 0 IS *R or all hops: COUNTRIES 0 CONTAINS *R - Original Message - From: S.J.Stanaitis [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, January 04, 2007 1:55 PM Subject: RE: [Declude.JunkMail] [IANA Reserved] ? Holy [EMAIL PROTECTED], that answers one question! Any idea how to incorporate the IANA Reserved thing into Declude? Thanks, Sam SJ.Stanaitis - Network Administrator Decorative Product Source E-commerce Network -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Thursday, January 04, 2007 2:37 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] [IANA Reserved] ? 
Here are my December totals for the odd-balls (COUNTRY IS test)

Country Name            CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM   OK
APNIC Unlisted                        97        97          0          0    0
ARIN Unlisted                       1426      1395         12          1   18
Central/South America                 89        89          0          0    0
European Union                      1804      1674          8          1  121
IANA Reserved                      11677     11428         91        118   39
Multi-Regional                        23        19          1          1    2
RIPE Unlisted                       1332      1330          1          1    0
Unknown                             4018      3938         13          3   64

#
# Special Codes
#
#*1 Multi-Regional
#*2 Europe
#*3 North America
#*4 Central/South America
#*5 Pacific Rim
#*A ARIN Unlisted (North America/South Africa)
#*B Public Data Network
#*E RIPE Unlisted (Europe, North Africa, Middle East)
#*I Private IP
#*L Loopback
#*M Multicast
#*P APNIC Unlisted (Asia Pacific)
#*R IANA Reserved
#*U Unknown
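The stale-list risk discussed in this thread (72/8 and 96/8 through 99/8 still weighted as IANA Reserved after being released), as an added example that is not Declude's code and was not posted to the list: it compares an old and a current snapshot of reserved blocks and reports which sending IPs only the old snapshot would penalise. The snapshot contents, the sample sender IPs and all function names are constructed for illustration; the real all_list.dat format is not shown on the page and is not parsed here.

```python
import ipaddress
from collections import Counter

# Constructed snapshots of "reserved" blocks. The prefixes 72/8 and 96/8-99/8
# are the ones named in the thread; putting them only in the stale snapshot is
# the assumption this illustration is built on. 240.0.0.0/4 stays reserved.
STALE_RESERVED = ["72.0.0.0/8", "96.0.0.0/8", "97.0.0.0/8",
                  "98.0.0.0/8", "99.0.0.0/8", "240.0.0.0/4"]
CURRENT_RESERVED = ["240.0.0.0/4"]

# Constructed sender IPs (not taken from any real log).
SAMPLE_SENDERS = ["72.10.20.30", "96.30.1.2", "99.1.2.3",
                  "240.1.1.1", "192.0.2.55", "not-an-ip"]


def load_networks(prefixes):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def released_prefixes(stale, current):
    """Prefixes the stale list still reserves but the current list no longer covers."""
    released = []
    for net in stale:
        covered = any(net.version == cur.version and net.subnet_of(cur)
                      for cur in current)
        if not covered:
            released.append(str(net))
    return released


def audit_senders(sender_ips, stale, current):
    """Classify each sender and count hits per stale prefix.

    reserved             -> flagged by the current list (a real hit)
    stale_false_positive -> flagged only because the old list was never refreshed
    clean                -> flagged by neither list
    invalid              -> not parseable as an IP address
    """
    report = {"reserved": [], "stale_false_positive": [], "clean": [], "invalid": []}
    stale_hits = Counter()
    for raw in sender_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            report["invalid"].append(raw)
            continue
        in_current = any(ip in net for net in current)
        stale_net = next((net for net in stale if ip in net), None)
        if in_current:
            report["reserved"].append(str(ip))
        elif stale_net is not None:
            report["stale_false_positive"].append(str(ip))
            stale_hits[str(stale_net)] += 1
        else:
            report["clean"].append(str(ip))
    return report, dict(stale_hits)


if __name__ == "__main__":
    stale = load_networks(STALE_RESERVED)
    current = load_networks(CURRENT_RESERVED)
    print("Released since the stale snapshot:", released_prefixes(stale, current))
    report, per_prefix = audit_senders(SAMPLE_SENDERS, stale, current)
    for label, ips in report.items():
        print("%-22s %s" % (label, ips))
    print("Stale hits per prefix:", per_prefix)
```

Running the same audit over the sender IPs of messages that scored on a reserved-range test shows how much of that weight comes from entries that are no longer reserved.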
Re[2]: [Declude.JunkMail] OT: Message Storage
EXACTLY why we have the city attorney and another legal specialist helping to formulate our own new policy. Best to invest some real $$$ now, before we get sued for our ignorance ( and ) later. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Sunday, December 17, 2006 1:46 PM To: Matt Subject: Re[2]: [Declude.JunkMail] OT: Message Storage /snip In summary: you still don't know about e-mail archival for compliance purposes. Thanks for sharing. --Sandy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Message Storage
True, I'm covered by different laws.. But in regards to keeping 'legal', in all senses of the word, especially when you are discussing 'home grown' versus 'off the shelf' solutions, it would be best to consult legal advisors before implementing anything. If you aren't sure, get advice. If you are sure, get it in writing. I was private sector long before I converted to government, and still keep some of those clients. Most of my clients would much rather have a lawyers sign off, especially if it's going to help them avoid a lawsuit later. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, December 18, 2006 12:48 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Message Storage Karl, We were specifically talking about SOX (Sarbanes-Oxley) compliance, which have no legal applicability to your own needs. Your needs are governed by Florida's Government-in-the-Sunshine laws which allow for public inspection of most records. Matt IS - Systems Eng. (Karl Drugge) wrote: EXACTLY why we have the city attorney and another legal specialist helping to formulate our own new policy. Best to invest some real $$$ now, before we get sued for our ignorance ( and ) later. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Sunday, December 17, 2006 1:46 PM To: Matt Subject: Re[2]: [Declude.JunkMail] OT: Message Storage /snip In summary: you still don't know about e-mail archival for compliance purposes. Thanks for sharing. --Sandy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. 
RE: [Declude.JunkMail] OT: Message Storage
Gotta love that picture Keeping it for my personal laptop back ground. I'll agree with you 99%.. I hate lawyers with a passion, and excepting the miniature French poodle and HR personnel, they are loathed beyond all else. But, in doing a risk assessment, factors like the possible cost of a possible law suit is something that should be considered. A hospital is a good example. Regardless of what the I.T. team is doing ( for good or ill ), it's a good idea to get the advice of a legal professional. Just one suit will offset the cost of hundreds of consultations. It's not always possible, especially in the smaller firms, to CYA in this fashion, but a sign off from above works just as well. As IT management, I stress that we offer the company technical solutions. What we CAN do is very different in most cases, from what we SHOULD do. The SHOULD do part comes from written company policy. Written company policy needs impartial review, from as many perspectives as possible. Medical/Legal/Financial records all have different retention requirements. This includes emails which pertain to these records ( or even have them imbedded ). So, how do you handle your archives then ? Keeping ALL the emails will get you fried if you have expunged records in your archives ( if you're an attorney ). Who sorts these emails for relevant information to determine if they even should be stored ? SOX doesn't require I keep emailed pictures of my 5 year old nieces B'day party.. So do you check each one individually ?! Yargh ! Leave it up to the end users ? Oh boy... So, why do ( or don't ) you have these records ? Company policy will be the only thing that keeps you as the email admin from getting thrown under the bus. Easy, company policy dictates it. You're off the hook. Remember, when the witch hunt ends, you don't want to be the one wearing the pointy hat. Apologies for the hijacked thread... 
Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, December 18, 2006 2:36 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Message Storage Karl, The problem is assuming that keeping it 'legal' involves lawyers for instance. The Sarbanes-Oxley Act of 2002 was enacted by Congress and the responsibility for clarifying the law into workable practices was assigned to PCAOB (The Public Company Accounting Oversight Board, created by Sarbanes-Oxley), and signed off on by the SEC. It is the responsibility of independent auditors to verify compliance and report it's findings to the board of directors, who are ultimately responsible for the companies in question. . . Lots of good stuff . . . Matt IS - Systems Eng. (Karl Drugge) wrote: True, I'm covered by different laws.. But in regards to keeping 'legal', in all senses of the word, especially when you are discussing 'home grown' versus 'off the shelf' solutions, it would be best to consult legal advisors before implementing anything. If you aren't sure, get advice. If you are sure, get it in writing. I was private sector long before I converted to government, and still keep some of those clients. Most of my clients would much rather have a lawyers sign off, especially if it's going to help them avoid a lawsuit later. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Monday, December 18, 2006 12:48 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Message Storage Karl, We were specifically talking about SOX (Sarbanes-Oxley) compliance, which have no legal applicability to your own needs. Your needs are governed by Florida's Government-in-the-Sunshine laws which allow for public inspection of most records. Matt IS - Systems Eng. (Karl Drugge) wrote: EXACTLY why we have the city attorney and another legal specialist helping to formulate our own new policy. 
Best to invest some real $$$ now, before we get sued for our ignorance ( and ) later. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman Sent: Sunday, December 17, 2006 1:46 PM To: Matt Subject: Re[2]: [Declude.JunkMail] OT: Message Storage /snip In summary: you still don't know about e-mail archival for compliance purposes. Thanks for sharing. --Sandy --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http
[Declude.JunkMail] List up ?
List up ? Nothing in a day or so Karl Drugge
[Declude.JunkMail] blklst ON statistics...
Interesting.. I ran some scripts against the blklst.txt file, and it shows I am already blocking the most active connections. About the only thing I can really see, is that the SPAM is coming from hundreds of IP's, with only a few from each one. I was kind of shocked by the extent of it, figuring that I'd see numerous IP's over 100 in a 12 hour period. But 8300+ IP's, and only 10 or so above 10 connections. Wow. Talk about distributed ! Script attached, PERL again, edit the top to fit your environment, as usual. Output below..

Total IP's : 8381

Hits  IP Address       HostName
54    61.50.229.194    61.50.229.194
25    70.108.157.156   pool-70-108-157-156.washdc.east.verizon.net
23    82.173.173.230   ip230-173-173-82.adsl2.versatel.nl
22    151.49.24.185    adsl-ull-185-24.49-151.net24.it
22    88.154.136.186   bzq-88-154-136-186.red.bezeqint.net
14    202.175.165.198  n17z165l198.broadband.ctm.net
12    66.151.234.151   ccm14.constantcontact.com
11    59.115.100.197   59-115-100-197.dynamic.hinet.net
11    66.151.234.153   ccm16.constantcontact.com
8     201.9.194.141    201009194141.user.veloxzone.com.br
8     213.207.242.147  213.207.242.147
8     220.133.25.238   220-133-25-238.hinet-ip.hinet.net
8     66.91.4.132      cpe-66-91-4-132.hawaii.res.rr.com
7     169.139.180.120  mail.scps.k12.fl.us
7     202.175.95.171   z95l171.static.ctm.net
7     219.155.156.139  hn.kd.pix
7     66.104.31.195    ip66-104-31-195.z31-104-66.customer.algx.net
6     125.33.74.167    125.33.74.167
6     208.254.21.131   crozier.missingkids.com
6     222.217.118.250  222.217.118.250
6     59.45.98.255     59.45.98.255

Karl Drugge B.S.I.T., A.S., M.C.S.E. (NT 4, 2k, 2k3), M.C.S.A. (2k + 2k3), C.C.N.A., Network+, A+ I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )

decblklst.pl Description: decblklst.pl
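The per-IP tally described in the message above, as an added example that is not the attached decblklst.pl and not Declude's code: it reads the "IP weight" entries that BLKLST ON is said to write, counts hits per address, and goes one step beyond the post by also grouping hits per /24, where widely distributed senders that stay under a per-IP threshold can still add up. The one-entry-per-line layout, the thresholds, the sample data and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict


def build_sample():
    """Constructed blklst.txt content using documentation address ranges."""
    lines = ["198.51.100.7 %d" % (20 + i) for i in range(12)]   # one busy source, 12 hits
    lines += ["203.0.113.%d 15" % host for host in range(1, 21)]  # 20 sources, 1 hit each
    lines += ["192.0.2.9 8", "192.0.2.9 12"]
    lines += ["garbage line", "999.1.1.1 5", "192.0.2.10 high"]   # malformed entries
    return "\n".join(lines)


def parse_blklst(text):
    """Return ([(IPv4Address, weight), ...], skipped_line_count)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            if len(fields) != 2:
                raise ValueError("expected 'IP weight'")
            entries.append((ipaddress.IPv4Address(fields[0]), int(fields[1])))
        except ValueError:  # bad field count, bad address or non-numeric weight
            skipped += 1
    return entries, skipped


def summarize(entries, busy_threshold=10, top_n=3):
    """Per-IP and per-/24 hit statistics for parsed blklst entries."""
    hits, weight_sum = Counter(), Counter()
    for ip, weight in entries:
        hits[ip] += 1
        weight_sum[ip] += weight

    # Most active addresses first; ties broken by numeric address order.
    ranked = sorted(hits, key=lambda ip: (-hits[ip], ip))
    top = [(str(ip), hits[ip], weight_sum[ip] / hits[ip]) for ip in ranked[:top_n]]
    total_hits = sum(hits.values())

    # Group by /24 so many low-volume neighbours show up as one busy block.
    subnet_hits, subnet_ips = Counter(), defaultdict(set)
    for ip, count in hits.items():
        net = ipaddress.ip_network("%s/24" % ip, strict=False)
        subnet_hits[net] += count
        subnet_ips[net].add(ip)
    busy_subnets = sorted(
        (str(net), subnet_hits[net], len(subnet_ips[net]))
        for net in subnet_hits if subnet_hits[net] > busy_threshold)

    return {
        "total_ips": len(hits),
        "total_hits": total_hits,
        "busy_ips": sum(1 for c in hits.values() if c > busy_threshold),
        "top": top,
        "top_share": round(sum(h for _, h, _ in top) / total_hits, 3) if total_hits else 0.0,
        "busy_subnets": busy_subnets,
    }


if __name__ == "__main__":
    entries, skipped = parse_blklst(build_sample())
    stats = summarize(entries)
    print("Total IPs: %d  hits: %d  skipped lines: %d"
          % (stats["total_ips"], stats["total_hits"], skipped))
    print("IPs above threshold:", stats["busy_ips"])
    for ip, count, avg in stats["top"]:
        print("%-4d %-16s avg weight %.1f" % (count, ip, avg))
    print("Share of hits from top addresses:", stats["top_share"])
    for net, count, members in stats["busy_subnets"]:
        print("%-18s %d hits from %d addresses" % (net, count, members))
```

In the constructed sample only one address crosses the per-IP threshold, while the /24 view surfaces a second block whose twenty addresses each sent a single message.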
RE: [Declude.JunkMail] New Reporting Tool
Try dragging down the script again. Maybe it didn't copy right to your HD ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lists - Declude JunkMail Sent: Tuesday, December 12, 2006 3:07 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New Reporting Tool I've got ActiveState Perl 5.8.8 bld 819 installed and working. I use perl for all sorts of other scripts with no issues. I'm not sure what Regex is. I thought it was part of your code. I don't see a perl package install called Regex. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Posted At: Monday, December 11, 2006 4:33 PM Posted To: Lists - Declude JunkMail Conversation: [Declude.JunkMail] New Reporting Tool Subject: RE: [Declude.JunkMail] New Reporting Tool What's Regex ? Do you have PERL installed ? A 20 meg log file shouldn't matter... Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lists - Declude JunkMail Sent: Thursday, December 07, 2006 4:29 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New Reporting Tool Thanks so much for this! I tried it out and it errors out as follows: File path : g:/logarchive/ Processing a single day Opening File : g:/logarchive/dec1206.log . Sorting arrays and cleaning up data Unmatched [ in regex; marked by -- HERE in m/[ -- HERE weight/ at f:\tools\dis tro-declog.pl line 443. My log is 20mb if that matters. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Posted At: Thursday, December 07, 2006 1:53 PM Posted To: Lists - Declude JunkMail Conversation: New Reporting Tool Subject: [Declude.JunkMail] New Reporting Tool The newest PERL script. Slices, dices, etc ... Throw it in a directory, edit a few environment variables at the top of the script, dump in a few Declude logs, run it, enjoy. Requires PERL, of course. 
Added two command line switches : 'day' and 'week' . Day does the previous day, week does the previous week. No command line switch, and you do all the logs in the directory. This can be memory intensive... You have been warned ! My own server, with 11-13k log files, consumes 700+ megs of memory when doing an entire month. Folks with larger files might want to think about doing this many files at once. Karl Drugge
RE: [Declude.JunkMail] blklst ON
This keeps track of all emails processed ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, December 11, 2006 5:12 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] blklst ON I must have posted the global.cfg sorry, if it is working in the declude.cfg then that's where it should go. Hey I said it was undocumented ;) David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen King Sent: Monday, December 11, 2006 4:47 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] blklst ON I just tried entering blklst on in declude.cfg instead of global.cfg and the file is now being populated. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, December 11, 2006 4:28 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] blklst ON Yes, I scanned the whole drive for blklst.txt and found none. Declude 4.3.23 on Imail 2006.1 - Original Message - From: David Barker mailto:[EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Monday, December 11, 2006 3:03 PM Subject: RE: [Declude.JunkMail] blklst ON Did you check your \Spool ? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, December 11, 2006 3:15 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] blklst ON I tried 'blklst on' in the global.cfg and no file was created - Scott Fisher Director of IT Farm Progress Companies 191 S Gary Ave Carol Stream, IL 60188 630-462-2323 This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. 
Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.
RE: [Declude.JunkMail] New Reporting Tool
What's Regex ? Do you have PERL installed ? A 20 meg log file shouldn't matter... Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lists - Declude JunkMail Sent: Thursday, December 07, 2006 4:29 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] New Reporting Tool Thanks so much for this! I tried it out and it errors out as follows: File path : g:/logarchive/ Processing a single day Opening File : g:/logarchive/dec1206.log . Sorting arrays and cleaning up data Unmatched [ in regex; marked by -- HERE in m/[ -- HERE weight/ at f:\tools\dis tro-declog.pl line 443. My log is 20mb if that matters. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Posted At: Thursday, December 07, 2006 1:53 PM Posted To: Lists - Declude JunkMail Conversation: New Reporting Tool Subject: [Declude.JunkMail] New Reporting Tool The newest PERL script. Slices, dices, etc ... Throw it in a directory, edit a few environment variables at the top of the script, dump in a few Declude logs, run it, enjoy. Requires PERL, of course. Added two command line switches : 'day' and 'week' . Day does the previous day, week does the previous week. No command line switch, and you do all the logs in the directory. This can be memory intensive... You have been warned ! My own server, with 11-13k log files, consumes 700+ megs of memory when doing an entire month. Folks with larger files might want to think about doing this many files at once. Karl Drugge --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
[Declude.JunkMail] New Reporting Tool
The newest PERL script. Slices, dices, etc ... Throw it in a directory, edit a few environment variables at the top of the script, dump in a few Declude logs, run it, enjoy. Requires PERL, of course. Added two command line switches : 'day' and 'week' . Day does the previous day, week does the previous week. No command line switch, and you do all the logs in the directory. This can be memory intensive... You have been warned ! My own server, with 11-13k log files, consumes 700+ megs of memory when doing an entire month. Folks with larger files might want to think about doing this many files at once. Karl Drugge Distro-declog.pl Description: Distro-declog.pl
RE: [Declude.JunkMail] Undocumented Directive 4.x
Running the newest, and still nothing... Is it in a later, or the current BETA, versions ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, December 04, 2006 2:17 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Undocumented Directive 4.x Mmm maybe I had them put it in a bit later. I think it is definitely in 4.3.14 ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Monday, December 04, 2006 2:11 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Undocumented Directive 4.x Running v4.3.7 for SmarterMail, and I don't have any blklst.txt file anywhere on my disk Do I need to upgrade to a newer version ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, December 04, 2006 12:58 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Undocumented Directive 4.x Just an FYI you may find it useful, in the global.cfg: BLKLST ON Writes a text file to the \spool\blklst.txt containing the IP and weight of emails eg. 1.1.1.1 23 2.2.2.2 7 David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. 
RE: [Declude.JunkMail] Undocumented Directive 4.x
Running v4.3.7 for SmarterMail, and I don't have any blklst.txt file anywhere on my disk Do I need to upgrade to a newer version ? Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Monday, December 04, 2006 12:58 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Undocumented Directive 4.x Just an FYI you may find it useful, in the global.cfg: BLKLST ON Writes a text file to the \spool\blklst.txt containing the IP and weight of emails eg. 1.1.1.1 23 2.2.2.2 7 David Barker Director of Product Management Your Email security is our business 978.499.2933 office 978.988.1311 fax [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
FW: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Hadn't really thought of selling it myself. Give me a few days to get my Exchange box 100% functional, and we'll see. I'd need to make a few changes since I hard coded log file locations and a few other things. Karl Drugge -Original Message- From: Craig Edmonds [mailto:[EMAIL PROTECTED] Sent: Thursday, November 02, 2006 3:45 PM To: IS - Systems Eng. (Karl Drugge) Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Importance: High Hi Karl, I have to ask Off List and hope you don't mind. Would you consider selling me a copy or a license? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED] LEGAL DISCLAIMER - This message may contain confidential, proprietary or legally privileged information and is intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby informed that you must not use, disseminate, copy it in any form or take any action in reliance on it. If you have received this message in error please delete it and any copies of it and notify it to the sender. AVISO LEGAL - Este mensaje puede contener informacion confidencial, en propiedad o legalmente protegida y esta dirigida unicamente para el uso de la persona destinataria. Si usted no es la persona destinataria de este mensaje, por la presente se le comunica que no debe usar, difundir, copiar de ninguna forma, ni emprender ninguna accion en relacion con ella. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, November 02, 2006 9:35 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Wrote it myself ! Kind a 'swiss army knife' for the logs.. Summary report for rules, and the old What happened to Aunt Martha's email she sent me from Tibet. Typical stuff in the daily life of a Declude admin. 
It doesn't do everything some of the others do, but more than enough for me and my friends. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Thursday, November 02, 2006 1:20 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Importance: High Hi, Where did you get the declude log reader from? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, November 02, 2006 7:13 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Results ! 92.9 percent delete rate... Doing my monthly checkup on how my rules are working, and was blown away at the actual amount I am getting. 11 thousand a day ? Damn, we only have 250 employees ! Anyone else seeing this upswing ? Two-three months ago I was getting 6 thousand a day.. The new version of Declude is rocking.. Check it outhttp://www.casselberry.org/results.bmp Karl Drugge --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] SmarterMail Problem...
Wow ! FUN weekend ! Internal Exchange server lost two drives simultaneously on a RAID 5 stripe early Friday... Then on rebuild started dropping random drives. Needless to say, Dell backplanes are a little hard to come by on a weekend. Anyway, after we get the Exchange box back Saturday, it turns out SmarterMail only mailbags for 2 hours.. anyone know how to fix this before I attempt a call to smartertools ? I haven't been impressed with their support line in the past. Karl Drugge
RE: [Declude.JunkMail] Results ! 92.9 percent delete rate...
Wrote it myself ! Kind a 'swiss army knife' for the logs.. Summary report for rules, and the old What happened to Aunt Martha's email she sent me from Tibet. Typical stuff in the daily life of a Declude admin. It doesn't do everything some of the others do, but more than enough for me and my friends. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Thursday, November 02, 2006 1:20 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Results ! 92.9 percent delete rate... Importance: High Hi, Where did you get the declude log reader from? Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge) Sent: Thursday, November 02, 2006 7:13 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Results ! 92.9 percent delete rate... Doing my monthly checkup on how my rules are working, and was blown away at the actual amount I am getting. 11 thousand a day ? Damn, we only have 250 employees ! Anyone else seeing this upswing ? Two-three months ago I was getting 6 thousand a day.. The new version of Declude is rocking.. Check it outhttp://www.casselberry.org/results.bmp Karl Drugge --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Analyzing junkmail log files
I did DL a copy some time ago, and it didn't really fit my needs, hence writing my own. Not to say DLAnalyzer isn't a good product, but for the 4 or 5 things I need done on a regular basis, mine works better for me and my site. If I was running multiple servers, or needed some of the advanced options you offer, it would be a different story. Mine basically grew out of a PERL script I wrote way back for declude 1.6x.. 5 or 6 quick buttons for the junior admins ( AKA Monkeys ) to push when they need some info on why email did/didn't get where it was supposed to.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Wednesday, September 20, 2006 5:33 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Analyzing junkmail log files

Karl,

I would recommend DLAnalyzer - (since it's our product). It can process both virus and junkmail logs, process multiple days, process multiple servers, email capability, as well as providing all types of reports. It is compatible with past and current versions of Declude.

Here is a link to all the reports. http://www.invariantsystems.com/dlanalyzer/reportsamples.htm

We also have a free version that covers the basic features you were used to with Delog.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Karl Hentschel writes:

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically. Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
RE: [Declude.JunkMail] Analyzing junkmail log files
I've been using my own, written in VB.net . Quick and dirty, but it gets the job done. Been thinking of porting it to run under a web page and selling it for cheap if there was an interest.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karl Hentschel
Sent: Wednesday, September 20, 2006 4:22 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Analyzing junkmail log files

Up until upgrading from Declude 2.06 to 3.11 I had been using delog 1.08b from imagefxonline for analyzing my junkmail log files. After the upgrade it no longer works. Delog was a simple tool that emailed me daily and gave statistics for all the tests. From this I could determine which were the most effective.

Does anybody have a suggestion for a replacement program to analyze junkmail log files that can email the results automatically. Which program has been the most successful? Or has anyone been successful using delog with declude 3.11?

Thanks
RE: [Declude.JunkMail] Way to filter bogus FRMOM domains ?
I was using a FROMFILE, subtracting a fairly large amount, and was getting stuff past it with from the forging domains. Obviously, not the best way to do it, but it worked well for the past few years. I've got two new files using the suggestions from yesterday, one for GOOD-REVDNS adding a negative value, and one for BAD-REVDNS adding a good amount of points. Makes for better readability in the headers.

Is there another test that compares the REVDNS and Sender's domain to check for a match ? Like the SPAMDOMAINS test without having to make a text file ? Not a killer test, but definitely worth a few points.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, September 18, 2006 5:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Way to filter bogus FRMOM domains ?

You didn't mention exactly on how you are letting in .gov, .us, .edu? Are you just checking via a fromfile or whitelist? If so I would shift that to negative weighting on reverse dns.

REVDNS -x endswith .edu

If you have to let it in - seem like the revdns might be a better fit.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

IS - Systems Eng. (Karl Drugge) writes:

I've been trying to filter some SPAM that is using a false FROM domain. Stuff is coming from overseas ( spammachine.spamsite.spammer.pl [99.99.99.99] ), but is using a false from domain, such as ( [EMAIL PROTECTED] ). This stuff would fail, except DECLUDE shows it as coming from a .edu, and clears it ( assigns the appropriate negative value, I should say ).

Now, for reasons I won't go into here, I HAVE to allow all mail from .edu domains, as well as .gov, and .us... I can't bounce it, and I have no other way to pre-allow email from some junior college in upper southern north Dakota...

Any help on this ?

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, September 18, 2006 12:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Disk pattern 0xDF in files - Microsoft confirms KB920958 bug!

And it made its appearance over at the SANS Internet Storm Center handler's log:

http://isc.sans.org/diary.php?storyid=1711

In short, Microsoft has admitted that there is a problem and updated their advisory and also provided a hotfix.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Tuesday, September 12, 2006 7:16 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files - Microsoft confirms KB920958 bug!

Andy,

Not sure if you saw it but this issue was brought up on Slashdot yesterday, so it got some exposure.

Heimir

Andy Schmidt wrote:

Hi,

I finally was able to get a confirmation from Microsoft Support yesterday afternoon (case: SRZ060911001854)

We are aware the issue you are experiencing. A corresponding bugcheck request is currently open, and the develop team is working on this issue. However, the hotfix for this issue is not ready. 0xDF is the data pattern that NTFS returns when it has problem to decompress the file (eg. the compression fragments are corrupted and can't be decompressed). Based on my research, the actual raw data on the disk is not changed, it shows as 0xDF because the system cannot decompress the file and display the data correctly. So the corrupt is not permanent. Further more, the issue only occurs on files which containing Hexadecimal codes.

Apparently, Microsoft decided not to warn people about this problem - no comment has been added to KF920958 warning people which system configurations will cause data loss (who cares if it's not permanent if you can't use your data for a few months).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Thursday, August 24, 2006 03:21 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files - KB920958 may be bad!

Answers below.

Andy Schmidt wrote:

Hi Heimir:

I've been running a number of tests, am in contact with a third Microsoft customer and some pattern seems to emerge. I also have a lead to a questionable Hotfix, but I'm trying to qualify that first.

Can we first compare your systems to see what's the same (and may be relevant) and what's different
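The check Karl asks about in the thread above (does the reverse DNS of the connecting host agree with the sender's domain, and is a trusted .edu/.gov/.us credit earned by the REVDNS rather than by the forgeable From address) can be sketched as follows. This is an added example, not Declude code or anything posted to the list: the weights, the test names FORGED-TRUSTED-FROM and REVDNS-SENDER-MISMATCH, the sample addresses and the naive two-label domain comparison are all assumptions.

```python
from email.utils import parseaddr

# Suffixes Karl must accept mail from (taken from the thread).
TRUSTED_SUFFIXES = (".edu", ".gov", ".us")

# Assumed weights: negative is credit, positive is spam points.
GOOD_REVDNS = -10             # REVDNS itself ends in a trusted suffix
FORGED_TRUSTED_FROM = 10      # From claims a trusted suffix, REVDNS does not
REVDNS_SENDER_MISMATCH = 3    # "not a killer test, but worth a few points"


def _norm(host):
    """Lower-case a host name and drop whitespace and any trailing dot."""
    return (host or "").strip().rstrip(".").lower()


def sender_domain(from_header):
    """Return the domain of a From header value, or '' if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return _norm(addr.rsplit("@", 1)[1])


def registered_domain(host):
    """Naive registered domain: the last two labels.

    A production check would consult the Public Suffix List; names such as
    ci.town.fl.us are not handled correctly by this shortcut.
    """
    labels = _norm(host).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def is_trusted(host):
    return _norm(host).endswith(TRUSTED_SUFFIXES)


def score_message(revdns, from_header):
    """Return (total_weight, [test names that fired]) for one message."""
    rdns = _norm(revdns)
    dom = sender_domain(from_header)
    hits = []

    if rdns and is_trusted(rdns):
        # Credit is keyed on the connecting host, which a spammer cannot
        # choose freely, instead of on the From address.
        hits.append(("GOOD-REVDNS", GOOD_REVDNS))
    elif dom and is_trusted(dom):
        # From says .edu/.gov/.us but the connecting host does not.
        hits.append(("FORGED-TRUSTED-FROM", FORGED_TRUSTED_FROM))

    if not rdns or not dom or registered_domain(rdns) != registered_domain(dom):
        hits.append(("REVDNS-SENDER-MISMATCH", REVDNS_SENDER_MISMATCH))

    return sum(w for _, w in hits), [n for n, _ in hits]


if __name__ == "__main__":
    # Constructed samples; the first REVDNS is the placeholder from the thread.
    samples = [
        ("spammachine.spamsite.spammer.pl", "someone@example.edu"),
        ("mail.example.edu", '"Registrar" <registrar@example.edu>'),
        ("relay.example.net", "bob@example.com"),
        ("", "someone@example.edu"),
    ]
    for revdns, sender in samples:
        print(revdns or "(no REVDNS)", sender, score_message(revdns, sender))
```

The mismatch test stays at a low weight because legitimate mail relayed through a hosting provider also fails it.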
RE: [Declude.JunkMail] Spam Spike
Getting pelted here... Mostly from cinci.rr.com...

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 19, 2006 2:29 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam Spike

I say about 25% more spam yesterday than last Monday (9-11)

----- Original Message -----
From: Chris Anton [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, September 19, 2006 11:31 AM
Subject: [Declude.JunkMail] Spam Spike

Hi All,

We have recently gone from processing 30,000 emails daily to 85,000 daily. 75,000 are getting caught by Declude Message Sniffer (I love this combo). There are a total of 300,000 attempted RCPT TOs daily.

1) Has anyone experienced recent spikes like this? How can I reasonably handle this? I have run several analytics and found that these emails are not targeting a specific user or specific domain. Additionally, there are no blocks of IPs that are responsible.

2) What are the realistic limits of Imail / Declude / Message Sniffer (I KNOW this is platform specific, just looking for ballpark).

3) What can I do to squeeze out more juice from this server?

Software: IMail 8.22 (because we are still scared of 2006), Declude Virus and Junkmail 2.0.6, and Sniffer most recent version
Hardware: Windows Server 2003 box with a 3 ghz XEON, and 1 Gig ram.

Thanks for the help!

-Chris

--
Best Regards,
Chris Anton
Web Solutions, Inc.
Tel: 203-235- x25
[EMAIL PROTECTED]
www.websolutions.net
[Declude.JunkMail] Way to filter bogus FRMOM domains ?
I've been trying to filter some SPAM that is using a false FROM domain. Stuff is coming from overseas ( spammachine.spamsite.spammer.pl [99.99.99.99] ), but is using a false from domain, such as ( [EMAIL PROTECTED] ). This stuff would fail, except DECLUDE shows it as coming from a .edu, and clears it ( assigns the appropriate negative value, I should say ).

Now, for reasons I won't go into here, I HAVE to allow all mail from .edu domains, as well as .gov, and .us... I can't bounce it, and I have no other way to pre-allow email from some junior college in upper southern north Dakota...

Any help on this ?

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Monday, September 18, 2006 12:33 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] OT: Disk pattern 0xDF in files - Microsoft confirms KB920958 bug!

And it made its appearance over at the SANS Internet Storm Center handler's log:

http://isc.sans.org/diary.php?storyid=1711

In short, Microsoft has admitted that there is a problem and updated their advisory and also provided a hotfix.

Andrew.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Tuesday, September 12, 2006 7:16 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files - Microsoft confirms KB920958 bug!

Andy,

Not sure if you saw it but this issue was brought up on Slashdot yesterday, so it got some exposure.

Heimir

Andy Schmidt wrote:

Hi,

I finally was able to get a confirmation from Microsoft Support yesterday afternoon (case: SRZ060911001854)

We are aware the issue you are experiencing. A corresponding bugcheck request is currently open, and the develop team is working on this issue. However, the hotfix for this issue is not ready. 0xDF is the data pattern that NTFS returns when it has problem to decompress the file (eg. the compression fragments are corrupted and can't be decompressed). Based on my research, the actual raw data on the disk is not changed, it shows as 0xDF because the system cannot decompress the file and display the data correctly. So the corrupt is not permanent. Further more, the issue only occurs on files which containing Hexadecimal codes.

Apparently, Microsoft decided not to warn people about this problem - no comment has been added to KF920958 warning people which system configurations will cause data loss (who cares if it's not permanent if you can't use your data for a few months).

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Thursday, August 24, 2006 03:21 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] OT: Disk pattern 0xDF in files - KB920958 may be bad!

Answers below.

Andy Schmidt wrote:

Hi Heimir:

I've been running a number of tests, am in contact with a third Microsoft customer and some pattern seems to emerge. I also have a lead to a questionable Hotfix, but I'm trying to qualify that first.

Can we first compare your systems to see what's the same (and may be relevant) and what's different:

A) Disks are defined as dynamic
   Dynamic
B) Disks are software mirrored using Win2k Disk Administration
   no
C) The folders with the problem files have the compression attribute set!
   yes.
D) Did the problem occur at some point after KB920958 was installed?
   yes, I think so.
E) Do the corrupted files have a content of all 0xDF (it looks a little like an uppercase B, the German special s, or like the Beta character)
   Yes
F) Does it appear as if only NEW files are affected?
   no, old files as well. BUT I think defrag ran this weekend and that would have moved some files - if that matters.
G) Does it appear as if only files are affected that are close to a multiple of 4K?
   Yes.

I broke the mirrors on my affected two servers and ran ChkDsk /F.

On one server, ONE disk ChkDsk reported errors (including the files that I knew were corrupted) - virtually all of them were image file types. I reran the ChkDsk and it did NOT find errors. I then tried the second disk of the mirror and it found no errors at all. I then reestablished the mirrors and my client continues to have problems with new files.

On the second server, I broke the mirror, again, the ChkDsk /F repaired a long list of errors. I did NOT reestablish the mirror and did not put that disk back in service.

Please contribute to the thread in the Microsoft newsgroup:
RE: [Declude.JunkMail] Max whitelists hit
Maybe you don't really want to whitelist

What we do here is use a FROMFILE, and assign a large negative point value to all domains or individuals on that list. We still suffer with forged return addresses, but that's fairly minimal. It tends to work a little bit better than whitelists, IMO. This lets you pass the mail, but it still runs the tests you have defined in declude to filter out the really horrendous stuff, or at least explain WHY stuff did or didn't get through.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Friday, July 28, 2006 11:15 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Importance: High
Sensitivity: Confidential

Thanks John, but Authentication is not an option right now and I will suffer the few forged addresses that come through.

I did not realise that there was a limit to the amount of domains I can put in the whitelist and it's worked until now whilst testing it with a few domains but with a long list of 500 domains it does not work properly, when really it should.

Without posting really really confidential information here, I need to be able whitelist, the same way that I can blacklist.

I have one guy at domainA.com trying to send to another guy at domainB.com and both domains are on the same server. domainB.com is not getting the emails because domainA.com's ip address where they are located is blacklisted quite badly and the email when sent through our server is given a score of 48, which means any email that domainA.com sends to domainB.com gets put in the spam hold queue.

Right now I need to be able to use the whitelisting functionality of declude.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Friday, July 28, 2006 4:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Sensitivity: Confidential

1. Sorry, your email was not considered confidential and has been included in a public archive for all to see.

2. As I said before, please stop using the silly white listing of a domain. Haven't you heard of forged addresses?

3. Please review your configuration and correct the problem causing your clients outbound email to be scanned. What you are doing is a workaround, not fixing the actual problem. You will have to bite the bullet and start forcing your users to authenticate and in doing so can easily whitelist based upon the fact that they authenticated.

John T
eServices For You
Seek, and ye shall find!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds
Sent: Friday, July 28, 2006 5:28 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Importance: High
Sensitivity: Confidential

Hi David,

It kind of works. In C:\IMAIL\Declude\$default$.junkmail I have placed the following line:

WHITELISTFILE C:\IMAIL\Declude\Filters\whitelist.txt

The file at C:\IMAIL\Declude\Filters\whitelist.txt contains a list of email addresses in the following format:

@123-reg.co.uk
@tapiz.com.ar
@redhothomes.co.uk
@cloudninemurcia.com
@cloudninemarbella.com

(there is about 500 domains I am whitelisting at the moment)

I am sitting here watching the log file (btw, I am using a programme called BareTail which absolutely rocks when you want to look at live log files http://www.baremetalsoft.com) and it seems that it's whitelisting some domains listed in the whitelist.txt file but still passes many of the domains in the whitelist file through the declude spam filter. This results in many of my clients' emails being held in the spam folder.

Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Thursday, July 27, 2006 3:40 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Max whitelists hit
Sensitivity: Confidential

Yes, in the global.cfg there is a limit. If you need to have unlimited whitelist entries, or if you need per-user or per-domain whitelisting, you may find the WHITELISTFILE option helpful. To use this option, you need to add a line in the format

WHITELISTFILE D:\{MAILSERVER}\Declude\mywhitelist.txt

to the appropriate configuration file (\{MAILSERVER}\Declude\$default$.JunkMail, or the per-user/per-domain configuration file you wish to use the whitelists with). The D:\{MAILSERVER}\Declude\mywhitelist.txt file would then contain either one E-mail address ([EMAIL PROTECTED]) or domain (@example.com) or subdomain (.example.com) per line. The whitelist files can have unlimited entries in them.

Note that the file you use with the WHITELISTFILE option does NOT use the same
RE: [Declude.JunkMail] 4.3 Upgrade
John,

I had some of the same issues, and cured all leakage by disabling Hi-Jack. Give it a shot.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
Sent: Monday, July 24, 2006 1:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] 4.3 Upgrade

Mark

I upgraded last week. I'd had a leakage issue with 4.2 build 12 and went back to 4.09. I have had no problems since going back up to 4.3. I'm running Imail 8.22 hf2

On an unrelated issue. My AVG virus defs were not getting updated. It took a while to troubleshoot, but I got great support from Linda and David to resolve it. Turns out our firewall was blocking the outgoing/incoming tcp traffic on port 25 to declude servers. We allowed traffic to and from their servers and it started working. We use a watchguard firewall and it is pretty locked down.

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Mark Reimer
Sent: Monday, July 24, 2006 9:16 AM
To: Declude JunkMail
Subject: [Declude.JunkMail] 4.3 Upgrade

Have many people upgraded to 4.3 yet. I was wondering if anyone had experienced any problems with the new version.

Mark Reimer
IT Project Manager
American CareSource
214-596-2464
RE: [Declude.JunkMail] Over Hold Weight, but Delivered
I've been seeing it too. I finally tracked it down to Hi-Jack. Disable Hi-Jack, and you should be good ( I just renamed the config file, so I can restart it as soon as this is fixed ). Somehow, Hi-jack grabs the message before Declude kills it.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Linda Pagillo
Sent: Friday, July 14, 2006 8:34 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Over Hold Weight, but Delivered

Don:

We are aware of this issue and it has been escalated to our engineering department.

Linda Pagillo
Technical Support Engineer
Declude - Your Email security is our business™

----- Original Message -----
From: Don Brown [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Friday, July 14, 2006 5:09 AM
Subject: [Declude.JunkMail] Over Hold Weight, but Delivered

We have been seeing mail being delivered, when it has scored higher than our hold weight. The common denominator with these messages seems to be that it is addressed to multiple recipients. These recipients are sometimes of the same domain and other times of different domains.

We are running the latest 4.xx release with Imail 8.xx, but this behavior isn't new to this release. We've noticed it for the last few releases, although I'm not sure which release marked the start of it.

Has anyone else been seeing this behavior or are we just lucky?

Thanks,

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049
[Declude.JunkMail] Number of times per test
I looked through the manual, but didn't see this defined... I want a test that applies 10 points if a certain string appears in the body of a message a number of times... So if, for example, 'replikas' appears 5 times, and I want to apply ten points only if that string is there 5 times or more, what part of the test definition string do I modify ? Which variable determines that ? Or, could I assign it 2 points each time it appears ? And which variable is that ?

Numberoftimes filter C:\Declude\sampletest.txt x 10 0

Karl Drugge
RE: [Declude.JunkMail] Number of times per test
Mine always just counts the one hit, regardless of whether I have 1 or 2.

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Friday, July 14, 2006 3:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Number of times per test

I don't have STOPATFIRSTHIT in my body filter, and it always stops the first time it finds something.

-------- Original Message --------
From: Michael Thomas - Mathbox [EMAIL PROTECTED]
Sent: Friday, July 14, 2006 2:31 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Number of times per test

If you do not have StopAtFirstHit enabled, then each hit adds the specified points to the total. So, set the MinWeightToFail to 10 and apply 2 point for each hit like:

#SKIPIFWEIGHT 10
MINWEIGHTTOFAIL 10
#MAXWEIGHT 15
#STOPATFIRSTHIT
BODY 2 CONTAINS replikas

Michael Thomas
Mathbox
978-683-6718
1-877-MATHBOX (Toll Free)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
Sent: Friday, July 14, 2006 1:52 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Number of times per test

I looked through the manual, but didn't see this defined... I want a test that applies 10 points if a certain string appears in the body of a message a number of times... So if, for example, 'replikas' appears 5 times, and I want to apply ten points only if that string is there 5 times or more, what part of the test definition string do I modify ? Which variable determines that ? Or, could I assign it 2 points each time it appears ? And which variable is that ?

Numberoftimes filter C:\Declude\sampletest.txt x 10 0

Karl Drugge
RE: [Declude.JunkMail] Message Syntax...
Anyone ?

Karl Drugge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IS - Systems Eng. (Karl Drugge)
Sent: Friday, June 30, 2006 10:14 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Message Syntax...

I am getting some of the typical messages through... the ones with just a linked image in the body.. I am wondering how the syntax for the linked image works .. I have a line :

src=cid:stuffhere$stuffhere$stuffhere

What is the syntax, or what do the sections break down into ? Is it image$directory$domain ?

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003 ), C.C.N.A., Network+, A+

I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
[Declude.JunkMail] Message Syntax...
I am getting some of the typical messages through... the ones with just a linked image in the body.. I am wondering how the syntax for the linked image works .. I have a line :

src=cid:stuffhere$stuffhere$stuffhere

What is the syntax, or what do the sections break down into ? Is it image$directory$domain ?

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0, 2000, 2003 ), M.C.S.A. ( 2000 + 2003 ), C.C.N.A., Network+, A+

I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
RE: [Declude.JunkMail] This doesnt add up
I've been seeing this for weeks. I reported it, and I believe they are working on a fix. Sometimes Declude doesn't put ANYTHING in the headers. Kind of hard to figure out why something got through in the meantime, though.. Karl Drugge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Wednesday, April 05, 2006 1:44 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] This doesnt add up Todd, I do not see them in the headers ? X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK, GIBBERISH, CATCHALLMAILS [30] David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Sent: Wednesday, April 05, 2006 12:56 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] This doesnt add up Thanks David, both of these tests are not hidden and show up in the headers. Todd - Original Message - From: David Barker [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Wednesday, April 05, 2006 11:47 AM Subject: RE: [Declude.JunkMail] This doesnt add up To reduce false positives NOLEGITCONTENT and IPNOTINMX are hidden tests, check your global.cfg you should see the -5 David B www.declude.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Sent: Wednesday, April 05, 2006 12:22 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] This doesnt add up A lot of spam has been getting through lately and at first I was thinking my Declude needed some tweaking. I am seeing some funny stuff though. I find emails where emails contain items that should have triggered filters but did not. I am on IMail 8.15 and Declude 2.06. Here is a header of an email where the numbers dont add to the score. 
It should have had a score of 5 + 15 + 15 + 30 = 65 but instead shows 30

My global.cfg has the following entries for the tests that were triggered

SUBJECTSPACES7 subjectspaces 7 x 5 0
SUBJECTSPACES10 subjectspaces 10 x 15 0
SPFPASS spf pass x 0 0

X-RBL-Warning: SUBJECTSPACES7: Subject with at least 7 spaces found.
X-RBL-Warning: SUBJECTSPACES10: Subject with at least 10 spaces found.
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 463, weight 30)
X-Declude-Sender: [EMAIL PROTECTED] [69.89.85.90]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK, GIBBERISH, CATCHALLMAILS [30]
X-Note: Total spam weight of this E-mail is 30 .
X-Country-Chain: UNITED STATES-destination
X-Note: This E-mail was sent from eveningtrees.com ([69.89.85.90]).

-- PLEASE NOTE : Florida has a very broad public records law. Most written communications to or from City officials regarding City business are public records available to the public and media upon request. Your E-mail communications may be subject to public disclosure.
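The weight check Todd does by hand in this thread, as an added example (not code from the thread or from Declude): it recomputes the expected total from the posted headers and global.cfg lines and lists which combinations of the known weights equal the reported total. Assumptions: the fifth column of a global.cfg test line is the weight added on failure (as Todd's arithmetic implies), weights for tests without a config line are read from the warning text, and all function names are hypothetical.

```python
import re
from itertools import combinations

# Config lines and headers as quoted in the thread above.
GLOBAL_CFG = """\
SUBJECTSPACES7 subjectspaces 7 x 5 0
SUBJECTSPACES10 subjectspaces 10 x 15 0
SPFPASS spf pass x 0 0
"""

HEADERS = """\
X-RBL-Warning: SUBJECTSPACES7: Subject with at least 7 spaces found.
X-RBL-Warning: SUBJECTSPACES10: Subject with at least 10 spaces found.
X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail.
X-RBL-Warning: SPAMCHK: Message failed SPAMCHK: 15.
X-RBL-Warning: GIBBERISH: Message failed GIBBERISH test (line 463, weight 30)
X-Spam-Tests-Failed: SUBJECTSPACES7, SUBJECTSPACES10, SPFPASS, SPAMCHK, GIBBERISH, CATCHALLMAILS [30]
X-Note: Total spam weight of this E-mail is 30 .
"""


def parse_cfg_weights(cfg_text):
    """Map test name -> weight. Assumed columns: NAME TYPE ARG ARG WEIGHT NEGWEIGHT."""
    weights = {}
    for line in cfg_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        try:
            weights[fields[0]] = int(fields[-2])
        except ValueError:
            continue  # not a test definition line
    return weights


def parse_headers(header_text):
    """Return (weights stated in warnings, failed test names, bracket total, X-Note total)."""
    warnings, failed, bracket_total, note_total = {}, [], None, None
    for line in header_text.splitlines():
        m = re.match(r"X-RBL-Warning:\s*(\w+):\s*(.*)", line)
        if m:
            name, text = m.groups()
            # Weight appears either as "NAME: 15" or as "weight 30" in the warning text.
            w = re.search(rf"(?:{re.escape(name)}:\s*|weight\s+)(-?\d+)", text)
            warnings[name] = int(w.group(1)) if w else None
            continue
        m = re.match(r"X-Spam-Tests-Failed:\s*(.*?)\s*\[(-?\d+)\]", line)
        if m:
            failed = [t.strip() for t in m.group(1).split(",") if t.strip()]
            bracket_total = int(m.group(2))
            continue
        m = re.search(r"Total spam weight of this E-mail is\s*(-?\d+)", line)
        if m:
            note_total = int(m.group(1))
    return warnings, failed, bracket_total, note_total


def reconcile(header_text, cfg_text):
    cfg = parse_cfg_weights(cfg_text)
    warnings, failed, bracket_total, note_total = parse_headers(header_text)
    known, unknown = {}, []
    for name in failed:
        if name in cfg:
            known[name] = cfg[name]
        elif warnings.get(name) is not None:
            known[name] = warnings[name]
        else:
            unknown.append(name)  # listed as failed, but no weight visible anywhere
    expected = sum(known.values())
    scoring = [(n, w) for n, w in known.items() if w != 0]
    # Arithmetic only: which sets of known weights add up to the reported total.
    explanations = [
        tuple(n for n, _ in combo)
        for size in range(1, len(scoring) + 1)
        for combo in combinations(scoring, size)
        if sum(w for _, w in combo) == note_total
    ]
    return {
        "expected": expected,
        "reported": note_total,
        "bracket_total": bracket_total,
        "gap": expected - note_total,
        "unknown": unknown,
        "explanations": explanations,
    }


if __name__ == "__main__":
    for key, value in reconcile(HEADERS, GLOBAL_CFG).items():
        print(f"{key}: {value}")
```

The combinations listed are only those that match the reported total numerically; they do not show which tests Declude actually counted.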
RE: [Declude.JunkMail] Whitelisting email address
I can confirm that. If a single email address is white listed, then all of them get white listed. The solution was a line like this :

BYPASSWHITELIST bypasswhitelist 45 6 0 0

If an email was over weight 45, AND it also had 6 or more recipients, then it bypassed the white-listing and checked it normally. I never tried to do it with individual config files.. But that might work, if it didn't affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well. That is why I was wondering if I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every recipient's address gets whitelisted. This may be unique to SmarterMail/Declude. I don't remember having the problem with IMail, but we haven't used it in over a year.

Shayne

Hi Brian, Yes, this can be done with the Pro version. You can have per-user configurations. You can't not have Declude scan the mail, but you can set this individual's configuration to ignore all test results and deliver the mail. As far as I know, this shouldn't have any effect on other recipients of the email.

Dean

On 1/17/06, Brian [EMAIL PROTECTED] wrote:

I have a customer who wants to receive all emails without having declude check them for spam. My question, is can this be done? And then can it be done so that if a message comes in and it is a message that contains their email address and several other email addresses on our domain, that it can only be sent to their address prior to the spam checks? I hope this makes sense.

Thanks in advance,
Brian T.
RE: [Declude.JunkMail] Whitelisting email address
I hold at 20, bounce at 40, and delete at 60. I realize bouncing is bad, but we're government, so I have to be careful about outright deleting email without notifying someone, somewhere.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 3:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

What are you using for a hold weight and delete weight?

Brian

- Original Message -
From: IS - Systems Eng. (Karl Drugge)
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 3:17 PM
Subject: RE: [Declude.JunkMail] Whitelisting email address

I can confirm that. If a single email address is white listed, then all of them get white listed. The solution was a line like this :

BYPASSWHITELIST bypasswhitelist 45 6 0 0

If an email was over weight 45, AND it also had 6 or more recipients, then it bypassed the white-listing and checked it normally. I never tried to do it with individual config files.. But that might work, if it didn't affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well. That is why I was wondering if I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every recipient's address gets whitelisted. This may be unique to SmarterMail/Declude. I don't remember having the problem with IMail, but we haven't used it in over a year.

Shayne

Hi Brian, Yes, this can be done with the Pro version. You can have per-user configurations. You can't not have Declude scan the mail, but you can set this individual's configuration to ignore all test results and deliver the mail. As far as I know, this shouldn't have any effect on other recipients of the email.

Dean

On 1/17/06, Brian [EMAIL PROTECTED] wrote:

I have a customer who wants to receive all emails without having declude check them for spam. My question, is can this be done? And then can it be done so that if a message comes in and it is a message that contains their email address and several other email addresses on our domain, that it can only be sent to their address prior to the spam checks? I hope this makes sense.

Thanks in advance,
Brian T.
RE: [Declude.JunkMail] Whitelisting email address
Believe me, I'd love to find a way to do it, but when I HAVE to receive emails from hideously mis-configured servers, whack-job citizens, and other municipalities with less than stellar I.T. staff from anywhere at any time, not bouncing becomes the worse of two evils.

As an example, if I DELETE an email from a citizen because it meets my delete criteria ( let's say a nut-job, retired, self declared IT samurai with a shareware SMTP server, on a dial up account to a local home based ISP run by his best friend ) I can ( and have ) been questioned by the City Manager on exactly WHY he didn't get this email, because this nut-job shows up to a city council meeting and has a foaming at the mouth fit in public. Technical explanations don't cut it in the political arena.

I have to, at the very least, send something back to notify the originator that the email was bounced, unless it's so horribly mal-formed, or chock full of key words, that I can absolutely guarantee it's spam. But, if someone wants to take a crack at it, I'll be more than happy to post my config files.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 17, 2006 4:28 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

Karl, Getting blacklisted for bouncing spam back to forged addresses would probably be a lot worse than missing a stray message that shouldn't have been blocked. This certainly can happen, especially if you get a lot of zombie generated spam. It is also of course a big pain dealing with servers that bounce this stuff back to forged addresses. Today I'm under heavy attack from multiple sources of backscatter. Backscatter costs others time, money and frustration. It's not fair if it is avoidable. Please reconsider your choices. Maybe we can help you figure out a better way to deal with this.

Matt

IS - Systems Eng. (Karl Drugge) wrote:

I hold at 20, bounce at 40, and delete at 60. I realize bouncing is bad, but we're government, so I have to be careful about outright deleting email without notifying someone, somewhere.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 3:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

What are you using for a hold weight and delete weight?

Brian

- Original Message -
From: IS - Systems Eng. (Karl Drugge)
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 3:17 PM
Subject: RE: [Declude.JunkMail] Whitelisting email address

I can confirm that. If a single email address is white listed, then all of them get white listed. The solution was a line like this :

BYPASSWHITELIST bypasswhitelist 45 6 0 0

If an email was over weight 45, AND it also had 6 or more recipients, then it bypassed the white-listing and checked it normally. I never tried to do it with individual config files.. But that might work, if it didn't affect all the recipients.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian
Sent: Tuesday, January 17, 2006 2:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Whitelisting email address

I recall that happening with IMail as well. That is why I was wondering if I did something wrong before.

Brian

- Original Message -
From: Shayne Embry
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 17, 2006 1:12 PM
Subject: Re: [Declude.JunkMail] Whitelisting email address

We have found that if one of the addresses is whitelisted, then every recipient's address gets whitelisted. This may be unique to SmarterMail/Declude. I don't remember having the problem with IMail, but we haven't used it in over a year.

Shayne

Hi Brian, Yes, this can be done with the Pro version. You can have per-user configurations. You can't not have Declude scan the mail, but you can set this individual's configuration to ignore all test results and deliver the mail. As far as I know, this shouldn't have any effect on other recipients of the email.

Dean

On 1/17/06, Brian [EMAIL PROTECTED] wrote:

I have a customer who wants to receive all emails without having declude check them for spam. My question, is can this be done? And then can it be done so that if a message comes in and it is a message that contains their email address and several other email addresses on our domain, that it can only be sent to their address prior to the spam checks? I hope this makes sense.

Thanks in advance,
Brian T.
RE: [Declude.JunkMail] does anyone punish email from these folks?
I block that entire class A. Nothing but issues with the entire range. If someone gets blocked, they can call a user and have them request an exception.

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike K @ NetDotCom
Sent: Tuesday, December 20, 2005 11:03 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] does anyone punish email from these folks?

We outright reject all their mail. We started by just holding and found lots of 'suspicious' activity like identical emails with different from domains, etc. Normal spam type stuff CC offers, grant money, etc. Then we started blocking one /24, then they switched to other subnets so we blocked their entire IP space. No complaints from users.

Mike

- Original Message -
From: Nick Hayer
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 20, 2005 10:36
Subject: [Declude.JunkMail] does anyone punish email from these folks?

I sure do get a lot of spam from this ip space - are they legit and are lacking in their monitoring or ?

Thanks -
-Nick

OrgName: WholeSale Internet
OrgID: WHOLE-125
Address: 1102 Grand Ave Suite 905
City: Kansas City
StateProv: MO
PostalCode: 64106
Country: US
NetRange: 69.30.192.0 - 69.30.239.255
CIDR: 69.30.192.0/19, 69.30.224.0/20
NetName: WHOLESALEINTERNET
[Declude.JunkMail] Speaking of punishment....
We've been getting a LOT of emails from 9 particular IPs, I'm talking about 60-70% of incoming. Nothing but 30+ recipient emails, with non-existent email addresses on our domain. The majority of them don't even have one valid address on my domain. It's all getting caught in our filters and deleted, but it was getting so obscene that I just blocked them on the firewall. My logs dropped from 23 meg a day to only 5. Is anyone else seeing this type of traffic lately ?

65.97.165.47 68.59.144.144 67.78.242.210 69.144.163.243 70.151.165.226 71.41.40.68 71.53.128.235 208.60.45.2 216.116.178.157

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
[Declude.JunkMail] Free SPAM RBL's ?
I am currently using SPAMCOP, and pretty happy with it, but wouldn't mind adding another. What is everyone else using for an external RBL ?

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
[Declude.JunkMail] SPF PASS/FAIL test format
Quick question on the global.cfg file. I upgraded to 3.0.5 yesterday. Working great so far. I want to add the SPFPASS and SPFFAIL tests.. what is the format ? I want to subtract 7 points for a pass, and add 7 points for a fail ( if they're too stupid to have an SPF by now ). I have this, but it is obviously wrong :

SPFFAIL spffail x x 7 0
SPFPASS spfpass x x -7 0

Karl Drugge
B.S.I.T., A.S., M.C.S.E. ( NT 4.0 + 2000 ), C.C.N.A., C.C.D.A., Network+, A+
I dream of the day when I will learn to stop asking questions to which I will regret learning the answers ( Roy Greenhilt, Order of the Stick )
[Declude.JunkMail] Per user tests....
Argh. I know this has been covered but I can't find it in my own archives from the group.. Where do I define per user tests ? I am trying to use the REDIRECT ( REDIRECT [EMAIL PROTECTED] c:\dir\dir\username.txt ) statement to point at a username.txt with their own configs in it. Particularly their own word and fromfile filters. Do I copy and rename the $junkmail file ? Where do their own tests get defined ? Do I copy and rename the global.cfg ? I am looking in the decdate.log files and not finding any errors or something that tells me that the user is using their own tests or cfg file ...

Karl Drugge
RE: [Declude.JunkMail] Per user tests....
OK, I guess I can deal with that. A bit processor intensive for one PITA user, but if that's the way it is... If I define the tests ( ie: a fromfile ) in the global.cfg, how do I make it apply for only one person in the $junkmail file ? I thought points were assigned in the global.cfg, and the $junkmail file just told declude what to do with the final point value ? Even if I assign the user their own $junkmail file, I still have to play with the points in the tests given in the global.cfg, yes ?

Karl Drugge

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 5:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Per user tests

> Where do I define per user tests ?

Tests in Declude JunkMail are global. The best you can do for a per-user test is one that runs for everyone, but actions are only taken on the test for specific user(s).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] Per user tests....
Ahh. OK. I am getting it now. So, to whitelist for that particular user's fromfile, I would set the test to assign weight 0 in my global.cfg, and then in the user's config file ( a renamed copy of the $junkmail file ), I would use a ROUTETO statement ? Is this correct ?

Karl Drugge

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 5:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Per user tests

> Tests in Declude JunkMail are global. The best you can do for a per-user test is one that runs for everyone, but actions are only taken on the test for specific user(s).

> If I define the tests ( ie: a fromfile ) in the global.cfg, how do I make it apply for only one person in the $junkmail file ?

By having the default file not take any action (TESTNAME IGNORE), and having the per-user config file take an action (TESTNAME HOLD, for example).

> I thought points were assigned in the global.cfg, and the $junkmail file just told declude what to do with the final point value ?

Close. The weight is determined by the global.cfg file. The $default$.JunkMail file is used to determine the actions to take on tests. I would recommend not assigning any weight to the per-user test, as that weight would be applied to all users. Instead, you can have the weight set to 0, and use TESTNAME HOLD (or TESTNAME DELETE or whatever).

-Scott
RE: [Declude.JunkMail] Reverse DNS...
Do what I do. I have a rule defined that subtracts the points my REVDNS rule adds, and put the domains I need to get through in that list. Kind of clunky and man-power intensive, but it works for me. I couldn't imagine doing it for hundreds of domains.

Karl Drugge

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse DNS...

What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 57
X-Note: Sent from Reverse DNS: [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

Incredible...

Regards,
Kami
RE: [Declude.JunkMail] How good does it get?
I don't care how much you monitor, you are NOT going to get a 100% capture rate with no false positives. If there was a way to do that, Scott would be a millionaire by now, and have twenty or thirty death threats from spammers. You can get close, like maybe a 90% or 95% if you're super particular, but that is really pushing it.

Unfortunately, there isn't a perfect template you can use. The default will get you close, but then you have to tune. It's different for each site and situation. It took me about 3 or 4 months to get it pretty close with daily checks. Now I check once a week and make a few tweaks. I get about a 90%-95% capture rate with very few false positives.

My technique is to delete everything outrageously bad ( 40+ on my scale with my custom weights). If it's over 40 it is seriously warped. If it's over 20 but below 40, I route it to a holding bin where I can personally check it out. Under 20 is good enough to slip through, and a few do now and then, but my users will forward it to me so I can tune Declude a bit more.

Obviously, if you're getting over half a million messages a month, this won't work for you. I only get about 18k or so, with maybe 10-20 needing personal attention per day. Personally, I'd rather a few got through, rather than having it delete some of the real stuff, but you can make your own calls.

Karl Drugge

-Original Message-
From: T. Bradley Dean [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 4:07 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How good does it get?

I just installed the demo (Tuesday I believe) and I have it set to warn only. My plan is to move everything with a weight of 20 or above to a 'spam' folder in each users webmail. I may be able to do 15, so far the highest legitimate mail we've seen was 14. Looking at what's coming in, I'm getting about 80% of all spam. Another user I have watching the headers (Outlook rule) is getting about 40%.
I'm going to go through the manual and see how smoothly I can get this running, but of course management wants 100% of spam captured with no legitimate mail blocked. How close can I expect to get? What levels of spam are you guys capturing and what levels of legitimate mail is being blocked? Any tips on what default settings I should mess with first? Any good threads in the archives that I should read through?

Thanks in advance,
~Brad
[Declude.JunkMail] Comments on this ?
I have a client that is getting HAMMERED by mass SPAM emailings. In excess of 500,000 emails a month are getting deleted on an 80 user network. His Internet connection is totally flooded. I've been working with him over the past 9 months or so and have been trying to track things down to a single spammer or set of spammers.

First, he is the target of the reflected email attack/delivery system. He was getting loads of these. He still gets these, but only about 100-150,000 a month. The rest are pure garbage items, at a much heavier than normal load of SPAM for a site of his size.

What's curious is that I have been attempting to run MID level logging in order to get the connecting IPs, reasoning that if I could find the IP ranges, I could blow them off at the firewall and spare DECLUDE from having to process the emails. But, to my surprise, after running a few PERL scripts on the logs, the number of offending IPs, even listing those with over 50 deletes, is something on the order of over 2,000 ! There are no real ranges that I can find. If I include servers sending 10 emails that DECLUDE deletes, I have over 5 thousand for the month. It's a massive deluge from thousands of servers sending 4 or 5 emails a day.

It's beginning to look that whoever is sending the mail has hundreds of zombie bots out on the internet and can direct them at will. Short of telling him he needs to just dump his domain name and get a new one, or co-locate a server upstream at an ISP for Declude, I am out of answers. Is anyone else seeing this type of attack ? Are Spammers now using zombie bots ?

Karl Drugge
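The per-IP tally described in this post, as an added example (not Karl's Perl scripts, which do not appear on the page): it counts deleted messages per connecting IP, applies a minimum-delete threshold, and measures how many /24 firewall blocks it would take to cover a given share of the deleted mail. The two-field input format, the sample addresses, the scaled-down thresholds and the function names are assumptions constructed for the example.

```python
from collections import Counter
import ipaddress

# Constructed sample in a simplified "<connecting IP> <action>" form.
# This is NOT Declude's log format: pull these two fields out of your own logs first.
# One concentrated source (two hosts in one /24) plus ten scattered low-volume senders.
SAMPLE = (
    ["10.1.1.5 DELETE"] * 6
    + ["10.1.1.9 DELETE"] * 4
    + [f"10.{20 + i}.{i}.7 DELETE" for i in range(1, 11) for _ in range(2)]
    + ["10.9.9.9 PASS"] * 3
)


def deletes_per_ip(lines, action="DELETE"):
    """Count messages with the given action per connecting IP, skipping corrupt lines."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or parts[1] != action:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # garbled address: skip the line rather than abort the run
        counts[ip] += 1
    return counts


def offenders(counts, min_deletes):
    """IPs with at least min_deletes deleted messages (the post uses 50 and 10)."""
    return {ip: n for ip, n in counts.items() if n >= min_deletes}


def rollup(counts, prefixlen):
    """Sum per-IP counts into IPv4 networks of the given prefix length."""
    nets = Counter()
    for ip, n in counts.items():
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += n
    return nets


def rules_needed(counts, prefixlen, coverage):
    """Fewest prefix blocks, largest first, that cover `coverage` of the deleted mail."""
    total = sum(counts.values())
    if total == 0:
        return 0
    covered = rules = 0
    for _, n in rollup(counts, prefixlen).most_common():
        if covered >= coverage * total:
            break
        covered += n
        rules += 1
    return rules


if __name__ == "__main__":
    counts = deletes_per_ip(SAMPLE)
    print("deleted messages:", sum(counts.values()), "from", len(counts), "IPs")
    print("IPs with 5+ deletes:", len(offenders(counts, 5)))
    for share in (0.3, 0.9):
        print(f"/24 blocks to cover {share:.0%}:", rules_needed(counts, 24, share))
```

When the number of blocks needed for high coverage approaches the number of sending IPs, as in the scattered part of the sample, range-based firewall rules will not help and the filtering has to stay at the mail layer.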
[Declude.JunkMail] Holy Bandwidth Hog, Batman !
Looking at some logs for a client, and was slightly horrified. This guy runs DECLUDE on a P-3 333mhz machine with 256 meg of RAM, off of half a T-1. He WAS running about 2/3's of this level last month. Keep in mind, he only has 80+/- users. He is getting about 95% kill ratio on his SPAM.

He has been seeing the new 'reflected email DDOS' attack for the last 9 months, and it's getting worse by the week. Email comes in addressed to bogus internal users with a spoofed return address, which SMTP faithfully attempts to 'return' when it finds no such person on the internal network. The emails originate on literally hundreds of remote boxes, so an IP filter is going to be hard to put together. If it wasn't for Declude nuking the email, his Exchange box would be dead by now.

Any suggestions I can give him ? About all I have left is to change his Domain name or co-locate his declude box upstream.

Log file dates from : 09/01/2003 to 09/30/2003
Lines Processed : 2856302
My Mail Server IP : [192.168.254.1]
Whitelisted from Internal Server: 8257
CAUTION : You have 3263 WARNINGS/ERRORS in your log file
CAUTION : You have 2208 corrupt lines in your log file
Total Messages Logged : 493894
Unique SMTP ID's Logged : 237236

ACTIONS LOGGED     COUNT    PERCENTAGE
White Listed   :   11535     2.3
2REALLYBADMAIL :    8074     1.6
DELETETHEMAIL  :  432363    87.5
HOLDTHEMAIL    :   18536     3.8
PASSTHEMAIL    :   21282     4.3
REALLYBADMAIL  :    8073     1.6

TESTS LOGGED       COUNT    PERCENTAGE
2REVDNS        :  169233    34.3
BADHEADERS     :  311715    63.1
BADTO          :  167839    34.0
BADTO2         :  115170    23.3
BADTO3         :  111045    22.5
BASE64         :   46344     9.4
BLACKLIST      :   23354     4.7
BLACKLIST2     :    2690     0.5
DELETEWORDS    :   31476     6.4
DELETEWORDS2   :   11753     2.4
FILTERWORDS    :  261118    52.9
IPBLACKLIST    :    1241     0.3
MAILFROM       :    9903     2.0
NOABUSE        :  167559    33.9
NOPOSTMASTER   :  178892    36.2
PERCENT        :       7     0.0
REVDNS         :  169253    34.3
ROUTING        :  168876    34.2
SPAMCOP        :  360729    73.0
SPAMHEADERS    :   36439     7.4
WHITELST       :    4122     0.8
RE: [Declude.JunkMail] More and more email getting past Declude
They've cleaned up their acts. I am seeing a lot of stuff come straight through with a single hit. It ALMOST seems like if mail fails a few tests, it's legit !

Karl Drugge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Foulks
Sent: Tuesday, September 02, 2003 9:21 AM
To: Declude JunkMail (E-mail)
Subject: [Declude.JunkMail] More and more email getting past Declude

Is it just me or have spammers found other ways to get past scanners? I've been getting slammed lately with more and more spam that is getting past declude without a single hit.

Greg Foulks
NewFound Technologies, Inc.
[EMAIL PROTECTED]
http://www.nfti.com
614.318.5036
[Declude.JunkMail] Blocking attachments
Just double checking, but we do NOT have a way to block specific attachments in Declude JM Pro, correct?

Karl Drugge, Systems Network Engineer

[Declude.JunkMail] Reporting Software, script attached
For anyone who wants this, here's a new script that will sort your Declude log files and give a simple, easy to read report. This one's been cleaned up since the last one, and takes into account garbled and corrupt log files. Much easier to use, and no file renaming required. The only thing you have to do is edit your IP for your internal mail server, if you want.

Written in PERL. Just put it in a directory with the log files you want checked, and it will do the rest, assuming you have PERL installed. Enjoy!

Sample output below:

Log file dates from              : 08/02/2003 to 08/19/2003
Lines Processed                  : 30763
My Mail Server IP                : [X.x.x.x]
Whitelisted from Internal Server : 2539
CAUTION : You have 83 WARNINGS/ERRORS in your log file
CAUTION : You have 2 corrupt lines in your log file
Total Messages Logged            : 11715
Unique SMTP ID's Logged          : 8

ACTIONS LOGGED      COUNT   PERCENTAGE
White Listed   :     3390     28.9
WEIGHT10       :     4734     40.4
WEIGHT20       :      573      4.9
WEIGHT202      :      573      4.9
WEIGHT40       :     2986     25.5

TESTS LOGGED        COUNT   PERCENTAGE
BADHEADERS     :     1987     17.0
BASE64         :      119      1.0
BLACKLIST      :      493      4.2
FILTERWORDS    :     3794     32.4
HELOBOGUS      :     2718     23.2
IPBlacklist    :      283      2.4
KILLERWORDS    :      445      3.8
MAILFROM       :       44      0.4
NOABUSE        :     1183     10.1
NOPOSTMASTER   :     1074      9.2
REVDNS         :      675      5.8
REVDNSPROBLEM  :     1630     13.9
ROUTING        :      144      1.2
SPAMCOP        :      493      4.2
SPAMHEADERS    :     2214     18.9
VirusKill      :     1125      9.6

Attachment: declog3.pl

RE: [Declude.JunkMail] Best Practices question
Not to bash Scott, who is the freaking GOD of SMTP traffic.. but EEWWW.. yuck. FIND will work, but I'd have to wash my hands afterwards. My computer is supposed to do my work FOR me, on a daily basis, and mail me my checks at home! (I wish!)...

Just write up a quick PERL/WSH/Shell script to parse the info, then schedule it with AT to run whenever you want. I wrote mine up a few weeks ago. If people want I'll post it. It's in PERL, so you'll need active PERL installed, and you might need to tweak it for your local settings. It's not as clean as Scott or another professional programmer might make it, but it's quick, dirty, and gets the job done.

Here's a sample of what mine does (on a pretty slow day for SPAM):

Total number of messages               665
Total Passed, including whitelisted,   523, percentage : 78.6
Total HELD                              21, percentage :  3.2
Total BOUNCED                          121, percentage : 18.2

Total of Whitelisted      218
Total of SPAMCOP           25
Total of NOABUSE           66
Total of NOPOSTMASTER      58
Total of BADHEADERS        38
Total of BASE64             1
Total of HELOBOGUS         99
Total of MAILFROM           1
Total of PERCENT            0
Total of REVDNS2           34
Total of ROUTING           13
Total of SPAMHEADERS       40
Total of FILTERWORDS      248
Total of BLACKLIST         34
Total of REVDNSPROBLEM     77
Total of IPBlacklist       31

Karl Drugge, Systems Network Engineer

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 17, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Best Practices question

> How can I determine the amount of caught/received emails with JunkMail? It would take me an eternity to go through each log file.

There are several ways that you can do this. For example, you can do a directory of the \IMail\spool\spam directory, where the held E-mails are. To find out how many are to you, you can use find with the /C switch.

-Scott

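
The kind of report the two posts above describe (per-action and per-test counts with percentages, with corrupt lines counted and skipped), as an added Python example that is not declog3.pl and not code from the thread. The log line layout, the message IDs and the sample lines are assumptions constructed for illustration, and percentages are taken against unique message IDs.

```python
import re
from collections import Counter

# Assumed, simplified line layout (an assumption, not Declude's documented format):
#   MM/DD/YYYY HH:MM:SS <msg-id> Msg failed <TEST> (<detail>). Action=<ACTION>.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) \d{2}:\d{2}:\d{2} (Q[0-9a-f]+) "
    r"Msg failed (\w+) \(.*\)\. Action=(\w+)\.$"
)

# Constructed sample: line 3 is truncated, the last line repeats the one before.
SAMPLE_LOG = """\
09/01/2003 00:00:11 Q1a2b Msg failed SPAMCOP (listed). Action=HOLD.
09/01/2003 00:00:11 Q1a2b Msg failed BADHEADERS (no Date header). Action=WARN.
09/01/2003 00:00:12 Q1a2c Msg fai
09/01/2003 00:00:15 Q1a2d Msg failed BADTO (unknown recipient). Action=DELETE.
09/02/2003 08:14:02 Q1a2e Msg failed SPAMCOP (listed). Action=HOLD.
09/02/2003 08:14:02 Q1a2e Msg failed SPAMCOP (listed). Action=HOLD.
"""

def summarize(text):
    """Tally each test and action once per message ID; count corrupt lines."""
    tests, actions, seen = Counter(), Counter(), set()
    ids, dates, corrupt = set(), [], 0
    lines = text.splitlines()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            corrupt += 1  # garbled or truncated line: count it and move on
            continue
        date, msg_id, test, action = m.groups()
        dates.append(date)
        ids.add(msg_id)
        for kind, counter, name in (("T", tests, test), ("A", actions, action)):
            if (kind, msg_id, name) not in seen:  # ignore repeated log entries
                seen.add((kind, msg_id, name))
                counter[name] += 1
    return {"lines": len(lines), "corrupt": corrupt, "messages": len(ids),
            "first": dates[0] if dates else None,
            "last": dates[-1] if dates else None,
            "tests": tests, "actions": actions}

def rows(counter, total):
    """(name, count, percent of messages) rows, sorted by name."""
    return [(name, n, round(100.0 * n / total, 1) if total else 0.0)
            for name, n in sorted(counter.items())]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"Dates {s['first']} to {s['last']}, {s['lines']} lines, "
          f"{s['corrupt']} corrupt, {s['messages']} messages")
    for name, n, pct in rows(s["actions"], s["messages"]) + rows(s["tests"], s["messages"]):
        print(f"{name:<14}: {n:>6} {pct:>5.1f}")
```
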
RE: [Declude.JunkMail] Spam Attack
While I haven't seen this particular type of attack, I do have one client that is seeing something very similar. He is getting mail-bombed from numerous spam sites/IP's.. he is rejecting over 300 an hour, and this is for a site with only a 512k connection and 50 users... It's been happening for over 3 months now.

Karl Drugge, Systems Network Engineer

-----Original Message-----
From: Adrian Hauri [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 09, 2003 11:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spam Attack

These IP addresses are blacklisted as an open relay in ORDB etc. Check http://www.dnsstuff.com/tools/ip4r.ch?ip=217.16.118.12

Cheers
Adrian

----- Original Message -----
From: Jeff Kratka [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 12:43 PM
Subject: RE: [Declude.JunkMail] Spam Attack

I first thought that but there are different messages, just bad jokes each message. There were also some viruses attached which were caught.

Jeff

----- Original Message -----
From: Kevin Bilbee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 9 Jul 2003 17:39:39 -0700

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Kratka
Sent: Wednesday, July 09, 2003 5:29 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam Attack

Just to let everyone know so others don't get hit with it, I just had a Spam attack/Bomb from one particular location. As soon as I found out I blocked everything possible and things are working. It was so bad that it killed the server. It came from:

[217.16.118.12]
MAIL From:[EMAIL PROTECTED]

Every single e-mail was to the same address and from the same address and IP, there were a couple of thousand that attempted this. My guess is their spam software is stuck in a loop and sending to the same address over and over? Just thought some others would like to know.

Jeff Kratka
TymeWyse Internet
P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
tel/fax: (541) 839-6027 - [EMAIL PROTECTED]

RE: [Declude.JunkMail] Wish list reminder... :-)
This is precisely what we do, although not to the tune of 150k messages a day. Imail and Declude make an AWESOME gateway mail server. Only when external contact is required (in or out) do we actually have to touch the Imail/Declude box. Our internal Exchange server isn't bothered with all the external contact and I don't have to worry about filters on internal memos and email. Security is better as well since nothing now has direct contact to an internal server.

I've set up several business clients (I should be getting a commission from Scott!) and this works very well. Two clients are running their systems on Pentium III 450's with 256 megs of RAM! Also, since nothing is actually stored on the Imail/Declude box, if it gets burned to the ground, it only takes an hour or so to reload from our backups and images. Hell, it even runs on an old license of NT 4.0!

Karl Drugge, Systems Network Engineer

-----Original Message-----
From: David Sullivan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 28, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Wish list reminder... :-)

Does anyone that doesn't agree with Bill have any suggestions? We've got an Imail server on a Dell box (2650 2.2 Xeon, RAID 1/5, etc) doing about 150,000 messages a day at roughly 45% utilization and climbing. Looking at all the headaches of managing another box along with duplicate purchases of Imail Unl., Declude JM Pro/Virus Pro, Hijack, Sniffer, Win2k Server, etc is just not a prospect we want to consider.

I believe that the Sniffer guys have now offered an OEM version of their product that would allow us to load the rulebase in memory and drastically cut down on the content scanning cycles needed. Any thoughts at better optimizing Declude products?

Bill's point is very valid. He wants to get more productivity out of his system and knows that he doesn't need to scan all of his internally generated messages.

Here's my suggestion: Bill, what if you set up the new free Imail version on another box somewhere that's not doing much, keep its port 25 closed to the outside and send all your internal notices, etc to that domain?

-David