Re: [Declude.JunkMail] OT: Interesting Discussions
I actually miss the twice annual entertaining discussions on the Imail forum between Scott and Len with Sandy added for spice. It almost happened a couple weeks ago, on a BIND newsgroup, where I brought something up and Len jumped into the conversation. It was a moderated newsgroup, though, and everything after my first post never made it to the list (despite being completely benign at that point). They might have made it to the list a day or so later, or perhaps the moderators knew what was to come... -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Undocumented Directive 4.x
I used to know what sleep is. But a couple years ago Scott convinced me it is a four letter word so I stopped getting so much, keeping it to a bare minimum. Hey wait a minute, isn't he getting more of that four letter word now? If I said yes, would you really believe me? :) -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] may skip - 1
Could anyone tell me why these test would be skipped? That's one of the potentially misleading debug log file entries that I added. :) The debug mode was originally designed as a troubleshooting tool for someone with access to the source code, so there are occasionally comments that could be misleading. In this case, I believe the may skip was added to indicate that even though the test was about to be processed, any pass/fail/whitelist results hadn't yet been determined (so the test could be skipped by a whitelist, for example). -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Commtouch, etc
Contrary to your comments on the use of this forum, it has always been for all things Declude when Scott was the sole player he never complained about the conversation threads. Positive or negative. I think you could complain if say we were talking about phone systems. On the other hand, I would be saying Hey, wait a minute here... :) I would explain that Commtouch should indeed be treated as an addon to Declude, not part of the base package (since it requires a huge amount of manpower in the background). I would then explain that while the revenue share plan may not seem ideal to everyone, people who don't find the revenue share plan acceptable can either [1] continue using Declude as they have with no extra cost, or [2] if they want to add real-time scanning, they can go with an alternative like Message Sniffer. It's encouraging that customers see this as a gotta have it addon, but it is important to recognize that it should still be treated as an addon. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.3
Oh and prices were increased from $132 to $295 before they were dropped back to $132 for legacy customers, so there was no price cut except in the sense of department stores raising prices to have a sale. FYI, from the time that Service Agreements first came out through December, 2004 the Service Agreements were never less expensive than $295. So when they were lowered to $132, it was definitely a real price cut. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Test - can I post?
You would think that a company that is SPAM control and offer a product for SPAM control would look more into who they use for their ISP and how they setup their service. Just for the record, I was the one that chose EasyDNS. And at that time, I certainly had no knowledge of them making money from spammers. :) You had also mentioned the non-vanity reverse DNS (63-246-31-248.xiolink.com) -- that is a perfectly valid setup, and is in fact the same way that the DNSstuff.com mailserver is set up (which, like the Declude mailserver back in my day, is on a business Internet connection that can't have a vanity reverse DNS entry without switching to a much more expensive Internet provider). It's also an old pet peeve of mine when people block E-mails from IPs with valid-but-non-vanity reverse DNS entries, as some people may remember. Of course, it's better if you can have a vanity reverse DNS entry -- so it's a good thing that Declude is in the process of getting it -- but it is perfectly valid. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Max number of files in directory?
On NTFS systems, this is most likely app-related such as Explorerer where they have to deal with slogging through all the extra files, as noted by another poster. An App opening a specific file will see almost no degradation because the NTFS uses a tree structure to maintain fast access to a file by name. Very true. Getting that one file is very quick. The reason that Explorer is so slow is that it has to at the very least get the name of every single file. In the DOS days, that was relatively quick and easy (a directory of 20,000 files would take up about 320K). With NTFS, though, each file typically uses 8K, so 20,000 files would take up 150MB. So doing a directory listing of 20,000 files is like loading a 150MB files. Worse, if the directory is fragmented (which is very common), it takes even longer. With millions of files, it can take hours just to do directory listings. As someone else pointed out, disabling the last access time can help; also, disabling 8.3 can help too (only on computers with no programs that need 8.3, so you have to be careful with that). Disabling 8.3 can help a lot if the first 5-6 characters of the filenames are often the same. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
Dave Beckstrom wrote: The problem is that someone using your IP was using a Java program to access our site That was more than likely a search engine spider indexing your site. Not a legitimate one. :) We do have a lot of search engines crawling our site, some of which we let do so, some we don't, and some just occasionally get banned. But legitimate search engines don't announce what language they are using (and they would also do other things to indicate that they were a search engine). -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
That IP is our gateway address. I can get to those sites from any of our DMZ servers or from home, but not from inside the network. I am the only person who goes to those sites and I go there very infrequently (2-4 time a month). The problem is that someone using your IP was using a Java program to access our site. It isn't clear exactly what the intent was (in may have just been a browser written in Java, for example). But recently we had to come down hard on abuse of our site, and now have to block very quickly if it looks like someone isn't using a web browser (we have nearly a quarter million IPs that have abused our site). -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] problem with DNSstuff.com web site
The problem is ... I forgot to mention, your IP is unblocked now. :) -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] CBL:Abuse on dnsstuff.com
How does dnsstuff.com redirect me to their warning web page when I have to proxy in my settings...that would be a good tool for me to have... It doesn't. It would actually be easier to do that; you can just look for several HTTP headers that indicate that a proxy is being used (such as X-Forwarded-For: or Via:). Someone familiar with PHP or ASP or a similar language should be able to do that fairly easily. However, at dnsstuff.com, web proxies are always allowed to access the site. Unless, however, they are web proxies that are attacking us (several viruses have been written that cause a large amount of traffic to dnsstuff.com). Unfortunately, no major web proxy yet has a way to force web pages to be cached (and as we know, one of the main reasons for web proxies is to cache any and all pages that are cachable!). So we can't stop the attacks, which means that we have to block the web proxies that are attacking us. So what we do is add the IP of any web proxy that is attacking us to a list, and then any time someone tries connecting from that IP, we send the message about the web proxy. -Scott --- [This E-mail was scanned for viruses by Declude EVA www.declude.com] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is there any hope running Declude with imail 8.21???
I gave up and downgraded to 8.15 now I'm getting: 09:07 15:08 SMTPD(CP) error 3 executing c:\imail\Declude.exe D:\IMAIL\spool\Q3ab90041008c0e76.SMD It looks like you set up Declude to run in C:\IMail, but you run IMail on D:\IMail. :) -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IMail 8.02
Declude as a multi-threaded service sound very promising. I agree. :) It is something that I had wanted to see in Declude for a long time, and was a logical progression for Declude, that will take care of many issues. It should increase performance, and at the same time allow E-mails that are being processed to communicate with one another. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IMail 8.02
RSP ...allow E-mails that are being processed to communicate with one another Curious. How do emails communicate with each other? Just to clarify, it's not the actual E-mails themselves doing the communicating G, but the code that is processing each E-mail. By having Declude run as a service, there is just one process running handling all the scanning (rather than one for each E-mail). Although the current architecture does allow communication (Declude Hijack, for example, keeps tabs on how much E-mail is being sent from each IP), it is very cumbersome. As a result, only things that are vital would be communicated. With a single process, however, it is much easier to communicate information (basically almost any information that one thread has about an E-mail can be accessed by any other thread if needed). By itself, this doesn't really do anything noticeable. What it does do, however, is make some potential features easier to write, as well as making the code easier to read (and troubleshoot). -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] PIDDEBUG
I'm just curious when this bug will be fixed. It was reported months ago. I've got three more months left on my support contract and don't think I'm going to renew if it takes six months for the Declude dev team to fix one bug. Sorry yall, but my confidence is waning. I think it might help if I comment here. I believe this was a necessary evil -- kind of like getting a tooth removed, it's no fun, but it needs to be done. As many of you know, about 6 months ago I stopped working full time for Declude. I'm still involved, just not nearly to the extent that I was before. Before that point, I was essentially in charge of the Declude source code. Part of the transition of me leaving was to get the development team to take that on. That transition worked very well, except for one flaw. And it was a major one, which I recognized and understood. I was faced with a choice: either push until the problem was fixed (in which case I would not be around to handle the next problem), or let the team handle it on their own (which gives them the opportunity to learn from their mistake). This one flaw caused most (if not all) the issues that have been discussed here with the 2.x releases. Making matters more difficult, the issues were not easily reproducible. Fortunately, the flaw eventually exposed itself, and has been addressed and removed. There's still a bit more work to be done, however, and some more testing to do. But with that flaw out of the way, it should be smooth sailing from here. This whole process has helped give the team the experience they need to be able to recognize and deal with future issues that come up much more quickly. And as I mentioned in a post a few days ago, I think that you will be pleased with the next release. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Woes
Whoa! First post in like 4.5 months Scott. Did you have a good vacation? Are you back to working on Declude? :) If so, when do you think there's going to be a new release that will fix the overflow issue related to: [Application popup: Declude.exe - Application Error : The application failed to initialize properly (0xc142). Click on OK to terminate the application] Unfortunately, I cannot comment on when the new release will be available -- there are always too many variables. I'd rather see delays and get the issues fixed than get the product out on a deadline with some unresolved issues. However, I can say that the source of the more noticeable issues with the v2 releases that some people have encountered has been identified and removed (including the 0xc142 issue). Although it is taking a bit longer than expected, I think you will be pleased with the results. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Woes
I’m not so sure it’s a DNS issue because the Imail spam filters run perfectly fine, which I am now using in place of Declude. They do not do as good a job identifying spam, but they are better than nothing. It probably is a DNS issue. It sounds like the problem is that the E-mails aren't being processed as quickly as they need to be (~10 seconds given your volume), and few things can cause scanning delays of multiple seconds (the 2 most common being a virus scanner that times out, or a spam database that times out or is very slow). So I'm guessing that the DNS responses just aren't fast enough. If the IMail v8 anti-spam doesn't cause these issues, it is probably because Declude JunkMail is doing more spam database lookups that IMail is. Doing the debug mode and checking for timeouts as Darin suggested would be a good idea. A single dead spam test can easily push you into the processing time limit with volumes like yours. -Scott --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Any word on the 2.06 release?
Agreed on Scott leaving. And what's up with that anyway? There was news article I noticed on their site a few weeks ago stating something about Scott leaving because he wanted to spend more time working for the Red Cross? Correct. :) The new article was http://www.declude.com/Articles.asp?ID=150, and it was short and sweet. Basically, I needed a break. I had been putting so much time into Declude over the past close to 5 years that I didn't have time to do some of the things that I wanted to, such as volunteering at the Red Cross. Before I started Declude, I was a very active volunteer on their local Disaster Action Team, responding to hundreds of local disasters (typically house fires, but occasionally other things such as floods, hazardous materials incidents, even a hostage situation once). It was very rewarding, and while I've managed to go to their monthly meetings over these years, I haven't had a chance to go to the local disasters, and I have really missed it. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNSReport and DNSStuff websites
How can we check with him to see if they will continue to be maintained? I do plan to keep maintaining both sites. The sites don't require too much maintenance, but if for some reason I decide not to continue maintaining them, I will do my best to ensure that the sites don't go away (and that they remain both free to use as they are now, and that they don't get cluttered with graphics/ads). -Scott P.S. Thanks to everyone for your kind words in response to Barry's post about the organizational changes. :) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] RFCSPACE Explanation?
Is it every version of Outlook that fails the CMDSPACE or is it the mail server this test is for? It is for whatever connects to IMail. If you only accept incoming E-mail, it should be a mailserver. If you also allow outgoing E-mail, it could be a mailserver or a mail client. If it for a mail server is there a list of servers that are known to fail this test? There are no known mailservers that fail this test. Just a handful of mail clients. That's what makes the test so useful -- even though Outlook fails the test, nobody in the world using Outlook will cause the E-mail to fail the test, unless either [1] their mailserver has a problem that causes the E-mail to fail the test (which is extremely unlikely), or [2] they connect directly to your mailserver (in which case they are a user of yours, and you can whitelist them). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] RFCSPACE Explanation?
I have been looking for an explanation of the RFCSPACE test but I cannot find one Anybody have a detailed explanation with references? Do you mean CMDSPACE? That one looks for a space in the SMTP commands, such as RCPT TO:, that really shouldn't be there (although some people may try to argue that the RFCs do allow it). No legitimate mailserver that I am aware of has the space there, although some mail clients (most notable Outlook) include it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OT: Internet Usage - Monitoring and Filtering Apps
We use a Watchguard firewall on our corporate network. http://www.watchguard.com FYI, if you use a Watchguard Firebox, make absolutely sure that the DNS Proxy is *disabled*. There's a serious bug that they have been ignoring for over a year now that makes it useless when multiple requests come in from the same IP. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 2.0.5 - Junkmail passes?
What am I missing - this email failed virtually every test there is G, it also should have bypassed whitelisting. Yet - at the end it was delivered? I believe the issue here is that you are using ROUTETO followed by DELETE. In pre-2.0, the DELETE action deleted the entire E-mail. With v2.0, however, it only deletes it for the recipient(s) that use the DELETE action. However, if you use the ROUTETO action, the recipient gets changed in the Q*.SMD file to a different E-mail address. So if you later use the DELETE action, Declude JunkMail sees that the original recipient isn't listed in the Q*.SMD file, and isn't able to delete the E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Base 64 Encoded messages
The headers say base64 Declude JunkMail will attempt to decode base64-encoded attachments (unless you have a DECODE OFF line in your global.cfg file, but that means you don't want Declude JunkMail to do such decoding). If you're running an older version of Declude (before around 1.75 I believe), it might not have this ability. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spam tests by months
I've send this message over 46 hours ago. It's only me to receive it on the list so late? I fear if this happens repeatedly an effective discussion is not more possible. Back to snail-mail? Our mailserver received millions of E-mails over the past few days. Once we detected the problem yesterday morning, we were able to block the E-mails and make sure that backed up E-mail got delivered. Just about all of the backed up E-mail has gone out. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 2.0 - crash
We've gone back to 1.82 as well. We'll wait again until 2.0 is proven stable. Declude hasn't been like what has been in the past. Just to let people know a bit about this -- the source of the crash was identified pretty quickly. And a change could have been made almost as quickly to prevent the crash. However, in this case, the D*.SMD files (the ones containing the E-mail body) were disappearing -- a situation that should (in theory) never happen. There are causes for this (such as an on-access virus scanner), but they aren't very common. So my advice was that rather than just fix the crash, further investigation should be done to determine why those files were disappearing. That way, we can have a new release that fixes the crash without running the risk of people noticing a new problem (that they weren't seeing simply because the crash occurred). With software, there are often minor issues that come up that don't get addressed because they seem so minor or aren't being reported. Yet many times when this happens, a bigger bug appears later that would have been fixed if the minor issue had been dealt with right away. I've seen this a number of times with software I've worked on that nobody but myself runs. One out of a hundred times, something that isn't quite right will appear. The thought process is Gee, it would be a good idea to look into that to see why it happened, but it would be a lot of work tracking it down; I'll deal with that later. With a program that only I run, that's fine. But for software that 1,000s of people are running, most of whom consider E-mail to be mission critical, I think it is best to wait and have it done right. And, to take credit away from where it should be taken (or whatever the opposite of giving credit where it is due is), the crash is occurring in code that I wrote. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filters and encoded subject lines
And I have a filter that looks for vicodin ANYWHERE 2 CONTAINS VICODIN The filter does not find it. I think it is because the subject line is encoded. Is there any way to check it with the filters? Actually, I believe the issue is that ANYWHERE just looks at the subject and body (without doing any decoding). If you add a line: SUBJECT 2 CONTAINS VICODIN then it should get triggered. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filters and encoded subject lines
If ANYWHERE only gets subject and body... Sorry, I meant that it covers the headers and body (but not any decoded parts). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Base 64 Encoded messages
Does declude decode messages before using filters? It does a lot of decoding, yes. I have a domain in a body filter that keeps getting through? Have you checked the raw source to see how it is encoded? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Subject problem
Scott. Any response to this. There should be a new release Monday that covers the issues from this week. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Subject problem
I am running the latest version (newly released 2.0) and the subject is showing =?iso-8859? The subject shouldn't appear that way in the E-mail itself. For Declude JunkMail usage, it may appear that way with the Subject starting with a colon issue, which has been fixed in the latest 2.0. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log Levels
I working a routing to process the log files for declude. The ultimate goal is to produce statitics and graphs based on the information from the log files. I checked the manual and the descripiton for the various log formats is vague. Correct. That's because there are somewhere around 1,000 different possible log file entries. WARN (This is in the current global.cfg, but I see no reference to anywhere else) LOW MID HIGH DEBUG (Used for debugging potential problems with Declude) ERROR: Logs error only. LOG is the primary level, which is designed to record the basic information that just about everyone will want. HIGH is used to get as much useful information as possible. MID is a compromise between LOW and HIGH. DEBUG contains about 100 times as many log file entries (most of which aren't designed to be readable to end users), and as such should only be used as needed. WARN can be used if you don't want information on each E-mail, but want to be alerted to any warnings/errors that occur. ERROR really should never be used, as it will not record warnings to the log file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Problem with subject line in version 2.0
I had the same problem. The declude.exe is about 1/2 of the size as the one it replaced. That actually is normal -- the old declude.exe file had quite a bit of extra (unnecessary) debugging code in it. This smaller version removes that code, which makes Declude slightly more efficient. I emailed support but I imagine they are fixing it, I have not heard back from them.. The person in charge of the install program just got in, so I expect you should get a response shortly. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] new decoding-problem
so you think something like filename==? shouldn't appear in a legal mail? that would give us the opportunity to filter for camouflaged attachmentnames. It *should* be illegal in legitimate E-mail, from what I can tell. But it is possible that legitimate E-mails may be sent out that way for some reason (I do not know for certain). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Problem with subject line in version 2.0
There appears to be a problem in version 2.0 where Declude is seeing the first character after the word subject as the start of the subject line. The first character is a colon and followed by a space and then the actual subject line. You are correct. I'm surprised this didn't get caught during the beta. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Confused about 2.0
I'm confused about the release of 2.0. I received 2 emails from Barry making annoucements and then 2 emails immediately following which recalled the announcements. (?) I believe the 2 recalls were both for the first message. Is 2.0 for IMail ready? Yes, it is. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] new decoding-problem
we received a new mail, wich contains an attachment. the filename is coded as follows: Content-Type: application/octet-stream; name==?koi8-r?B?NC5wZGYuZXhl?= we are running a filter that searches for combinations like this, but with the used encoding, declude seems to be unable to track this attachmentname. If I recall correctly, this isn't technically legal. However, we are looking at the possibility of decoding filenames for banning file extensions (virus scanning will still work properly with these encoded filenames). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNSSTUFF.COM Web Site Down?
It's 4:30A PST, and I cannot access the 'dnsstuff.com' web site. Is anyone else having the same problem? The site was being reset -- normally it's only down for a few seconds, but this morning it was down for about 10 minutes. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Authenticating account
Is there a command to filter (in a filter file) based on the account the authenticated the session ? No; IMail does not store that information (aside from in the log file). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 2.0 Manuals?
With the official release of version 2 on Jan 31 I would like to know if the manual will be rev'ed as well or will we still have the old 1.81 manual? Yes, it will. :) I want to know more about: The Virus Pro Event logging. What is it? What can I do with it? That provides an option to include Declude Virus log file entries in the Windows Event Log. It was added for the Somix Logalot program, but could be used for other purposes. The change to the DELETE command in JunkMail? It allows the DELETE option to work for individual recipients. Previously, the E-mail would be deleted if any user used the DELETE action. With v2, however, the E-mail can be deleted for one user while being delivered to another. How to implement the new HOLD with directory path? This will work similarly to other actions -- you just specify the directory after the HOLD action (WEIGHT20 HOLD E:\IMail\spool\hold\weight20\). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 2.0 Manuals?
If I am using domain $default$.junkmail config files then if I do a WEIGHT40 DELETE it will delete the mail for everyone in that domain? In this case, it will work exactly as it had before. Since all users had DELETE before, the E-mail now will still be deleted. But if there is a single user fred.junkmail file and he has WEIGHT40 DELETE then it will only delete the e-mail for fred and other recipients in the domain and other domains would receive it? Correct (assuming that the other users were not using the DELETE action). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Difference Between MAILFROM and FROMFILE
I apologize for asking such a silly question but I'm suffering from a mental roadblock. What is the difference between the MAILFROM and FROMFILE tests? I understand the difference from a Declude configuration syntactical standpoint but I don't understand the intended benefit of having two tests which seem to do essentially the same thing, other than the fact that all entries in a FROMFILE would have the same number of points added whereas MAILFROM you can specify individual number of points. The MAILFROM test simply checks to see if the return address is on a valid domain. So if I sent an E-mail from [EMAIL PROTECTED], it would fail the MAILFROM test. You do not give the MAILFROM test any data (you don't give it an address, domain, list of addresses, etc.). It will work the same for everyone who uses the test. The fromfile test type is called a Sender Blacklist. It lets you enter a list of E-mail addresses that will cause the E-mail to fail that test. It will work differently depending on what E-mail addresses you list. So if you have @made_up_domain.com or [EMAIL PROTECTED] in your blacklist, an E-mail from [EMAIL PROTECTED] would fail both the MAILFROM and sender blacklist tests. But if you did not happen to list that user/domain, the E-mail would only fail the MAILFROM test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Difference Between MAILFROM and FROMFILE
I'm sorry. I didn't mean the MAILFROM test. I mean the MAILFROM entry that you put in the filter file, e.g. MAILFROM 50 CONTAINS suspect. Filters work by looking at a specific piece of information, and comparing to information you supply. So the line MAILFROM 50 CONTAINS suspect does exactly that -- it checks to see if the MAILFROM (return address) contains suspect. If so, the E-mail will trigger that test. The Sender Blacklists check to see if the return address matches anything in a list you supply. It doesn't work the same way, as it looks for exact matches on E-mail addresses (so a line [EMAIL PROTECTED] won't match [EMAIL PROTECTED]), and partial matches on domains (so @example.com will match [EMAIL PROTECTED]). All I need to know is if the MAILFROM I describe above looks at the whole address in X-Declude-Sender, e.g. [EMAIL PROTECTED], or if it just looks at the stuff before the @ character or just looks after the @ character. It looks at the entire address (which is the same one as in the X-Declude-Sender: header, and IMail SMTP log file MAIL FROM entries). Also with the FROMFILE test if I put in an entry... hotmail.com would the FROMFILE test add points if the X-Declude Sender was [EMAIL PROTECTED] Yes (and it would also catch E-mail from [EMAIL PROTECTED]). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Not whitelisted, why
Log lines 01/21/2005 03:03:45 Qe18f09a600c0cf70 Using [incoming] CFG file D:\IMAIL\Declude\$default$.junkmail. 01/21/2005 03:03:45 Qe18f09a600c0cf70 Redirecting [EMAIL PROTECTED] to file D:\Imail\declude\junkmailfiles\standardabrasives.com.junkmail. Are there further log file entries? ### first line in D:\Imail\declude\junkmailfiles\standardabrasives.com.junkmail. WHITELISTFILE D:\Imail\declude\junkmailfiles\whitelistfiles\standardabrasives.com.whitelis t.txt And the X-Declude-Sender: [EMAIL PROTECTED] [218.16.121.102] is in the whitelist file as [EMAIL PROTECTED] Is that the last line in the file (remember, Windows requires that the last line in text files end with a carriage return -- if you can't move the cursor below the last line in Notepad, you need to hit ENTER at the end of the line). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Overflow directory and a note about Windows 2003 DNS
Could you please let me know what condition causes E-mail to be left in the overflow directory, and exactly how Declude determines how/when to process such messages. The short version is that the situation is handled better than if the overflow directory isn't used (many people don't get that). The longer version is that Declude will move E-mail (actually, just the Q*.SMD file) to the overflow directory when Declude detects that there are more than X service-started processes (where X is 30, unless you have IMail set to use a different number of maximum processes). Those can be declude.exe, smtp32.exe, or AV processes. Once this situation occurs, Declude will continue to move E-mails to the overflow directory until the number of service-started processes is less than X. At that point, when an E-mail arrives, Declude will start enough Declude processes to hit the limit of X (each of which scans a single E-mail). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Not whitelisted, why
No it is not the last line of the file! In that case, the next step would be to double-check all settings (such as making sure that the paths are correct, no typos, etc.). If that doesn't explain the problem, you can use LOGLEVEL DEBUG, and send the results to [EMAIL PROTECTED], and we can see what is happening. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] whitelist not configured right?
So in the whitelist file for our domain name, I put a line IP x.x.x.x, where x.x.x.x is my home IP address. However, the Declude continues to scan messages sent from my home PC for spam, and to act accordingly. The problem is that whitelist files don't have an option of IP x.x.x.x. In this case, you could add a line WHITELIST IP x.x.x.x in the \IMail\Declude\global.cfg file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] whitelist not configured right?
Thanks, Scott. I also thought that whitelist files included all of the same options as the whitelist commands that go into a global.cfg file. No: The D:\IMail\Declude\mywhitelist.txt file would then contain either one E-mail address ([EMAIL PROTECTED]) or domain (@example.com) or subdomain (.example.com) per line. What about @domain-name? Does that work in a whitelist file? Yes, that will work. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Overflow directory and a note about Windows 2003 DNS
You seemed to indicate that service launched processes count against the threads...meaning that smtp32.exe launches declude.exe, which launches F-Prot and McAfee. So would this count for 4 threads (not according to Declude, but Windows/IMail)? What about Sniffer and each external test that I have configured within Declude, would those count as well? Unfortunately, we are not aware of a way to determine if a process was started by a service or not. Currently, Declude looks for declude.exe, smtp32.exe, scan.exe, F-Prot.exe processes (and any processes listed in the rarely used DAISYCHAIN option). Note that SMTPD32.exe -- the IMail process/service that starts Declude -- is just a single process, so it will only count once. Message Sniffer and other external tests won't count, since Declude doesn't specifically look for it (but it does indeed count as a service-started process, and could cause the memory limit to be reached). However, there would only be a maximum of one of them per E-mail (since Declude runs the external tests in serial, not in parallel). I also re-read the following post by Sandy: http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg94576.html It seems to indicate that there is no thread limit, but something else instead; a limit of 64 objects per thread. That's not related here. The overflow issue deals with processes, not threads. Processes are what are listed in the Process tab in the Task Manager (such as one SMTPD32.exe process, 0 to 30 or so Declude.exe processes, etc.). Each process can have from 1 to an (almost) infinite number of threads. I'm not sure how that might apply here. So if I am seeing overflow with processing power to spare, I should be able to increase the threads in IMail to a higher number than 60 in order to better utilize my server's capacity. With memory utilization below 50%, it doesn't seem like there is much risk in doing this, would that be correct? Anything referring to thread or threads in IMail settings is not relevant to this (IMail v8 introduced one or more thread options). Declude JunkMail looks at the MaxQueProc IMail registry setting (which may also be an advanced setting in IMail Administrator, with a name such as maximum number of processes). Any other settings are not used. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Not scanning mail passing between domains on the same server
I have noticed that when a user send a mail message to an address on another domain, but located on that server Declude does not scan the messages for viruses or spam. Is this via web messaging? If so, older versions of IMail may not call Declude. In this case, though, it is extremely unlikely that the E-mail would be spam (since it is from a user that is authorized to send mail) or a virus (since the user would have to intentionally attach a file that happens to contain a virus). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %ALLRECIPS% Strange
X-RECIPIENTS: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] It show the same email address three times?? I would think it would show the aliases email addresses or or just the alias address. Declude version 1.82 What does the IMail SMTP log file show for the E-mail? Note that if for some odd reason the sender sent the E-mail with a list of three recipients (all the same), you could see that behavior. Or, if it was sent to three separate aliases (say webmaster, postmaster, and support were all aliases pointing to the france@ account), it could also result in this behavior. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] %ALLRECIPS% Strange
The france@ account is the alias and points to one alias and two accounts. This is a messages that was held and then moved back into the spool folder. In this case, Declude JunkMail is seeing three recipients (as the alias points to 3 different addresses). But, it displays the intended recipient rather than the actual recipient, in order to hide the actual recipient (as some people do not want others knowing what address(es) their aliases point to). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Time out
How long is the timeout ? It currently waits 5 minutes (it used to wait up to an hour, but then when external programs started hanging, it would cause serious problems with mail backing up). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF logs
Just noticed that the SPF logs that were stored in C:\ are gone. Did they get moved or where they done away with? They were done away with. They were part of the beta testing of SPF. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Time out
ERROR: External program pictest didn't finish quick enough; terminating. Does anyone no how to increase the time out for external tests ? There is no way. An external program should not be taking many minutes to process an E-mail. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Unknown error code
A message today from Len Conrad at IMGate failed the BADHEADERS and ROUTING tests. The error code returned by both tests was the same: a004010f The lookup on declude.com doesn't know what this means. That code is a combination of two things. The first is as John pointed out: Len will often use a computer in the U.S., send mail to someone in the U.S., but relay the mail through an offshore mailserver. Perfectly legal, but it will trigger the ROUTING test (since that is how the majority of spam was sent a couple years ago). The second problem is that the Message-ID: header was bogus, and did not conform to the RFCs, which caused the E-mail to fail the more serious BADHEADERS test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamCop not testing?
It is important to note that you should only have one DNS server listed in the IMail SMTP settings (IMail has a known sporadic issue if there are multiple DNS servers listed). Really? I've listed 3 DNS for over 4 years now without any problem. Is there any KB article? I'm not sure if they have a KB article about it. The issue I am aware of will occur when something goes wrong with the first DNS server (a simple dropped packet can do it), and the backup DNS server is denying DNS lookups. IMail will try an MX record lookup, it will fail, and IMail will then try the A record on the primary DNS server. This causes the E-mail to incorrectly be sent to the wrong IP address, causing bounces, deleted E-mails, and other such nasty things. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamCop not testing?
Do you have do you have any further information about this statement - what type of errors, etc. It is important to note that you should only have one DNS server listed in the IMail SMTP settings (IMail has a known sporadic issue if there are multiple DNS servers listed). The issue I am aware of will occur when something goes wrong with the first DNS server (a simple dropped packet can do it), and the backup DNS server is denying DNS lookups. IMail will try an MX record lookup, it will fail, and IMail will then try the A record on the primary DNS server. This causes the E-mail to incorrectly be sent to the wrong IP address, causing bounces, deleted E-mails, and other such nasty things. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Outgoing mail
To prevent Declude JM from scanning outbound mail I know I can whitelist IP ranges. Can they be anywhere in the global.cfg or do they need to be at the top. In general, any configuration options can go anywhere in the config files, with the exception of test actions in the global.cfg file (which must go after the test definition lines), and .eml files (where the configuration lines must go before the body of the E-mail). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] external program with quotes....
I'm writing my own external program to compare domain names. I need to pass the %REVDNS% parameter with quotes around it due to possible spaces in it. Is this possible? No, it is not possible, since the entire command line needs to be quoted. However, as Kevin pointed out, reverse DNS entries should never have a space in them. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamCop not testing?
Has there been a change in the cfg files lately, or something? I've seen a few domains/IPs that Spamcop does have listed, yet, they don't appear to have failed the spamcop test. This is the line I have in my cfg file: SPAMCOP ip4r bl.spamcop.net 127.0.0.2 5 0 Is there something I should notice so that I can see why this test isn't being run? (I used to see it all the time too.) Are any E-mails failing the SPAMCOP test? If not, then there is probably a DNS or configuration issue. If some E-mails are failing the SPAMCOP test, the problem may just be that you are receiving the E-mail before the IP gets listed in the SPAMCOP database. Unfortunately, the company that now runs SPAMCOP no longer lets you see when the IP was added, so it is impossible to know for certain whether or not that is the case. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Google and/or Earthlink failing subjectchars
Just commenting about the semantics of what constitutes a release. I'm not sure that 1.82 fixes this since it was targeted at the SPAMDOMAINS issue (could have, but it isn't documented), but the latest beta release was definitely reported to have fixed it. Correct. 1.82 is just 1.81 with a patch that fixes the SPAMHEADERS issue. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Interesting tactic..
http://www.eweek.com/article2/0,1759,1749328,00.asp\http://www.eweek.com/article2/0,1759,1749328,00.asp\ One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning. Interestingly, the main point of the article (that this technique wreaks havoc on DNS) is complete hogwash. I've informed the author of the article, and hope he posts a retraction. As far as the technique is concerned, it really seems silly -- I can't see what benefit a spammer would have from doing this. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Calling an Executable - evaluating in multiple tests
SNIFFER external nonzero sniffer.exe authcode 1 0 SNIFFER-SCAMS external 053 sniffer.exe authcode 2 0 SNIFFER-PORN external 054 sniffer.exe authcode 2 0 SNIFFER-MALWARE external 055 sniffer.exe authcode 3 0 SNIFFER-OBFUSC external 062 sniffer.exe authcode 2 0 Actually, this should work fine. Declude JunkMail checks to see that the command line is the same (the sniffer.exe authcode, which is the same in all the above lines), and if so, it only runs the test if it has not yet been run (or if it has, it uses the exit code from when it was run). Declude JunkMail then handles the weights. So in this case, if Message Sniffer returned an exit code of anything except 0, the SNIFFER test would be triggered. If it returned 53, both the SNIFFER test and the SNIFFER-SCAMS test would be triggered. It should work in the same way as having multiple ip4r tests, one of which looks for * and others which look for specific return IPs. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Old email accounts
Is there a way to keep email that is sent to old non-existant email accounts on my server from being processed by Declude. I have noticed that a lot of the spam in spamreview is to email addresses that are no longer there.. If you have IMail reject those E-mails, Declude won't scan them. Otherwise, Declude will scan them. Note, however, that you may see E-mail addresses that do not exist (that IMail did not accept the E-mail for), if there was at least one valid recipient. In that case, IMail will process the E-mail, and have all the bogus recipients listed in the SMTP envelope. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HELOBOGUS for Email from Postfix Gateway
However, I'm having a problem with Declude triggering on reporting emails that are generated directly ON the gateway itself: That's because the gateway is running an MTA that adds very poor Received: headers. - Declude parses IP Address 0.0.0.0 - Declude parses HELO string of userid Here is the headers that Postfix generates for email that originates from that machine: Received: from mail.dollardays.com [67.132.45.18] by mail.webhost.hm-software.com with ESMTP (SMTPD32-8.14) id A4F0800114; Sat, 08 Jan 2005 04:16:32 -0500 That one is fine. Since you are IPBYPASSing 67.132.45.18, Declude JunkMail skips over that line. Received: by mail.dollardays.com (Postfix) id BD39835A9D2; Sat, 8 Jan 2005 04:16:24 -0500 (EST) This one is a very poor Received: header. It contains almost no useful information (since it is your server, you already know its name, and the time *could* be useful, but only if the server uses NTP). Received: by mail.dollardays.com (Postfix, from userid 0) id A8FC335A9CE; Sat, 8 Jan 2005 04:16:24 -0500 (EST) This, too, is a very poor Received: header. It, too, contains almost no useful information. As you can see, it a) has no FROM field in the received header - that's what's causing the 0.0.0.0 being reported as the IP address Correct. b) it picking up userid form inside an SMTP header comment - the string is included inside paranthesis, thus should NOT be interpreted by Declude. Correct. However, given how many poor (one step above very poor) mailservers there are out there, we have to check inside SMTP comments. There are mailservers out there that include the IP (and probably 'from') in SMTP comments. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] HELO Filter not Working?
Remember, Declude JunkMail looks at the HELO/EHLO of the remote mailserver, based on IPBYPASS/HOP Uh - that's the answer. Thanks for clearing this up. So the HELO is not necessarily taken from the HELO, but from the HEADER. Both, actually. Declude JunkMail gets the HELO from the real HELO/EHLO from the SMTP envelope. The method Declude JunkMail uses to obtain the HELO, however, is the headers. Note that if Declude JunkMail used IMail's SMTP envelope as the method of obtained the HELO, Declude JunkMail could get the wrong HELO (as would be the case if there are gateways). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 1.82 - Last Action no longer logged for IGNORE
Can you remind me, what additional messages/log lines I will see if #LOG_OK NONE is commented out? With v1.82, it will add back the Message OK line(s) and the Tests Failed line(s). Please note the subject: I AM running 1.82 (the SpamHeader fix!) Yes, I am aware of that. It's only missing if LOG_OK is NONE. Correct. You asked what additional lines you will see if you comment out LOG_OK NONE. Commenting it out will add back the Message OK line(s) and the Tests Failed line(s). I made the comment about 1.82 as it was the version you are running, and there were many changes to the logging in 1.75 and earlier. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] test.dat
An explanation of this file... it's purpose and how it gets there.. would be very beneficial. Is supposed to be there, or is it part of the beta testing? Will it re-create itself if deleted? One of the things that often happens in betas (and the old interims) is that files will be created for various purposes, so: We're still currently on 1.81 (didn't have time to update today) so it's not a problem here ... yet. In your case, I would recommend not upgrading to the next beta (or if so, asking any questions that might be relevant in your situation). Note that this is something in the latest beta, and is in not related to the recent SPAMHEADERS fix (1.82 should be identical to 1.81, except with the SPAMHEADERS fix). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 2005 SpamHeaders - Fix
I have not upgraded to fix the 2005 spamheaders test as of yet. Our CPU has been maxed out and the server bogged down since my return after the New Year. I have commented out the spamheaders test and the CPU is still maxed. I went into IMAIL and changed the delivery application from declude.exe to smtp32.exe and restarted the SMTP service and the processing dropped from 100% to approximately 13% - 20%. I placed the declude.exe back in as the delivery application and the processor utilization shot right back up. This narrows it down to declude however, I have not yet pin pointed exactly what is causing the increase in processor usage. When you go to the Process tab in the Task Manager, and click on the CPU button, which process(es) are nearest to the top? Note that this should not be related to the SPAMHEADERS issue. Did you make any changes to the Declude configuration recently (such as adding filters, which can eat up CPU time, depending on what they do and how they are designed)? I don't want to go through and comment out each test one at a time to find which the offender is. If it does come to that, you can do it the binary way. First, comment out 1/2 the tests. If the problem continues, uncomment the ones you just commented out, and comment out 1/2 of the ones that you did not comment out (if the problem does not continue, do the opposite -- uncomment 1/2 of the ones that you commented out originally). If you have 30 tests, you'll only have to do this 5 times. The drawback is that during the few minutes you are doing this, spam is more likely to come through. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 2005 SpamHeaders - Fix -
Sorted by CPU the system process is first and second is a toss up between declude, smtpd32, and queuemgr followed by as many as 16 simultaneous instances of declude with cpu between 1 and 4. That normal indicates an above average volume of mail (or, in other words, the system is at full capacity). However, the fact that shutting off Declude lowers the CPU usage to 13-20% would indicate that Declude is using more CPU time than it normally should (which could be normal, depending on what filters you have set up). Does creating a domain folder with a blank $default$.junkamil file, as compared to whitelisting a domain in the global.cfg, use more processing power? No, both will use almost exactly the same amount of CPU time. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Filter for blank subject lines
I have pro and my filters work, yet ISBLANK, IS BLANK, IS, and IS , all pass mail with blank subjects through. White listing plays no part. Do you know if that is supposed to work for sure? Are you creating a filter test for it? The SUBJECT 10 ISBLANK line should work with the latest version of Declude JunkMail Pro, if it appears in a filter file. It won't work on a line in the global.cfg file, however (or else Declude JunkMail won't know the weight or actions to use). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 2005 SpamHeaders - Fix
I have upgraded to the new Declude.exe v1.82. Within a matter of minutes of doing this upgrade I've noticed that my mail server has started to bog down. Were you running v1.81 before, or a different version? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] ETA for SPAMHEADERS glitch
Just to let everyone know, we have identified the issue with the SPAMHEADERS test. As most people realized, most E-mails sent with a date involving a year after 2004 were failing the SPAMHEADERS test. For those that are interested in the details, if the SPAMHEADERS code matches the bitmask 0x4800, it means that an invalid year was detected for the SPAMHEADERS test. Normally, a code such as 0x4802 would be seen, but others such as 0xC0001802 could also be seen. And I feel that it is only fair for me to point out that this glitch was in code that I wrote (several years ago, actually). We expect to have a v1.82 ready by tomorrow morning that takes care of this issue. Part of the reason for the delay (aside from it first being reported on a holiday during a weekend) was that the fix involves changing old source code, which is something that has never been done with Declude before. In the past, when issues such as this were detected, a change would be made to the latest code (v2.0b in this case). However, management made the decision that it would be in the best interest for everyone to make the change to the 1.81 as well, which requires a more complicated procedure for implementing the change. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Notification Policy...
The urgent list you are referring to was for urgent virus notices, of which since inception there was only one use. I've considered this list not virus- or junkmail-specific. Maybe my mistake. It wasn't even specific to Declude Virus. The reason for the list was that there was a rash of new viruses, and there were concerns about blocking the viruses before the virus definitions were updated. The virusalert list for Declude Virus was added to let people know ASAP of new viruses, before virus definitions were available. The idea was that an initial alert would get sent out as soon as we detected that a major new virus was released, with a second E-mail including more details. Since no AV company supplied such a thing (they typically report all new viruses, and send the information hours after the virus starts spreading), it seemed like it would be very useful. But as soon as we created the list, the viruses died down almost immediately, so as John pointed out, it was only used once. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 2005 SpamHeaders Glitch?
I also agree it would have been nice to have a warning announcement about the Spam Header test being broken officially from Declude, more timely, and along with advice what to do in the interim. This is not the same Declude operation to me as in years past! FWIW, it was handled very similarly to how I would have handled it. I consider the SPAMHEADERS test to be a very minor test, as it did not catch a large amount of spam (about 8% when we last tested), and had a significant amount of false positives. As a result, we only counted SPAMHEADERS towards 15% of the default spam detection weight. The test can easily be commented out to prevent it from running. Yes, in the past, I could have come out with an interim version more quickly. However, it should also be noted that there was always a lot of debate about the interims; many people did not like them. And even so, I would have only come out with an interim for the latest version (in this case, a beta), which would not have provided any options for customers who can only run release versions. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] 2005 SpamHeaders Glitch?
1. An acknowledgement on the list from someone that they knew about the problem - it WAS a holiday and I think people should have lives - but just a hey we know within 24 hours would've been nice. Yes, that would have been nice. It did take a bit more than 24 hours for an official response on the list. 2. A simple e-mail note to all customers ASAP stating The spamheaders test has a bug causing it to catch and add weight to every e-mail sent in 2005. It is suggested that you comment it out or reduce (or remove) its weight to avoid false positives. We are working on a fix and will post it to the website as soon as possible The main reason this wasn't done was because it wasn't clear that this was going to be as big an issue for our customers as it turned out to be. The thought was that since this is normally a relatively minor test, anyone that it does affect adversely would just comment out the test. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 2005 SpamHeaders Glitch?
On another note... has anyone seen any sort of (cascading?) effect from the SpamHeaders glitch? There aren't any, designed effects. Specifically, all the SPAMHEADERS issue does is causes E-mails to fail the SPAMHEADERS test. That adds weight to the E-mail, and if any actions are performed on the SPAMHEADERS test, they would be performed. But nothing beyond that would occur. So if an E-mail would have failed the SPAMHEADERS test before, nothing different would happen now. Kami mentioned the cascading effect, which was occurring because of combo tests (for example, a test that fails if both the SPAMHEADERS and ROUTING tests fail). However, that is by design (although the design, of course, does not assume that there will be false positives). I seem to have a fair amount of email winding up in our hold file that failed both our weight tests and an IP hold test. They should have been deleted based on the weight test, but are being held based on the IP hold list. Have you checked the Declude JunkMail log file to see what actions were taken on the E-mail? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] corrupt RIPE data
What does this mean? X-Note: Reverse DNS IP: pop.gmx.net [213.165.64.20] X-Note: Country Chain: 'EU' [corrupt RIPE data]-GERMANY-destination This has triggered ROUTING test and I am just wondering if the all-dat file is corrupt or needs adjustment or ... That means that RIPE (the organization allocating IPs in Europe) made a mistake, and allowed the country code for the IP to appear as EU, which is not valid. However, the ROUTING test does not rely on the all_list.dat file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] corrupt RIPE data
I know this is a sore issue with you - but this is not a mistake. It is a policy (that you don't agree with). Without knowing that there *is* a policy, I cannot agree (or disagree!) with it. :) A) ISO has recognized that strict interpretation of the definitions of ISO 3166 prevent inclusion of EU. However, being pragmatic, it has RESERVED EU so that users of 3166 can use it absence of a formal country code. http://www.iso.ch/iso/en/prods-services/iso3166ma/10faq/frequently-asked-que stions.html#QS05 That's fine. I have no problem with the ISO doing that. My issue is that RIPE is allowing users to make up codes that aren't allowed. Of course, the fact that the people at RIPE that I've dealt with are quite clueless doesn't exactly help keep my opinion unbiased. B) Based on the ISO compromise, and recognizing the fact that several multi-national networks and address ranges do NOT stop at arbitrary country borders (think of countries like Luxemburg, Belgium, Netherlands, etc.), RIPE has established the policy of using (and allowing the use of) 'EU' in the country code field to more accurately represent the location. If they have, they haven't done so in an appropriate way. If the format of the data specifies one thing, and you put something else there, you can't expect people to just start adjusting to the bogus data without question. (It would be just as silly, if UUNET were forced to define a country code of Rhode Island for a cross-continental network - instead of US.) But that's how it works! The geolocation data has the country an IP was assigned to, not the city, not the continent, not the organization. ARIN can't just go and publish the country as US-RI to indicate the state of Rhode Island within the U.S. That would at least make the data more granular (once programs were fixed to accept it), rather than less granular (as RIPE appears to be doing). But once you break a standard it is no longer a standard (RIPE isn't Microsoft yet!). I think it would be appropriate to bring the all_list.dat in compliance with the policies of RIPE, which after all is authoritative for its database - even if don't agree how they define country for the purposes of THEIR database. It may be their database, but not their database format. They didn't design it. In any case, the all_list.dat file is in compliance (it just stores EU, which is what RIPE supplies). And the *only* way that it affects Declude JunkMail is in the header that is displayed by organizations that are allocated IPs from RIPE in this unrecognized format. Again, this has nothing to do with the European Union -- it has to do with RIPE and their lack of compliance with standards. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude on SmarterMail
Sent this previous email a couple of days back but since it is a beta I guess email support is not supported. FYI, we have no record of any support requests from you. So declude team, app does not work yet on SmarterMail. It does, but apparently not on your server. :) No logs generated, so looks like declude is not being called - and in SM protocol settings it is set to call declude d:\SmarterMail\Declude.exe %filepath But no mail gets delivered, it goes into a new folder called spool/proc which did not exist before so I guess this is a declude thing. But mail just sits there. So disabled Declude and mail is delivered again. If you send this information to [EMAIL PROTECTED], we can assist you with it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SmarterMail move, and some complaining
We curently own Declude Virus Pro, JMPro, and Hijack, and our support contract is up to date If we decide to move from Imail to Smarter mail, do we have to pay any (declude) upgrade fee ? No, there is no upgrade fee. :) Also, I think it is ironic that, after most of us decided to stay with Imail because of declude, we now are getting this treatment from CPHZ. I personally think that the free upgrade (crossgrade?) to the SmarterMail version was a very nice gesture. I do not understand why CPHZ expalined privatly to a few customers about what is going on, and still has not posted something on this list. Should we understand that CPHZ values some customers more than others ? It is the customers that had issues with the new system that were talking to Barry. The licensing system for v2 is still being tweaked, so it would not make sense for us to describe all the details if they are not finalized yet. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
Where can I download version 2.0? If you go to http://www.declude.com and log on to your account there, you can download it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DNSstuff - NetGeo responding with empty page
http://www.dnsstuff.com/tools/netgeo.ch?ip=81.15.216.130http://www.dnsstuff.com/tools/netgeo.ch?ip=81.15.216.130 and any other IP Thanks for pointing that out -- it's fixed now. NetGeo hits were a major part of the DDoS attack that www.dnsstuff.com has been undergoing for a few months now, and it looks like one of the tweaks to reduce the DDoS traffic backfired. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Fw: [Declude.JunkMail] Declude incorrectly detecting subject.
Any thought on this. I upgraded to 2.0b and now get Failed to get temporary file name: 267 in the log file. That's something we are still working on. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Trouble with 2.0b installation...
Just ran through the 2.0b installation, get an error almost at completion Unable to copy file to target directory. After clicking OK a dozen or so times, it completes. I then dropped to a DOS prompt and ran declude to confirm the version, and got this: Declude v1.79 has already been installed; IMail will call it when necessary. You can ignore any warnings that appear after this. It backed up 1.80 and installed 1.79? Also, the creation date on the file is 8/18/2004... This appears to be due to a bug in the install program, where it will not properly copy in the Declude.exe file if there are copies of Declude already running. I would recommend stopping the IMail SMTP service and waiting for any Declude processes to go away before installing. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude incorrectly detecting subject.
I am noticing some emails with this in the header. The problem is Declude is analyzing it as the subject when is should be using the one later in the email. See below. Any thoughts. This is fixed in v2.0b. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude problems after imail upgrade.
I did recive this spam in my inbox this morning. As you can see it does not have any declude info and no Imail spam info either. What do the IMail and Declude log files show for the E-mail?What version of IMail are you running? What version of Declude are you running? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude problems after imail upgrade.
I did search the declude log file for [EMAIL PROTECTED] but could not find anything.. If you use the XSPOOLNAME ON option in the \IMail\Declude\global.cfg file, it will be easy to find the entries for the E-mail in the log file. If you do not use the XSPOOLNAME ON option, you may need to look at the IMail SMTP log file to file the queue file name of the E-mail, and search the Declude JunkMail log file for it (minus the first character and extension; for example, if you see Q1234567.SMD in the IMail log, you would search the Declude JunkMail log for 1234567). IMail v8.14 takes care of most of the known bugs that could prevent it from calling Declude, but there are still one or two left (such as the possibility of it happening when the queue manager is stopped before the SMTP service is). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude problems after imail upgrade.
Here is 2 messages that did fail weight350 and did get saved in the weight350 directory. This is working correctly, expect there are no declude headers for the messages. Below each message is the lines from the declude log file: The only time that I have seen this happen (an E-mail that didn't appear to have Declude headers, but was indeed scanned by Declude without any problems) was when Declude *did* add the headers, but the spam was malformed so badly that the body of the spam was in the headers. If you check the D*.SMD file and see the Declude headers anywhere in there, then this is the case. The message below came to my inbox and has no declude headers and I can not find the sender [EMAIL PROTECTED] in the declude log file. You won't be able to. See my previous message. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Imail/Declude queues backing up - I think it's Declude
When the _{message_ID}.~MD messages appear, if I stop the queue service
and restart then they turn into Q{message_ID}.RMD files
In that case, it appears that the IMail queue service, when started, will
automatically unlock any locked E-mails. That is OK if they are at least 1
hour old, or a bad thing if they aren't yet 1 hour old (as it can interfere
with Declude, as Declude isn't expecting the files to be renamed, and IMail
will not call Declude if it hasn't already been called).
If I rename them from RMD to SMD then they are delivered ...
Correct.
... BUT the Declude Junkmail XNote signature info isn't in the SMTP header.
Correct. If the files are locked before Declude gets a chance to scan the
E-mail, when the queue manager unlocks them, it should send them to Declude
-- but it is not.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
This outgoing message is guaranteed to be authentic by Message Level users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude and Overflow Directory
What is the max number of declude processes that will kick off if there are lots of Q*.SMD messages in the overflow directory? Is there an internal limit or is it based on some option? There is no limit, if you want to be technical. Specifically, Declude counts the total number of service-started processes (Declude.exe, SMTP32.exe, and a few others), as it is service-started processes that need to be counted. The number Declude looks for is by default 30, but is based on the IMail SMTP settings (or it may only be accessible via the registry? I cannot recall). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Imail/Declude queues backing up - I think it's Declude
How does Imail know if Declude has run on these files? It doesn't know. But since it doesn't keep track, it has to start Declude. Scanning an E-mail twice won't hurt (except for CPU usage), but not scanning it will hurt (it can cause Evil E-mails to come through). Ipswitch says that the problem is that declude is locking the file but not unlocking it when it's done. The best thing to do in this case is to look at the IMail and Declude log file entries for one of these E-mails, before restarting the queue manager. The entries for the E-mail should stop somewhere, which will provide clues as to what is happening to the E-mail. Having said that could it be one of the external tests that Declude is calling? In other words, it would appear that the problem is with Declude.exe but it's really with a shelled process that declude is calling? That shouldn't cause this -- Declude will timeout the external process if it takes too long. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] AutoWhiteList
Can we use @domain.com in our webmail adress book to whitelist all mail from specific domain ? No, IMail won't allow that, but you can add [EMAIL PROTECTED]. The all@ indicates that every E-mail address at the domain should be whitelisted. also, if one of the recepient has the sender in his adress book, this will whitelist for all recepients, correct ? Correct. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IP listed in MTLDB
I have this line in my config. MTLDB ip4rmtldb.declude.com* 8 0 One of my IP numbers is failing this test. How can I find out why. If you go to http://www.mtldb.org/ it should have the information there. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Upgraded Declude Thurs night -- since then getting false positives on MessageSniffer
I have commented out sniffer, ipnotinmx and nolegitcontent as those are my suspects... Everything else is how the configuration was when I became aware I had problems. #IPNOTINMX ipnotinmx x x 0 -3 #NOLEGITCONTENT nolegitcontent x x 0 -5 #SNIFFERexternalnonzero C:\IMail\Declude\Sniffer\wuckd6ww.exe y5abucz7zhoqeg0o0 9 These are all set up properly. Are you seeing SNIFFER in the X-Spam-Tests-Failed: header when you think that the E-mail didn't fail Message Sniffer but apparently did? If not, what makes you think that the E-mail is failing the Message Sniffer test? -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] DomainKeys ?
Does Declude support Domain Keys or is there a DomainKeys external test available? No, it does not. When we last researched Domain Keys, it appeared to be quite complex, and not very popular. It does seem to be gaining some popularity, so we may do some more research about it in the near future. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Does STOPALLTESTS really stop all tests?
I've got a whitelist filter file where I use the action STOPALLTESTS: MAILFROMSTOPALLTESTSCONTAINS@netrends.com This rule is defined as the first rule in my global.cfg (above all of the IP4r, Catchall, externals, etc.) If it trips the WHITELIST filter, why do the other tests (see declog below) register? That's because it is only designed to stop tests that occur *after* this one. So any non-filter tests will still run, and any filter tests that are defined before this test will run. STOPALLTESTS was designed to minimize CPU usage. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log file locking
IF the log file is locked and declude tried to write to it, what happens if declude can't? The log file entry won't be saved. Declude will continue to function as it normally would, except with one (or more) less log file entries. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Large attachment -- black hole
I have a user that was sent a 10mb attachment. They report that it was kicked back to the sender saying max message size exceeded. This domain doesn't have a max message size set, nor does the particular user, nor does he have a max MAILBOX size. In the logs, I am seeing something very strange: SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] EHLO hotmail.com SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] MAIL FROM:[EMAIL PROTECTED] SMTPD (b07e000b01ca61ae) [64.4.56.32 (bay101-f22.bay101.hotmail.com) ] RCPT TO:[EMAIL PROTECTED] SMTP (b07e000b01ca61ae) processing S:\imail\spool\Qb07e000b01ca61ae.SMD There is about a 30 minute difference in the timestamps on the last two lines. These are ALL the lines containing the queue number. That is unusual. There definitely should have been a connect line. Note, however, that if this was at the beginning of the day (~12:00AM to 12:05AM), it could be that the connect line was in the previous log file. The log file seems incomplete, because on every incoming connection, I usually get first a connect REMOTEIP (REMOTE_SERVER) port PORTNO line, followed by the ehlo, mail from, rcpt to. Then I usually get a spoolfilepath line after the rcpt to. Then I usually get Imail's performing antispam checks before the processing line, even though I have completely disabled all of Imail's antispam features. So some lines seem to be missing. That too is unusual -- from the information so far, I would normally suspect that IMail mishandled the E-mail, and didn't pass it on to Declude. But since there are Declude log file entries, Declude did indeed scan it. After that is where it passes off to Declude, and Declude reports that its last action was IGNORE on this message (My logs are on HIGH, so I won't post the whole thing, just the last line, but all expected lines are there): 11/23/2004 17:19:08 Qb07e000b01ca61ae Last action = IGNORE. How does this time compare to the IMail log file times? Was there a long delay in the Declude processing of the E-mail? But there is no further mention of the queue number in the Imail logs. Did Declude bomb while passing back to Imail? Or did Imail drop the ball? How can I tell? Unfortunately, it isn't easy to tell. The Last action = IGNORE *should* mean that Declude ended up successfully passing the E-mail to IMail. But there is a very slight chance that something could have gone wrong after Declude logged that entry and before Declude passed the E-mail to IMail. You might want to try searching your hard drive for the Db07e000b01ca61ae.SMD file, to see if it is there somewhere. If Declude couldn't pass the E-mail on to IMail, the Db07e000b01ca61ae.SMD file should be in the \IMail\spool directory (but if that is the case, IMail should have delivered it within 1-2 hours later). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
