RE: [Declude.JunkMail] Question about Filters
Scott,

Is there any size limitation (# of entries per file) imposed on fromfiles or the number of fromfiles you can have listed in the Global.cfg?

Thanks,
Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, November 02, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question about Filters

> After reviewing my Debug log, I found that the FromFiles are run first. Obviously, most email is spoofed and therefore will not show up, however, does Declude actually check fromfile for the mailfrom line or what it shows up as the X-Declude-Sender line?

Both. The X-Declude-Sender: header displays the return address (MAIL FROM from the SMTP envelope), which is the same one that the fromfile test type (and anything else in Declude JunkMail) looks at.

> If it is indeed the X-Declude-Sender, it seems it would be beneficial to move the domains from our filter files into fromfiles thus allowing for a reduction on CPU processing since they are run first (while using SKIPIFWEIGHT lines in filters).

That sounds like it would work fine.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Question about Filters
Can you use the SKIPIFWEIGHT and MAXWEIGHT in the fromfiles?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, November 03, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question about Filters

Scott,

Is there any size limitation (# of entries per file) imposed on fromfiles or the number of fromfiles you can have listed in the Global.cfg?

Thanks,
Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, November 02, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question about Filters

> After reviewing my Debug log, I found that the FromFiles are run first. Obviously, most email is spoofed and therefore will not show up, however, does Declude actually check fromfile for the mailfrom line or what it shows up as the X-Declude-Sender line?

Both. The X-Declude-Sender: header displays the return address (MAIL FROM from the SMTP envelope), which is the same one that the fromfile test type (and anything else in Declude JunkMail) looks at.

> If it is indeed the X-Declude-Sender, it seems it would be beneficial to move the domains from our filter files into fromfiles thus allowing for a reduction on CPU processing since they are run first (while using SKIPIFWEIGHT lines in filters).

That sounds like it would work fine.

-Scott
RE: [Declude.JunkMail] Question about Filters
> Is there any size limitation (# of entries per file) imposed on fromfiles or the number of fromfiles you can have listed in the Global.cfg?

No.

> Can you use the SKIPIFWEIGHT and MAXWEIGHT in the fromfiles?

No.

-Scott
Re: [Declude.JunkMail] Question about Filters
The skipifweight... the run order is (rbl tests, external tests, fromfile, ipfile, then filters). So weighting wise, you have only accumulated half your scores at this time.

Maxweight: As of 1.78 the fromfile test type will now stop processing at first match. So Maxweight wouldn't be useful.

----- Original Message -----
From: Keith Johnson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 2:30 PM
Subject: RE: [Declude.JunkMail] Question about Filters

Can you use the SKIPIFWEIGHT and MAXWEIGHT in the fromfiles?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Johnson
Sent: Wednesday, November 03, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Question about Filters

Scott,

Is there any size limitation (# of entries per file) imposed on fromfiles or the number of fromfiles you can have listed in the Global.cfg?

Thanks,
Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, November 02, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Question about Filters

> After reviewing my Debug log, I found that the FromFiles are run first. Obviously, most email is spoofed and therefore will not show up, however, does Declude actually check fromfile for the mailfrom line or what it shows up as the X-Declude-Sender line?

Both. The X-Declude-Sender: header displays the return address (MAIL FROM from the SMTP envelope), which is the same one that the fromfile test type (and anything else in Declude JunkMail) looks at.

> If it is indeed the X-Declude-Sender, it seems it would be beneficial to move the domains from our filter files into fromfiles thus allowing for a reduction on CPU processing since they are run first (while using SKIPIFWEIGHT lines in filters).

That sounds like it would work fine.

-Scott
[Declude.JunkMail] Question about Filters
After reviewing my Debug log, I found that the FromFiles are run first. Obviously, most email is spoofed and therefore will not show up, however, does Declude actually check fromfile for the mailfrom line or what it shows up as the X-Declude-Sender line?

If it is indeed the X-Declude-Sender, it seems it would be beneficial to move the domains from our filter files into fromfiles thus allowing for a reduction on CPU processing since they are run first (while using SKIPIFWEIGHT lines in filters).

Thanks for the aid.

---
Keith Johnson
Senior Network Engineer
Network Advocates, Inc.
9001 Shelbyville Road
Burhans Hall, Suite 260
Louisville, KY 40228
TEL: 502.992.5928
FAX: 502.412.1058
Re: [Declude.JunkMail] Question about Filters
> After reviewing my Debug log, I found that the FromFiles are run first. Obviously, most email is spoofed and therefore will not show up, however, does Declude actually check fromfile for the mailfrom line or what it shows up as the X-Declude-Sender line?

Both. The X-Declude-Sender: header displays the return address (MAIL FROM from the SMTP envelope), which is the same one that the fromfile test type (and anything else in Declude JunkMail) looks at.

> If it is indeed the X-Declude-Sender, it seems it would be beneficial to move the domains from our filter files into fromfiles thus allowing for a reduction on CPU processing since they are run first (while using SKIPIFWEIGHT lines in filters).

That sounds like it would work fine.

-Scott
[Declude.JunkMail] Question about filters..
The text filters check on BODY or SUBJECT. What about the text on the HEADERS?

Also, how can I put wildcards on filters?

Couldn't find the manual at declude.com

www.declude.com\manual.htm

Anybody have the correct link?

Thanks
AV
Re: [Declude.JunkMail] Question about filters..
> The text filters check on BODY or SUBJECT. What about the text on the HEADERS?

Yes, the filters work fine on headers, such as:

    HEADERS 5 CONTAINS EvilWord

> Also, how can I put wildcards on filters?

You cannot, but you can do things such as:

    HEADERS 5 STARTSWITH EvilWord

to catch EvilWord*.

> Couldn't find the manual at declude.com
> www.declude.com\manual.htm
> Anybody have the correct link?

You can use the old link http://www.declude.com/junkmail/manual.htm (which redirects to the new URL, which I can never remember).

-Scott
Re: [Declude.JunkMail] question about filters
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Mon, 14 Jul 2003 08:11:55 -0400
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] question about filters

>> And wouldn't it be an IP address and/or a in-addr.arpa PTR when they connect?

> No reverse DNS entry should point to an in-addr.arpa address (although some are incorrectly set up to do so). Most likely, the reverse DNS entry would point to something like HOST-192-0-2-25.example.com.

That was what I was hoping for. A bunch of spam I got has that.

-Josh
RE: [Declude.JunkMail] question about filters
> It depends on which you are testing, what rule you might want to use. Since outgoing mail uses different processing rules (in global.cfg, instead of junkmail), you can hold on fails for incoming and ignore outgoing, if you group them into one rule file, correct Scott?

Correct.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
RE: [Declude.JunkMail] question about filters
HELO/EHLO depends solely on the mail server, not internal vs external users' addresses (unless they are running their own mail server on their desktops).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Sunday, July 13, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] question about filters

In trying to come up with filters I was thinking of checking for PTRs that end in in-addr.arpa and HELOs that begin with a [ but then it hit me... when one of my users sends mail to another user on the server then the mail is inbound mail and those filters apply to them.. that of course is bad because a Cable or DSL person sending mail would probably have PTRs with in-addr.arpa on them.
Re: [Declude.JunkMail] question about filters
If I have a user that is on a Verizon DSL. They go to email me from their Outlook Express, and they login to my server to send mail. Doesn't their mail client send a HELO/EHLO to my server when they go to send? And wouldn't it be an IP address and/or a in-addr.arpa PTR when they connect? (My users do SMTP Auth so they can use the server from anywhere.) Since the mail is to me then it would be considered inbound email? Thus the HELO and PTR type filters in this case would be against them, no?

-Josh

----- Original Message -----
From: Karen D. Oland
To: [EMAIL PROTECTED]
Sent: Sunday, July 13, 2003 1:40 PM
Subject: RE: [Declude.JunkMail] question about filters

HELO/EHLO depends solely on the mail server, not internal vs external users' addresses (unless they are running their own mail server on their desktops).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Sunday, July 13, 2003 12:29 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] question about filters

In trying to come up with filters I was thinking of checking for PTRs that end in in-addr.arpa and HELOs that begin with a [ but then it hit me... when one of my users sends mail to another user on the server then the mail is inbound mail and those filters apply to them.. that of course is bad because a Cable or DSL person sending mail would probably have PTRs with in-addr.arpa on them.
[Declude.JunkMail] question about filters
In trying to come up with filters I was thinking of checking for PTRs that end in in-addr.arpa and HELOs that begin with a [ but then it hit me... when one of my users sends mail to another user on the server then the mail is inbound mail and those filters apply to them.. that of course is bad because a Cable or DSL person sending mail would probably have PTRs with in-addr.arpa on them.

Is this a problem because IMail hasn't had a way for Declude to tell what is incoming from an authenticated user or am I thinking about the filters in a flawed way?

Below is the filter that is a work in progress... perhaps someone could help me make it better or fix my flawed logic... I made this from posts here that I saw people post, and started to mash them together into one good filter.

64.81.214.120 = mail.joshie.com

I bounce from 20 to 39, and delete from 40 up.

    # catch attempt to pretend to be us
    HELO 11 CONTAINS joshie.com
    HELO 11 CONTAINS 64.81.214.120
    HELO 11 CONTAINS $domain
    HELO 11 IS localhost
    HELO 11 IS localhost.localdomain
    HELO 4 STARTSWITH [
    REVDNS 4 ENDSWITH .in-addr.arpa

    # prevent false positives internally (usually due to
    # forwarding false positives to correct person)
    REVDNS -100 CONTAINS joshie.com

    # mail servers with no real name
    HELO 8 ENDSWITH 0
    HELO 8 ENDSWITH 1
    HELO 8 ENDSWITH 2
    HELO 8 ENDSWITH 3
    HELO 8 ENDSWITH 4
    HELO 8 ENDSWITH 5
    HELO 8 ENDSWITH 6
    HELO 8 ENDSWITH 7
    HELO 8 ENDSWITH 8
    HELO 8 ENDSWITH 9

    # many spams with our name in the mailfrom also contain two asterisks,
    # never seen it in legit mail
    mailfrom 8 contains **
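
An added example, not part of the original post and not Declude's own code: a small Python evaluator for the filter lines posted above, showing how much weight the filter alone assigns to a forged HELO, an authenticated DSL user, and internal mail. It assumes case-insensitive matching and that every matching line adds its weight, leaves out the `$domain` line, and uses constructed sample connections.

```python
# Added example, not from the thread or from Declude. Assumptions: matching is
# case-insensitive, every matching line adds its weight, $domain is left out.
FILTER_TEXT = """\
HELO 11 CONTAINS joshie.com
HELO 11 CONTAINS 64.81.214.120
HELO 11 IS localhost
HELO 11 IS localhost.localdomain
HELO 4 STARTSWITH [
REVDNS 4 ENDSWITH .in-addr.arpa
REVDNS -100 CONTAINS joshie.com
mailfrom 8 contains **
"""
# The ten "HELO 8 ENDSWITH <digit>" lines from the post, generated.
FILTER_TEXT += "".join(f"HELO 8 ENDSWITH {d}\n" for d in range(10))

OPS = {
    "CONTAINS": lambda actual, value: value in actual,
    "IS": lambda actual, value: actual == value,
    "STARTSWITH": lambda actual, value: actual.startswith(value),
    "ENDSWITH": lambda actual, value: actual.endswith(value),
}

def parse_filter(text):
    """Return (field, weight, operator, value) tuples, skipping comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() not in OPS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        field, weight, op, value = parts
        rules.append((field.upper(), int(weight), op.upper(), value.lower()))
    return rules

def score(rules, message):
    """Sum the weights of all matching rules; also return the lines that hit."""
    total, hits = 0, []
    for field, weight, op, value in rules:
        actual = message.get(field, "").lower()
        if OPS[op](actual, value):
            total += weight
            hits.append(f"{field} {weight} {op} {value}")
    return total, hits

RULES = parse_filter(FILTER_TEXT)

# Constructed sample connections (documentation addresses, not real traffic).
SAMPLES = {
    "forged_helo": {"HELO": "joshie.com", "REVDNS": "host-192-0-2-25.example.com", "MAILFROM": "sales**@joshie.com"},
    "dsl_auth_user": {"HELO": "[192.0.2.25]", "REVDNS": "25.2.0.192.in-addr.arpa", "MAILFROM": "user@joshie.com"},
    "internal_forward": {"HELO": "mail.joshie.com", "REVDNS": "mail.joshie.com", "MAILFROM": "a@joshie.com"},
    "bare_ip_helo": {"HELO": "192.0.2.25", "REVDNS": "mail.example.org", "MAILFROM": "b@example.org"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16} weight {score(RULES, msg)[0]:5}  {score(RULES, msg)[1]}")
```

The `dsl_auth_user` sample is the case raised in the post: the bracketed HELO and the in-addr.arpa PTR together add 8 points from this filter alone, before any other test contributes weight.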