RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Don, We just released an interim version 4.10.41 in which we have added the variable %AUTH% David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com Sent: Wednesday, November 04, 2009 4:53 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes David, Thanks for adding the HiJack email. I had performed the same function through a background task that would monitor the hold2 directory. I had previously sent a suggestion to add a variable to Declude that would contain the user authentication email address. Is this anywhere on the suggestion list? Any possibility of seeing this down the road or anytime soon? Thanks, Don Winsauer Net1 Media - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.vi...@declude.com ; declude.junkmail@declude.com Sent: Wednesday, November 04, 2009 11:11 AM Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Please note these releases are interim and still considered beta. Any test feedback would be appreciated. 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. the format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Dave, just sent you a zip file - hope it made it past your virus check. It has a few interesting cases to see if your new code picks up the CORRECT IP address. Always picking the first or the last IP address is not at all necessarily reliable. Received: from unknown (HELO 192.168.10.1) (72.167.113.99) by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP; 04 Nov 2009 08:29:08 - Received: from 58.92.178.208 ([208.178.92.58]) by smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 2 Nov 2009 10:43:37 -0500 Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id 006788A4.4AF0FAA3.242C Received: from (]) by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8) STMP id mzqbrzhqqbq; for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500 Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by Mail.Webhost.HM-Software.com with ESMTP (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500 Received: from mail.headquarters.qts.local ([192.168.0.103]) by mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009 09:40:05 -0600 Received: from [195.248.173.117] (HELO 192.168.1.75) by mail.alkar.net (CommuniGate Pro SMTP 5.2.16) with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009 14:58:19 +0200 Best Regards, Andy -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, November 05, 2009 10:57 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, Great suggestion. Can you send some full header examples to me directly so we can review this, if you have the matching pair files even better as we can use them to test specifically. Thanks David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, November 05, 2009 10:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Dave, You might want to test this new option very carefully! You could be right, the original Declude code may have had an issue parsing the second IP. I do not know if this was by design or just bad code. I think the explanation/reason was, that Scott was having issues with RECEIVED Headers where the sender's reverse DNS was set up to point to an apparent IP address or where the HELO/EHLO string was using an IP address. He might have encountered RECEIVED headers like this: Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1) by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63) (envelope-from fredrik.karlb...@jameslist.com) id 1N5zih-0005FR-15 for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 + And eventually decided to ignore the first IP address and go for the last IP address in the first line - or something like that. This parsing problem is rather old and reported occasionally. I even recall this being an issue with spamrouting causing false positives if the header had more than one IP address - because it would pick up wrong IP addresses and think the routing was suspicious. If I can make a (VERY important) suggestion. Since this clearly is NOT at all a Postini issue and certainly NOT LIMITED to Postini - how about NOT giving that feature/directive a totally misleading/inappropriate name: POSTINIFIXON Example - out of 10 emails in my current inbox, I instantly found THIS (non-Postini) sample: Received: from sha-exch9.shared.ifeltd.com ([10.1.20.9]) by sha-exch9.shared.ifeltd.com ([10.1.20.9]) with mapi; Thu, 5 Nov 2009 10:36:21 + Calling it PostiniFix implies to people who don't use a Postini gateway, that they don't need that option. In reality this is an attempt at (finally) making Declude's Received header parsing RFC-compliant and should be the default way that Declude works all the time so that spamrouting and other features pick up the CORRECT ( from clause IP address ) and not get confused by any optional by clause IP address. If you want to make it an option (that propbably should default to ON if ommitted), I would suggest naming it something like: USEFROMCLAUSEIP ON or IGNOREBYCLAUSEIP ON depending on how your new parsing logic is set up (I would look for the 'BY' clause, if any, and then parse the IP addresses prior to the BY clause - possibly starting from the end - so to mimic
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Andy, One important thing of note here is that the first 5 examples you gave are in fact forged headers, and the information contained within them is fake and not at all useful. While I don't expect Declude to figure out that these are forged Received headers, one shouldn't worry about how they are parsed as they can be malformed anyway (as was the case in several examples shown). As a good rule of thumb, you def-old the entire Received header and then take the data in between the FROM and the BY/WITH/FOR or the end of the header, whichever appears first, and then take the last braketed IP value. If you can't find a bracketed IP value, you should take the last IP shown (which won't be perfect, but this would not be RFC compliant anyway). I would guess that this would take a programmer maybe an hour to code up and test. Matt Andy Schmidt wrote: Hi Dave, just sent you a zip file - hope it made it past your virus check. It has a few interesting cases to see if your new code picks up the CORRECT IP address. Always picking the first or the last IP address is not at all necessarily reliable. Received: from unknown (HELO 192.168.10.1) (72.167.113.99) by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP; 04 Nov 2009 08:29:08 - Received: from 58.92.178.208 ([208.178.92.58]) by smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 2 Nov 2009 10:43:37 -0500 Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id 006788A4.4AF0FAA3.242C Received: from (]) by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8) STMP id mzqbrzhqqbq; for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500 Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by Mail.Webhost.HM-Software.com with ESMTP (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500 Received: from mail.headquarters.qts.local ([192.168.0.103]) by mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009 09:40:05 -0600 Received: from [*195.248.173.117*] (HELO 192.168.1.75) by mail.alkar.net (CommuniGate Pro SMTP 5.2.16) with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009 14:58:19 +0200 Best Regards, Andy -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, November 05, 2009 10:57 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, Great suggestion. Can you send some full header examples to me directly so we can review this, if you have the matching pair files even better as we can use them to test specifically. Thanks David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, November 05, 2009 10:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Dave, You might want to test this new option very carefully! You could be right, the original Declude code may have had an issue parsing the second IP. I do not know if this was by design or just bad code. I think the explanation/reason was, that Scott was having issues with RECEIVED Headers where the sender's reverse DNS was set up to point to an apparent IP address or where the HELO/EHLO string was using an IP address. He might have encountered RECEIVED headers like this: Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1) by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63) (envelope-from fredrik.karlb...@jameslist.com) id 1N5zih-0005FR-15 for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 + And eventually decided to ignore the first IP address and go for the last IP address in the first line - or something like that. This parsing problem is rather old and reported occasionally. I even recall this being an issue with spamrouting causing false positives if the header had more than one IP address - because it would pick up wrong IP addresses and think the routing was suspicious. If I can make a (VERY important) suggestion. Since this clearly is NOT at all a Postini issue and certainly NOT LIMITED to Postini - how about NOT giving that feature/directive a totally misleading/inappropriate name: POSTINIFIXON Example - out of 10 emails in my current inbox, I instantly found THIS (non-Postini) sample: Received: from sha-exch9.shared.ifeltd.com ([10.1.20.9
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Matt, Sorry - but some of these are actually headers inserted by my OWN server. So they are NOT forged. Most of them are spam, but some of them were even false positives. Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt Sent: Thursday, November 05, 2009 4:14 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Andy, One important thing of note here is that the first 5 examples you gave are in fact forged headers, and the information contained within them is fake and not at all useful. While I don't expect Declude to figure out that these are forged Received headers, one shouldn't worry about how they are parsed as they can be malformed anyway (as was the case in several examples shown). As a good rule of thumb, you def-old the entire Received header and then take the data in between the FROM and the BY/WITH/FOR or the end of the header, whichever appears first, and then take the last braketed IP value. If you can't find a bracketed IP value, you should take the last IP shown (which won't be perfect, but this would not be RFC compliant anyway). I would guess that this would take a programmer maybe an hour to code up and test. Matt Andy Schmidt wrote: Hi Dave, just sent you a zip file - hope it made it past your virus check. It has a few interesting cases to see if your new code picks up the CORRECT IP address. Always picking the first or the last IP address is not at all necessarily reliable. Received: from unknown (HELO 192.168.10.1) (72.167.113.99) by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP; 04 Nov 2009 08:29:08 - Received: from 58.92.178.208 ([208.178.92.58]) by smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 2 Nov 2009 10:43:37 -0500 Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id 006788A4.4AF0FAA3.242C Received: from (]) by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8) STMP id mzqbrzhqqbq; for mailto:jul...@websterwatch.com jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500 Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by Mail.Webhost.HM-Software.com with ESMTP (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500 Received: from mail.headquarters.qts.local ([192.168.0.103]) by mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009 09:40:05 -0600 Received: from [195.248.173.117] (HELO 192.168.1.75) by mail.alkar.net (CommuniGate Pro SMTP 5.2.16) with SMTP id 2124311918 for abus...@ultirisk.com; Tue, 03 Nov 2009 14:58:19 +0200 Best Regards, Andy -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Thursday, November 05, 2009 10:57 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, Great suggestion. Can you send some full header examples to me directly so we can review this, if you have the matching pair files even better as we can use them to test specifically. Thanks David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Thursday, November 05, 2009 10:50 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Dave, You might want to test this new option very carefully! You could be right, the original Declude code may have had an issue parsing the second IP. I do not know if this was by design or just bad code. I think the explanation/reason was, that Scott was having issues with RECEIVED Headers where the sender's reverse DNS was set up to point to an apparent IP address or where the HELO/EHLO string was using an IP address. He might have encountered RECEIVED headers like this: Received: from 192.168.0.1 [10.1.20.1] (helo=192.168.0.1) by mx-out-manc2.simplymailsolutions.com with esmtp (Exim 4.63) (envelope-from mailto:fredrik.karlb...@jameslist.com fredrik.karlb...@jameslist.com) id 1N5zih-0005FR-15 for andy_schm...@hm-software.com; Thu, 05 Nov 2009 10:37:35 + And eventually decided to ignore the first IP address and go for the last IP address in the first line - or something like that. This parsing problem is rather old and reported occasionally. I even recall this being an issue with spamrouting causing false positives if the header had more than one IP address - because it would pick up wrong IP addresses and think the routing
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
You are right that I messed up on three of these. The following ones were definitely entirely forged: Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id 006788A4.4AF0FAA3.242C Received: from (]) by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8) STMP id mzqbrzhqqbq; for jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500 All but one of the connecting servers in the other 5 examples forged the HELO value (which is where my brain farted), which some servers don't properly bracket. Regardless, my recommendation on how to parse the proper IP would work in every example except for the forged Received headers above (which is fake data anyway and should be ignored if at all possible, so that is better). The problem is that not all servers properly bracket and order the actual IP, which means that HELO's that come as IP's can be misleading. This is why you have to start off with the best method, and if that doesn't produce results, fall back to another method that is just simply guessing (which is what Declude actually does now). So you first throw out all data before the FROM up till the next descriptor BY/WITH/FOR or end of the header, then you search for square brackets with an IP inside and nothing else, and take the last value that appears in that format in the trimmed piece of the Received header. If you don't get any result from that, you search for all IP's that are either surrounded by spaces or parenthesis, and you take the last such value found. Note that the delimiters are very important in getting the correct IP. Also note that legitimate headers are rare where the IP is neither bracketed or enclosed at the boundary with parenthesis, but it does happen. Matt Andy Schmidt wrote: Hi Matt, Sorry -- but some of these are actually headers inserted by my OWN server. So they are NOT forged. Most of them are spam, but some of them were even false positives. Best Regards, Andy *From:* supp...@declude.com [mailto:supp...@declude.com] *On Behalf Of *Matt *Sent:* Thursday, November 05, 2009 4:14 PM *To:* declude.junkmail@declude.com *Subject:* Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Andy, One important thing of note here is that the first 5 examples you gave are in fact forged headers, and the information contained within them is fake and not at all useful. While I don't expect Declude to figure out that these are forged Received headers, one shouldn't worry about how they are parsed as they can be malformed anyway (as was the case in several examples shown). As a good rule of thumb, you def-old the entire Received header and then take the data in between the FROM and the BY/WITH/FOR or the end of the header, whichever appears first, and then take the last braketed IP value. If you can't find a bracketed IP value, you should take the last IP shown (which won't be perfect, but this would not be RFC compliant anyway). I would guess that this would take a programmer maybe an hour to code up and test. Matt Andy Schmidt wrote: Hi Dave, just sent you a zip file - hope it made it past your virus check. It has a few interesting cases to see if your new code picks up the CORRECT IP address. Always picking the first or the last IP address is not at all necessarily reliable. Received: from unknown (HELO 192.168.10.1) (72.167.113.99) by k2smtpout02-01.prod.mesa1.secureserver.net (64.202.189.90) with ESMTP; 04 Nov 2009 08:29:08 - Received: from 58.92.178.208 ([208.178.92.58]) by smtp.webhost.hm-software.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 2 Nov 2009 10:43:37 -0500 Received: from admd.net ([:::187.3.43.120]) (AUTH: LOGIN audito...@vazemaia.com.br mailto:audito...@vazemaia.com.br) by mail4.task.com.br with esmtp; Wed, 04 Nov 2009 01:53:07 -0200 id 006788A4.4AF0FAA3.242C Received: from (]) by mx1.businessprocessware.com [66.232.102.164] (8.13.8/8.13.8) STMP id mzqbrzhqqbq; for jul...@websterwatch.com mailto:jul...@websterwatch.com; Wed, 04 Nov 2009 14:40:40 -0500 Received: from 105.188.233.220.static.exetel.com.au [220.233.188.105] by Mail.Webhost.HM-Software.com with ESMTP (SMTPD-11.0) id 0afd0fb0197a; Thu, 5 Nov 2009 06:45:55 -0500 Received: from mail.headquarters.qts.local ([192.168.0.103]) by mail.headquarters.qts.local ([70.99.176.211]) with mapi; Thu, 5 Nov 2009 09:40:05 -0600 Received: from [*195.248.173.117*] (HELO 192.168.1.75) by mail.alkar.net (CommuniGate Pro SMTP 5.2.16) with SMTP id 2124311918 for abus...@ultirisk.com mailto:abus...@ultirisk.com; Tue, 03 Nov 2009 14:58:19 +0200 Best Regards, Andy -Original Message- From
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi, Yea! Where is the update? I'd like to install it... Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020 Wednesday, November 4, 2009, 12:11:50 PM, you wrote: DB Please note these releases are interim and still considered beta. DB Any test feedback would be appreciated. DB DB DB 4.9.39 Added a function to send a notify e-mail when hijack is DB triggered and e-mails are being held in the Hold2 folder DB DB To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. DB DB HIJNOTIFY ON DB DB Add the include HijackNotify.eml into the \Declude directory. The DB recipient of the email can be modified. DB DB DB 4.8.39 IPBYPASS can be configured with CIDR DB DB DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. DB DB the format blklst.txt file is DB DB DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed DB DB DB Example: DB DB Multiple Recipients: DB DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test...@yahoo,beg...@yahoo.com,donotl...@gmail, DB |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOL DB EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| DB DB DB One Recipient: DB DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR DB CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS DB =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| DB DB DB DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file DB DB Configuration: DB DB In declude.cfg file: “POSTINIFIXON “ in order for the Posting Fix to work DB DB DB DB 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting DB DB DB DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. DB DB DB DB David Barker DB VP Operations Declude DB Your Email security is our business DB 978.499.2933 office DB 978.988.1311 fax DB dbar...@declude.com DB DB --- DB This E-mail came from the Declude.JunkMail mailing list. To DB unsubscribe, just send an E-mail to imail...@declude.com, and DB type unsubscribe Declude.JunkMail. The archives can be found DB at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Andy, The interim is available from the interim location http://interim.declude.com \4939 and is only for use if you have a valid service agreement or subscription. The username and pass is available from http://www.declude.com/myaccount.asp My Account page at www.Declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of an...@thumpernet Sent: Wednesday, November 04, 2009 12:32 PM To: David Barker Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi, Yea! Where is the update? I'd like to install it... Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020 Wednesday, November 4, 2009, 12:11:50 PM, you wrote: DB Please note these releases are interim and still considered beta. DB Any test feedback would be appreciated. DB DB DB 4.9.39 Added a function to send a notify e-mail when hijack is DB triggered and e-mails are being held in the Hold2 folder DB DB To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. DB DB HIJNOTIFY ON DB DB Add the include HijackNotify.eml into the \Declude directory. The DB recipient of the email can be modified. DB DB DB 4.8.39 IPBYPASS can be configured with CIDR DB DB DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. DB DB the format blklst.txt file is DB DB DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled DB DB DB Example: DB DB Multiple Recipients: DB DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, DB |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL DB EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| DB DB DB One Recipient: DB DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR DB CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS DB =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| DB DB DB DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file DB DB Configuration: DB DB In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work DB DB DB DB 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting DB DB DB DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. DB DB DB DB David Barker DB VP Operations Declude DB Your Email security is our business DB 978.499.2933 office DB 978.988.1311 fax DB dbar...@declude.com DB DB --- DB This E-mail came from the Declude.JunkMail mailing list. To DB unsubscribe, just send an E-mail to imail...@declude.com, and DB type unsubscribe Declude.JunkMail. The archives can be found DB at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
HAHAHAHA!! There ya go Andy!! We work fast as lightning ;-) - Original Message - From: an...@thumpernet an...@thumpernet.com To: David Barker declude.junkmail@declude.com Sent: Wednesday, November 04, 2009 11:32 AM Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi, Yea! Where is the update? I'd like to install it... Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020 Wednesday, November 4, 2009, 12:11:50 PM, you wrote: DB Please note these releases are interim and still considered beta. DB Any test feedback would be appreciated. DB DB DB 4.9.39 Added a function to send a notify e-mail when hijack is DB triggered and e-mails are being held in the Hold2 folder DB DB To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. DB DB HIJNOTIFY ON DB DB Add the include HijackNotify.eml into the \Declude directory. The DB recipient of the email can be modified. DB DB DB 4.8.39 IPBYPASS can be configured with CIDR DB DB DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. DB DB the format blklst.txt file is DB DB DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled DB DB DB Example: DB DB Multiple Recipients: DB DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, DB |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL DB EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| DB DB DB One Recipient: DB DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR DB CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS DB =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| DB DB DB DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file DB DB Configuration: DB DB In declude.cfg file: “POSTINIFIXON “ in order for the Posting Fix to work DB DB DB DB 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting DB DB DB DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. DB DB DB DB David Barker DB VP Operations Declude DB Your Email security is our business DB 978.499.2933 office DB 978.988.1311 fax DB dbar...@declude.com DB DB --- DB This E-mail came from the Declude.JunkMail mailing list. To DB unsubscribe, just send an E-mail to imail...@declude.com, and DB type unsubscribe Declude.JunkMail. The archives can be found DB at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Can you please clarify or expand on 4.8.37 PostiniFix? The description doesn't tell me what a posting fix is. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, November 04, 2009 11:12 AM To: declude.vi...@declude.com; declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Please note these releases are interim and still considered beta. Any test feedback would be appreciated. 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. the format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hello David, Do we need to restart Declude when we do a change in the whitelist file? Also, if we have a whitelist file under a domain folder, it should use this one instead of the default one at the root? Thanks Stephan -Message d'origine- De : supp...@declude.com [mailto:supp...@declude.com] De la part de David Barker Envoyé : 4 novembre, 2009 12:42 À : declude.junkmail@declude.com Objet : RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, The interim is available from the interim location http://interim.declude.com \4939 and is only for use if you have a valid service agreement or subscription. The username and pass is available from http://www.declude.com/myaccount.asp My Account page at www.Declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of an...@thumpernet Sent: Wednesday, November 04, 2009 12:32 PM To: David Barker Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi, Yea! Where is the update? I'd like to install it... Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020 Wednesday, November 4, 2009, 12:11:50 PM, you wrote: DB Please note these releases are interim and still considered beta. DB Any test feedback would be appreciated. DB DB DB 4.9.39 Added a function to send a notify e-mail when hijack is DB triggered and e-mails are being held in the Hold2 folder DB DB To turn the Hijack e-mail notify on add the following directive to DB the hijack.cfg. DB DB HIJNOTIFY ON DB DB Add the include HijackNotify.eml into the \Declude directory. The DB recipient of the email can be modified. DB DB DB 4.8.39 IPBYPASS can be configured with CIDR DB DB DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. DB DB the format blklst.txt file is DB DB DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|tes Date|time|tsfa iled DB DB DB Example: DB DB Multiple Recipients: DB DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, DB |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59 |]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL DB EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| DB DB DB One Recipient: DB DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR DB CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2, CONFIRMATION|NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS DB =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| DB DB DB DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in DB the declude.cfg file DB DB Configuration: DB DB In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work DB DB DB DB 4.8.36 Fix for Virus test was not catching the EICAR test due to DB e-mail formatting DB DB DB DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. DB DB DB DB David Barker DB VP Operations Declude DB Your Email security is our business DB 978.499.2933 office DB 978.988.1311 fax DB dbar...@declude.com DB DB --- DB This E-mail came from the Declude.JunkMail mailing list. To DB unsubscribe, just send an E-mail to imail...@declude.com, and type DB unsubscribe Declude.JunkMail. The archives can be found at DB http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Scott, Postini is violating RFC RFC 5321: [4.4] An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location. Postini is changing the headers received line by adding the additional IP as the example below. Received: from source ([209.85.221.110]) by exprod5mx260. http://exprod5mx260.postini.com postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option: POSTINIFIXON Will identify the sending IP as 209.85.221.110 By Default if not present POSTINIFIXOFF Will identify the sending IP as 64.18.4.10 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher Sent: Wednesday, November 04, 2009 2:41 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Can you please clarify or expand on 4.8.37 PostiniFix? The description doesn't tell me what a posting fix is. -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, November 04, 2009 11:12 AM To: declude.vi...@declude.com; declude.junkmail@declude.com Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Please note these releases are interim and still considered beta. Any test feedback would be appreciated. 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. the format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Stephan, No need to restart. The only time you need to restart is if you change the declude.cfg. Regarding whitelist.txt the following directive located in your global.cfg DOMAINWHITELISTSON When enabled, Declude JunkMail looks for a \Declude\example.com\whitelist.txt file which is a per-domain setting. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Stephan Chayer Sent: Wednesday, November 04, 2009 2:41 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hello David, Do we need to restart Declude when we do a change in the whitelist file? Also, if we have a whitelist file under a domain folder, it should use this one instead of the default one at the root? Thanks Stephan -Message d'origine- De : supp...@declude.com [mailto:supp...@declude.com] De la part de David Barker Envoyé : 4 novembre, 2009 12:42 À : declude.junkmail@declude.com Objet : RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Andy, The interim is available from the interim location http://interim.declude.com \4939 and is only for use if you have a valid service agreement or subscription. The username and pass is available from http://www.declude.com/myaccount.asp My Account page at www.Declude.com David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of an...@thumpernet Sent: Wednesday, November 04, 2009 12:32 PM To: David Barker Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi, Yea! Where is the update? I'd like to install it... Thanks, Andrew Baldwin an...@thumpernet.com http://www.thumpernet.com 315-282-0020 Wednesday, November 4, 2009, 12:11:50 PM, you wrote: DB Please note these releases are interim and still considered beta. DB Any test feedback would be appreciated. DB DB DB 4.9.39 Added a function to send a notify e-mail when hijack is DB triggered and e-mails are being held in the Hold2 folder DB DB To turn the Hijack e-mail notify on add the following directive to DB the hijack.cfg. DB DB HIJNOTIFY ON DB DB Add the include HijackNotify.eml into the \Declude directory. The DB recipient of the email can be modified. DB DB DB 4.8.39 IPBYPASS can be configured with CIDR DB DB DB 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. DB DB the format blklst.txt file is DB DB DB Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|tes Date|time|tsfa iled DB DB DB Example: DB DB Multiple Recipients: DB DB 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, DB |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59 |]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL DB EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| DB DB DB One Recipient: DB DB 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR DB CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2, CONFIRMATION|NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS DB =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| DB DB DB DB 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in DB the declude.cfg file DB DB Configuration: DB DB In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work DB DB DB DB 4.8.36 Fix for Virus test was not catching the EICAR test due to DB e-mail formatting DB DB DB DB 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. DB DB DB DB David Barker DB VP Operations Declude DB Your Email security is our business DB 978.499.2933 office DB 978.988.1311 fax DB dbar...@declude.com DB DB --- DB This E-mail came from the Declude.JunkMail mailing list. To DB
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi David: I'm interested to better understand this feature. The line you posted looks like a legit received header that Postini indeed should add to the top of the headers when it receives the message from the source? Received: from source ([209.85.221.110]) by http://exprod5mx260.postini.com exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT Isn't the MX of the recipient domain pointed to Postini's server? So Postini would be the first received header to be inserted before relaying the message to the client's internal mail server? It might help if you actually posted what a header looked like before Postini mangled it and what it looked like after Postini mangled it? I guess, what I'm not grasping is, who inserted the original header that Postini has tampered with - if Postini is the domain's MX? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, November 04, 2009 2:54 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Scott, Postini is violating RFC RFC 5321: [4.4] An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location. Postini is changing the headers received line by adding the additional IP as the example below. Received: from source ([209.85.221.110]) by exprod5mx260. http://exprod5mx260.postini.com postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option: POSTINIFIXON Will identify the sending IP as 209.85.221.110 By Default if not present POSTINIFIXOFF Will identify the sending IP as 64.18.4.10 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Here is a message going through a Postini server. ---EXAMPLE 1--- -- Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Sep 2009 12:18:03 -0400 Return-Path: dbar...@declude.com Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP; Wed, 30 Sep 2009 12:12:56 -0400 Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Sep 2009 11:16:38 CDT Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com with SMTP; Wed, 30 Sep 2009 11:16:11 -0500 Reply-To: dbar...@declude.com From: David Barker dbar...@declude.com To: xxx ' x...@x.com --- This line is good. Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP; However this line is a problem. Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line. The problem occurs when there are two IP addresses on the same line. The first IP is considered as BOGUS and Declude picks up the second IP address on this line. For more information please review RFC 5321: [4.4] David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, November 04, 2009 3:11 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi David: Im interested to better understand this feature. The line you posted looks like a legit received header that Postini indeed should add to the top of the headers when it receives the message from the source? Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT Isnt the MX of the recipient domain pointed to Postinis server? So Postini would be the first received header to be inserted before relaying the message to the clients internal mail server? It might help if you actually posted what a header looked like before Postini mangled it and what it looked like after Postini mangled it? I guess, what Im not grasping is, who inserted the original header that Postini has tampered with if Postini is the domains MX? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, November 04, 2009 2:54 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Scott, Postini is violating RFC RFC 5321: [4.4] An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location. Postini is changing the headers received line by adding the additional IP as the example below. Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option: POSTINIFIX ON Will identify the sending IP as 209.85.221.110 By Default if not present POSTINIFIX OFF Will identify the sending IP as 64.18.4.10 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Dave, That's not an RFC violation, it's a problem with the code used to extract the IP from the Received headers. Matt David Barker wrote: Here is a message going through a Postini server. ---EXAMPLE 1--- -- Received: from .x.local ([127.0.0.1]) by xx.xom with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Sep 2009 12:18:03 -0400 Return-Path: dbar...@declude.com Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP; Wed, 30 Sep 2009 12:12:56 -0400 Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Sep 2009 11:16:38 CDT Received: from 65.newburyport.dnsstuff.com [173.9.86.65] by smtp.declude.com with SMTP; Wed, 30 Sep 2009 11:16:11 -0500 Reply-To: dbar...@declude.com From: David Barker dbar...@declude.com To: xxx ' x...@x.com --- This line is good. Received: from exprod5mx277.postini.com [64.18.0.101] by mail3.xx.net with SMTP; However this line is a problem. Received: from source ([216.144.195.81]) by exprod5mx277.postini.com ([64.18.4.10]) with SMTP; This IP exprod5mx277.postini.com ([64.18.4.10]) should be on its own line. The problem occurs when there are two IP addresses on the same line. The first IP is considered as BOGUS and Declude picks up the second IP address on this line. For more information please review RFC 5321: [4.4] David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy Schmidt Sent: Wednesday, November 04, 2009 3:11 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi David: I’m interested to better understand this feature. The line you posted looks like a legit received header that Postini indeed should add to the top of the headers when it receives the message from the source? Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT Isn’t the MX of the recipient domain pointed to Postini’s server? So Postini would be the first “received” header to be inserted before relaying the message to the client’s internal mail server? It might help if you actually posted what a header looked like before Postini mangled it and what it looked like after Postini mangled it? I guess, what I’m not grasping is, who inserted the “original” header that Postini has tampered with – if Postini is the domain’s MX? Best Regards, Andy From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David Barker Sent: Wednesday, November 04, 2009 2:54 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Hi Scott, Postini is violating RFC RFC 5321: [4.4] An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section. SMTP servers MUST prepend Received lines to messages; they MUST NOT change the order of existing lines or insert Received lines in any other location. Postini is changing the headers received line by adding the additional IP as the example below. Received: from source ([209.85.221.110]) by exprod5mx260.postini.com ([64.18.4.10]) with SMTP; Wed, 25 Mar 2009 14:45:20 CDT The problem is that a changed received line is an indication of a forged header and is a flag for a bogus received line (a technique often used by spammers). Because of this, the actual IP of the sender is not where it should be, so we are giving our customers the option: POSTINIFIXON Will identify the sending IP as 209.85.221.110 By Default if not present POSTINIFIXOFF Will identify the sending IP as 64.18.4.10 David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
David, Thanks for adding the HiJack email. I had performed the same function through a background task that would monitor the hold2 directory. I had previously sent a suggestion to add a variable to Declude that would contain the user authentication email address. Is this anywhere on the suggestion list? Any possibility of seeing this down the road or anytime soon? Thanks, Don Winsauer Net1 Media - Original Message - From: David Barker To: declude.vi...@declude.com ; declude.junkmail@declude.com Sent: Wednesday, November 04, 2009 11:11 AM Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Please note these releases are interim and still considered beta. Any test feedback would be appreciated. 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. the format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfailed Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Guaranteed*-payment-center|CATCHALLMAILS=0,NOL EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5,FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsprocessgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJABL=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes
Hi Don, We are in the process of reviewing hijack functionality we can certainly add this to the list for review. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com Sent: Wednesday, November 04, 2009 4:53 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes David, Thanks for adding the HiJack email. I had performed the same function through a background task that would monitor the hold2 directory. I had previously sent a suggestion to add a variable to Declude that would contain the user authentication email address. Is this anywhere on the suggestion list? Any possibility of seeing this down the road or anytime soon? Thanks, Don Winsauer Net1 Media - Original Message - From: David Barker mailto:dbar...@declude.com To: declude.vi...@declude.com ; declude.junkmail@declude.com Sent: Wednesday, November 04, 2009 11:11 AM Subject: [Declude.JunkMail] Declude 4.9.39 Interim Release Notes Please note these releases are interim and still considered beta. Any test feedback would be appreciated. 4.9.39 Added a function to send a notify e-mail when hijack is triggered and e-mails are being held in the Hold2 folder To turn the Hijack e-mail notify on add the following directive to the hijack.cfg. HIJNOTIFY ON Add the include HijackNotify.eml into the \Declude directory. The recipient of the email can be modified. 4.8.39 IPBYPASS can be configured with CIDR 4.8.38 Add the Recipient, mailfrom and subject information to the blklst.txt file. the format blklst.txt file is Date|time|spool#|IP|TotalWeight|LastAction|RecpList|mailfrom|subject|testsfa iled Example: Multiple Recipients: 10/14/2009|11:40:06.109|53|24.177.234.76|18|s...@hcss.net,s...@hcss.net,test i...@yahoo,beg...@yahoo.com,donotl...@gmail, |owner-nolist-30960_*bigm**ridgewoodcable*-...@soar.soulfulbliss.com|[59]Gua ranteed*-payment-center|CATCHALLMAILS=0,NOL EGITCONTENT=0,IPNOTINMX=0,SORBS-DUL=5,FIVETEN-SRC=2,ZEN=7,SORBS=7,DYNHELO=5, FROMNOMATCH=2,WEIGHT10=10,WEIGHT14=14,| One Recipient: 10/14/2009|11:40:06.296|15|218.16.123.185|37|s...@hcss.net,|info_claimsproce ssgabjgfu...@gmx.net|CONTACT AGENT FOR CONFIRMATION|CATCHALLMAILS=0,NOLEGITCONTENT=0,IPNOTINMX=0,FIVETEN-SRC=2,NJAB L=4,BASE64=4,CMDSPACE=8,DYNHELO=5,HELOBOGUS =5,REVDNS=10,SPFFAIL=10,WEIGHT10=10,WEIGHT14=14,WEIGHT20=20,WEIGHT30=30,| 4.8.37 PostiniFix, Add a new directive POSTINIFIX ON/OFF goes in the declude.cfg file Configuration: In declude.cfg file: POSTINIFIXON in order for the Posting Fix to work 4.8.36 Fix for Virus test was not catching the EICAR test due to e-mail formatting 4.7.35 Added support for IMail SQL Database for AUTOWHITELIST. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax mailto:dbar...@declude.com dbar...@declude.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
