[MBF] Re: hijacked accounts

2014-07-21 Thread John Tolmachoff
Sounds like you have a larger problem than you think. The only way they can log onto an account is to know the password. There are only 4 ways that they would know the password: 1) Brute Force on the account in question. Highly unlikely in this case if it is happening to so many accounts. 2)

[MBF] Re: Dumb Question

2014-09-25 Thread John Tolmachoff
ROFLMAO -Original Message- From: David Barker david.bar...@mailsbestfriend.com Sent: Tuesday, September 23, 2014 9:49am To: community@mailsbestfriend.com Subject: [MBF] Re: Dumb Question Apple? -Original Message- From: community@mailsbestfriend.com

[MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

2014-09-25 Thread John Tolmachoff
Actually, if I remember correctly, it is not the number of addresses but the total number of characters of all the addresses. If I am remembering correctly, it is less than 256 characters because of inferred characters added per address. I THINK! John T eServices For You -Original

[MBF] Test to check the quantity of symbols in a subject line.

2014-10-29 Thread John Tolmachoff
I am trying to figure out a way to create a test in Declude for the quantity of symbols in the subject line. I am guessing this would have to be done via a REGEX test but I am not sure how to create it. Any one have an idea? John T eServices For You

[MBF] Re: delivery failure for junk mailbox

2014-10-29 Thread John Tolmachoff
Try putting quotes around Junk E-mail? John T eServices For You -Original Message- From: SM Admin imailad...@bcwebhost.net Sent: Wednesday, October 29, 2014 11:08am To: community@mailsbestfriend.com Subject: [MBF] delivery failure for junk mailbox Hi, I had an email that failed to be

[MBF] Re: Thoughts on how to deal with the current SPAM campaigns

2014-11-03 Thread John Tolmachoff
Hello Chris, thanks for the shoutout. Yes, I still sell AutoWhite for Declude and yes it will work with Smartermail but through a manual registry trick. It is not suitable for ISPs or environments with a large number of mailboxes or with a lot of turnover in mailboxes. -Original

[MBF] Re: mail processing suddenly stops

2014-11-07 Thread John Tolmachoff
Imail 8.22, wow now there is an oldy. Man, why are you making us think so hard on a Friday? Let's see how good my memory is. Are you using an external database or the Imail Database, OKA the registry? If an external MS Access database, you might be bumping up against maximum connections/calls

[MBF] Re: BARRACUDA

2014-11-12 Thread John Tolmachoff
Friends don't let friends use a Cuda. -Original Message- From: Carl Wagar jcwa...@entrenet.com Sent: Wednesday, November 12, 2014 9:45am To: community@mailsbestfriend.com Subject: [MBF] BARRACUDA Does everyone find that BARRACUDA is increasingly wrong these days? I have reduced the

[MBF] SPFFAIL

2014-11-12 Thread John Tolmachoff
I am seeing evidence that SPFFAIL is not always being triggered. We received several of the fake ADP Past Due notices today and none of them failed SPFFAIL even though review of the headers shows they should have, since ADP has a valid ABSOLUTE SPF record. Any one else seeing this? This is on

[MBF] Malicious DOC file attachments

2014-12-11 Thread John Tolmachoff
For the last couple of weeks, I have been seeing emails with malicious DOC attachments. ESET (NOD32) and ClamAV are not catching them. Any one else seeing these and what are you doing to catch them, besides banning (guaranteeing) DOC attachments? John T eServices For You

[MBF] Re: Need regex help

2014-12-16 Thread John Tolmachoff
you have provided: (?i:@[0-9a-z]+\..+\..+) Can you be more specific ? David On 12/16/2014 3:17 PM, John Tolmachoff wrote: I am seeing an increase in spam and using an email in the format of blabla...@host.domain.moc. I would like to find the right regex to use to look

[MBF] GAUNTET END triggered by why

2014-12-24 Thread John Tolmachoff
I can not find what triggered an END on the GAUNTLET test. Doing filter file C:\Interceptor\Alligate\Declude\filters\gauntlet.txt. Filter GAUNTLET: Not skipping E-mail due to current weight of 8. Checking TESTSFAILED: IPNOTINMX ALLIGATETESTS WHITEFILTER2 GRAYFILTER1 DYNREVDNS COMBO_K COMBO_D .

[MBF] Practical limit to number of lines in a filter or fromfile?

2015-01-23 Thread John Tolmachoff
What is the practical limit to the number of lines in a filter file or in a fromfile? John T eServices For You # This message is sent to you because you are subscribed to the mailing list community@mailsbestfriend.com. To

[MBF] DEMARC

2015-01-26 Thread John Tolmachoff
Any one evaluating or implementing DMARC either on the sending side or the receiving side? John T eServices For You

[MBF] Re: False positives rising with SORBS

2015-01-26 Thread John Tolmachoff
) that was in spam.dnsbl.sorbs.net but wasn't in dnsbl.sorbs.net. Better to use the individual zones for testing, but be careful about using overlapping zones. Gary Steiner From: John Tolmachoff johnl...@eservicesforyou.com Sent: Friday, January 23

[MBF] Re: help on return error message

2015-01-20 Thread John Tolmachoff
Not your problem, theirs. See attached screen shot. John T eServices For You -Original Message- From: SM Admin imailad...@bcwebhost.net Sent: Sunday, January 18, 2015 10:20pm To: community@mailsbestfriend.com Subject: [MBF] help on return error message Hi, I got a reject on an email

[MBF] Re: FW: Declude Virus caught a virus

2015-01-27 Thread John Tolmachoff
Here is the problem: MIME-Version: 1.0 Content-transfer-encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The headers are stating 2 different encodings, but only one is allowed. From the AM Manual: Conflicting Encoding

[MBF] COUNTRYCHAIN

2015-03-17 Thread John Tolmachoff
Can I use COUNTRYCHAIN variable as part of a filter? Example: COUNTRYCHAIN 10 CONTAINS IRAN John T eServices For You

[MBF] Re: SPF Records

2015-04-01 Thread John Tolmachoff
In reality, if you are not using a -all SPF record, then might as well have no SPF record at all. From a receiving point, the only time you can reliably take action (or weight) is on an absolute record, which is -all; anything else equals maybe, in which case it is meaningless. John T eServices For

[MBF] Re: COUNTRYCHAIN

2015-03-18 Thread John Tolmachoff
: IRAN-destination You can find the ISO codes for countries here: http://www.countryareacode.net/ David -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Tuesday, March 17, 2015 1:01 PM To: community

[MBF] Re: SPAMDOMAINS

2015-04-21 Thread John Tolmachoff
Bueller? Bueller? Bueller? -Original Message- From: John Tolmachoff johnl...@eservicesforyou.com Sent: Tuesday, April 14, 2015 8:59am To: community@mailsbestfriend.com Subject: [MBF] SPAMDOMAINS Does any one still use this test and have an updated file for it? John T eServices For You

[MBF] Re: SPAMDOMAINS

2015-04-21 Thread John Tolmachoff
-Ursprüngliche Nachricht- Von: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] Im Auftrag von John Tolmachoff Gesendet: Dienstag, 21. April 2015 17:26 An: community@mailsbestfriend.com Betreff: [MBF] Re: SPAMDOMAINS Bueller? Bueller? Bueller? -Original Message- From

[MBF] Re: SPF Records

2015-04-01 Thread John Tolmachoff
:10pm To: community@mailsbestfriend.com Subject: [MBF] Re: SPF Records Soft fail can still be useful to prevent forged spam sent to your users where the from address is also the user's address. Darin. -Original Message- From: John Tolmachoff Sent: Wednesday, April 01, 2015 11:50 AM

[MBF] Re: Declude Error

2015-05-27 Thread John Tolmachoff
I am guessing it is a configuration error in either the global.cfg file or a filter file. What version did you upgrade from? Do you have iMail properly configured? -Original Message- From: Brandon Rowlett bran...@sageisland.com Sent: Wednesday, May 20, 2015 9:06am To:

[MBF] Re: Gauntlet addition suggestion

2015-08-12 Thread John Tolmachoff
Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com Office: 866.919.2075 -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Wednesday, August 12, 2015 4:33 PM To: community

[MBF] Gauntlet addition suggestion

2015-08-12 Thread John Tolmachoff
With SNIFFER running before GAUNTLET, I had an idea of using X-GBudb-Analysis line with Source New as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that? HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New)) John T eServices For You

[MBF] winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-21 Thread John Tolmachoff
OK, here is one I do not understand. This has happened at least 6 times that I know of in the last 2 days. An email was received and processed by Declude. It contained an attachment winmail.dat. BUT the sender had attached an XLSX file. After talking to the intended recipient (who also talked

[MBF] Re: Gauntlet addition suggestion

2015-08-21 Thread John Tolmachoff
In trying to capture DOC attachments, some one provided the following line a while back: BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc) That was not working. After my fumbling around and testing, the correct line is as follows: BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc) Note the quotation

[MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-24 Thread John Tolmachoff
to be formatted in different ways, yielding different results, for different recipients (but I'm vague on that one). -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Friday, August 21, 2015 2:43 PM To: community

[MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

2015-08-24 Thread John Tolmachoff
@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Monday, August 24, 2015 1:46 PM To: community@mailsbestfriend.com Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly Thanks for the explanation Andy. But that still

[MBF] Declude AV recip.eml not sent because forging virus???

2015-08-24 Thread John Tolmachoff
In dealing with emails with winmail.dat attachments, Declude does not send out any email saying it is a forging virus, yet I do not see anywhere in the configuration where it would treat it as forging. 08/19/2015 06:36:12.618 002351919 Not sending .eml file since AUTOFORGING detected a forging

[MBF] Re: Gauntlet addition suggestion

2015-08-20 Thread John Tolmachoff
Thanks David. A question, why is the following line in GAUNTLET? I realize it can have a high hit rate but with the proliferation of malicious emails that are playing with the encoding, shouldn't this line be removed? BODYEND PCRE(?i:Content-Transfer-Encoding: base64)

[MBF] Re: Gauntlet not moving files back into spool

2015-07-29 Thread John Tolmachoff
Bueller? Bueller? -Original Message- From: John Tolmachoff johnl...@eservicesforyou.com Sent: Tuesday, July 28, 2015 1:21pm To: community@mailsbestfriend.com Subject: [MBF] Gauntlet not moving files back into spool I have just discovered that files (Alligate Gateway which is Imail server

[MBF] Gauntlet not moving files back into spool

2015-07-28 Thread John Tolmachoff
I have just discovered that files (Alligate Gateway which is Imail server) being caught by the Declude Gauntlet test are never moved from the Gauntlet folder back to the spool. DRGOutflow.exe is running and I can see it checking the directory every minute using Process Monitor, but no action is

[MBF] VIPRE AV

2015-08-04 Thread John Tolmachoff
Anybody using VIPRE AV? John T eServices For You

[MBF] Re: VIPRE AV

2015-08-06 Thread John Tolmachoff
community purpose with such commentary -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Tuesday, August 04, 2015 2:39 PM To: community@mailsbestfriend.com Subject: [MBF] Re: VIPRE AV ACK, Sunbelt, yuck patoooy

[MBF] Re: VIPRE AV

2015-08-04 Thread John Tolmachoff
-Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Tuesday, August 04, 2015 2:14 PM To: community@mailsbestfriend.com Subject: [MBF] Re: VIPRE AV Is there a command line option? -Original Message- From

[MBF] Re: HTML attachment got through, why?

2015-08-10 Thread John Tolmachoff
PING I am still seeing these HTML attachments getting through. -Original Message- From: John Tolmachoff johnl...@eservicesforyou.com Sent: Friday, July 17, 2015 10:14am To: community@mailsbestfriend.com Subject: [MBF] Re: HTML attachment got through, why? Andy, good question. The body

[MBF] Re: Utilities

2015-07-24 Thread John Tolmachoff
Here is something I do quite often, and having a little utility to run instead would help: I often get requests from users saying "I am expecting an email from so-and-so and have not received it, can you check?" What I would love to see is a utility that I can run that will prompt me for an email

[MBF] HTML attachment got through, why?

2015-07-17 Thread John Tolmachoff
I have HTM and HTML attachments banned. (No valid reason for them.) Yet one got through. Can some one help me on this as to why? And it was malicious containing Trojan.HTML.Phishing.GL 07/17/2015 06:45:41.804 002298363 Vulnerability flags = 93 07/17/2015 06:45:41.806 002298363 MIME file:

[MBF] Re: HTML attachment got through, why?

2015-07-17 Thread John Tolmachoff
Andy, good question. The body of the email was indeed text/html formatted. And the email was base-64 encoded. The virus was indeed really in the attachment, not in the body. -Original Message- From: Andy Schmidt andy_schm...@hm-software.com Sent: Friday, July 17, 2015 9:20am To:

[MBF] OK, who is the comedian?

2015-08-24 Thread John Tolmachoff
Seen in the Declude Virus log set to Debug, with the AV scanner set at max number of processes. 08/24/2015 12:25:10.338 002358216 Sleeping; dreaming of free processes. 08/24/2015 12:25:10.645 002358216 Sleeping; dreaming of free processes. 08/24/2015 12:25:10.954 002358216 Sleeping; dreaming of

[MBF] TEST IDEA

2015-11-17 Thread John Tolmachoff
I have a test idea but not sure how to implement it. (Suffering from head cold for last 5 days so not thinking clearly) Test to see if the "TO" field in the headers contains more than 3 of the same name. Here is an example: To: daryl , dave heasman

[MBF] REGEX help in GAUNTLET filter

2015-10-19 Thread John Tolmachoff
Which of the following is correct: BODY 0 PCRE (?i:filename="[a-z0-9-_ ]{1,100}\.doc") BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc) To catch the following: Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=receipt.doc I had thought the quotes were

[MBF] Re: SKIPIFWEIGHT, MINWEIGHTTOFAIL and other

2015-12-09 Thread John Tolmachoff
SKIPIFWEIGHT: If testing of the message has so far resulted in a weight greater than the number here, this particular test will end and not be run. It has no bearing on any other test. MINWEIGHTTOFAIL: Same, only affects this particular test. It has no bearing on any other test.

[MBF] Re: Test for short small HTML body with a URL in it

2015-11-18 Thread John Tolmachoff
hricht- Von: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] Im Auftrag von John Tolmachoff Gesendet: Dienstag, 17. November 2015 19:25 An: community@mailsbestfriend.com Betreff: [MBF] Test for short small HTML body with a URL in it I am seeing obvious spam emails getting through bec

[MBF] Re: Gauntlet not moving files back into spool

2016-02-16 Thread John Tolmachoff
ound! I'm hoping to have a perm fix for you soon. Linda Pagillo Mail's Best Friend Email: linda.pagi...@mailsbestfriend.com Web: www.mailsbestfriend.com Office: 703.988.3606 -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John

[MBF] Verizon.net email now AOL

2016-03-21 Thread John Tolmachoff
OK, so just in case I am NOT the last one to learn this, Verizon.net email now goes through AOL servers. This affects the SPAMDOMAINS test. Very sad. I mean, Verizon is bad enough, but moving to America Off Line is going backwards. This only affects Verizon.net customers in CA, FL and TX.

[MBF] Re: Filter flub?

2016-04-29 Thread John Tolmachoff
ROFLMAO Thanks David, I needed the laugh. -Original Message- From: "David Barker | Mail's Best Friend | 1-866-919-2075" Sent: Thursday, April 21, 2016 2:00pm To: community@mailsbestfriend.com Subject: [MBF] Re: Filter flub? Ah it was an HP Support

[MBF] BANNAME with space

2016-05-11 Thread John Tolmachoff
What is the proper way to use BANNAME in the virus.cfg for an attachment that has a space in it? John T eServices For You

[MBF] Action on negative weghtrange

2016-05-11 Thread John Tolmachoff
I have a weightrange setup for negative totals, but it does not seem to be working. WEIGHTNEGATIVE weightrange x x -1 -1000 Any thoughts? John T eServices For You

[MBF] Re: how to deal with emailreg.org?

2016-05-06 Thread John Tolmachoff
Friends don't let friends use a Cuda! Although they do make good bait for big Groupers. John T eServices For You

[MBF] oledata.mso question

2016-04-15 Thread John Tolmachoff
To block or not to block, what are you doing? oledata.mso file contains images that a sender has embedded into an HTML email message created by Outlook. The problem I believe is the Declude AV can only scan the oledata.mso as a file, but it can not really know what is within the file without

[MBF] Re: Scanning a PDF

2016-07-06 Thread John Tolmachoff
To clarify, is it possible to have Declude look for a line like this: ">>/Encoding<>endobj39 0 obj< Sent: Wednesday, July 6, 2016 11:37am To: community@mailsbestfriend.com Subject: [MBF] Scanning a PDF When Declude finds a PDF attachment does it decode it (base64) and then scan it? John T

[MBF] Scanning a PDF

2016-07-06 Thread John Tolmachoff
When Declude finds a PDF attachment does it decode it (base64) and then scan it? John T eServices For You

[MBF] Re: Scanning a PDF

2016-07-06 Thread John Tolmachoff
And does this REGEX string look right? (?i:\>\>\/Encoding\<\<\/pdfdocencoding([A-Z 0-9\>]+)\<\<\/javascript([A-Z 0-9]+)\/embeddedfiles) -Original Message- From: "John Tolmachoff" <johnl...@eservicesforyou.com> Sent: Wednesday, July 6, 2016 11:4

[MBF] REGEX line length limit

2016-08-17 Thread John Tolmachoff
What is the limit in length for a REGEX PCRE statement in Declude? John T eServices For You

[MBF] Re: Odd attachment header for an Excel file

2016-08-18 Thread John Tolmachoff
ually. If they do, this email structure is NOT MIME compliant which typically means it was created by some application programmer who knows his programming language, but is ignorant about the environment he is targeting. -Original Message- From: community@mailsbestfriend.com [mail

[MBF] Re: Help with PCRE

2016-08-29 Thread John Tolmachoff
t; BADHEADERS " is NOT a match for " HEADERS ", etc. -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Friday, August 26, 2016 7:25 PM To: community@mailsbestfriend.com Subject: [MBF] Re: Help with PCRE OK

[MBF] Test to match the HELO with REVDSN

2016-09-07 Thread John Tolmachoff
Now using SmarterMail with Declude. Used to use Alligate with Declude. Alligate had a test that compared the HELO to the REVDNS and if the domain portion did not match it failed. I am looking to replicate that in Declude. Any one have a way to do that? John T eServices For You

[MBF] Re: REGEX line length limit

2016-08-18 Thread John Tolmachoff
Sort of answering my own question, I have a REGEX PCRE statement that is 169 characters long with no problems. -Original Message- From: "John Tolmachoff" <johnl...@eservicesforyou.com> Sent: Wednesday, August 17, 2016 2:14pm To: community@mailsbestfriend.com Subject:

[MBF] Odd attachment header for an Excel file

2016-08-18 Thread John Tolmachoff
I have captured a valid email message with the following for an Excel attachment: --_42177162-4ccf-48c3-8dd6-dfe95c8acffa_ Content-Type: application/vnd.ms-excel Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="INV OFFER 081816.xls" What is ODD is that I have all

[MBF] Help with PCRE

2016-08-26 Thread John Tolmachoff
I am trying to create a Regex filter that will only trigger if 4 or more tests have failed. This is what I have so far but it is not working: (?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10}) It is triggering if only one has failed. I am trying to have it

[MBF] Re: Help with PCRE

2016-08-26 Thread John Tolmachoff
: Help with PCRE (?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,} Move the quantifier OUTSIDE your token list. -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff Sent: Friday, August

[MBF] Re: Help with PCRE

2016-08-26 Thread John Tolmachoff
pm To: community@mailsbestfriend.com Subject: [MBF] Re: Help with PCRE What is a sample of the actual string you are searching? Are there any separation characters we need to allow for? -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John

[MBF] Re: Abuse & Postmaster

2016-11-22 Thread John Tolmachoff
It is still a very legitimate tool. However, what you should do about the results depends upon why you are checking a domain. Also, failure of a domain on the abuse and postmaster really mean nothing in terms of anti-spam scanning. I do not know of any system that would do a direct test of a