Sounds like you have a larger problem than you think. The only way they can log
onto an account is to know the password. There are only 4 ways that they would
know the password:
1) Brute Force on the account in question. Highly unlikely in this case if it
is happening to so many accounts.
2)
ROFLMAO
-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Tuesday, September 23, 2014 9:49am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Dumb Question
Apple?
-Original Message-
From: community@mailsbestfriend.com
Actually, if I remember correctly, it is not the number of addresses but the
total number of characters of all the addresses. If I am remembering correctly,
it is less than 256 characters because of inferred characters added per address.
I THINK!
John T
eServices For You
-Original
I am trying to figure out a way to create a test in Declude for the quantity of
symbols in the subject line. I am guessing this would have to be done via a
REGEX test but I am not sure how to create it.
Anyone have an idea?
John T
eServices For You
Try putting quotes around Junk E-mail?
John T
eServices For You
-Original Message-
From: SM Admin imailad...@bcwebhost.net
Sent: Wednesday, October 29, 2014 11:08am
To: community@mailsbestfriend.com
Subject: [MBF] delivery failure for junk mailbox
Hi,
I had an email that failed to be
Hello Chris, thanks for the shoutout.
Yes, I still sell AutoWhite for Declude and yes it will work with Smartermail
but through a manual registry trick. It is not suitable for ISPs or environments
with a large number of mailboxes or with a lot of turnover in mailboxes.
-Original
Imail 8.22, wow, now there is an oldie.
Man, why are you making us think so hard on a Friday?
Let's see how good my memory is.
Are you using an external database or the Imail Database, OKA the registry? If
an external MS Access database, you might be bumping up against maximum
connections/calls
Friends don't let friends use a Cuda.
-Original Message-
From: Carl Wagar jcwa...@entrenet.com
Sent: Wednesday, November 12, 2014 9:45am
To: community@mailsbestfriend.com
Subject: [MBF] BARRACUDA
Does everyone find that BARRACUDA is increasingly wrong these days?
I have reduced the
I am seeing evidence that SPFFAIL is not always being triggered.
We received several of the fake ADP Past Due notices today and none of them
failed SPFFAIL even though review of the headers shows they should have, since
ADP has a valid ABSOLUTE SPF record.
Anyone else seeing this? This is on
For the last couple of weeks, I have been seeing emails with malicious DOC
attachments. ESET (NOD32) and ClamAV are not catching them.
Anyone else seeing these and what are you doing to catch them, besides banning
(guaranteeing) DOC attachments?
John T
eServices For You
you
have provided:
(?i:@[0-9a-z]+\..+\..+)
Can you be more specific ?
David
On 12/16/2014 3:17 PM, John Tolmachoff wrote:
I am seeing an increase in spam and using an email in the format of
blabla...@host.domain.moc.
I would like to find the right regex to use to look
I cannot find what triggered an END on the GAUNTLET test.
Doing filter file C:\Interceptor\Alligate\Declude\filters\gauntlet.txt.
Filter GAUNTLET: Not skipping E-mail due to current weight of 8.
Checking TESTSFAILED: IPNOTINMX ALLIGATETESTS WHITEFILTER2 GRAYFILTER1
DYNREVDNS COMBO_K COMBO_D .
What is the practical limit to the number of lines in a filter file or in a
fromfile?
John T
eServices For You
#
This message is sent to you because you are subscribed to
the mailing list community@mailsbestfriend.com.
To
Anyone evaluating or implementing DMARC either on the sending side or the
receiving side?
John T
eServices For You
)
that was in spam.dnsbl.sorbs.net but wasn't in dnsbl.sorbs.net. Better to
use the individual zones for testing, but be careful about using
overlapping zones.
Gary Steiner
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Friday, January 23
Not your problem, theirs. See attached screen shot.
John T
eServices For You
-Original Message-
From: SM Admin imailad...@bcwebhost.net
Sent: Sunday, January 18, 2015 10:20pm
To: community@mailsbestfriend.com
Subject: [MBF] help on return error message
Hi,
I got a reject on an email
Here is the problem:
MIME-Version: 1.0
Content-transfer-encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The headers are stating 2 different encodings, but only one is allowed.
From the AM Manual:
Conflicting Encoding
Can I use COUNTRYCHAIN variable as part of a filter?
Example: COUNTRYCHAIN 10 CONTAINS IRAN
John T
eServices For You
In reality, if you are not using a -all SPF record, then you might as well have
no SPF record at all. From a receiving point, the only time you can reliably
take action (or weight) is on an absolute record, which is -all; anything else
equals maybe, in which case it is meaningless.
John T
eServices For
:
IRAN-destination
You can find the ISO codes for countries here: http://www.countryareacode.net/
David
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Tuesday, March 17, 2015 1:01 PM
To: community
Bueller? Bueller? Bueller?
-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Tuesday, April 14, 2015 8:59am
To: community@mailsbestfriend.com
Subject: [MBF] SPAMDOMAINS
Does anyone still use this test and have an updated file for it?
John T
eServices For You
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Tuesday, 21 April 2015 17:26
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPAMDOMAINS
Bueller? Bueller? Bueller?
-Original Message-
From
:10pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records
Soft fail can still be useful to prevent forged spam sent to your users
where the from address is also the user's address.
Darin.
-Original Message-
From: John Tolmachoff
Sent: Wednesday, April 01, 2015 11:50 AM
I am guessing it is a configuration error in either the global.cfg file or a
filter file.
What version did you upgrade from?
Do you have iMail properly configured?
-Original Message-
From: Brandon Rowlett bran...@sageisland.com
Sent: Wednesday, May 20, 2015 9:06am
To:
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: community
With SNIFFER running before GAUNTLET, I had an idea of using X-GBudb-Analysis
line with Source New as a catch for GAUNTLET.
Any thoughts?
What would the line in the GAUNTLET file be for that?
HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))
John T
eServices For You
OK, here is one I do not understand. This has happened at least 6 times that I
know of in the last 2 days. An email was received and processed by Declude. It
contained an attachment winmail.dat. BUT the sender had attached an XLSX file.
After talking to the intended recipient (who also talked
In trying to capture DOC attachments, someone provided the following line a
while back:
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc)
That was not working. After my fumbling around and testing, the correct line is
as follows:
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)
Note the quotation
to be formatted in different ways,
yielding different results, for different recipients (but I'm vague on that
one).
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Friday, August 21, 2015 2:43 PM
To: community
@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of John Tolmachoff
Sent: Monday, August 24, 2015 1:46 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet
XLSX correctly
Thanks for the explanation Andy. But that still
In dealing with emails with winmail.dat attachments, Declude does not send out
any email saying it is a forging virus, yet I do not see anywhere in the
configuration where it would treat it as forging.
08/19/2015 06:36:12.618 002351919 Not sending .eml file since AUTOFORGING
detected a forging
Thanks David.
A question, why is the following line in GAUNTLET? I realize it can have a high
hit rate but with the proliferation of malicious emails that are playing with
the encoding, shouldn't this line be removed?
BODYEND PCRE(?i:Content-Transfer-Encoding: base64)
Bueller? Bueller?
-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Tuesday, July 28, 2015 1:21pm
To: community@mailsbestfriend.com
Subject: [MBF] Gauntlet not moving files back into spool
I have just discovered that files (Alligate Gateway which is Imail server
I have just discovered that files (Alligate Gateway which is Imail server)
being caught by the Declude Gauntlet test are never moved from the Gauntlet
folder back to the spool. DRGOutflow.exe is running and I can see it checking
the directory every minute using Process Monitor, but no action is
Anybody using VIPRE AV?
John T
eServices For You
community purpose with such commentary
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 2:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV
ACK, Sunbelt, yuck patoooy
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Tuesday, August 04, 2015 2:14 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: VIPRE AV
Is there a command line option?
-Original Message-
From
PING
I am still seeing these HTML attachments getting through.
-Original Message-
From: John Tolmachoff johnl...@eservicesforyou.com
Sent: Friday, July 17, 2015 10:14am
To: community@mailsbestfriend.com
Subject: [MBF] Re: HTML attachment got through, why?
Andy, good question. The body
Here is something I do quite often, and having a little utility to run instead
would help:
I often get requests from users say I am expecting an email from so-and-so and
have not received it, can you check?
What I would love to see is a utility that I can run that will prompt me for an
email
I have HTM and HTML attachments banned. (No valid reason for them.) Yet one got
through. Can someone help me on this as to why? And it was malicious,
containing Trojan.HTML.Phishing.GL
07/17/2015 06:45:41.804 002298363 Vulnerability flags = 93
07/17/2015 06:45:41.806 002298363 MIME file:
Andy, good question. The body of the email was indeed text/html formatted. And
the email was base-64 encoded.
The virus was indeed really in the attachment, not in the body.
-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Friday, July 17, 2015 9:20am
To:
Seen in the Declude Virus log set to Debug, with the AV scanner set at max
number of processes.
08/24/2015 12:25:10.338 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:10.645 002358216 Sleeping; dreaming of free processes.
08/24/2015 12:25:10.954 002358216 Sleeping; dreaming of
I have a test idea but not sure how to implement it. (Suffering from head cold
for last 5 days so not thinking clearly)
Test to see if the "TO" field in the headers contains more than 3 of the same
name. Here is an example:
To: daryl , dave heasman
Which of the following is correct:
BODY 0 PCRE (?i:filename="[a-z0-9-_ ]{1,100}\.doc")
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)
To catch the following:
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=receipt.doc
I had thought the quotes were
SKIPIFWEIGHT: If testing of the message has so far resulted in a weight greater
than the number here, this particular test will end and not be run. It has no
bearing on any other test.
MINWEIGHTTOFAIL: Same, only affects this particular test. It has no bearing on
any other test.
hricht-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Tuesday, 17 November 2015 19:25
To: community@mailsbestfriend.com
Subject: [MBF] Test for short small HTML body with a URL in it
I am seeing obvious spam emails getting through bec
ound! I'm hoping to have a perm fix for you soon.
Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3606
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John
OK, so just in case I am NOT the last one to learn this, Verizon.net email now
goes through AOL servers. This affects the SPAMDOMAINS test.
Very sad. I mean, Verizon is bad enough, but moving to America Off Line is
going backwards.
This only affects Verizon.net customers in CA, FL and TX.
ROFLMAO
Thanks David, I needed the laugh.
-Original Message-
From: "David Barker | Mail's Best Friend | 1-866-919-2075"
Sent: Thursday, April 21, 2016 2:00pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Filter flub?
Ah it was an HP Support
What is the proper way to use BANNAME in the virus.cfg for an attachment that
has a space in it?
John T
eServices For You
I have a weightrange setup for negative totals, but it does not seem to be
working.
WEIGHTNEGATIVE weightrange x x -1 -1000
Any thoughts?
John T
eServices For You
Friends don't let friends use a Cuda!
Although they do make good bait for big Groupers.
John T
eServices For You
To block or not to block, what are you doing?
oledata.mso file contains images that a sender has embedded into an HTML email
message created by Outlook. The problem I believe is the Declude AV can only
scan the oledata.mso as a file, but it cannot really know what is within the
file without
To clarify, is it possible to have Declude look for a line like this:
">>/Encoding<>endobj39 0 obj<
Sent: Wednesday, July 6, 2016 11:37am
To: community@mailsbestfriend.com
Subject: [MBF] Scanning a PDF
When Declude finds a PDF attachment does it decode it (base64) and then scan it?
John T
When Declude finds a PDF attachment does it decode it (base64) and then scan it?
John T
eServices For You
And does this REGEX string look right?
(?i:\>\>\/Encoding\<\<\/pdfdocencoding([A-Z 0-9\>]+)\<\<\/javascript([A-Z
0-9]+)\/embeddedfiles)
-Original Message-
From: "John Tolmachoff" <johnl...@eservicesforyou.com>
Sent: Wednesday, July 6, 2016 11:4
What is the limit in length for a REGEX PCRE statement in Declude?
John T
eServices For You
ually. If
they do, this email structure is NOT MIME compliant which typically means it
was created by some application programmer who knows his programming language,
but is ignorant about the environment he is targeting.
-Original Message-
From: community@mailsbestfriend.com [mail
" BADHEADERS " is NOT a match for " HEADERS ", etc.
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:25 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE
OK
Now using SmarterMail with Declude. Used to use Alligate with Declude. Alligate
had a test that compared the HELO to the REVDNS and if the domain portion did
not match it failed.
I am looking to replicate that in Declude. Anyone have a way to do that?
John T
eServices For You
Sort of answering my own question, I have a REGEX PCRE statement that is 169
characters long with no problems.
-Original Message-
From: "John Tolmachoff" <johnl...@eservicesforyou.com>
Sent: Wednesday, August 17, 2016 2:14pm
To: community@mailsbestfriend.com
Subject:
I have captured a valid email message with the following for an Excel
attachment:
--_42177162-4ccf-48c3-8dd6-dfe95c8acffa_
Content-Type: application/vnd.ms-excel
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="INV OFFER 081816.xls"
What is ODD is that I have all
I am trying to create a Regex filter that will only trigger if 4 or more tests
have failed. This is what I have so far but it is not working:
(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})
It is triggering if only one has failed. I am trying to have it
: Help with PCRE
(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}
Move the quantifier OUTSIDE your token list.
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Friday, August
pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE
What is a sample of the actual string you are searching? Are there any
separation characters we need to allow for?
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John
It is still a very legitimate tool. However, what you should do about the
results depends upon why you are checking a domain. Also, failure of a domain
on the abuse and postmaster really mean nothing in terms of anti-spam scanning.
I do not know of any system that would do a direct test of a
66 matches