Fred,
While invURIBL will catch a lot of SPAM - I still would recommend folks use
Sniffer. The thing to keep in mind is that Sniffer triggers on many other
aspects of SPAM other than URI data.
Darrell
Frederick Samarelli writes:
It looks like it may be a redundant test to sniffer.
Has anyone had any success with bumping that up? If so, what values seemed
to work for you? I know the big concern is hitting the mystery heap limit.
Darrell
Check out http://www.invariantsystems.com for utilities for
I have just spent the last 24 hours slowly feeding messages back into
the message queue after queue manager quit delivering. It has happened
before, and I have seen posts on the Imail list discussing queue
manager hanging. The real problem is, the service is running, it just
isn't doing anything.
Does anyone know if relays.visi.com is officially down? I haven't had a hit
against it since early November.
RSL - relays.visi.com
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
Does anyone have any feedback on E-Dialog.com. It appears there are several
reputable companies using them (NFL, Reuters, etc).
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
Rick,
My understanding is if the packet is rejected or allowed before the port
information is needed for comparison Cisco IOS will log it as port 0.
Darrell
Check out http://www.invariantsystems.com for utilities for
Matt,
It's possible it's a locking issue. What specifically is the error message
it is returning?
I ran into a similar issue with a log rotating script I wrote to move logs
around into WebTrends. I was trying to rotate a log file still being
downloaded and it would cause an issue.
When I
Katie,
SKIPIFWEIGHT only works in filter files and you will need the latest version
of Declude to use this feature. From my experience DNS based tests and
external tests are run before the filter tests are run. Most folks use the
SKIPIFWEIGHT test to bypass CPU consuming filter files if the
Kris,
The syntax would be
66.54.138.0/24 Description Of Why
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and
Dean,
The best thing to do is lower your TTL well ahead of time of the move. If
you lower your TTL down to about 5 minutes on your records your cutover
should not take that long for mail to cutover to your new IP. Also, make
sure you get your PTR records added ahead of time.
Also you have
Darin,
If it's an unsigned 4-byte wouldn't it be 4,294,967,295 tests?
Darrell
Darin Cox writes:
This is the same idea I mentioned a year ago when we were all talking about combo tests in Declude - only problem being if you use more unique tests than the numeric type supported. Assuming the
Mark,
You will lose some functionality on log level MID. I am not exactly sure
which reports you are currently running, but if you check out
http://www.invariantsystems.com/dlanalyzer/support.htm it will let you know
which log levels are required for each specific report.
If you need any
Those are both great tools. My only complaint with BareTail is I get a lot
of flicker under TS. However, their older wintail has no flicker...
Darrell
Check out http://www.invariantsystems.com for utilities for Declude
David,
We limit around 10MB. It has worked well. That's not to say several folks
haven't tried to email 50+MB files..
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
It is using Yahoo to query for more email addresses. Here is McAfee's write
up.
http://vil.nai.com/vil/content/v_127175.htm
Darrell
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.
We are pleased to announce that DLAnalyzer 3.0 is now available. With
version 3.0 we are introducing a Lite version that is FREE.
To download DLAnalyzer 3.0, please visit:
http://www.invariantsystems.com/
New Features In DLAnalyzer 3.0
* Last Action Summary Report
* Test Breakdown Summary
John,
It's supposed to be #09;
i.e. character code 09.
Darrell
-
Check out http://www.invariantsystems.com for utilities for Declude and
Imail. Now released QueueMon an Imail/Declude Queue Monitoring Application.
John Tolmachoff (Lists)
Andy,
I know I am not Matt, but I wanted to chime in here. We have a lot of body
filters and we use sniffer as well. Mostly because we can quickly code
rules to block spam that is coming in at that moment instead of waiting for
a rule base update. Also, not all of the spam we get ends up
I saw this post below and wanted to implement the TESTSFAILED to exit out
of one of my body filters based on if another test was already triggered.
Is the below line correct (assuming REVERSEDNSFILTER is one of my filters
that occurs before the filter I put the below line in)?
TESTSFAILED
Scott/Anyone,
What is the RFC that covers HELO BOGUS? I had written down RFC 821 4.3.
However, when looking at that sub heading it covers Sequencing of Commands
and Replies. So I am thinking I must be wrong, because the only thing that
I see relevant is the following lines
Note: all the
I am sure this may just be a typo but you put CONTRAINS opposed to
CONTAINS?
Darrell
-
Check out http://www.invariantsystems.com for utilities for Declude and
Imail.
Kris McElroy writes:
I am wanting to block anything in the From line
Correct...
Darrell
John Tolmachoff (Lists) writes:
A space is %20, correct?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.
Terry,
I originally looked at the argolink spam graph, but as the docs mentioned it
goes through the full log file from beginning to end. Our log files are
big, but it would tie up the cpu for a bit ~10-15 minutes.
We just finished a separate program that can be used with MRTG to graph
Matt,
I monitor a bunch of counters (memory, cpu, process, disk, network, etc) on
our servers. I roll the perf logs on a daily basis. The hard thing in
tracking this stuff is that when you add process counters there is no way to
track all of the individual processes for
Matt,
I used to put routers in these types of situations, but now I don't. I
would suggest you/your customer look at some of the low end Netscreen
firewalls like a 5GT. You can get these under $500 and they have way more
value than a router..
One of the best things about the netscreen
DNS line in the \IMail\Declude\global.cfg file). Note that it is
recommended (with or without Declude) that you only use 1 DNS server in
the IMail SMTP settings.
What types of problems tend to crop up with multiple DNS servers listed in
Imail?
Darrell
We are setup currently using HOPHIGH 1. With using a HOPHIGH setting of
1. What we are seeing is an increase in messages that are getting caught
with XBL, DSBL, SORBS, and other tests along this line on the second HOP
even though they were legit messages that were sent through normal ISP
a domain from the MAILFROM instead of
the hops, so you don't need to do anything special with these tests.
Matt
DLAnalyzer Support wrote:
We are setup currently using HOPHIGH 1. With using a HOPHIGH setting
of 1. What we are seeing is an increase in messages that are getting
caught with XBL
and that helps with forwarding). I've only seen a few FP's as a result of
tagged zombies sending legit E-mail, maybe a couple a week and always just
barely failing. Note that all of these scores are based on a hold weight
of 10 or 13.
Matt
DLAnalyzer Support wrote:
Matt,
That's
Actually, Bill announced today at the RAS conference that Windows XP SP2
should fix the virus issue.
Beyond the Windows service release, Gates also showed off ``active
protection technologies'' that will gird Windows computers against attacks
by sensing changes in the network that indicate
That was our log parsing tool (DLAnalyzer). Our mail servers are very busy
and we often see a lot of the lines intermixed during peak times. We make
every attempt to interpret mixed logging lines to extract as much information
out of the lines, but sometimes it's so intermixed it's impossible so
Todd,
Yes we do have a version that is compatible with the new log file changes.
You need to download 2.0.6R.
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
Todd writes:
Snort...
darrell
Sharyn Schmidt writes:
I have been asked to research Intrusion Detection Software.
I have done a Google search, but most of what I see is an actual
appliance.
All I am looking for is software that will notify me when something
suspicious attempts to hit our network.
Todd,
Dotster.com has always been good to us.
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
Todd writes:
Anyone using a registrar that they like? I want to get some of my
Winzip has a command line utility add in.
Darrell
ISPhuset Nordic AS writes:
Hi a little off topic
Anyone knowing of a free or nearly free zip utility which can pack some files to a zip archive.
unpacking isn't a problem
It is a must that it can run for a command prompt
Benny
---
For those who have downloaded/currently using DLAnalyzer to process their
Declude Junkmail Logs an update is available that supports the new log file
format found in 1.77i15+. It is also backward compatible and will still
continue to work with the older log files as well.
Please see the read
Has there been any real stance on what people are actually doing with this
test? negative weight if it returns PASS, adding weight if it fails?
Darrell
Bill Landry writes:
SPF counts for the past couple of weeks:
==
1 1st.net PASS
1 accesscomm.ca FAIL
8 alta-vista.com FAIL
Personally I try not to whitelist. If the mail comes from a few servers
then you can set up a reverse weight IPFILE for their specific IP addresses.
Whitelisting is very susceptible to forging. I learned the hard way by
whitelisting @dell.com and a spammer took me to town with that. Now I
Nick,
You can score the various result codes of sniffer differently.
SNIFFEREXP external 62 X:\Sniffer\your sniffer.exe 7 0
SNIFFEROBFUS external 61 X:\Sniffer\your sniffer.exe 10 0
SNIFFERGREY external 60 X:\Sniffer\your sniffer.exe 5 0
PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Tuesday, January 06, 2004 9:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New CMDSPACE test in latest interim release
Also, remember if you are using the bounce action for anything it has been
renamed to bounceifyoumust.
Darrell
Glenn,
No DLAnalyzer will still work fine under log level high. We will however be
updating the program to support the new changes by the end of this weekend.
Darrell
Glenn \\ WCNet writes:
I'm using DLAnalyzer, with LogLevel High. I haven't updated to the latest
interim . . but would
Also, remember if you are using the bounce action for anything it has been
renamed to bounceifyoumust.
Darrell
Jonathan writes:
Can't imagine why you'd need to restart .. it hooks the EXE each time it
spawns an smtp thread, so the next message after the EXE is in place,
should use the new
Dan,
One problem I have is that when Declude Junkmail processes a message that
has attachments it processes the attachment how it was encoded typically base
64 (of course assuming it is under the limit of what declude scans).
When you have a filter with a small word like c u m or s e x it tends
Gene,
Sounds like you may have the weights configured as weight instead of
weightrange.
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
Gene Head writes:
I have 4 entries
Nick,
FYI - You can do this with DLAnalyzer. On one of our last discussions we
talked about having a weight range that spanned from zero. This way you
could see the messages that were delivered.
If you specify spamdomains and that weight range as a test in the advanced
report and set the
Ron,
The best thing for hotmail is to setup spamdomains. For hotmail we use the
following in our spamdomains file
hotmail.com msn.com
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs -
Todd,
I suspect no one has an issue with what AOL is doing is because we are so
close to the situation (i.e. we are all trying to block spam).
Darrell
Todd Holt writes:
I know this will stir a few people the wrong way, but.
If so many people are upset that MS is being monopolistic by
Greg,
20% of our hold weight on our primary mx
30% of our hold weight on our backup mx
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
System Administrator writes:
I'm curious
For the folks I have helped get out of spamcop you basically go to the site
and their listing and request removal. Has this process changed?
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs -
We have been creating negative weight filters based on reverse DNS.
REVDNS-3 ENDSWITH .dell.com
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
Administration
Serge,
I know exactly what you mean. Looking below it's obvious that ORDB catches
very little. Is it worth doing a DNS request over 864K times for it to just
catch 7K pieces of mail.
One thing I do know is that I am going to miss the Easynet tests...
Darrell
DLAnalyzer(v2.0R) Report
Brad,
Sniffer has a rule base that they code based on spam they receive.
Depending on the type of spam it is (porn, av, hosting, etc) they place that
rule in an appropriate category. When sniffer scans a message it will
return a code. The code that is returned is what you will use in your
Absolutely worth its cost...
Darrell
andyb writes:
Is sniffer worth the $300/year?
Thinking about trying it.
Thanks, andy
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Wednesday, November 26, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] DLAnalyzer
John,
Those are excellent suggestions
NJABL for the most part is like ORDB. They test open relays and list them.
Folks that are listed can easily request to be de-listed, but of course they
are not removed if njabl finds them relaying still.
Darrell
Matthew Bramble writes:
I haven't tested these, however I would very much
PROTECTED] On Behalf Of DLAnalyzer Support
Sent: Tuesday, November 25, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] DLanalyzer
The latest version of DLAnalyzer was released last week. The current
version is 2.0R. Many new features were added including a GUI based
configuration
Andy,
When a new beta comes out we test it on our backup mail servers. They get
the least amount of production traffic. If the beta is stable after a
couple of days we will move the beta to the production server.
One thing that we don't do is run interim release at all unless there is a
The latest version of DLAnalyzer was released last week. The current
version is 2.0R. Many new features were added including a GUI based
configuration utility to ease configuration. There are many other reports
it can generate besides the one listed below (Domain Summaries
A novel idea which I can't imagine will do anything...
Darrell
http://www.reuters.co.uk/newsArticle.jhtml;jsessionid=EBA1FMHYFTOGUCRBAE0CF
EY?type=internetNewsstoryID=3875381section=news
U.S. passes anti-Internet spam bill
Sat 22 November, 2003 12:09
By Andy Sullivan
WASHINGTON (Reuters)
Keith,
If you are using a new interim release the bounce action has changed to
bounceonlyifyoumust.
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com
Keith Anderson writes:
Frederick,
Is your DNS server responding properly. We had this same type of problem
when our ISP's DNS server stopped responding.
Darrell
Check Out DLAnalyzer 2.0 a comprehensive reporting tool for
Declude Junkmail Logs -
Debug. We currently log with high and that information is not present in
the logs. However, it is with DEBUG.
Darrell
John Tolmachoff (Lists) writes:
At what log level does Declude record the total processing time?
Or how can I otherwise find out the processing time per message?
John
Paul,
The feature you request is available in DLAnalyzer
(http://www.dlanalyzer.com). That report you would be looking to pull would
be the advanced report.
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail
Is anyone else compensating for this with a filter?
HEADERS -3 CONTAINS X-Mailer: Microsoft Office Outlook, Build 11.0
Has anyone else seen any different builds? The build below should be the
release build.
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Darrell
Nathan,
Please check out DLAnalyzer. It can provide you with the summaries you are
looking for in addition to many other different types of reports that are
useful to analyzing your server.
Here are some examples of reports you can generate.
*Overall Server Summaries
*Incoming Domain
Serge,
Just one clarification for your 172.x.x.x address space. Those start at
172.16.x.x and end at 172.31.x.x. So your whitelist entry for that would be
172.16.0.0/12
instead of
172.18.0.0/13
But, then again you may care about those first two networks and
intentionally excluded
the overflow queue to fill up very fast in a short period of time when your
DNS server is down.
Darrell
Matthew Bramble writes:
DLAnalyzer Support wrote:
Unfortunately, Declude does not utilize the second DNS server if
specified in IMail. In turn if you use several RBL's will still cause
Another thing to check is your DNS and if it is resolving properly. It
could be that a reboot might resolve problems in DNS, or with IMail
connecting to DNS. It might also be a good idea to configure IMail for
Unfortunately, Declude does not utilize the second DNS server if specified in
This is what I use and I have been very pleased with the results..
Global.cfg entry
REVERSEWEIGHTDNS filter x:\IMail\Declude\ReverseDNSFilter.txt x 0 0
Sample File Contents
REVDNS -3 ENDSWITH .kodak.com
REVDNS -3 ENDSWITH .mx.aol.com
REVDNS -3 ENDSWITH .dell.com
Hope this
Donna,
When editing the *.eml files that are returned back to the users in cases of
banned extensions and the like you will need to use just plain old regular
notepad or other basic text editor.
Darrell
Check Out DLAnalyzer a comprehensive
Whitelisting supports CIDR notation..
I just grabbed this paragraph out of the manual, because it explains it
better than I could.
To whitelist an IP address, add a line WHITELIST IP 127.0.0.1 to the
\IMail\Declude\global.cfg file (replacing 127.0.0.1 with the IP you wish to
whitelist). If
Bill,
I see these same errors on my backup mail server from time to time. The
backup server is running Imail v8.0 and the errors only seem to crop up when
the server is under heavy load (i.e. processor at 100%). Is this situation
comparable to yours?
Darrell
We applied the patches several days ago. We do about 20-25K messages a day
and have not seen any ill effects from the patch. What type of volume do
you have on the server that you removed the patch from?
Darrell
John Tolmachoff (Lists) writes:
FYI, although I have not yet removed the
John,
DLAnalyzer has the capabilities you are looking for in the enterprise
version and much more. With the advanced reporting capabilities it can get
even more granular than what you are requesting..
Check it out at http://www.dlanalyzer.com and make sure you request the
unrestricted
Josh,
IPNOTINMX = IP NOT IN MX. As you said earlier there are no MX records for
the IP address of the server you received that mail from. Declude looks at
the senders mail from domain and compares it to the IP address the
server received the mail from looking for an MX.
In this case
It's reachable from here...
Darrell
Kevin Bilbee writes:
I am trying to get to the manual.
Is the declude website down?
Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332
Changing the way industry works.
Keith,
One of the lists I use is Tom's from ImageFx. It's pretty good and always
seems to be updated.
http://www.imagefxonline.net/apps/delog/fromfile.txt
Darrell
Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail
Darryl,
I use wintail from http://www.wintail.com. It's windows based, and I would
prefer more of a unix based command line driven so that I could grep on it,
but I haven't run across a very good one yet.
Nonetheless, Wintail does the job.
Darrell
Invariant Systems
and work great,
no different than we find on our Linux servers.
Bill
- Original Message -
From: DLAnalyzer Support [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, September 13, 2003 10:30 AM
Subject: Re: [Declude.JunkMail] tailing a log file
Darryl,
I use wintail from http
Jeff,
This is similar to the issue of whitelisting the postmaster account.
Spammers got hip to the fact that most people whitelist the postmaster
account and would include as a recipient for the spam the postmaster.
We were getting burned by this due to the high amount of porn spam that
Michael,
You would set this up like any of your other non RBL tests
COMMENTS comments 5 x 3 0
The first number is the number of comments. As with all of the other tests
the 3 is the weight assigned.
With having it set at five comments only a small handful of messages fail
this test for
81 matches