One Hotmail spammer peddling Chinese drugs is consistently getting through.
There just isn't enough wrong with the emails to get it stopped.
One oddity is the formatting of the subject line over multiple lines:
Subject: [Possible SPAM]
All of my samples have been sent to madscientist@
From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:10 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed
On 1/13/2012 10:39 AM, Scott Fisher wrote:
One Hotmail spammer
Apparently I’m catching them on the way out with clamav.
Resending now
From: Pete McNeil [mailto:madscient...@microneil.com]
Sent: Friday, January 13, 2012 10:50 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] regex help needed
On 1/13/2012 11:24 AM, Scott Fisher wrote
wrong?
Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL
60174-5410
630/462-2323 | Fax 630/462-2957 | mailto:sfis...@farmprogress.com
sfis...@farmprogress.com
http://www.farmprogress.com/ www.FarmProgress.com
This email message, including any
If you are using Alligate and Declude,
This will work in the Declude Filter:
HEADERS 1 PCRE(?i:X-Alligate-MsgScan.{1,80}NOTO)
-Original Message-
From: Brian Milburn [mailto:br...@spammanager.com]
Sent: Friday, September 23, 2011 10:45 AM
To:
I forced invuribl to return specific weights to offset this problem:
INV-URIBL-WEIGHT25 external 25
D:\IMAIL\DECLUDE\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP% 25
0
INV-URIBL-WEIGHT50 external 50
D:\IMAIL\DECLUDE\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%
The 127.0.0.4 is a gray listing for the uribl. I personally don't score
the gray result because of too many false positives.
<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
Restore imail1.exe from a backup
Sent via BlackBerry by ATT
-Original Message-
From: John T johnl...@eservicesforyou.com
Sender: John T johnl...@eservicesforyou.com
Date: Sat, 26 Mar 2011 16:09:11
To: Declude.JunkMail@declude.com
Reply-to: Declude.JunkMail@declude.com
Subject:
1. The trouble with invuribl is it doesn't work too well with
dbl.spamhaus.org.
And I wish we'd see some changes to invuribl to accommodate it.
One problem is that all numbered IP addresses will return 127.0.1.255. Which
shouldn't be scored.
The second problem that the invuribl bitmasking
I made this change immediately. Like Andrew I've always wondered why the
Hotmail header hasn't been targeted by someone.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To:
-Pete
Can I use
<header name='X-AOL-IP:' received='aol.com [' ordinal='0' />
for the AOL header:
X-AOL-IP: 213.55.79.58
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete
McNeil
Sent: Monday, December 06, 2010 2:31 PM
To:
My problem is the reverse, I get so much spam from hacked
aol/hotmail/gmail/yahoo accounts, that it's getting to the point that these
services are spammers. I hope some more places blacklist them so that maybe
they'll clean up their act. Like that would happen...
Unfortunately a disproportionate
http://oss.netfarm.it/clamav/ is the port I use.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Andy
Schmidt
Sent: Thursday, August 12, 2010 5:21 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Server AV Scanner
Dave,
Most of my samples don't have a boundary just plain text.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30
To second Matt's comment about this spammer's volume, I'm a pretty small
email fry, but I've seen 337 emails from this spammer today. Very prolific.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To:
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original
I put an alligate server in front of Declude. It kills about 95% of incoming
connections.
Declude Intercepter incorporates this
Sent via BlackBerry by ATT
-Original Message-
From: Michael Cummins mich...@i-magery.com
Date: Wed, 12 May 2010 09:25:57
To: declude.junkmail@declude.com
[mailto:supp...@declude.com] On Behalf Of Scott
Fisher
Sent: Wednesday, May 12, 2010 9:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude
I put an alligate server in front of Declude. It kills about 95% of incoming
connections.
Declude Intercepter incorporates
<!--URI LIST 4-->
<add key="URIBL_List4" value="urired.spameatingmonkey.net" />
<add key="URIBL_Weight_List4" value="25" />
<add key="Enable_Custom_Bitmask_Values_URIBL_List4" value="false" />
<!--URI LIST 5-->
<add key="URIBL_List5" value="fresh15.spameatingmonkey.net" />
add
Check declude's diag.txt or diags.txt it will list all tests
I think it gets created when decludeproc service starts so you may need to
restart the service to get a current copy
Verbose logs also have tons of info
Sent via BlackBerry by ATT
-Original Message-
From: David Dodell
Of Scott
Fisher
Sent: Monday, April 26, 2010 11:53 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Enumerating and Weighting IP4R/RHSBL/DNSBL
tests
I like some of the ideas coming out of:
http://spameatingmonkey.com/lists.html
---
This E-mail came from
I like some of the ideas coming out of:
http://spameatingmonkey.com/lists.html
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael
Cummins
Sent: Monday, April 26, 2010 9:30 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail]
According to my notes:
RBL Tests Run 1st!
Declude base tests Run 2nd
External Tests Run 3rd
Fromfile and ipfiles run 4th
Filters Run last.
Invuribl has a built in skip process when you add the weight to the command
line:
D:\IMAIL\DECLUDE\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%
A second vote for Alligate.
My Alligate Overall rejection rate for Feb 2010: 95%
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Harry
Vanderzand
Sent: Wednesday, February 10, 2010 6:53 AM
To: declude.junkmail@declude.com
Subject: RE:
Can you please clarify or expand on 4.8.37 PostiniFix? The description
doesn't tell me what a posting fix is.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of David
Barker
Sent: Wednesday, November 04, 2009 11:12 AM
To: declude.vi...@declude.com;
I'm waiting for Imail 11.01 before I jump on the 11.x bandwagon.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Chuck
Schick
Sent: Tuesday, August 11, 2009 10:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Imail 11
Anyone
Cbl is a subset of zen.spamhaus.org so you could be double scoring that.
UCEPROTECT-2 and UCEPROTECT-1 overlap considerably. You are probably double
scoring there.
DNSBL and IADB are whitelists. They would have lower scores.
SORBS is shutting down. Might want to remove that
About 93-95% of the time it correctly identified the item as spam.
So 5-7% of the time it went off on good email. So watch your weighting.
Out of about 24,000 spam messages that made it to Declude it detected about
16,000 of them. That's pretty good for an IP list nowadays, since there
So if we are using our own custom filters, what kind of filter rules should
we be watching out for?
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Linda
Pagillo
Sent: Thursday, April 16, 2009 9:36 AM
To: declude.junkmail@declude.com
Cc:
Has Declude been tested with Imail 11?
If not, does Declude have an ETA?
I note the SMTP engine has been rewritten in .NET for improved plug-in
capatibility.
Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL
60174-5410
630/462-2323 | Fax
wellsfargo.com.hostkarma.junkemailfilter.com. 2100 IN A 127.0.1.1
wellsfargo.com.hostkarma.junkemailfilter.com. 2100 IN A 127.0.2.3
Can Declude JunkMail handle/process the multiple return codes?
Scott Fisher | IT Director
FARM PROGRESS COMPANIES | 255 38th Avenue, Suite P | St. Charles, IL
60174-5410
630/462
BODY 10 CONTAINS V.DASK Information Technologies
Or
BODY 10 CONTAINS ittechrespo...@gmail.com
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Craig
Edmonds
Sent: Thursday, February 19, 2009 2:17 AM
To: declude.junkmail@declude.com
Subject:
I see on the Declude.com front page, IP Address Reputation Tools, New from
Declude Security Lab.
Are there any plans to include this in Declude Junkmail?
filters.
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
This is from memory, but I think this would work.
ALLRECIPS END NOTCONTAINS [EMAIL PROTECTED]
TESTSFAILED END NOTCONTAINS SPAMCANNIBAL
MAILFROM10 IS xyx.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Here's a filter I use:
# attack Yahoo spammers
SKIPIFWEIGHT 315
MAXWEIGHT 150
#
# exclude the big emails and those with good attachments
TESTSFAILED END CONTAINS MPPT-SIZE-L
TESTSFAILED END CONTAINS MPPT-SIZE-XL
TESTSFAILED END CONTAINS
Is there any way to make a PCRE work like a NOTCONTAINS?
I have this filter line:
MAILFROM END NOTCONTAINS @aim.
I also need to add @aol.com to that.
Obviously two notcontains won't work. Is there a way to work the NOT into a
PCRE expression?
Scott Fisher
Director
What ever happened to the new release that was scheduled for January?
David Barker
Thu, 24 Jan 2008 09:41:20 -0800
I hear you. Looking to do a release by the end of the month.
David B
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
I use a filter like the below. I'm a business so I have a bit
more flexibility.
Basically if the bounce has a reference to one of my servers in the body, I
won't run the filter.
# Combo Test to punish those that come from a Postmaster and not bounces
from us?
SKIPIFWEIGHT 365
# valid bounces
Does the PCRE support extended characters?
For instance would this detect all lower case characters?
SUBJECT END PCRE
([a-zàáâãäçåéèêëìíîïñòóôõöùúûüýÿ])
:
==
X-RCPT-TO: [EMAIL PROTECTED]
Status:
X-UIDL: 392717547
X-IMail-ThreadID: c7bd02171491
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
OK. I'm no regex expert, but I'll take a shot in the dark at the blank
subject. How about this:
SUBJECT 0 PCRE(^$)
Or this which could allow optional spaces or tabs
SUBJECT 0 PCRE(^[ \t]?$)
Maybe this will at least spark a discussion. And get some better regex
Here are some thoughts:
AHBL has more result codes, generally low volume but they don't require
another DNS call:
AHBL-RELAYS ip4r dnsbl.ahbl.org 127.0.0.2 0 0
AHBL-PROXIES ip4r dnsbl.ahbl.org 127.0.0.3 0 0
AHBL-SOURCES ip4r
You can but I think the limit is three.
Don't forget ATT/SBC is in bed with Yahoo so their email can come through
Yahoo too.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith
Johnson
Sent: Friday, October 26, 2007 11:24 AM
To:
I'm trying to trap some emails to look at and wanted to use the copyfile
action, but I haven't caught any.
I'm worried I don't have the format correct:
TESTNAME COPYFILE d:\hold\
:
http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
I run my logs at high and they are 400 MB.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bonno
Bloksma
Sent: Tuesday, July 31, 2007 5:18 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] logsize
Hi,
Lately more spam is
-UNSPEC-HIGH IP4Rlist.dnswl.org 127.0.10.3
-10 0
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Saturday, July 28, 2007 11:57 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] whitelisting
Ewww. Look at all the return codes!
I'd be interested in seeing some rates. Does it hit enough to work?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Steiner
Sent: Friday, July 27, 2007 6:42 PM
To: declude.junkmail@declude.com
Subject:
I'll give it a try. Here's what I will use/
DNSWL-FINANCIAL-NONE dnsbl %IP4R%.list.dnswl.org 127.0.2.0 0 0
DNSWL-FINANCIAL-LOW dnsbl %IP4R%.list.dnswl.org 127.0.2.1 0 0
DNSWL-FINANCIAL-MEDIUM dnsbl %IP4R%.list.dnswl.org 127.0.2.2
So how do we get it?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Tuesday, July 17, 2007 11:09 AM
To: declude.junkmail@declude.com; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Interim 4.3.57 available
4.3.57
JM Fixed crash bug.
Also make sure there is the pcre3.dll in your imail folder.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Friday, July 06, 2007 10:18 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] PCRE tests
Todd,
Ensure you
:[\(\{]?2[0o]6[\)\}]?{\-\_\.\s}?888{\-\_\.\s}?2[0o]83)
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
I'm detecting a new country code *F.
Can you enlighten me to what this is?
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Does anyone have any PCRE code that will detect empty HTML like:
<BODY>
</BODY>
Scott Fisher
Dir of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
Tel: 630-462-2323
, Purina.com, state.ny.us
False positives on email companies: bluehornet.com, constantcontact.com
False positives on ISPs: aol.com, bellnet.ca, charter.net, Comcast.net,
earthlink.net, hotmail.com, sbcglobal.com, yahoo.com, tiscali.co.uk,
sina.com
Scott Fisher
Dir of IT
Farm Progress Companies
191 S
OK, now you have me thinking could I use PCRE to replace tons of body
searches for my 419/Lottery filter...
What is the maximum line length for a line in a filter?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Monday, June 18, 2007
They seem to have pretty good hit rates at
http://www.sdsc.edu/~jeff/spam/cbc.html especially the rhsbl
Looks like I need to look at the pbl.spamhaus.org again. Those numbers are
up pretty good too.
That's the beauty of Declude in my opinion, I can add these lists at a low
weight and see how
Any thoughts on an option to excluding your own address from the address book whitelisting.
It continually comes up here. It's definitely a spam leakage issue.
, the company cannot accept responsibility for any loss or damage arising
from the use of this email or attachments.
On 5/25/07, Scott Fisher [EMAIL PROTECTED] wrote:
Any thoughts on an option to excluding your own address from the address
book whitelisting.
It continually comes up
Here is my country filter. It's been recently updated to have Serbia (RS)
#Check for e-mail for sending country Used in Database
#Don't get much valid e-mail from these Countries so they get weighted more
# SKIPIFWEIGHT 5000 Never Skip!
STOPATFIRSTHIT
COUNTRY 0 IS US
COUNTRY
A little more of the headers would be helpful.
It's a zombie of some flavor.
71.250.241.101 = static-71-250-241-101.nwrknj.east.verizon.net.
You could use a filter with
HELO 10 IS IGIVE.COM
- Original Message -
From: Robert Grosshandler [EMAIL PROTECTED]
To:
I only score UCE L2 if there was no UCE L1 score.
Filter:
# Combine the UCEPROTECT Only Add LEVEL2 if LEVEL1 not hit
TESTSFAILED END CONTAINS UCEPROTECT-LEVEL1-LAST
TESTSFAILED 50 CONTAINS UCEPROTECT-LEVEL2-LAST
This way I'm not double scoring this test as many are in both,
- Original
I'm seeing hits in the attachments too.
Triggered ANYWHERE PCRE filter REGEX-KEYWORDS : vHXAH51eG1ujzM (valium)
It would be real nice to be able to search the body without the attachments
like this.
BODYONLY 25 PCRE
(?i:v.{0,[EMAIL PROTECTED],2}[\|li1í\!].{0,2}[\|i1í\!].{0,2}[vu].{0,2}m)
also:
Capital Firms
cycle analysis
- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, March 14, 2007 8:14 AM
Subject: Re: [Declude.JunkMail] PCRE FILTERING
fyi -
#CIALIS
ANYWHERE 3 PCRE
(?i:\bc.{0,2}[\|li1í\!].{0,[EMAIL
Are there any end users who are using the VAMSOFT IMAGE SPAM AGENT that
would like to comment on its effectiveness / processor utilization?
- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Wednesday, February 21, 2007 12:08 PM
Subject: RE:
This isn't a fix, but it would help mitigate the overload conditions.
You could also use Pete's weightgate with sniffer.
This will only run sniffer when the email falls into your specified
weight-range.
You should easily be able to skip 25% of the email going into sniffer.
With some
I assume you are referring to result code of 9.
That usually means that they use wide search criteria to list addresses.
Usually this means they block a /24.
I have seen a big uptick on these returns here from fiveten-misc:
http://www.five-ten-sg.com/blackhole.php:
misc - Miscellaneous
Darn enter key.
Here is the 5-10-misc (return code 9) results here:
In November 405 hits. In January almost 36,000 hits. So they are definitely
doing something different.
Lots of false positives though 1000.
I have seen many static spammers lately getting caught by this test. I fine
I raised it to 30 points (subject tag at 100, hold at 200).
It's consistently catching static spammers that aren't getting enough weight to
get held here.
Perhaps it would be good to combo with a iribl test.
- Original Message -
From: Sharyn Schmidt
To:
It would be nice to know.
- Original Message -
From: David Barker [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Monday, February 12, 2007 11:05 AM
Subject: RE: [Declude.JunkMail] [Declude.JunkMail] Imail 2006.2
We have not tested against IMail 2006.2
David Barker
Product Source E-commerce Network
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Thursday, January 04, 2007 2:37 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] [IANA Reserved] ?
Here are my December totals
Here are my December totals for the odd-balls (COUNTRY IS test)
Country Name           CountOfMessageID  DEL SPAM  HELD SPAM  Poss SPAM  OK
APNIC Unlisted                       97        97          0          0    0
ARIN Unlisted                      1426      1395         12          1   18
Central/South America                89        89          0          0    0
European Union                     1804      1674          8          1  121
IANA
], that answers one question!
Any idea how to incorporate the IANA Reserved thing into Declude?
Thanks,
Sam
SJ.Stanaitis - Network Administrator
Decorative Product Source E-commerce Network
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent
Sent: Sunday, December 17, 2006 2:25 PM
Subject: Re: [Declude.JunkMail] AVG
Hi scott
how does ClamAV/service compare to fpcmd in cpu usage ?
And, do you have a link to download and config
Thanks in advance
- Original Message -
From: Scott Fisher
To: declude.junkmail
AVG
ClamAV as a service
Mcafee may need to look at again.
- Original Message -
From: Serge
To: declude.junkmail@declude.com
Sent: Friday, December 15, 2006 7:33 PM
Subject: [Declude.JunkMail] AVG
For those on 4.2.X, are you still using Fprot and/or McAfee ..., or are
except around review time...
- Original Message -
From: Chris Asaro
To: declude.junkmail@declude.com
Sent: Thursday, December 14, 2006 12:48 PM
Subject: RE: [Declude.JunkMail] Why are these being whitelisted?
Question Authority..
Chris
I tried 'blklst on' in the global.cfg and no file was created
-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Carol Stream, IL 60188
630-462-2323
\Spool ?
--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Monday, December 11, 2006 3:15 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] blklst ON
I tried 'blklst
I loaded up Declude 4.3.23.
I've noticed these lines are new in the HIGH level log file:
12/11/2006 10:08:39.624 q828301da0022.smd IP 72.32.59.13 not in whitelist (192.168.11.2). nm=
with a separate line for each whitelist IP.
I have 32 whitelisted IP's and to get 32 extra log lines
I'm not sure you can do it without a change in Declude.
I've requested a SKIPIFMINWEIGHT addition to filters, but no luck getting
that added.
I would think the code to add it would be extremely similar to add since
the SKIPIFWEIGHT for a max weight already exists. Sounds like you just flip
SKIPIFWEIGHT 100 would skip for weight over 100
SKIPIFMINWEIGHT 0 would skip for weight under 0.
I also suggested adding parameters to the global.cfg filter definitions for
filters and external programs:
HEADER-FILTER d:\header.txt x 0 0 100 200
Would only run the filter in the weight were
- Is there a way in declude (by analyzing logs, or ... ), to see cpu
usage by different tests ?
- Original Message -
From: Scott Fisher [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Saturday, December 09, 2006 4:03 PM
Subject: Re: [Declude.JunkMail] testfailed in filters
I'm
That would work for me too!
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Saturday, December 09, 2006 11:45 AM
Subject: RE: [Declude.JunkMail] testfailed in filters
SKIPIFWEIGHT 100 would skip for weight over 100
Here are the special codes:
#
# Special Codes
#
#*1 Multi-Regional
#*2 Europe
#*3 North America
#*4 Central/South America
#*5 Pacific Rim
#*A ARIN Unlisted (North America/South Africa)
#*B Public Data Network
#*E RIPE Unlisted (Europe, North Africa, Middle East)
#*I Private IP
#*L Loopback
#*M
to an ISP with 100,000 emails per
day.
I don't know if this would have an impact on saving my CPU or not, but it has
to help even if it is a little.
Please consider this.
-
Scott Fisher
Director of IT
Farm Progress Companies
191 S Gary Ave
Can we request a STOP function that would stop the filter and exit with the
current weight?
- Original Message -
From: David Barker
To: declude.junkmail@declude.com
Sent: Friday, November 17, 2006 9:05 AM
Subject: RE: [Declude.JunkMail] Filter 'END' statement in 4.3.14
Just because it's the way Scott wanted it, doesn't mean there isn't room
for improvement.
Especially when he changed the functionality of it mid-stream.
I'd still like the STOP option.
- Original Message -
From: John T (Lists) [EMAIL PROTECTED]
To: declude.junkmail@declude.com
The END functionality was changed over a year ago. (I couldn't get to the
release notes to check when)
When I first started using end, it would end the filter and return the current
weight of the filter.
- Original Message -
From: John T (Lists)
To: declude.junkmail@declude.com
I don't use sbl-xbl or xbl, so I can't confirm this...
but their website refers to a 127.0.0.5 for a NJABL and the 127.0.0.4 for
CBL
No mention of blitzedall anymore.
http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20XBL
What do the different return codes in the XBL mean?
No sense virus scanning the 80% of the email you could be deleting.
Put AVAFTERJM ON in your virus.cfg.
Virus scanners are tough on the CPU.
- Original Message -
From: netsolution webmaster [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Tuesday, November 14, 2006 8:58 AM
y, but
many are still slipping through without failing any or very few tests. Is it
possible to block with the country chain? I noticed that they are coming
from out of the country. How is everyone dealing with these?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTE
This filter will work for targeting CMDSPACE with a gif attachment.
You might want to
SKIPIFWEIGHT 315
STOPATFIRSTHIT
BODY END NOTCONTAINS Content-Type: image/gif
TESTSFAILED END NOTCONTAINS CMDSPACE
BODY 100 CONTAINS img src=3Dcid:
BODY 100 CONTAINS src=3Dcid:
BODY 100 CONTAINS src=cid:
You really only need a couple of minutes of debug log to check
shut down declude.
rename the decmmdd.log
change to log level debug for 5 minutes.
start declude
run for a couple of minutes
shut down declude
change log level to normal
start declude
A couple of other ideas.
Virus scanner are CPU
MAILFROM 0 IS
I wouldn't do it though. Mailfrom the generally signifies delivery
failure notices and such.
For me mail from is 90% ham, 10% spam this month.
- Original Message -
From: Frederick Samarelli [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Thursday, October
than it is to manage spam blocking.
Scott Fisher posted his method for adding points to image spam, and if
implemented properly, this is very effective on a plain vanilla Declude
install and won't have a large false positive issue. So if you want an
opinion from someone that has been dealing
I combo the graphics hit (jpg, gif or png)
with:
1. bad DNS - None or timeout
2. bad language (eastern European iso-8859-2)
or Cyrillic (koi8-r or iso-8859-5), etc
3. cmdspace
4. good DUL IP lists/tests
5. having forged your local
domain.
I still get 5-10 a day. It is a pain.
-
Sorbs-DUL and NJABL Dynablock look to be the best.
Although they miss lots.
5-10's has been discontinued.
- Original Message -
From:
Dave Marchette
To: declude.junkmail@declude.com
Sent: Wednesday, October 11, 2006 3:53
PM
Subject: RE: [Declude.JunkMail] picture
There is a lot of flexibility in the invuribl scoring.
I consider the surbl.org to be a consolidation of separate uribl lists and
use the bitmask scoring option.
So if somebody is listed on more than one list, they'll get higher weights.
I can also score lists such as ws.surbl.org lower because
MAILFROM 1 CONTAINS STOCKNEWS
- Original Message -
From: Dave Beckstrom [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, October 04, 2006 10:42 PM
Subject: [Declude.JunkMail] Blocking these?
How are you guys blocking something like the spam below?
There is no URL