[Declude.JunkMail] PERCENT test confusion
I'm trying to understand why my mail server is sending so many messages to the quarantine folders instead of just marking the headers. In fact, the vast majority of my SPAM is going to the spool/spam folder since updating all the declude rules. The only test I have set to HOLD is the PERCENT test and when I look at the messages being quarantined, none of them have a percent symbol in the To: line. Since there are so many messages failing this test, I am concerned that there is legitimate content I am missing, though I have yet to find one from the hundred thousand messages it caught just yesterday.

Should I be concerned and does anyone have good insight about how the PERCENT test works? It seems too good to be true that such a simple test would catch so much SPAM. I'm running Imail 8.15 on 2003.

Below is a copy of my declude test actions:

# RBL IP4R TESTS OUTBOUND
BLITZEDALL WARN
CBL WARN
DSBL WARN
ORDB WARN
MXRATE-ALLOW WARN
MXRATE-BLOCK WARN
MXRATE-SUSPICIOUS WARN
SBL WARN
SORBS-HTTP WARN
SORBS-SOCKS WARN
SORBS-MISC WARN
SORBS-SMTP WARN
SORBS-SPAM WARN
SORBS-WEB WARN
SORBS-BLOCK WARN
SORBS-ZOMBIE WARN
SORBS-DUHL WARN
SPAMCOP WARN
BONDEDSENDER WARN

# ADDITIONAL RBL IP4R TESTS OUTBOUND
#MTLDB WARN
CSMA-SBL WARN
INTERSIL WARN
SPAMBAG WARN
FIVETENSRC WARN
JAMMDNSBL WARN

# RHBSL TESTS OUTBOUND
DSN WARN
NOABUSE WARN
NOPOSTMASTER WARN
MAILPOLICE-BULK WARN
MAILPOLICE-PORN WARN
MAILPOLICE-FRAUD WARN

# OTHER TESTS OUTBOUND
BADHEADERS WARN
BASE64 WARN
BCC WARN
CMDSPACE WARN
COMMENTS WARN
DYNHELO WARN
ENCODEDURL WARN
HELOBOGUS WARN
IPURL WARN
MAILFROM WARN
PERCENT HOLD
REVDNS WARN
ROUTING WARN
SPAMHEADERS WARN
SPFFAIL WARN
SPFPASS WARN
SUBJECTSPACES WARN
SUBJECTCHARS WARN
#NONENGLISH WARN

# FILTERS OUTBOUND
#SUBJECT WARN
#WORD WARN

# 3RD PARTY OUTBOUND
#SNIFFER WARN
#SPAMCHK WARN
#INV-URIBL WARN

# TRIGGERS OUTBOUND
WEIGHT10 WARN
WEIGHT14 WARN
WEIGHT20 WARN

---
This E-mail came from the Declude.JunkMail mailing list.
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PERCENT test confusion
Will,

Just to make sure: your Imail is passing on mail to another server and therefore acting as a gateway; that is why you are using OUTBOUND actions, correct?

David B
www.declude.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Wednesday, April 20, 2005 9:22 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] PERCENT test confusion
RE: [Declude.JunkMail] PERCENT test confusion
Gah! No, I'm not scanning outbound... My mistake, I wasn't even looking at the $default$.junkmail config file. Now it all makes sense. :) Thanks for the kick.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, April 20, 2005 8:29 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] PERCENT test confusion
[Declude.JunkMail] New Spam or Virus????!!
Starting to see messages that have a zip attachment with the format 5.zip or 7.zip - I do not know if it is spam or a virus. Anyone else seeing this? Virus scanner is not catching it so I do not know if it is a virus or not.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re: [Declude.JunkMail] New Spam or Virus????!!
Nothing yet. Are these standard zips or encrypted? We block encrypted.

Darin.

----- Original Message -----
From: Chuck Schick [EMAIL PROTECTED]
To: Declude. JunkMail Declude.JunkMail@declude.com
Sent: Wednesday, April 20, 2005 8:05 PM
Subject: [Declude.JunkMail] New Spam or Virus!!
RE: [Declude.JunkMail] New Spam or Virus????!!
Coming in through us too. Using FPROT, but appears now they've updated their defs so they are being caught now. They were non-encrypted ZIPs with different file names, single EXE in the zip.

Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Thursday, April 21, 2005 2:09 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] New Spam or Virus!!
Re: [Declude.JunkMail] New Spam or Virus????!!
I had something similar over the weekend. Standard zip file. If you are using F-Prot you may want to add VirusCode 8 to the config. This will stop them as Unknown Virus. Check your virus log and you may see some code 8 errors in it. Adding viruscode 8 will at least stop them.

Outside of email NAV was calling it Trojan.Tooso.H and F-Prot was calling it w32/mitglieder.c. I submitted my findings to Declude support earlier in the week and spoke with someone yesterday. Sent the file to him and he said the AVG called it a Bagle of some sort.

What is strange is outside of email, f-prot was detecting it. But without viruscode 8, nothing.

Tyler

-- Original Message --
From: Chuck Schick [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date: Wed, 20 Apr 2005 18:05:08 -0600
Re: [Declude.JunkMail] OT: Earthlink and AOL to require passwords when sending...
Last night I had to start typing in a password to send from my free yahoo account. We'll see what this does.

Tyler

-- Original Message --
From: Darin Cox [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date: Tue, 19 Apr 2005 23:33:34 -0400

Thought this was interesting... ISPs are finally taking some responsibility for the amount of spam we all get. Both Earthlink and AOL are beginning to implement procedures that will require users to use a password when they send emails, in an effort to cut down on the use by spammers of zombie machines. AOL estimates that zombie machines are responsible for 90 per cent of the spam out there, so if the ISPs can keep it from going out, we might not get so much of it.

More here http://hosted.ap.org/dynamic/stories/N/NEW_SPAM_BATTLEGROUND?SITE=FLTAMSECTION=HOMETEMPLATE=customwire.htm

Darin.
[Declude.JunkMail] OT: WMI scripting DNS TXT problems
I'm trying to automate my dns zone creation and I am running into a problem with TXT records. I'm using WMI and whenever I create an SPF record (or any TXT record) it automatically adds a line break at the end of the record. Does anyone have any experience with this or have any idea what would cause this? The line below is the one I'm using to create the record.

objRR.CreateInstanceFromTextRepresentation CONST_SERVER, strZoneName, strZoneName IN TXT v=spf1 mx ~all, objOutParam

I've tried this every different way I can and I always get the same result. In the zone file, it looks like this

@ TXT ( v=spf1 mx ~all )

Also, does anyone know if having this break at the end will cause problems with any SPF implementations?

-Daniel
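
For the zone-file question above: in the RFC 1035 master-file format, parentheses group data across line boundaries, so a line break between the closing quote and the ")" is not part of the TXT data. The sketch below is an added example, not code from the thread; tokenize and txt_strings are hypothetical names, and the quoted record text is an assumption because the archive stripped the quotes.

```python
def tokenize(record):
    """Split one zone-file record into (kind, text) tokens (RFC 1035, 5.1)."""
    tokens, buf, depth, i = [], [], 0, 0

    def flush():
        if buf:
            tokens.append(("bare", "".join(buf)))
            buf.clear()

    while i < len(record):
        ch = record[i]
        if ch == '"':                        # quoted character-string
            flush()
            i += 1
            text = []
            while i < len(record) and record[i] != '"':
                if record[i] == "\\" and i + 1 < len(record):
                    i += 1                   # backslash escapes the next char
                text.append(record[i])
                i += 1
            if i >= len(record):
                raise ValueError("unterminated quoted string")
            tokens.append(("quoted", "".join(text)))
        elif ch in "()":                     # parentheses group across lines
            flush()
            depth += 1 if ch == "(" else -1
        elif ch == "\n" and depth == 0 and (tokens or buf):
            break                            # record ends outside parentheses
        elif ch.isspace():                   # includes newlines inside ( )
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return tokens


def txt_strings(record):
    """Return the TXT character-strings a server would publish for record."""
    tokens = tokenize(record)
    types = [text.upper() if kind == "bare" else "" for kind, text in tokens]
    return [text for _, text in tokens[types.index("TXT") + 1:]]


# Constructed samples; the quoting is an assumption (the archive stripped it).
ONE_LINE = '@ IN TXT "v=spf1 mx ~all"\n'
WITH_BREAK = '@ TXT ( "v=spf1 mx ~all"\n\t\t)\n'
```

Both samples yield the same single string, so an SPF checker sees identical data; only a line break inside the quotes would change the published record.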