RE: [Declude.JunkMail] OT - Server Watching.

2006-01-24 Thread Chris Fitch
I actually reached for an older linux distro called sentinix.  Comes kind of
out of the box with Snort/ACD and Nagios/Nagios Admin.

A little dated but as it sits behind a very secure firewall it is extremely
effective and fairly painless and has a cost of $0.

Chris 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerod M. Bennett
Sent: Monday, January 23, 2006 1:25 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT - Server Watching.

Hey,

I know this is off topic, but I respect the knowledge and opinions of the
people on this list.

What software / services do you guys use to watch your servers for up/down
status?

-Jerry

---
[This E-mail was scanned for viruses by Declude EVA www.declude.com]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude Virus]




RE: [Declude.JunkMail] Left over D*.SM$ files in proc\work

2006-01-24 Thread Schmeits, Roger








I'd turn on verbose logging in imail
and declude. In the Declude log file something did not go quite right at
17:14:34:513.

It looks like Imail is functioning ok but
declude mishandled the email\attachment in question.











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Goran Jovanovic
Sent: Monday, January 23, 2006
4:30 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail]
Left over D*.SM$ files in proc\work





OK it finally happened. I got another
leftover D*.SM$ file in the proc\work directory while I was running the logs on
debug. Any thoughts?



I think the following is the important part
from various log files. I can post the whole thing if this is not enough.



DECLUDE.LOG

.
.
.
01/23/2006 17:14:34.497 q552537e400a4261c.smd Msg failed WEIGHT10 (Weight of 65 reaches or exceeds the limit of 10.). Action="">
01/23/2006 17:14:34.497 q552537e400a4261c.smd Turning spam into an attachment
01/23/2006 17:14:34.513 q552537e400a4261c.smd Wrote 2025 bytes of attachment header
01/23/2006 17:14:34.513 q552537e400a4261c.smd Wrote 3142 (3142)bytes of attachment header
01/23/2006 17:14:34.513 q552537e400a4261c.smd Set process priority back to 38273056.
01/23/2006 17:14:34.513 q552537e400a4261c.smd Couldn't move/copy ATTACH data file [183]
.
.
.
01/23/2006 17:14:34.935 q552537e400a4261c.smd MoveFile in AlterMessage - datafile = [D:\spool\proc\work\D552537e400a4261c.smd] TempFile = [D:\spool\proc\work\D552537e400a4261c.sm$]
01/23/2006 17:19:40.456 q552537e400a4261c.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D552537e400a4261c.smd] [D:\spool\proc\work\D552537e400a4261c.sm$]
01/23/2006 17:19:40.456 q552537e400a4261c.smd Data File [D:\spool\proc\work\D552537e400a4261c.smd] deleted.
01/23/2006 17:19:40.456 q552537e400a4261c.smd Recipient File [D:\spool\proc\work\q552537e400a4261c.smd] deleted.

VIRUS.LOG

.
.
.
01/23/2006 17:19:40.456 q552537e400a4261c.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D552537e400a4261c.smd] [D:\spool\proc\work\D552537e400a4261c.sm$]

IMAIL.LOG

01:23 17:13 SMTPD(552537e400a4261c) [192.168.69.4] connect 85.182.54.161 port 1447
01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] HELO e182054161.adsl.alicedsl.de
01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] MAIL FROM: [EMAIL PROTECTED]
01:23 17:13 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED]
01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED]
01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED]
01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] RCPT TO: [EMAIL PROTECTED]
01:23 17:14 SMTPD(552537e400a4261c) [85.182.54.161] D:\spool\D552537e400a4261c.SMD 3142











Goran Jovanovic

Omega Network Solutions













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John T (Lists)
Sent: Saturday, January 21, 2006
2:10 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail]
Left over D*.SM$ files in proc\work





How often is this happening?



Are you using Hijack?



Put both the Junkmail and Virus logs
into Debug until a couple of these occur, then extract from the log files ALL
lines pertaining to the files in question into one file in exact time sequence
along with the log lines from Imail SMTP.





John T

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Saturday, January 21, 2006
10:45 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Left
over D*.SM$ files in proc\work



Hi,



I have noticed that I am getting left over
D*.SM$ files in the proc\work directory. I am getting 2 to 4 of these per day
on a volume of 15-20K messages a day.



Windows Server 2003

IMail 8.15 HF2

Declude 3.0.5.23

Sniffer, invURUBL, F-Prot, McAfee

No on access Virus Scanner



When I check the logs I find 



In the DECLUDE Log

01/21/2006 06:56:32.233 q1ffa301900405c91.smd Couldn't move/copy ATTACH data file [183]
01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$]

And in the Virus log

01/21/2006 07:01:37.778 q1ffa301900405c91.smd Couldn't rename SMD to SM$ [183]. Priority back to 32. Error String: [Cannot create a file when that file already exists.] [D:\spool\proc\work\D1ffa301900405c91.smd] [D:\spool\proc\work\D1ffa301900405c91.sm$]

Other times I will only find this message
in the DECLUDE.LOG file.

01/15/2006 19:21:39.160 qe70539e800a6f12a.smd Couldn't move/copy ATTACH data file [32]



Anyone have any ideas about this?



Thanks





Goran 

Re: AW: [Declude.JunkMail] Spool Directory Backed Up

2006-01-24 Thread A. Clausen



Guhl, Markus (LDS) wrote:


hi,
 
are those files backing up regular incoming mails or are they *.fwd 
and *.gse files?

what happens when you put a mail (d*.smd and q*.smd) into spool by 
hand (something like a false positive)?
 
which version of imail do you use?




I've tried manipulating by hand.  Moving data out.  If I go to the spool 
function in Webmail it does appear that hitting send will shove through 
the message, but other than that, everything seems to just sit on the 
queue.  I can't quite say for sure, but I'm fairly certain this happened 
after the upgrade of Declude.  One curious thing is if I go into the 
IMail administrator program and try through there to manually send a 
message, I get a window showing Declude.exe is trying to push the program.


This is a big problem, and I'm just not sure where to turn.  I've moved 
all the queue files out of the queue and putting a few in, but the files 
just seem to sit there and do nothing.  It's quite frustrating, as 
everything was working fine until the Declude upgrade.


--
A. Clausen


[Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Agid, Corby
Hello,


I'm having trouble with a particular spam message getting to my mailbox each day. The declude log file shows the scanning and scoring. However, the message that lands in the mailbox shows no sign of being scanned, i.e. there are no X-RBL headers in the message that gets to the mailbox. All of my other mail, whether spam or not spam, still shows X-rbl headers to verify they were scanned.

Can you help me understand why the final message doesn't show the X-RBL headers? I get about three of these per day, each has the same style, but the IP and From addresses are different.


Below are the log snips and message headers.


===

Dec0123.log

01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44.

01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail.

01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL (Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL (Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action="">

01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action="">

01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK

01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84 

01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID: 

01/23/2006 15:45:52 Q6aae0151a967 Tests failed [weight=44]: CBL=IGNORE FIVETEN-SRC="" SORBS-DUHL=IGNORE SPAMBAG=IGNORE SPAMHEADERS=WARN MS-SNAKEOIL=IGNORE WEIGHT10-29A=IGNORE WEIGHT10-29B=IGNORE WEIGHT30A=IGNORE SPAMYELLOW=WARN SPAMRED=WARN CATCHALLMAILS=WARN 

01/23/2006 15:45:52 Q6aae0151a967 Last action = "">



Sys0123.log

01:23 15:45 SMTPD(6aae0151a967) [216.101.5.133] connect 68.41.152.175 port 4251

01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] HELO localhost

01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Mail From: [EMAIL PROTECTED]

01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] Rcpt To: [EMAIL PROTECTED]

01:23 15:45 SMTPD(6aae0151a967) [68.41.152.175] C:\IMail\spool\D6aae0151a967.SMD 4723

01:23 15:45 SMTPD(6aae0151a967) performing antispam checks

01:23 15:45 SMTP-(6aae0151a967) processing C:\IMail\spool\Q6aae0151a967.SMD

01:23 15:45 SMTP-(6aae0151a967) ldeliver mail.agid.com corby-main (1) [EMAIL PROTECTED] 5361

01:23 15:45 SMTP-(6aae0151a967) finished C:\IMail\spool\Q6aae0151a967.SMD status=1



Email Headers:

Received: from localhost [68.41.152.175] by mail.agid.com 

 (SMTPD-8.21) id AAAE0130; Mon, 23 Jan 2006 15:45:50 -0800 

Date: Mon, 23 Jan 2006 18:45:52 +0100 

Return-path: [EMAIL PROTECTED] 

From: Adler[EMAIL PROTECTED] 

To: [EMAIL PROTECTED] 

Subject: Viagra Professional as low as $3.84 

Message-ID: [EMAIL PROTECTED] 

MIME-Version: 1.0 

Content-Type: multipart/alternative; 

 boundary==_NextPart_000_0003_01C618B6.107D4F00 

X-Priority: 3 

X-MSMail-Priority: Normal 

X-Mailer: Microsoft Outlook Express 6.00.2900.2180 

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 





Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Nick Hayer
Odd - just because it's always the same email. What number do you delete
on? Although the logs will balloon in size, running Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?

-Nick


[Declude.JunkMail] Hyperthreading research

2006-01-24 Thread Matt
For those that are interested in the effect that multiple CPUs and 
hyperthreading have on an IMail/Declude setup, here's some additional 
research.


I previously tested my dual Xeon setup with both hyperthreading enabled 
and disabled, and found that the utilization jumped an astonishing ~100% 
when I disabled hyperthreading.  I figured that there was a decent 
chance that this could be unique to my server.  Upon testing Nick's own 
server with an almost identical configuration I again found a jump of 
~100% in utilization when hyperthreading was disabled.  FYI, I'm sure 
that the stats are correct and not an issue with the stats gathering 
mechanism because my server was being pummeled and was bogged down 
appropriately when it was at high CPU.  The attached graphs show the 
effect of having hyperthreading both on and off on two different servers.


I assume from these confirmed results that with only two CPU's 
recognized by the system instead of 4 CPU's when hyperthreading is 
enabled, the system gets bogged down in managing the threads/processes, 
and this is what causes it to lose significant performance.  This also 
strongly suggests that as utilization rises due to adding more E-mail 
volume, the efficiency may fall.  I have noted that my system when 
recovering from a backup in E-mail does not seem to catch up very 
quickly even when pegged at 100%.  Judging by the performance at 50% or 
lower utilization, I would have expected a redlined server to handle 
more.  On both my system and Nick's systems we run at least 3 external 
tests and two virus scanners as well as many Declude filters, and I 
suspect that it is the command line stuff that contributes to this 
negative effect.


Both of us are running on a SuperMicro platform, so that can't be ruled 
out as a culprit, and we are also both running Declude 2.0.x.  I am 
willing to test another system on a different platform that is running 
Declude 3.x just to confirm whether or not this carries over to the 
modified processes.


So the rule of thumb here, if this research is accurate, is that 
hyperthreading is a huge benefit to Declude, and it should follow that 
having as many physical and virtual CPU's as possible is much more 
important than maxing out the CPU speed.  Quite literally, a single 
hyperthreaded 3GHz CPU is as good as two 3GHz CPU's with no hyperthreading.


Matt



Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Matt
Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.

Matt



Agid, Corby wrote:

  
  
  
  Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
  
  I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
  
  


RE: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Robert Grosshandler
Current version does not fix this "folding" problem. 
Declude is testing a newer version that may fix the problem, but no joy 
yet.

Matt wrote:

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

Andrew probably nailed this. In at least some versions of 
Declude, the headers that it inserts could land in the body of the message due 
to bad folding techniques that the spammer uses (sometimes also legitimate 
mailers will produce this flaw). Your client rule is probably searching 
for headers and doesn't recognize the header that was inserted into what became 
the body due to bad folding. An upgrade may or may not fix the issue, 
though there was talk about this issue several months ago in relation to 3.x and 
I believe some work was done to take care of some of it.

Matt
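
The "bad folding" effect discussed in this thread, as an added example (not code from Declude, IMail or any poster). It uses Python's standard email parser as a stand-in for a strict mail client; the sample message, the header name X-RBL-Warning and the "insert before the first blank line" strategy are assumptions made for illustration.

```python
import email
from email import errors

# Constructed sample, loosely modelled on the headers quoted in this thread.
# The "boundary=" line should be a folded continuation of Content-Type, but it
# has no leading space or tab, so it is not a valid header line at all.
BODY = (
    "--=_NextPart_000_0003\n"
    "Content-Type: text/plain\n"
    "\n"
    "constructed body text\n"
    "--=_NextPart_000_0003--\n"
)
RAW_BAD_FOLD = (
    "Received: from localhost [192.0.2.10] by mail.example.test\n"
    "From: sender@example.test\n"
    "To: user@example.test\n"
    "Subject: constructed test message\n"
    "Content-Type: multipart/alternative;\n"
    'boundary="=_NextPart_000_0003"\n'
    "X-Priority: 3\n"
    "\n" + BODY
)
# Same message with the continuation line correctly indented.
RAW_GOOD_FOLD = RAW_BAD_FOLD.replace("\nboundary=", "\n boundary=")

# Hypothetical header a spam filter would add (name and value are assumed).
TAG = "X-RBL-Warning: CBL: constructed example value"


def insert_before_blank_line(raw, header):
    """Assumed naive filter behaviour: treat everything up to the first empty
    line as the header block and append the new header at its end."""
    head, sep, body = raw.partition("\n\n")
    return head + "\n" + header + sep + body


def insert_at_top(raw, header):
    """Prepend the header, the way trace headers such as Received are added.
    The first line is inside the header block no matter what follows it."""
    return header + "\n" + raw


def inspect(raw, name="X-RBL-Warning"):
    """Parse strictly and report where lines that look like `name` ended up."""
    msg = email.message_from_string(raw)
    as_header = len(msg.get_all(name, []))
    prefix = name.lower() + ":"
    in_text = sum(1 for line in raw.splitlines() if line.lower().startswith(prefix))
    bad_fold = any(
        isinstance(d, errors.MissingHeaderBodySeparatorDefect) for d in msg.defects
    )
    return {
        "bad_fold": bad_fold,                   # parser hit a non-header line
        "as_header": as_header,                 # visible to client-side rules
        "stray_in_body": in_text - as_header,   # header text the client ignores
    }


if __name__ == "__main__":
    cases = [
        ("bad fold, appended at end of headers", insert_before_blank_line(RAW_BAD_FOLD, TAG)),
        ("bad fold, prepended at top", insert_at_top(RAW_BAD_FOLD, TAG)),
        ("good fold, appended at end of headers", insert_before_blank_line(RAW_GOOD_FOLD, TAG)),
    ]
    for label, raw in cases:
        print(label, inspect(raw))
```

A client rule that sorts on the tag header only sees it in the cases where as_header is 1; a non-zero stray_in_body count on stored mail is a quick way to find messages affected by this.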


RE: [Declude.JunkMail] Earthlink/prodigy

2006-01-24 Thread John T \(Lists\)
And since ATT now owns SBC, aren't we getting back to Ma Bell?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
 Sent: Tuesday, January 24, 2006 3:56 PM
 To: JunkMail Declude
 Subject: [Declude.JunkMail] Earthlink/prodigy
 
 Is there a relationship here. I am getting legit email from this combo and
 would like to know. It looks to me like prodigy is now owned by SBC.
 
 
 
 Kevin Bilbee
 


Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Matt
Nick, FYI, by gatewaying through MS SMTP/ORF, that actually normalizes
the headers before it gets to Declude and therefore this behavior is not
seen. You will however see some of the original headers left in the
body on some messages, but not the ones from Declude.

Matt



Nick Hayer wrote:

  
Agid, Corby wrote:
  



Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh? 

  
I haven't. I'm on 2.16 
  

 Other than this particular
bugger, it's worked well for me.
  
it is odd to me that a particular email from a particular spammer would
not be tagged on a daily basis. Maybe Declude support can offer some
insight. Other than debug like I mentioned I have no idea - I'd be
ask'n Matt or Andy if it happened to me!
  
-Nick
  

  

RE: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Agid, Corby
Well I'm somewhat more confused as I don't really know 
what "bad folding" means. However, I don't see any of the X-headers in the 
message body.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Tuesday, January 24, 2006 2:34 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

  Andrew probably nailed this. In at least some versions of
  Declude, the headers that it inserts could land in the body of the message due
  to bad folding techniques that the spammer uses (sometimes also legitimate
  mailers will produce this flaw). Your client rule is probably searching
  for headers and doesn't recognize the header that was inserted into what
  became the body due to bad folding. An upgrade may or may not fix the
  issue, though there was talk about this issue several months ago in relation
  to 3.x and I believe some work was done to take care of some of it.

  Matt

  Agid, Corby wrote:
  

Actually, I'm still running 2.0.5. I 
suppose that I should probably upgrade, eh?

I don't actually delete mail at any score. 
I use the header information in my email client to sort the incoming 
messages. Other than this particular bugger, it's worked 
well for me.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
  Sent: Tuesday, January 24, 2006 1:46 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

  Odd - just because it's always the same email.
  What number do you delete on? Although the logs will balloon in size
  running the Declude in DEBUG may shed some light. I presume this is
  Declude 3x ver?

  -Nick

  Agid, Corby wrote:
  

Hello, 
I'm having trouble with a particular spam 
message getting to my mailbox each day. The declude log file 
shows the scanning and scoring. However, the message that lands in 
the mailbox shows no sign of being scanned, i.e. there are no X-RBL 
headers in the message that gets to the mailbox. All of my 
other mail, whether spam or not spam, still shows X-rbl headers to 
verify they were scanned. 
Can you help me understand why the final 
message doesn't show the X-RBL headers? I get about three of 
these per day, each has the same style, but the IP and From addresses 
are different.
Below are the log snips and message 
headers. 
===
Dec0123.log
01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44.
01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail.
01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or exceeds the limit of 10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT30A (Weight of 44 reaches or exceeds the limit of 30.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMYELLOW (Weight of 44 reaches or exceeds the limit of 10.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMRED (Weight of 44 reaches or exceeds the limit of 30.). Action="">
01/23/2006 15:45:52 Q6aae0151a967 Msg failed CATCHALLMAILS (). Action="">
01/23/2006 15:45:52 Q6aae0151a967 L1 Message OK
01/23/2006 15:45:52 Q6aae0151a967 Subject: Viagra Professional as low as $3.84
01/23/2006 15:45:52 Q6aae0151a967 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 68.41.152.175 ID:
01/23/2006 15:45:52 Q6aae0151a967 Tests failed

Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Matt




Corby,

I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom
of this message. That's how MS SMTP deals with it, but Declude might
deal with it differently, or it might even have broken your older
version of Declude. You should at least upgrade to 2.0.6.16 which is
available from their site. Upgrading to 3.x would be something that
you should plan more carefully though as it is a major change.

I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.

Matt



Agid, Corby wrote:

  
  
  
  Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.

Matt



Agid, Corby wrote:

  
  Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
  
  I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Odd - just because it's always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?

-Nick

Agid, Corby wrote:

  

  Hello, 
  I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned, i.e. there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were scanned. 
  Can you help me understand why
the final message doesn't show the X-RBL headers? I get about three
of these per day, each has the same style, but the IP and From
addresses are different.
  
  Below are the log snips and
message headers. 
  ===
  
  Dec0123.log
  01/23/2006 15:45:52 Q6aae0151a967 CBL:6 FIVETEN-SRC:4 SORBS-DUHL:4 SPAMBAG:2 SPAMHEADERS:3 MS-SNAKEOIL:25 . Total weight = 44.
  01/23/2006 15:45:52 Q6aae0151a967 Using [incoming] CFG file C:\IMail\Declude\mail.agid.com\$default$.junkmail.
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed CBL ("Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=68.41.152.175"). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed FIVETEN-SRC (175.152.41.68.blackholes.five-ten-sg.com.). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed SORBS-DUHL ("Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?68.41.152.175"). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMBAG (175.152.41.68.blacklist.spambag.org.). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000100e].). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed MS-SNAKEOIL (Message failed MS-SNAKEOIL: 52.). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29A (Weight of 44 reaches or exceeds the limit of 10.). Action="">
  01/23/2006 15:45:52 Q6aae0151a967 Msg failed WEIGHT10-29B (Weight of 44 reaches or

Re: [Declude.JunkMail] Earthlink/prodigy

2006-01-24 Thread Bill Landry
I think you've got it backwards, SBC acquired ATT but is keeping the ATT
name.

Bill
- Original Message - 
From: John T (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, January 24, 2006 4:23 PM
Subject: RE: [Declude.JunkMail] Earthlink/prodigy


And since ATT now owns SBC, aren't we getting back to Ma Bell?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
 Sent: Tuesday, January 24, 2006 3:56 PM
 To: JunkMail Declude
 Subject: [Declude.JunkMail] Earthlink/prodigy

 Is there a relationship here. I am getting legit email from this combo and
 would like to know. It looks to me like prodigy is now owned by SBC.



 Kevin Bilbee



Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Matt




Corby,

I assumed that you weren't using an MS gateway, I was just letting you
know that what happened to these headers was going to be different on
my system.

I have tons of spam on my system generated by this spamware and it's
all showing the same behavior so I suspect that there is an issue with
what you are receiving as well. It could just be a single CR without
an LF which can look normal in a text viewer, but can throw programs
like Declude and MS SMTP off. This should explain the initial cause of
the issue. The handling of the malformed headers may vary in different
versions of Declude.

For a 2.0.6.16 download, it appears that you will have to ask Declude
directly for this or do the bigger upgrade to 3.x.

Matt



Agid, Corby wrote:

  
  
  
  
  Hi
Matt,
  
  I'm not using any MS
gateway on this. The mail comes into Imail/declude and uses Imail as
the email server. I opened the message with notepad and didn't locate
any misplaced headers. I would like
to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x
downloads on the site. Can you tell me where to
find them? I logged in and found the 3.x downloads.
  
  Thanks for all of your help. This is sure
a head scratcher for me.
  
  Cheers
  
  
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Corby,

I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom of this message. That's how MS SMTP deals with it, but
Declude might deal with it differently, or it might even have broken
your older version of Declude. You should at least upgrade to 2.0.6.16
which is available from their site. Upgrading to 3.x would be
something that you should plan more carefully though as it is a major
change.

I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.

Matt



Agid, Corby wrote:

  
  Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.

Matt



Agid, Corby wrote:

  
  Actually, I'm still running
2.0.5. I suppose that I should probably upgrade, eh?
  
  I don't actually delete mail at
any score. I use the header information in my email client to sort the
incoming messages. Other than this particular bugger, it's worked
well for me.
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Nick Hayer
Sent: Tuesday, January 24, 2006 1:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting
to mailbox


Odd - just because it's always the same email. What number do you delete
on? Although the logs will balloon in size running the Declude in DEBUG
may shed some light. I presume this is Declude 3x ver?

-Nick

Agid, Corby wrote:

  

  Hello, 
  I'm having trouble with a
particular spam message getting to my mailbox each day. The declude
log file shows the scanning and scoring. However, the message that
lands in the mailbox shows no sign of being scanned, i.e. there are no
X-RBL headers in the message that gets to the mailbox. All of my
other mail, whether spam or not spam, still shows X-rbl headers to
verify they were 

RE: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Agid, Corby



Ok, thanks very much. I'll see if they'll get me the 
latest 2.x version to see if that works. Can you clarify 
something... are you saying that you're receiving mail from the same spammer 
that's causing my problem, but your system is handling it 
correctly?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Tuesday, January 24, 2006 5:37 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

  Corby,

  I assumed that you weren't using an MS gateway, I was
  just letting you know that what happened to these headers was going to be
  different on my system.

  I have tons of spam on my system generated by
  this spamware and it's all showing the same behavior so I suspect that there
  is an issue with what you are receiving as well. It could just be a
  single CR without an LF which can look normal in a text viewer, but can throw
  programs like Declude and MS SMTP off. This should explain the initial
  cause of the issue. The handling of the malformed headers may vary in
  different versions of Declude.

  For a 2.0.6.16 download, it appears that
  you will have to ask Declude directly for this or do the bigger upgrade to
  3.x.

  Matt

  Agid, Corby wrote:
  


Hi 
Matt,

I'm not using any MS gateway on 
this. The mail comes into Imail/declude and uses Imail as the email 
server. I opened the message with notepad and didn't locate any 
misplaced headers. I would like to try 
updating to 2.0.6 as you suggest, but I'm not finding any 2.x downloads on 
the site. Can you tell me where to 
find them? I logged in and found the 3.x 
downloads.

Thanks for all of your help. This is 
sure a head scratcher for me.

Cheers


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Tuesday, January 24, 2006 4:59 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

  Corby,

  I also received a bunch of
  these, and one copy that I came up with in a hold box showed that the
  headers were in fact broken. My MS SMTP gateway shows the From, Bcc,
  and locally inserted MS SMTP headers at the very bottom of this
  message. That's how MS SMTP deals with it, but Declude might deal
  with it differently, or it might even have broken your older version of
  Declude. You should at least upgrade to 2.0.6.16 which is available
  from their site. Upgrading to 3.x would be something that you should
  plan more carefully though as it is a major change.

  I suspect that
  you are looking at the rendered view of the E-mail, and since this is a
  multipart message with both text and HTML segments, it is not rendering
  the broken headers in the normal view, but they might be there if you were
  to look at the original text source. If the headers are in the body
  and your rule in your client is looking for headers where they belong,
  that would explain why your filter isn't working.

  Matt

  Agid, Corby wrote:
  

Well I'm somewhat more confused as I don't 
really know what "bad folding" means. However, I don't see any of 
the X-headers in the message body.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
  Sent: Tuesday, January 24, 2006 2:34 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Logged spam getting to mailbox

  Andrew probably nailed this. In at
  least some versions of Declude, the headers that it inserts could land
  in the body of the message due to bad folding techniques that the
  spammer uses (sometimes also legitimate mailers will produce this
  flaw). Your client rule is probably searching for headers and
  doesn't recognize the header that was inserted into what became the
  body due to bad folding. An upgrade may or may not fix the
  issue, though there was talk about this issue several months ago in
  relation to 3.x and I believe some work was done to take care of some
  of it.

  Matt

  Agid, Corby wrote:
  

Actually, I'm still running 
2.0.5. I suppose that I should probably upgrade, 
eh?

I don't actually delete mail 
at any score. I use the header information in my email client 
to sort the incoming messages. Other than this 
particular bugger, it's worked well for me.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
  Sent: Tuesday, January 24, 2006 1:46 PM
  To: 

RE: [Declude.JunkMail] Earthlink/prodigy

2006-01-24 Thread John T (Lists)
Does it make a difference who is supplying the bed and who is supplying the
bedding?

John T
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Tuesday, January 24, 2006 5:29 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Earthlink/prodigy
 
 I think you've got it backwards, SBC acquired ATT but is keeping the ATT
 name.
 
 Bill
 - Original Message -
 From: John T (Lists) [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Tuesday, January 24, 2006 4:23 PM
 Subject: RE: [Declude.JunkMail] Earthlink/prodigy
 
 
 And since ATT now owns SBC, aren't we getting back to Ma Bell?
 
 John T
 eServices For You
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Kevin Bilbee
  Sent: Tuesday, January 24, 2006 3:56 PM
  To: JunkMail Declude
  Subject: [Declude.JunkMail] Earthlink/prodigy
 
  Is there a relationship here. I am getting legit email from this combo
and
  would like to know. It looks to me like prodigy is now owned by SBC.
 
 
 
  Kevin Bilbee
 


Re: [Declude.JunkMail] Logged spam getting to mailbox

2006-01-24 Thread Matt




Corby,

Because of MS SMTP handling the E-mail before it reaches my
IMail/Declude system, Declude always inserts its headers in the proper
block, however MS SMTP can cause some of the pre-Declude headers
(original) to appear in either the top of the body or the bottom of the
body.

Matt



Agid, Corby wrote:

  
  
  
  Ok, thanks very much. I'll see
if they'll get me the latest 2.x version to see if that works. Can
you clarify something... are you saying that you're receiving mail from
the same spammer that's causing my problem, but your system is handling
it correctly?
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, January 24, 2006 5:37 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Corby,

I assumed that you weren't using an MS gateway, I was just letting you
know that what happened to these headers was going to be different on
my system.

I have tons of spam on my system generated by this spamware and it's
all showing the same behavior so I suspect that there is an issue with
what you are receiving as well. It could just be a single CR without
an LF which can look normal in a text viewer, but can throw programs
like Declude and MS SMTP off. This should explain the initial cause of
the issue. The handling of the malformed headers may vary in different
versions of Declude.

For a 2.0.6.16 download, it appears that you will have to ask Declude
directly for this or do the bigger upgrade to 3.x.

Matt



Agid, Corby wrote:

  
  
  Hi
Matt,
  
  I'm not using any MS
gateway on this. The mail comes into Imail/declude and uses Imail as
the email server. I opened the message with notepad and didn't locate
any misplaced headers. I would like
to try updating to 2.0.6 as you suggest, but I'm not finding any 2.x
downloads on the site. Can you tell me where to
find them? I logged in and found the 3.x downloads.
  
  Thanks for all of your help. This is sure
a head scratcher for me.
  
  Cheers
  
  
  
  

 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 4:59 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting to
mailbox


Corby,

I also received a bunch of these, and one copy that I came up with in a
hold box showed that the headers were in fact broken. My MS SMTP
gateway shows the From, Bcc, and locally inserted MS SMTP headers at
the very bottom of this message. That's how MS SMTP deals with it, but
Declude might deal with it differently, or it might even have broken
your older version of Declude. You should at least upgrade to 2.0.6.16
which is available from their site. Upgrading to 3.x would be
something that you should plan more carefully though as it is a major
change.

I suspect that you are looking at the rendered view of the E-mail, and
since this is a multipart message with both text and HTML segments, it
is not rendering the broken headers in the normal view, but they might
be there if you were to look at the original text source. If the
headers are in the body and your rule in your client is looking for
headers where they belong, that would explain why your filter isn't
working.

Matt



Agid, Corby wrote:

  
  Well I'm somewhat more
confused as I don't really know what "bad folding" means. However, I
don't see any of the X-headers in the message body.
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matt
Sent: Tuesday, January 24, 2006 2:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Logged spam getting
to mailbox


Andrew probably nailed this. In at least some versions of Declude, the
headers that it inserts could land in the body of the message due to
bad folding techniques that the spammer uses (sometimes also legitimate
mailers will produce this flaw). Your client rule is probably
searching for headers and doesn't recognize the header that was
inserted into what became the body due to bad folding. An upgrade may
or may not fix the issue, though there was talk about this issue
several months ago in relation to 3.x and I believe some work was done
to take care of some of it.

Matt



Agid, Corby wrote:

  
  Actually,
I'm still running 2.0.5. I suppose that I should probably upgrade,
eh?
  
  I
don't actually delete mail at any score. I use the header information
in my email client to sort the incoming messages. Other than this
particular bugger, it's 

[Declude.JunkMail] Incomplete headers - theory

2006-01-24 Thread Karen Mitchell

I have been having problems with incomplete or broken headers in lots of
spam messages. Sometimes I will see the missing headers in the body of the
message, sometimes not.  See below for example.  The subject when the
message arrived in the inbox was: Subject: EXPLICIT: Nice online dating
booty call service..  Kind of caught my eye because I have a porn filter
for EXPLICIT: in the subject. So the porn filter wasn't triggered.
PORNLIST filter d:\IMail\Declude\pornlist.txt x 5 0 with a routeto in the
default file.

The log told me that Q file exceeds 512 bytes in size.  Ipswitch's
knowledge base tells me that this was triggered because of the auto-deny
hack attempts was checked in smtp.  It didn't deny it however, since the
message was delivered.  None of the rules in either Outlook or imail web
interface were triggered because the header is incomplete.

I turned off the auto-deny and haven't seen any more messages yet.

My question is, has anyone noticed anything like this, and is this feature
broken or is there another factor involved.

Declude 3.0.5.23
Imail 8.21


Karen M. Mitchell
Senior NewMedia Systems Administrator
AccuWeather, Inc. 
385 Science Park Road
State College, PA 16803 
Get the best weather on the web  -  http://www.accuweather.com
 



Imail header via web interface

Received: from 247.red-217-216-60.user.auna.net [217.216.60.247] by 
ntms1.accuweather.com
  (SMTPD-8.21) id A811033C; Tue, 24 Jan 2006 19:36:33 -0500
Received: from airy d's (implement.catapultrascal.com [150.150.225.86]) by 
217.216.60.247 (6.8.6/8.9.9) with ESMTP id FMZT153754637
for [EMAIL PROTECTED]; Tue, 24 Jan 2006 22:30:33 -0200
Status: R
X-UIDL: 1033884398
X-IMail-ThreadID: c80f03434a54





Complete message from Outlook Express.

Received: from 247.red-217-216-60.user.auna.net [217.216.60.247] by 
ntms1.accuweather.com
  (SMTPD-8.21) id A811033C; Tue, 24 Jan 2006 19:36:33 -0500
Received: from airy d's (implement.catapultrascal.com [150.150.225.86]) by 
217.216.60.247 (6.8.6/8.9.9) with ESMTP id FMZT153754637
for [EMAIL PROTECTED]; Tue, 24 Jan 2006 22:30:33 -0200
Message-ID: [EMAIL PROTECTED]
Reply-To: Erna Moran [EMAIL PROTECTED]
From: Erna Moran [EMAIL PROTECTED]
Location: cleave iv chloroplatinate
Delivery-Notification: No
To: removed [EMAIL PROTECTED]
Subject: EXPLICIT: Nice online dating booty call service.
Date: Tue, 24 Jan 2006 17:30:33 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=--693861316335815

693861316335815
Content-Type: text/html;
charset=iso-3436-3
Content-Transfer-Encoding: quoted-printable

X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1033884398
X-IMail-ThreadID: c80f03434a54

 It as the same experieneeCan swim under water.Imagine the lok on your khi=
ldren or grandjhildrens faxes when they open the mail box to find a someth=
ing with their name on it. The air. This way.   =0A table
trtda =0Ahref=3Dhttp://silverdates.com/7654/index.html?1886040get y=
our booty call on right nowbrimg =0Asrc=3Dhttp://harddate.com/7654/2383=
.jpg border=3D0br=0Apnr=0A/a=0Alvq=0A=0A I Great to have another to=
py o your book let alone an autographed one. You leave enough information =
on their publid site to find out what presahool the child attends. I T ent=
ertain people with your writing.p=0Aa href=3D=0Ahttp://dategnome.com/?q=
Message-Id: [EMAIL PROTECTED]
Subject: SPAM:
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client 
[a004010f].
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: HELOBOGUS: Domain 247.red-217-216-60.user.auna.net has no MX or 
A records [0301].
X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with 
spam [a004010f].
X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [217.216.60.247]
X-Declude-Spoolname: Dc80f03434a54.smd
X-Declude-Note: Scanned by Declude 3.0.5.23 (http://www.declude.com/x-note.htm) 
for spam.
X-Declude-Scan: Score [21] at 19:36:39 on 24 Jan 2006
X-Declude-Tests: BADHEADERS, CMDSPACE, HELOBOGUS, ROUTING, WEIGHT10, WEIGHT13

I wish to stop getting these, thanks! - fp=0A/a =0Atable bgcolor=3Dw=
hite
/td/tr/table=0Atrtd=0A  table width=3D100%
/td   /tr/table=0Atrtd=0A  table cellspacing=3D1 width=3D100=
%
/td/tr  /table=0Atr=0Atd/td/tr/table=0A

693861316335815--



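The cause Matt suggests in this thread (a single CR without an LF in the header block) and the symptom in Karen's message (X-RBL-Warning and X-Declude-* lines sitting in the body) can both be checked on the raw bytes of a message. The script below is an added example, not part of the thread and not Declude's or IMail's code; the strict and lenient parsing modes, the function names and the sample message are constructed assumptions for illustration.

```python
import re

# Any line terminator a lenient parser might honour: CRLF, bare CR, bare LF.
LINE_END = re.compile(rb"\r\n|\r|\n")
# Header names the filter adds, as seen in the message quoted in the thread.
FILTER_HEADER = re.compile(rb"^(X-RBL-Warning|X-Declude-[A-Za-z]+):", re.I)


def find_bare_line_endings(raw: bytes):
    """Return (offset, kind) for every CR without LF and LF without CR."""
    found = []
    for m in LINE_END.finditer(raw):
        if m.group() == b"\r":
            found.append((m.start(), "bare CR"))
        elif m.group() == b"\n":
            found.append((m.start(), "bare LF"))
    return found


def body_offset(raw: bytes, lenient: bool) -> int:
    """Offset of the first body byte, or len(raw) if no blank line exists.

    strict  (assumption): only CRLF ends a line, so headers end at CRLFCRLF.
    lenient (assumption): CRLF, CR or LF each end a line.
    """
    if not lenient:
        i = raw.find(b"\r\n\r\n")
        return len(raw) if i < 0 else i + 4
    line_start = 0
    for m in LINE_END.finditer(raw):
        if m.start() == line_start:  # terminator at line start = empty line
            return m.end()
        line_start = m.end()
    return len(raw)


def stray_filter_headers(raw: bytes):
    """Filter-added header lines that a lenient reader would see in the body."""
    body = raw[body_offset(raw, lenient=True):]
    return [ln for ln in LINE_END.split(body) if FILTER_HEADER.match(ln)]


def diagnose(raw: bytes):
    strict = body_offset(raw, lenient=False)
    lenient = body_offset(raw, lenient=True)
    return {
        # Bare terminators inside what the strict parser calls the header block.
        "bare_in_headers": [b for b in find_bare_line_endings(raw) if b[0] < strict],
        # True when the two parsers place the header/body boundary differently.
        "parsers_disagree": strict != lenient,
        "stray_filter_headers": stray_filter_headers(raw),
    }


# Constructed sample: a bare CR after the boundary parameter, followed by
# headers that a strict (CRLF-only) filter appended to "its" header block.
SAMPLE = (
    b"Received: from mail.example.net [192.0.2.10] by mx.example.org; "
    b"Tue, 24 Jan 2006 19:36:33 -0500\r\n"
    b"Subject: EXPLICIT: sample\r\n"
    b"Content-Type: multipart/alternative;\r\n"
    b'\tboundary="b1"\r'  # bare CR: the next CRLF now reads as an empty line
    b"\r\n"
    b"X-RBL-Warning: WEIGHT10: Weight of 21 reaches or exceeds the limit of 10.\r\n"
    b"X-Declude-Tests: BADHEADERS, WEIGHT10\r\n"
    b"\r\n"
    b"--b1\r\nContent-Type: text/html\r\n\r\nbody\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(key, "=", value)
```

Run it against the original message file from the spool or an exported raw copy opened in binary mode, since a text viewer or a rendered view can hide a bare CR.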