Scott-After reading your e-mail recommending that you can hold on bad
headers I tripled the weight. Although I really don't care much that this
was held right now if virus did really come through my server I would like
to get this. Any idea why a Webshield Alert would fail BADHEADERS? (if that
Maybe you should e-mail them. This was the version # in the headers:
The last time we tried that was when we found a DoS attack that WebShield
was susceptible to -- but they didn't fix it for about a year.
-Scott
---
Declude JunkMail: The
In going thru the held mail I am finding some emails with this warning.
X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com
This only shows up on a few emails but it causes the email to fail the
OSRELAY test - meaning more false positives. Other emails either do not
have the
In going thru the held mail I am finding some emails with this warning.
X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com
This only shows up on a few emails but it causes the email to fail the
OSRELAY test - meaning more false positives. Other emails either do not
have the
Yes, this has been reported both on Imail list and this list at 08/24.
news.prodigy.com
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Chuck
I've seen it to.
Additionally http://relays.osirusoft.com isn't responding and emails are
being bounced.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
Sent: Tuesday, August 26, 2003 8:14 PM
To: Declude. JunkMail (E-mail)
Subject:
FYI, looks like Joe Jared (of Osirusoft) is finally hanging it up.
Bill
- Original Message -
From: James Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 4:07 PM
Subject: RE: [SAtalk] OSIRUSOFT -- should they be used any more?
Update OSIRUSOFT issue:
I
I have setup a filter to froward all email that seems to be from the sobig
virus to a specian mail box.
Global.CFG
SOBIGFILTER filter D:\IMail\Declude\SOBIG.txt x 0
0
sobig.txt
REMOTEIP 0 IS 206.111.17.194
REMOTEIP 0 IS 66.185.39.38
REMOTEIP 0 IS
I'm feeling dumb this evening, so I'll share my dumb question, sorry in
advance.
The appropriate action for us to take then is to
A) do nothing
B) modify our global.cfg to comment out the 6 or so relays.osirusoft.com
tests
C) Something completely different
Inquiring minds would like to know.
hi scott
does this mean we need to stop using all of the tests below ?
OSDUL ip4rrelays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4rrelays.osirusoft.com 127.0.0.8 6 0
OSLIST ip4rrelays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4rrelays.osirusoft.com 127.0.0.9 7 0
There have been similar posts on NANOG indicating xxx.osirusoft.com are
returning all 127.0.0.2. Apparently they are under a massive DDOS attack
Rick Rountree
Sr Network Admin
Dundee.Net
At 08:38 PM 8/26/2003, you wrote:
FYI, looks like Joe Jared (of Osirusoft) is finally hanging it up.
I checked my logs and the REMOTEIP lines are catching the mail but the
subject lines with RE: are not catching the mail. the subject lines
without the RE: are catching the emails.
I have changed the IS in SUBJECT lines to CONTAINS and I get the same
results.
I want these emails because I have
Well...made it to their web site and this is what it says
Due to the severe drain of resources, relays.osirusoft.com will be down for
an undetermined period of time. Please ask all sites using data from
relays.osirusoft.com to stop until further notice.
So, I have commented out the tests until
Yes, because if you do not disable the Osirusoft tests, it will only cause
unnecessary mail processing delays, as your queries wait for a response and
eventually time-out (approx 10 seconds), since the rbl is no longer
responding to queries, or is returning bogus responses. In either case, not
a
I would go with option B and comment them out.
Bill
- Original Message -
From: Robert Grosshandler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 5:55 PM
Subject: RE: [Declude.JunkMail] OSRELAY question.
I'm feeling dumb this evening, so I'll share my dumb
Okay. another one bites the dust. scheeesch, pretty soon
there won't be many spam databases to choose from will there looks like
they are winning the battle but will they win the war
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL
The latest news in the Osirusoft saga:
http://slashdot.org/article.pl?sid=03/08/27/0214238mode=nestedtid=111tid=126
Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send
Okay. another one bites the dust. scheeesch, pretty soon
there won't be many spam databases to choose from will there looks like
they are winning the battle but will they win the war
Actually, http://www.declude.com/junkmail/support/ip4r.htm shows that there
are plenty
I checked my logs and the REMOTEIP lines are catching the mail but the
subject lines with RE: are not catching the mail. the subject lines
without the RE: are catching the emails.
That is odd. Could there be spaces/tabs at the end of the lines that
aren't working?
If that doesn't explain it,
Actually, http://www.declude.com/junkmail/support/ip4r.htm shows that
there are plenty of spam databases left. :)
-Scott
You are correct - BUT - besides the default ones listed in the
*old* manual how can we know which to use that give the most
Hi Nick:
This is what we have in our filter file. We use IMail to do the testing and
then use a filter file to give them weight. Just in case it helps you this
is what we have:
We had all of what is listed in Declude site and wrote a program to evaluate
all the server logs for 5 months and
Anyone have any recommendations on what to replace:
#OSDUL ip4rrelays.osirusoft.com127.0.0.3
5 0
#OSFORM ip4rrelays.osirusoft.com127.0.0.8
5 0
#OSLIST ip4rrelays.osirusoft.com127.0.0.7
5 0
#OSRELAY
Hi,
Thanks for your interest in Alligate. We recommend that you first look over
the product documentation so that you will have a good understanding of
Alligate's capabilities and installation requirements.
The documentation can be downloaded at the following address:
The Confirmation Required message from this list
did not pass the SPAMHEADERS test of Declude..:-)))
Why is that Scott??
That's because Ipswitch still hasn't fixed the bug in IMail1.exe where it
won't add the Message-ID: header.
-Scott
---
Hi guys,
The Confirmation Required message from this list
did not pass the SPAMHEADERS test of Declude..:-)))
Why is that Scott??
Received: from declude.com [66.189.124.29] by mail.cwc.nl with ESMTP
(SMTPD32-7.13) id A85F9A01BA; Wed, 27 Aug 2003 15:55:43 +0200
From: [EMAIL PROTECTED]
To:
Well Scott you are correct again. I had a cut and paste error in the filter
file all of the lines ended with an extra space except the last two lines.
Kevin Bibee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, August
wow! yes there are a lot... but that begs another important
question... which ones to use.. :( what is everyone else using ???
thanks
sheldon
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 5:41 AM
Subject:
FYI Andy, Netscape 7's mail program can't see your information
(winmail.dat problem).
Regarding the discussion, I included several of the FIVETEN tests a few
months back when I saw that Ipswitch was including them in their default
configuration file (figured this would help that source's
Scott:
The message below came over the Imail discussion board. Should I be removing
the lines:
OSDIPS ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4rrelays.osirusoft.com 127.0.0.8 5 0
OSLIST ip4rrelays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4r relays.osirusoft.com
I can't see your replacement suggestion
Best regards
Xavier
- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 5:51 PM
Subject: RE: [Declude.JunkMail] OSRELAY Replacement question.
Here is the replacements that I'm
And here's my newly edited file:
DSBLip4rlist.dsbl.org*50
MONKEYPROXIESip4rproxies.relays.monkeys.com *
50
ORDBip4rrelays.ordb.org*40
SPAMCOPip4rbl.spamcop.net
Let me also correct one thing. I mentioned SPEWS as an alternative to
Osirusoft, but that one also comes from their servers :) In otherwords,
don't use that either (as noted in Hank's recent message).
Matt
Andy Schmidt wrote:
Here is the replacements that I'm using (marked up red) with
Here is the replacements that I'm using (marked up red) with the results for
the last few hours:
Best Regards
Andy Schmidt
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith
Sent: Wednesday, August 27, 2003 09:44 AM
To: [EMAIL PROTECTED]
The message below came over the Imail discussion board. Should I be
removing the lines:
OSDIPS ip4r relays.osirusoft.com 127.0.0.3 5 0
OSFORM ip4rrelays.osirusoft.com 127.0.0.8 5 0
OSLIST ip4rrelays.osirusoft.com 127.0.0.7 5 0
OSPROXY ip4r relays.osirusoft.com 127.0.0.9 7
Im really surprised that there isn't a site out there that reviews and rates
those RBLs. All I have seen is listings.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webmaster Oilfield
Directory
Sent: Wednesday, August 27, 2003 7:48 PM
To: [EMAIL
It's a shame because I was catching a great deal more spam, but I may have
to back off on the weight of this test. This looks like a log file that one
guy has e-mailed from a D-link router. Why don't companies have this stuff
compliant. sigh
Received: from DI-604 [65.41.30.4] by
The fact that SPEWS is gone is not a bad thing!
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matthew Bramble
Sent: Wednesday, August 27, 2003 1:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] OSRELAY Replacement question.
Im really surprised that there isn't a site out there that reviews and rates
those RBLs. All I have seen is listings.
The problem is that it is very, very difficult to determine the key piece
of information: false positive ratios. Most of the information that people
have about the DNS-based
Please excuse me if this have been discussed before but I wanted to find
out what it would take for the Declude users to develop there own RBL of
some sort?
Thanks,
Todd Hunter
Progressive Systems
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This
Anyone have the command line to use SPEWS?
Thanks,
Todd
At 01:07 PM 8/27/2003 -0400, you wrote:
And here's my newly edited file:
DSBLip4rlist.dsbl.org*50
MONKEYPROXIESip4rproxies.relays.monkeys.com *
50
ORDBip4r
Please excuse me if this have been discussed before but I wanted to find
out what it would take for the Declude users to develop there own RBL of
some sort?
See http://www.declude.com/junkmail/support/ip4rinfo.htm for information on
how a DNS-based spam database is set up (FYI, RBL is a
Hi;
What I have found working the best was:
1: Add as many of the tests as you want with 0 weight.
2: Add a header for every test
3: Monitor your headers and adjust the weights accordingly.
4: After several months start taking out the tests that their weight has
stayed 0.
This is a lengthy
There's not even a date header in that message. What would an E-mail
client even do with that? 1969?
I probably switched from Scott's methodologies very early on, requiring
a message to fail BADHEADERS, SPAMHEADERS (combined score of 8) plus at
least one other test before it gets rejected
I've found that my scoring in Declude shouldn't be indicative of what
is most
commonly associated with spam only, but also what is most commonly
associated with other tests and false positives. This speaks to the
trouble with rating
the individual blacklists, scoring them in isolation from one
Hm - may be this list doesn't support HTML mail (or doesn't support
attachments), here is that screen shot again, this time as a BMP file.
The problem is that you are trying to send a 250K attachment, which is
clogging up our Internet connection. Perhaps you could convert it to a
small .jpg
Hm - may be this list doesn't support HTML mail (or doesn't support
attachments), here is that screen shot again, this time as a BMP file.
The replacements that I'm using are marked up red with the results for the
last few hours
Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East
Kami,
Could please elaborate on some of the tests here and how I might
use them in Declude config. You are rating them very high so I assume they
are giving you good results.
BHOLE-BRAZIL, BHOLE-BRAZIL etc...
Thanks,
Todd
At 09:25 AM 8/27/2003 -0400, you wrote:
Hi Nick:
This
The replacements that I'm using are marked up red with the results for the
last few hours.
Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
Kami,
Just to clarify, I wanted to know about your tests labeled BHOLE-
Todd
At 02:09 PM 8/27/2003 -0500, you wrote:
Kami,
Could please elaborate on some of the tests here and how I might
use them in Declude config. You are rating them very high so I assume
they are
Hi Todd:
Attached is the IMail blacklist file. It has the detail of all the tests
that we run. As stated earlier we do our tests in IMail and then add the
header to be later evaluated by Declude as filter files.
If you want simply replace this file in the IMail directory (version 8 only)
and
Thanks Kami,
We are
still on IMail 7.15. IMail 8 is sitting on the shelf until I have
some time to deal with the upgrade. I assume to include one of
these test in Declude it would be in the form of
CHINABLACKHOLE ip4r
china.blackholes.us
127.0.0.25 0
Todd
At 03:51 PM 8/27/2003 -0400, you wrote:
Kami,
I assume based on your weights that you are Holding at 20?
Todd
At 03:51 PM 8/27/2003 -0400, you wrote:
Hi Todd:
Attached is the IMail blacklist file. It has the detail of all the tests
that we run. As stated earlier we do our tests in IMail and then add the
header to be
Hi Todd:
Yes we hold on 20.
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 5:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] OSRELAY question.
Kami,
I assume based
Until a few days ago, I was using SORBSALL, but on checking out their home
page, I found that it had grown quite a lot since I started using it.
Since JunkMail will only incur the lookup once, I suggest that if you're
using SORBS that you break it up into all the little tests to query the same
54 matches
Mail list logo
