:)
Good idea... Actually great idea..
Thanks..
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Sunday, December 21, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs
Kami,
I'm
Scott,
I was wondering about the progress of a couple of things. First, has
the END functionality been fixed in a recent release, and second, has
the weight listed in the WARN action been updated to include the sum of
the Global.cfg and filter file weights?
Thanks,
Matt
---
[This E-mail
I don't recall seeing this posted here, but while doing a little
research on the NJABL blocklists, I came upon a page on their site
saying that they were integrating the now defunct EASYNET-DYNA:
http://njabl.org/dynablock.html
The following line should work for integrating this test:
I was wondering about the progress of a couple of things. First, has the
END functionality been fixed in a recent release...
http://www.declude.com/relnotes.htm shows that it was added to 1.77, which
is the latest beta.
It has, however, been taken care of in the latest interim release (at
Very cool Scott, my test scores now add up :) I'll have to try the END
functionality later on today though.
Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for
the WARN action? I can't say that I've tried these in the last month,
but I couldn't get anything like this to
I've made some huge leaps forward recently in terms of the processing
power required to run Declude with the custom filters that I have
installed. This was done by way of the SKIPIFWEIGHT functionality
introduced in the latest beta, but also by way of re-ordering my filters
in the Global.cfg
Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for the
WARN action? I can't say that I've tried these in the last month, but I
couldn't get anything like this to work when I did and it seemed like
something that makes sense to have.
That is a good question. Right now, the
I just re-confirmed,
THESE entries appear in the spf.log file:
67.80.42.251 [EMAIL PROTECTED] [andyshome]: UNKNOWN
...
But the IP address 67.80.42.251 does not appear AT ALL in the spf.none file!
Thanks for pointing this out -- there is a new interim at
http://www.declude.com/interim that
I'm setting up a Sender "Black list" Given the following
header, what would I put in my black list file?
Is it the reply to or the from I need to look at?
In this instance I would like to kill everything from
quill.com, so would I just use that?
Received: from om-quill.rgc3.net
FWIW, We're running Windows 2003 server with imail gateways on 4 inbound MX
servers for MS Exchange 2003
We process about 300,000 messages per day.
No problems here.
Actually, we've been talking about moving the OS back to Windows XP
workstation.
Since we only use iMail as a gateway relayer,
If any one is experiencing the overflow folder filling up and it is not
attributable to server load, please contact me.
The first thing to do is determine whether the issue is with Declude
JunkMail, Declude Virus, or both. If you are running both programs, you
should temporarily disable one.
I would use the following:
HEADERS 15 CONTAINS quill.com
This message was sent through a third-party bulk mailer, and the
MAILFROM address may change from server to server, but they are using a
Reply-To address that will get picked up with that line.
Matt
Doug Anderson
I'm setting up a Sender Black list Given the following header, what
would I put in my black list file?
The sender blacklist works on the return address (where bounce messages
would be sent, as seen in the X-Declude-Sender: header), which may be
different from the From: address in the headers.
At 10:34 AM 12/22/2003, John Tolmachoff (Lists) wrote:
If any one is experiencing the overflow folder filling up and it is not
attributable to server load, please contact me. I am having this problem and
am narrowing it down.
John,
Do you run Sniffer? If so, are you running the wide beta
Just another follow-up. This might be dangerous to blacklist anything
from quill.com since they are an ecommerce site and you may very well be
blocking receipts and other order related information. It would then be
safer to go after the MAILFROM, though this won't work if they change
the
On Mon, 22 Dec 2003 09:34:30 -0600
Doug Anderson said something about [Declude.JunkMail] Stupid question:
I'm setting up a Sender Black list Given the following header, what
would I put in my black list file?
Is it the reply to or the from I need to look at?
In this instance I would like to
I get that same problem at different times of the day.
Like now.
I have lots of power and my dns server is working perfectly.
I monitor the system using Remote Task Manager.
The Declude process looks like it takes 10 - 60 seconds per email.
It is almost like it is in a wait state looking for
To clarify, this is not a Declude problem.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Monday, December 22, 2003 7:34 AM
To: [EMAIL
Sniffer is not involved.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Russ Uhte (Lists)
Sent: Monday, December 22, 2003 7:52 AM
To: [EMAIL PROTECTED]; [EMAIL
I loaded DNS on the mail server to eliminate it as the problem.
But is it still reoccurring? If so, have you tried clearing the cache and it
starts working again?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
The Declude process looks like it takes 10 - 60 seconds per email.
It is almost like it is in a wait state looking for something.
There is about a 99% chance this *is* a DNS issue.
If you are positive that your DNS server is working well (answering cached
queries very quickly, with no
For all those answering back
Quill was just an example. I check into a sender before bl'ing them and
attempt list removal if they have it.
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 9:52 AM
Subject: Re:
I am 100% sure it is not DNS.
I have Sniffer and Spamchk as external test but I have commented them out
and still a problem.
The problem goes away after a while then comes back.
These are my external DNS tests.
BLITZEDALL ip4r opm.blitzed.org * 3 0
CBL ip4r cbl.abuseat.org 127.0.0.2 10 0
Hm,
The lines are below, please note...
A) [EMAIL PROTECTED] shows the same SPF text line - and says FAIL
(which is correct)
B) yet, any HM-Software.com domains (using the same SPF text line) claim
UNKNOWN because the DNS server did not respond!?
C) I'm including an NSLOOKUP executed at the
Hi Scott:
Disregard! I found the DNS problem. It has nothing to do with the
information that you are logging, though - it's the include hmsoftware.de
that's failing on that machine.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original
Fredrick, please answer my question.
You said you are using the MS DNS service on the server to help with the
problem.
Does it still reoccur, and if so, have you tried clearing the MS DNS service
cache and does that allow mail to flow until it reoccurs?
John Tolmachoff
Engineer/Consultant/Owner
John,
I have not tried to clear the MS DNS Cache.
But the problem goes away after a while.
It is fine at the moment but it will come back soon.
Fred
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 11:43 AM
When it starts to happen again, immediately clear the MS DNS Cache and watch
the overflow directory to see if it starts to clear.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On
I have not tried to clear the MS DNS Cache.
But the problem goes away after a while.
It is fine at the moment but it will come back soon.
When it comes back, I would recommend checking the DNS server. First,
check to see the IP of the DNS server Declude JunkMail will be using (the
first one
Scott,
I have a feeling that one of the recent changes created a bug in the way
that scores are added in combination from the Global.cfg and the custom
filter file when combined. Here's an example:
X-MailPure: ==
X-MailPure:
Where can I find the version of the declude products? I want to be sure
I am at the current versions.
Thanks
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to
Fred, it means you are experiencing the exact same problem I am.
I am investigating. For now, I have a script to stop and start the MS DNS
service every half hour to clear the cache.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL
It just happened again.
I cleared the Cache and the backup cleared.
What does that mean?
That means that your DNS server is dying. It sounds like this may be a
common problem with Microsoft DNS, where it starts choking if it has too
much in its cache. Switching to the latest version of BIND
Where can I find the version of the declude products? I want to be sure
I am at the current versions.
You can find the latest version at
http://www.declude.com/junkmail/manual.htm or
http://www.declude.com/virus/manual.htm . Note that the same Declude.exe
file is shared by both programs, so
It just happened again.
I cleared the Cache and the backup cleared.
What does that mean?
That means that your DNS server is dying. It sounds like this may be a
common problem with Microsoft DNS, where it starts choking if it has too
much in its cache. Switching to the latest version
Not sure what you are suggesting.
Latest version of Bind?
Is there a newer version of MS DNS or are you suggesting a different
product.
Fred
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 2:02 PM
Subject: Re:
Is this all being found on Windows 2003? I'm a couple of months away
from adding a new server and this would definitely resolve any questions
that I might have about Windows 2003 being an option. I know why John
needs to play with the latest and greatest, but I have no such
inclination or
Scott, maybe you can shed some light on this. Here is a snippet of Andy
Schmidt's spf.log from a message I sent him:
=
204.189.39.254 [EMAIL PROTECTED] [psmail02.pointshare.com]: PASS
=
We just sent out some customer announcements and here is the From line out
of the declude log from
No, this is on W2K.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re:
Matt,
I thought you might be interested in the attached data which analyzes the
GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from
11/15 through yesterday.
If you're looking for effectiveness you should set the entries in
descending order of probability. I use a variation
That means that your DNS server is dying. It sounds like this may be a
common problem with Microsoft DNS, where it starts choking if it has too
much in its cache. Switching to the latest version of BIND may be the best
option.
Not sure what you are suggesting.
Latest version of Bind?
I am adding filter files in slowly to my Declude setup. I now have added
filter tests that are scanning the body of emails. I have noticed a
significant increase in CPU spikes. I want to skip these body tests if the
weight is high. From the filter files that others have been kind enough to
I am adding filter files in slowly to my Declude setup. I now have added
filter tests that are scanning the body of emails. I have noticed a
significant increase in CPU spikes.
That will happen if you have a lot of BODY filters. For example, if you
have 1,000 BODY filters, Declude JunkMail
George,
That's good data to have. I would have to assume that something tagged
as gibberish in the main test would be random, and that's fairly well
indicated by the somewhat tight range of the two character strings.
Unless you are using a logging feature that I'm not aware of, you are
only
Hey guys, this sounds like same problem that I have been experiencing,
however it has been a bunch of spam with c.c. 's to non-existent mail
addresses on my server (dictionary attack style) ..My DNS is working fine.
I spent the weekend returning mail from the old spool to a new spool that I
had
I just loaded a copy of Metaip DNS software.
http://www.metainfo.com/
Removed the MS DNS.
Will keep you informed.
- Original Message -
From: Charles Frolick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 3:19 PM
Subject: RE: [Declude.JunkMail] Overflow
Matt, if you set your JunkMail logging to HIGH, you will see every line item
that Declude matches on in the FILTER files
Bill
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:17 PM
Subject: Re: [Declude.JunkMail]
I've been rethinking my strategy for dealing with dictionary attacks on
my server. While the nobody alias has proved to be problematic, so does
not having a nobody alias due to the possibility of being dictionary
attacked.
I'm thinking of setting up all the nobody aliases to redirect E-mail
Ick...but thanks for letting me know. Maybe this is better to have in
debug. I could see some filters hitting even more than GIBBERISH does
on Base64 stuff.
Matt
Bill Landry wrote:
Matt, if you set your JunkMail logging to HIGH, you will see every line item
that Declude matches on in the
Hi Matt,
Is anyone getting dictionary attacked for long periods of time on a
domain with a nobody alias or something that is gatewayed?
Thanks,
Yes. I get hammered every day..; I got rid of the nobody alias, filter
the log files for the ip's that connected - and add them to my Imail
Access
Scott:
Thank you. Another question - which filtering tests use the most amount of
CPU?
Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, December 22, 2003 1:02 PM
To:
Thank you. Another question - which filtering tests use the most amount of
CPU?
The combination of BODY CONTAINS or HEADERS CONTAINS (such as BODY 5
CONTAINS ThatDrugThatBeginsWithTheLetterV) are the only ones that will
normally cause high CPU usage. Others can, but would require many more
Matt,
I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill
pointed out, all hits are reflected.
I've started to use SKIPIFWEIGHT. The result of course is that filters are
bypassed and the statistics are skewed.
For example on Friday 12/19, 15291 emails were processed by
Responding to a couple of posts.
Hey guys, this sounds like same problem that I have been experiencing,
however it has been a bunch of spam with c.c. 's to non-existent mail
addresses on my server (dictionary attack style) ..My DNS is working fine.
The specific problem I am reviewing and
I just brought my new Gateway server online today. Single 2.8GHz Xeon, 36Gb
15k Scsi, 1Gb ram. I have watched the queue all day and it has just increased
up to 8,700. I adjusted the Maximum Processes to 75, helped some, then I
adjusted it to 100 and BAM and the queue started decreasing steadily.
Just curious...
- How many drives? [IMail, Declude, mailboxes, spool - are they all on a
single drive?]
- Have you run a test without Declude running?
- Any virus scanners?
- OS?
- DNS server? Same machine or separate?
Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
- How many drives? [IMail, Declude, mailboxes, spool - are they all on a
single drive?]
Single 36GB,15K SCSI
4 Partitions C: OS D: IMail/Declude E: IMail Spool F: Declude Logs
NO MAILBOXES Gateway Server only
- Have you run a test without
My quandary now is to decide whether to use the new control functions
of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to
collect a full set of evaluation data by letting everything run. It's
truly a catch-22 situation.
I came into this thread late, so my comments may not
Title: Comments test
Scott:
Just an observation.. It seems like the Comments test is not being triggered as often as I see it used..
I thought you stated a while back that the comments test now picks up any attempt to break words.. E.g.
=
HTMLHEAD
BODY
One last question..
You stated your spool backup.. What is your daily volume?
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kris McElroy
Sent: Monday, December 22, 2003 6:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Maximum
Just an observation.. It seems like the Comments test is not being
triggered as often as I see it used..
FAQ. :)
I thought you stated a while back that the comments test now picks up any
attempt to break words.. E.g.
No -- it just isn't possible.
The COMMENTS test detects anti-filter
Matt,
I do only use filters that work. There are a number of situations however
that I believe make it impossible to effectively use only off the shelf
filters. There are also valid reasons to perform my own analysis of filter
effectiveness:
First, everyone's spam mix is different, just as
I understand all that stuff, George, but I disagree completely that you
can't apply global, updated rules to some aspects of the problem. As
such a global filter repository can make a huge dent in virtually
everyone's workload. Do we really all need to create our own filters to
remove p.en1s
George,
I think that logic can get you 95% of the way there with something as
convoluted as this, that is run only about 1/3 of the time, and
considering that you are only battling for about 2% of the processing
power required by this filter alone, which shouldn't be too terribly
much.
Nick,
I think I might have been asking the question the other way around,
though I'm not positive it was taken the wrong way.
The theory here is that domains which accept every E-mail address in the
HELO won't be dictionary attacked past a few attempts because the
attacker's software will
John Tolmachoff (Lists) wrote:
This is a cache only setup, no domains. Cost is a concern at this time,
unless I can prove that would be the answer. However, as I said earlier, the
problem was first experienced using BIND DNS servers. I need to follow up on
this.
Keith had a problem after a
R. Scott Perry wrote:
The problem is that it is nearly impossible to determine which are
valid HTML tags and which are not -- that would require a database of
known good HTML tags, which would need to be constantly updated.
This was the first filter that I tried writing actually :) I got a
Using %SENDER%, it is inserting [Unknown Var]. If I use %MAILFROM%,
it is also inserting [Unknown Var].
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of R. Scott Perry