RE: [Declude.JunkMail] Junkmail Tests and Configs

2003-12-22 Thread Kami Razvan
:)

Good idea... Actually great idea.. 

Thanks.. 

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Sunday, December 21, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs

Kami,

I'm using a trick to show %ALLRECIPS% only when a message is held.  I added
an extra weight test as the hold weight and added the WARN action as
follows:

- Global.cfg -
HIGH-RECIPS    weight    x    x    10    0

- $Default$.junkmail
HIGH-RECIPS    WARN X-MailPure: RECIPIENTS: %ALLRECIPS%


This way they never see this in E-mail that passes through, and in the event
of a false positive, I can deliver the E-mail correctly.

Matt



Kami Razvan wrote:

Scott ..

Just wondering.. Don't you need to have the %ALLRECIPS% in the header 
before this works?

I know we deactivated it because it was defeating the purpose of BCC.. 
Since anyone looking at the header could see all the people being BCC'd.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Sunday, December 21, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Junkmail Tests and Configs


  

I've tried using the BCC tests, and I sent some email from an 
outside webmail server.  The tests don't even show up as failing. I'm 
using one that will trigger when there are 3, 5 and 10 BCCs and I've 
sent an email with 5 bcc's, and the tests don't show up as failing at 
all.
Is there something I'm missing since I did put the line in exactly as 
you show it.



Are you running v1.75 or later?

Are these really Bcc:'s, where the E-mail address of the recipient does 
not appear in the headers when IMail receives the E-mail?

Are the Bcc: addresses addresses on your server (it is impossible to 
detect Bcc:'s on other servers)?

-Scott
  



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.



[Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Scott,

I was wondering about the progress of a couple of things.  First, has 
the END functionality been fixed in a recent release, and second, has 
the weight listed in the WARN action been updated to include the sum of 
the Global.cfg and filter file weights?

Thanks,

Matt



[Declude.JunkMail] EASYNET-DYNA replacement, NJABL-DYNABLOCK

2003-12-22 Thread Matthew Bramble
I don't recall seeing this posted here, but while doing a little 
research on the NJABL blocklists, I came upon a page on their site 
saying that they were integrating the now defunct EASYNET-DYNA:

   http://njabl.org/dynablock.html

The following line should work for integrating this test:

   NJABL-DYNABLOCK    ip4r    dynablock.njabl.org    127.0.0.3    4    0

This was a very important test on my system, and the loss was definitely 
being felt.  Also note, this is a different test than the existing 
NJABL-DUL test.

Matt



Re: [Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread R. Scott Perry

I was wondering about the progress of a couple of things.  First, has the 
END functionality been fixed in a recent release...
http://www.declude.com/relnotes.htm shows that it was added to 1.77, which 
is the latest beta.

It has, however, been taken care of in the latest interim release (at 
http://www.declude.com/interim ).

... and second, has the weight listed in the WARN action been updated to 
include the sum of the Global.cfg and filter file weights?
The latest interim release takes care of that as well.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread Matthew Bramble
Very cool Scott, my test scores now add up :)  I'll have to try the END 
functionality later on today though.

Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for 
the WARN action?  I can't say that I've tried these in the last month, 
but I couldn't get anything like this to work when I did and it seemed 
like something that makes sense to have.

Thanks,

Matt



R. Scott Perry wrote:


I was wondering about the progress of a couple of things.  First, has 
the END functionality been fixed in a recent release...


http://www.declude.com/relnotes.htm shows that it was added to 1.77, 
which is the latest beta.

It has, however, been taken care of in the latest interim release (at 
http://www.declude.com/interim ).

... and second, has the weight listed in the WARN action been updated 
to include the sum of the Global.cfg and filter file weights?


The latest interim release takes care of that as well.

   -Scott




[Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
I've made some huge leaps forward recently in terms of the processing 
power required to run Declude with the custom filters that I have 
installed.  This was done by way of the SKIPIFWEIGHT functionality 
introduced in the latest beta, but also by way of re-ordering my filters 
in the Global.cfg file so that the easiest to process custom filters are 
run first in the hopes of avoiding the need to run more costly ones.

This new version of GIBBERISH makes use of functionality introduced in 
the 1.77 beta, however the most recent interim release, 1.77i7, should 
be used in order to guarantee proper operation (initial versions would 
always end processing, and effectively disabled the filters).  The END 
functionality removes the need to have ANTI filters since the filter can 
be stopped before it gets to the main filter matches, and it also 
presents another opportunity to save on the processing power required to 
run such things.  This also makes use of the MAXWEIGHT functionality to 
limit the max score as well as end processing once a single hit has been 
scored.  Note that the filter will only log (at the LOW setting) and 
show WARN actions when the filter is tripped and an END was not 
hit...which is great!  No more looking at non-scoring custom filters due 
to counterbalances :D

Please read through the file and follow these instructions if you 
already have GIBBERISH installed:

   1) Comment out the ANTI-GIBBERISH custom filter in your Global.cfg.
   2) Change the score of the GIBBERISH filter to 0 in your Global.cfg.
   3) Change the scoring of the filter to match your system (it is scored by
      default for base 10 systems).  This can be done by changing the
      MAXWEIGHT and Main Filter lines to reflect the multiple of 10 that
      your system is based on.
   4) Change the SKIPIFWEIGHT score to reflect your delete weight, or
      whatever weight you would like for the filter to be skipped if the
      system has already reached it before processing the filter.

The file can be downloaded from the following location:

   
   http://www.mailpure.com/software/decludefilters/gibberish/Gibberish_v2-0-1.zip

Please report any issues with the new filter format.  As soon as bugs 
stop being reported, I will move to convert the other dual file filters 
into single file alternatives which make use of the END functionality.  
Until the functionality goes into a full release, I'm going to continue 
to primarily provide the old style filters on my site.

Matt



Re: [Declude.JunkMail] Wondering about a few features in development.

2003-12-22 Thread R. Scott Perry

Any chance of exposing a %WEIGHT% and a %LINE% or %LINES% variable for the 
WARN action?  I can't say that I've tried these in the last month, but I 
couldn't get anything like this to work when I did and it seemed like 
something that makes sense to have.
That is a good question.  Right now, the way the code works, the variables 
in the warnings aren't expanded until after all the tests are run, so it 
wouldn't be possible to retrieve the information on the weight or the lines 
that failed.  However, we could probably change that.  This has been added 
to the suggestion database.

   -Scott


RE: [Declude.JunkMail] SPF still broken with v1.77i7?

2003-12-22 Thread R. Scott Perry

I just re-confirmed,

THESE entries appear in the spf.log file:

67.80.42.251 [EMAIL PROTECTED] [andyshome]: UNKNOWN
...
But the IP address 67.80.42.251 does not appear AT ALL in the spf.none file!
Thanks for pointing this out -- there is a new interim at 
http://www.declude.com/interim that will log extra information in this 
situation (which will still appear in the spf.log file).

   -Scott


[Declude.JunkMail] Stupid question

2003-12-22 Thread Doug Anderson



I'm setting up a Sender "Black list". Given the following 
header, what would I put in my black list file?
Is it the reply to or the from I need to look at? 

In this instance I would like to kill everything from 
quill.com, so would I just use that?

Received: from om-quill.rgc3.net [66.35.244.68] by mail.ameripride.org with ESMTP
  (SMTPD32-8.04) id A88E1B4014A; Wed, 10 Dec 2003 09:15:26 -0600
Received: by om-quill.rgc3.net (PowerMTA(TM) v2.0r5) id hqss6804faso;
  Wed, 10 Dec 2003 07:14:44 -0800 (envelope-from [EMAIL PROTECTED])
MIME-Version: 1.0
Content-Type: text/html;
  charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 10 Dec 2003 07:14:44 -0800
From: "Quill.com" [EMAIL PROTECTED]
Reply-To: "Quill.com" [EMAIL PROTECTED]
Subject: Quill Values Your Opinion
X-cid: quil.954.1
To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] [66.35.244.68]
X-Declude-Spoolname: D388e01b4014a4491.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMHEADERS [3]
X-Note: This E-mail was sent from (timeout) ([66.35.244.68]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 367773216




RE: [Declude.JunkMail] Windows Server 2003

2003-12-22 Thread Mark Smith
FWIW, We're running Windows 2003 server with imail gateways on 4 inbound MX
servers for MS Exchange 2003
We process about 300,000 messages per day.
No problems here.

Actually, we've been talking about moving the OS back to Windows XP
workstation.
Since we only use iMail as a gateway relayer, there's no need to run IIS.
There's no issue with more than 10 concurrent sessions so why waste the
Server license when we can just use a workstation license?

Mark Smith




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John
 Tolmachoff (Lists)
 Sent: Friday, December 19, 2003 8:33 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Windows Server 2003

 Here is a couple of quick stats from the responses:

 Of those using Windows Server 2003 at the time;

 0-5K messages per day 4
 5K-10K messages per day   2
 10K-20K messages per day  2
 20K-30K messages per day  1
 30K-50K messages per day  0
 50K-75K messages per day  1
 75K-100K messages per day 0
 100K or more per day  1

 Now, how can you see a pattern with those amounts of
 responses with problems on W2K3 compared to W2K?

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
  [EMAIL PROTECTED] On Behalf Of Omar K.
  Sent: Friday, December 19, 2003 5:06 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Windows Server 2003
 
  Statistically, a random 10% sample is sufficient on a lot of things.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 Kevin Bilbee
  Sent: Saturday, December 20, 2003 2:50 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Windows Server 2003
 
 
  Hey John they do samples in surveys of less than that of your sample as
  compared to the number of Imail servers.
 
  If you consider the number of people that watch TV and the small
  sample of people that NIELSEN uses to rate a show's popularity. I bet
  you have a better sampling than they do.
 
 
  Kevin Bilbee
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of John
   Tolmachoff
   (Lists)
   Sent: Friday, December 19, 2003 4:29 PM
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.JunkMail] Windows Server 2003
  
  
   No. I am saying that only 176 responses to the survey does not give
   a reliable survey result when there are clearly at least 10 times
   that many out there, if not way more.
  
   John Tolmachoff
   Engineer/Consultant/Owner
   eServices For You
  
-Original Message-
From: [EMAIL PROTECTED]
 [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Todd Holt
Sent: Friday, December 19, 2003 4:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Windows Server 2003
   
John,
Are you saying that small servers are not reliable?? :))
   
Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com
702.319.4349
   
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:Declude.JunkMail- [EMAIL PROTECTED] On
 Behalf Of John
 Tolmachoff (Lists)
 Sent: Friday, December 19, 2003 3:05 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Windows Server 2003

 Unfortunately, there were only 176 responses, mostly from small to mid
 size setups. Therefore, the results were not reliable.

 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:Declude.JunkMail- [EMAIL PROTECTED] On
 Behalf Of Omar K.
  Sent: Friday, December 19, 2003 2:15 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Windows Server 2003
 
  Yeah, whatever happened to that, I poured my heart out there :)
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  DLAnalyzer
  Support
  Sent: Friday, December 19, 2003 11:52 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] Windows Server 2003
 
 
  John,
 
  I remember you did a survey awhile back on problems with Imail/etc.
  Were the results of that ever posted?
 
  Darrell
   
  Check Out DLAnalyzer a comprehensive reporting tool for
  Declude Junkmail Logs - http://www.dlanalyzer.com
 
 
  John Tolmachoff (Lists) writes:
 
   For the majority, W2K3 is the way to go if you are able to. Ipswitch
   does support running Imail on W2K3.
  
   There are some possible issues.
  
   1. Running MS DSN service on W2K3 WITH Imail Anti-Spam DNS tests is a
   problem.
  
   2. Some issues have been reported on the Imail list 

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread R. Scott Perry

If any one is experiencing the overflow folder filling up and it is not
attributable to server load, please contact me.
The first thing to do is determine whether the issue is with Declude 
JunkMail, Declude Virus, or both.  If you are running both programs, you 
should temporarily disable one.  If it fixes the problem, that is the one 
at fault.  If not, try disabling the other to see if that fixes the 
problem.  If so, that one is at fault.

For Declude Virus, the main problem would be if the AV program never ends 
(in which case Declude Virus will automatically stop it after about a 
minute).  In this case, reinstalling the virus scanner and using the 
default settings from the manual should fix the problem.

For Declude JunkMail, the main problem would be a DNS server failure, which 
can cause the Declude processes to stay in memory a long time waiting for 
timeouts.  Another possibility would be an external test that does not end, 
which could cause the same problem.

   -Scott


Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
I would use the following:

   HEADERS  15  CONTAINS  quill.com

This message was sent through a third-party bulk mailer, and the 
MAILFROM address may change from server to server, but they are using a 
Reply-To address that will get picked up with that line.

Matt



Doug Anderson wrote:

I'm setting up a Sender Black list Given the following header, what 
would I put in my black list file?
Is it the reply to or the from I need to look at?
In this instance I would like to kill everything from quill.com, so 
would I just use that?
 
Received: from om-quill.rgc3.net [66.35.244.68] by mail.ameripride.org 
with ESMTP
  (SMTPD32-8.04) id A88E1B4014A; Wed, 10 Dec 2003 09:15:26 -0600
Received: by om-quill.rgc3.net (PowerMTA(TM) v2.0r5) id hqss6804faso; 
Wed, 10 Dec 2003 07:14:44 -0800 (envelope-from [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED])
MIME-Version: 1.0
Content-Type: text/html;
 charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Wed, 10 Dec 2003 07:14:44 -0800
From: Quill.com [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Reply-To: Quill.com [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Subject: Quill Values Your Opinion
X-cid: quil.954.1
To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with 
spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[66.35.244.68]
X-Declude-Spoolname: D388e01b4014a4491.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com 
http://www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMHEADERS [3]
X-Note: This E-mail was sent from (timeout) ([66.35.244.68]).
X-RCPT-TO: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Status: U
X-UIDL: 367773216
 




Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread R. Scott Perry

I'm setting up a Sender Black list Given the following header, what 
would I put in my black list file?
The sender blacklist works on the return address (where bounce messages 
would be sent, as seen in the X-Declude-Sender: header), which may be 
different from the From: address in the headers. Note that the return 
address is not visible in the headers unless you use the XSENDER ON 
option (you can later find out what the return address was by checking the 
IMail SMTP log files for the MAIL FROM: line).

Is it the reply to or the from I need to look at?
In this instance I would like to kill everything from quill.com, so would 
I just use that?
No, because:

X-Declude-Sender: mailto:[EMAIL PROTECTED][EMAIL PROTECTED] 
[66.35.244.68]
You certainly can add @quill.com to the sender blacklist, but you will 
also need to add [EMAIL PROTECTED] (or perhaps .rsc01.com, if you 
check out http://www.rsc01.com/ first).

   -Scott


Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Russ Uhte (Lists)
At 10:34 AM 12/22/2003, John Tolmachoff (Lists) wrote:
If any one is experiencing the overflow folder filling up and it is not
attributable to server load, please contact me. I am having this problem and
am narrowing it down.
John,
Do you run Sniffer?  If so, are you running the wide beta release?  If so, 
make sure you're using the latest version.  We saw this with all versions 
except the latest which I believe is 2-2b6.  Which has been running as 
smooth as silk!!

-Russ  



Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Matthew Bramble
Just another follow-up.  This might be dangerous to blacklist anything 
from quill.com since they are an ecommerce site and you may very well be 
blocking receipts and other order related information.  It would then be 
safer to go after the MAILFROM, though this won't work if they change 
the third-party bulk mailer.

   MAILFROM  15  CONTAINS  quill.rsc01.com

I generally unsubscribe customers from such lists when they report it as 
spam since they seem legit and they are probably only being sent E-mail 
because they have done business with the site.

Matt

Doug Anderson wrote:

I'm setting up a Sender Black list Given the following header, what 
would I put in my black list file?
Is it the reply to or the from I need to look at?
In this instance I would like to kill everything from quill.com, so 
would I just use that?
 
Received: from om-quill.rgc3.net [66.35.244.68] by mail.ameripride.org 
with ESMTP
  (SMTPD32-8.04) id A88E1B4014A; Wed, 10 Dec 2003 09:15:26 -0600
Received: by om-quill.rgc3.net (PowerMTA(TM) v2.0r5) id hqss6804faso; 
Wed, 10 Dec 2003 07:14:44 -0800 (envelope-from [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED])
MIME-Version: 1.0
Content-Type: text/html;
 charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Wed, 10 Dec 2003 07:14:44 -0800
From: Quill.com [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Reply-To: Quill.com [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Subject: Quill Values Your Opinion
X-cid: quil.954.1
To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with 
spam [420e].
X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[66.35.244.68]
X-Declude-Spoolname: D388e01b4014a4491.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com 
http://www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMHEADERS [3]
X-Note: This E-mail was sent from (timeout) ([66.35.244.68]).
X-RCPT-TO: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Status: U
X-UIDL: 367773216
 




Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Gerald V. Livingston II
On Mon, 22 Dec 2003 09:34:30 -0600 
Doug Anderson said something about [Declude.JunkMail] Stupid question:

 I'm setting up a Sender Black list Given the following header, what
 would I put in my black list file?
 Is it the reply to or the from I need to look at? 
 In this instance I would like to kill everything from quill.com, so
 would I just use that?
 
 Received: from om-quill.rgc3.net [66.35.244.68] by mail.ameripride.org
 with ESMTP
   (SMTPD32-8.04) id A88E1B4014A; Wed, 10 Dec 2003 09:15:26 -0600
 Received: by om-quill.rgc3.net (PowerMTA(TM) v2.0r5) id hqss6804faso;
 Wed, 10 Dec 2003 07:14:44 -0800 (envelope-from [EMAIL PROTECTED])

Except Quill.com is sending through an opt-in remailer
(http://www.rsc01.com/). 

You can start by just putting om-quill.rgc3.net in there if you may want
to allow other companies that use the rsc01 remailer to send you mail.

If you don't want any mail from the remailer at all put .rsc01.com in
your blacklist -- you may have to add others if they use multiples (rsc02,
03, 04) and you see them coming in.

G

-- 
Gerald V. Livingston II

Configure your Email to send TEXT ONLY -- See the following page:
http://expita.com/nomime.html
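
The replies in this thread weigh a header match against an envelope-sender match. The following added example (not any poster's code and not Declude's implementation) models the two filter lines Matt posted against three constructed messages. The mailbox names, the `.example` hosts and the case-insensitive substring matching are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    scope: str     # "HEADERS" or "MAILFROM"
    weight: int
    needle: str


@dataclass(frozen=True)
class Message:
    label: str
    mailfrom: str  # envelope return address from SMTP MAIL FROM
    headers: str   # raw header block as delivered


def parse_rule(line):
    """Parse 'SCOPE weight CONTAINS text', the only form used in the thread."""
    scope, weight, op, needle = line.split(None, 3)
    if scope not in ("HEADERS", "MAILFROM") or op != "CONTAINS":
        raise ValueError("unsupported filter line: %r" % line)
    return Rule(scope, int(weight), needle.strip().lower())


def score(rule, msg):
    """Weight added by one rule; case-insensitive substring match (assumption)."""
    haystack = msg.headers if rule.scope == "HEADERS" else msg.mailfrom
    return rule.weight if rule.needle in haystack.lower() else 0


def compare(rule_lines, messages):
    """Return {message label: {rule line: weight}} for every rule/message pair."""
    rules = [(line, parse_rule(line)) for line in rule_lines]
    return {m.label: {line: score(r, m) for line, r in rules} for m in messages}


# The two filter lines posted in the thread.
RULES = [
    "HEADERS  15  CONTAINS  quill.com",
    "MAILFROM  15  CONTAINS  quill.rsc01.com",
]

# Constructed messages: the archive redacted every real address, so the
# mailboxes below are placeholders and the .example hosts are hypothetical.
MESSAGES = [
    Message("survey via rsc01",
            "bounce-954@quill.rsc01.com",
            "Received: from om-quill.rgc3.net [66.35.244.68]\n"
            'From: "Quill.com" <survey@quill.com>\n'
            'Reply-To: "Quill.com" <survey@quill.com>\n'
            "Subject: Quill Values Your Opinion\n"),
    Message("order receipt sent direct",
            "orders@quill.com",
            "Received: from mail.quill.example [192.0.2.10]\n"
            'From: "Quill.com" <orders@quill.com>\n'
            "Subject: Your order receipt\n"),
    Message("survey via another mailer",
            "bounce-77@quill.bulkmailer.example",
            "Received: from mta.bulkmailer.example [192.0.2.20]\n"
            'From: "Quill.com" <survey@quill.com>\n'
            "Subject: Quill Values Your Opinion\n"),
]

if __name__ == "__main__":
    for label, hits in compare(RULES, MESSAGES).items():
        print(label)
        for line, weight in hits.items():
            print("   %-42s -> %d" % (line, weight))
```

The HEADERS line also scores the directly sent receipt, and the MAILFROM line stops matching once the bulk mailer changes, which are the two trade-offs raised in the replies.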



Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Frederick Samarelli
I get that same problem at different times of the day.

Like now.

I have lots of power and my dns server is working perfectly.

I monitor the system using Remote Task Manager.

The Declude process looks like it takes 10 - 60 seconds per email.

It is almost like it is in a wait state looking for something.

I loaded DNS on the mail server to eliminate it as the problem.

Fred





- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 10:34 AM
Subject: [Declude.JunkMail] Overflow


If any one is experiencing the overflow folder filling up and it is not
attributable to server load, please contact me. I am having this problem and
am narrowing it down.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
To clarify, this is not a Declude problem. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
 Sent: Monday, December 22, 2003 7:34 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Overflow
 
 If any one is experiencing the overflow folder filling up and it is not
 attributable to server load, please contact me. I am having this problem
 and
 am narrowing it down.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 


RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
Sniffer is not involved.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Russ Uhte (Lists)
 Sent: Monday, December 22, 2003 7:52 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Overflow
 
 At 10:34 AM 12/22/2003, John Tolmachoff (Lists) wrote:
 If any one is experiencing the overflow folder filling up and it is not
 attributable to server load, please contact me. I am having this problem
 and
 am narrowing it down.
 
 John,
 Do you run Sniffer?  If so, are you running the wide beta release?  If so,
 make sure you're using the latest version.  We saw this with all versions
 except the latest which I believe is 2-2b6.  Which has been running as
 smooth as silk!!
 
 -Russ
 


RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
 I loaded DNS on the mail server to eliminate it as the problem.

But is it still reoccurring? If so, have you tried clearing the cache and it
starts working again?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Overflow

2003-12-22 Thread R. Scott Perry

 The Declude process looks like it takes 10 - 60 seconds per email.

 It is almost like it is in a wait state looking for something.

There is about a 99% chance this *is* a DNS issue.

If you are positive that your DNS server is working well (answering cached 
queries very quickly, with no noticeable delay), the next thing to do is 
make sure that you are not running dead DNS-based spam tests (such as 
MONKEYS*, OS*, EASYNET*).  Depending on how well those tests died, they may 
timeout, causing the behavior you are experiencing.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Stupid question

2003-12-22 Thread Doug Anderson
For all those answering back

Quill was just an example. I check into a sender before bl'ing them and
attempt list removal if they have it.

- Original Message - 
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 9:52 AM
Subject: Re: [Declude.JunkMail] Stupid question


 Just another follow-up.  This might be dangerous to blacklist anything
 from quill.com since they are an ecommerce site and you may very well be
 blocking receipts and other order related information.  It would then be
 safer to go after the MAILFROM, though this won't work if they change
 the third-party bulk mailer.

 MAILFROM  15  CONTAINS  quill.rsc01.com

 I generally unsubscribe customers from such lists when they report it as
 spam since they seem legit and they are probably only being sent E-mail
 because they have done business with the site.

 Matt


 Doug Anderson wrote:

  I'm setting up a Sender Black list Given the following header, what
  would I put in my black list file?
  Is it the reply to or the from I need to look at?
  In this instance I would like to kill everything from quill.com, so
  would I just use that?
 
  Received: from om-quill.rgc3.net [66.35.244.68] by mail.ameripride.org
    with ESMTP (SMTPD32-8.04) id A88E1B4014A; Wed, 10 Dec 2003 09:15:26 -0600
  Received: by om-quill.rgc3.net (PowerMTA(TM) v2.0r5) id hqss6804faso;
    Wed, 10 Dec 2003 07:14:44 -0800 (envelope-from [EMAIL PROTECTED])
  MIME-Version: 1.0
  Content-Type: text/html;
    charset=ISO-8859-1
  Content-Transfer-Encoding: quoted-printable
  Date: Wed, 10 Dec 2003 07:14:44 -0800
  From: Quill.com [EMAIL PROTECTED]
  Reply-To: Quill.com [EMAIL PROTECTED]
  Subject: Quill Values Your Opinion
  X-cid: quil.954.1
  To: [EMAIL PROTECTED]
  Message-Id: [EMAIL PROTECTED]
  X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
  X-Declude-Sender: [EMAIL PROTECTED] [66.35.244.68]
  X-Declude-Spoolname: D388e01b4014a4491.SMD
  X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
  X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, SPAMHEADERS [3]
  X-Note: This E-mail was sent from (timeout) ([66.35.244.68]).
  X-RCPT-TO: [EMAIL PROTECTED]
  Status: U
  X-UIDL: 367773216
 





Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Frederick Samarelli
I am 100% sure it is not DNS.

I have Sniffer and Spamchk as external tests but I have commented them out
and still a problem.

The problem goes away after a while then comes back.

These are my external DNS tests.

BLITZEDALL       ip4r   opm.blitzed.org             *           3  0
CBL              ip4r   cbl.abuseat.org             127.0.0.2   10 0
EASYNET-DNSBL    ip4r   sbl.spamhaus.org            127.0.0.2   16 0
IPWHOIS          ip4r   ipwhois.rfc-ignorant.org    *           5  0
SORBS-HTTP       ip4r   dnsbl.sorbs.net             127.0.0.2   10 0
SORBS-SOCKS      ip4r   dnsbl.sorbs.net             127.0.0.3   10 0
SORBS-MISC       ip4r   dnsbl.sorbs.net             127.0.0.4   7  0
SORBS-SMTP       ip4r   dnsbl.sorbs.net             127.0.0.5   7  0
SORBS-WEB        ip4r   dnsbl.sorbs.net             127.0.0.7   7  0
FIVETEN-SPAMSUP  ip4r   blackholes.five-ten-sg.com  127.0.0.7   5  0
FIVETEN-MISC     ip4r   blackholes.five-ten-sg.com  127.0.0.9   10 0
FIVETEN-FREE     ip4r   blackholes.five-ten-sg.com  127.0.0.12  10 0
SECURITYSAGE     rhsbl  blackhole.securitysage.com  *           2  0
MAILPOLICE-BULK  rhsbl  bulk.rhs.mailpolice.com     127.0.0.2   10 0
MAILPOLICE-PORN  rhsbl  porn.rhs.mailpolice.com     127.0.0.2   10 0
ORDB             ip4r   relays.ordb.org             *           5  0
SPAMCOP          ip4r   bl.spamcop.net              127.0.0.2   17 0
SBBL             ip4r   sbbl.they.com               *           3  0
NJABL            ip4r   dnsbl.njabl.org             127.0.0.2   8  0
DSBL             ip4r   list.dsbl.org               *           6  0
DSN              rhsbl  dsn.rfc-ignorant.org        127.0.0.2   3  0


RE: [Declude.JunkMail] SPF still broken with v1.77i7?

2003-12-22 Thread Andy Schmidt
Hm,

The lines are below, please note...

A) [EMAIL PROTECTED] shows the same SPF text line - and says FAIL
(which is correct)

B) yet, any HM-Software.com domains (using the same SPF text line) claim
UNKNOWN because the DNS server did not respond!?

C) I'm including an NSLOOKUP executed at the Imail/Declude machine against
that DNS server:


NSLOOKUP


D:\>nslookup
Default Server:  maywood-is-0002.webhost.hm-software.com
Address:  63.107.174.65
> set type=txt
> hm-software.com.
hm-software.com text = Fax: +1 (201) 934-9206; Phone: +1 (201) 934-3411, Ext. 20
hm-software.com text = Owner: HM Systems Software, Inc.; Upper Saddle River; NJ 07458-1846; U.S.A.
hm-software.com text = v=spf1 mx include:webhost.hm-software.com include:hmsoftware.de -all
> webhost.hm-software.com.
webhost.hm-software.com text = v=spf1 ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all
> mail.webhost.hm-software.com.
mail.webhost.hm-software.com text = v=spf1 a -all
> smtp.webhost.hm-software.com.
smtp.webhost.hm-software.com text = v=spf1 a a:maywood-is-0003.webhost.hm-software.com -all
> set type=a
> maywood-is-0003.webhost.hm-software.com.
Name:    maywood-is-0003.webhost.hm-software.com
Addresses:  63.107.174.32, 65.119.204.32


YOUR SPF.LOG FILE
-

63.107.174.164   [EMAIL PROTECTED] [SALESM1]: UNKNOWN: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all Sorry, the DNS server
(63.107.174.65) did not respond with an answer (rcode=2). 

67.104.140.226   [EMAIL PROTECTED] [ZPNC0017]: FAIL: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all  

67.104.140.226   [EMAIL PROTECTED] [ZPNC0017]: FAIL: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all  

67.104.140.226   [EMAIL PROTECTED] [ZPNC0017]: FAIL: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all  

212.13.198.241   [EMAIL PROTECTED] [heifong.phase.org]: PASS:
v=spf1 +a:heifong.phase.org -all  

63.107.174.147   [EMAIL PROTECTED] [andyshome]: UNKNOWN: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all Sorry, the DNS server
(63.107.174.65) did not respond with an answer (rcode=2). 

63.107.174.147   [EMAIL PROTECTED] [andyshome]: UNKNOWN: v=spf1
ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all Sorry, the DNS server
(63.107.174.65) did not respond with an answer (rcode=2). 


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, December 22, 2003 10:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SPF still broken with v1.77i7?



I just re-confirmed,

THESE entries appear in the spf.log file:

67.80.42.251 [EMAIL PROTECTED] [andyshome]: UNKNOWN
...
But the IP address 67.80.42.251 does not appear AT ALL in the spf.none 
file!

Thanks for pointing this out -- there is a new interim at 
http://www.declude.com/interim that will log extra information in this 
situation (which will still appear in the spf.log file).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] SPF still broken with v1.77i7?

2003-12-22 Thread Andy Schmidt
Hi Scott:

Disregard! I found the DNS problem. It has nothing to do with the
information that you are logging, though - it's the include hmsoftware.de
that's failing on that machine.

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 
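
An added illustration of the diagnosis in the message above, not code from Declude or from the poster: an evaluator for the ip4, mx, include and all mechanisms, run over the TXT records shown in the nslookup output. The MX address and the hmsoftware.de record are constructed, and UNKNOWN (the name used in the spf.log) stands in for what RFC 7208 later calls temperror and permerror.

```python
"""SPF walk showing how one unreachable include changes the verdict."""
import ipaddress

# TXT records as shown in the nslookup output in this thread.
TXT = {
    "hm-software.com":
        "v=spf1 mx include:webhost.hm-software.com include:hmsoftware.de -all",
    "webhost.hm-software.com":
        "v=spf1 ip4:63.107.174.0/25 ip4:65.119.204.0/24 -all",
    # Constructed placeholder: the real hmsoftware.de record is not in the thread.
    "hmsoftware.de": "v=spf1 -all",
}
# Constructed: the thread does not list the MX hosts, so one address is assumed.
MX_ADDRS = {"hm-software.com": ["63.107.174.32"]}

QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


class DnsError(Exception):
    """The resolver answered SERVFAIL (rcode=2) or did not answer."""


def lookup_txt(domain, servfail):
    """Return the TXT record for `domain`, or raise if it is in `servfail`."""
    if domain in servfail:
        raise DnsError(domain)
    return TXT.get(domain)


def check_host(ip, domain, servfail=frozenset(), depth=0):
    """Evaluate `domain`'s record for `ip`, left to right.

    Returns (result, reason). Result names follow the spf.log in the thread.
    """
    if depth > 10:
        return "UNKNOWN", "too many nested includes"
    try:
        record = lookup_txt(domain, servfail)
    except DnsError:
        return "UNKNOWN", f"DNS error while fetching the record for {domain}"
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "NONE", f"{domain} publishes no SPF record"

    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            inner, reason = check_host(ip, arg, servfail, depth + 1)
            if inner == "UNKNOWN":
                # The error propagates: terms to the right, "-all" included,
                # are never evaluated.
                return "UNKNOWN", reason
            if inner == "NONE":
                return "UNKNOWN", f"include target {arg} has no SPF record"
            matched = inner == "PASS"  # an inner FAIL just means "no match"
        else:
            return "UNKNOWN", f"mechanism not handled here: {term}"
        if matched:
            return QUALIFIERS[qualifier], f"matched {term!r} in {domain}"
    return "NEUTRAL", f"nothing in {domain} matched"


def demo():
    """The cases from the thread, with and without the broken include."""
    broken = frozenset({"hmsoftware.de"})
    return {
        "direct record, outside ranges":
            check_host("67.104.140.226", "webhost.hm-software.com")[0],
        "outside ranges, include broken":
            check_host("63.107.174.164", "hm-software.com", broken)[0],
        "inside /25, include broken":
            check_host("63.107.174.20", "hm-software.com", broken)[0],
        "outside ranges, include repaired":
            check_host("63.107.174.164", "hm-software.com")[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result:8} {case}")
```

While the include target is unreachable, a sender outside both ip4 ranges gets UNKNOWN instead of FAIL, so a receiver that only acts on FAIL stops rejecting mail forged in the domain's name until the DNS problem is fixed.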





RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
Frederick, please answer my question.

You said you are using the MS DNS service on the server to help with the
problem.

Does it still reoccur, and if so, have you tried clearing the MS DNS service
cache and does that allow mail to flow until it reoccurs?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Frederick Samarelli
John,

I have not tried to clear the MS DNS Cache.

But the problem goes away after a while.

It is fine at the moment but it will come back soon.

Fred


RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
When it starts to happen again, immediately clear the MS DNS Cache and watch
the overflow directory to see if it starts to clear.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



Re: [Declude.JunkMail] Overflow

2003-12-22 Thread R. Scott Perry

 I have not tried to clear the MS DNS Cache.

 But the problem goes away after a while.

 It is fine at the moment but it will come back soon.

When it comes back, I would recommend checking the DNS server.  First, 
check to see the IP of the DNS server Declude JunkMail will be using (the 
first one listed in the IMail SMTP settings).  Then, go to a command 
prompt, and type:

nslookup
server 192.0.2.53   [replacing that IP with the IP of the DNS server that Declude JunkMail will be using]
2.0.0.127.bl.spamcop.net
2.0.0.127.bl.spamcop.net
2.0.0.127.bl.spamcop.net
2.0.0.127.bl.spamcop.net

What you are looking for is to see how quickly [1] you get the initial 
response (which could be delayed due to a problem with the DNS servers at 
spamcop.net), and [2] once you get the first response, how quickly cached 
responses come back.

Once you get the first response back, subsequent (cached) responses should 
come back very quickly (you should not be able to detect any delay).  If 
you can detect a delay, there is a problem with the DNS server or your 
connection to it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
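
The check described in the message above, as an added example that is not Declude's code or the poster's: it parses ip4r/rhsbl test lines in the layout posted earlier in the thread, sends each zone's probe name straight to one resolver several times, and classifies the timings. The 0.5-second threshold, the `test` label used for rhsbl zones and the sample config are assumptions of this example.

```python
"""Time DNS-based spam-test zones against one resolver."""
import socket
import struct
import sys
import time

# Constructed sample in the column layout of the test list posted in this thread:
# NAME  TYPE  ZONE  RESULT  WEIGHT  WEIGHT
SAMPLE_CFG = """\
SPAMCOP  ip4r   bl.spamcop.net        127.0.0.2  17  0
ORDB     ip4r   relays.ordb.org       *          5   0
DSN      rhsbl  dsn.rfc-ignorant.org  127.0.0.2  3   0
# SBBL   ip4r   sbbl.they.com         *          3   0
"""

SERVFAIL = 2  # the "rcode=2" that also shows up in the spf.log lines in this thread


def parse_dns_tests(cfg_text):
    """Return (name, type, zone) for every active ip4r/rhsbl line."""
    tests = []
    for line in cfg_text.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and not fields[0].startswith("#")
                and fields[1] in ("ip4r", "rhsbl")):
            tests.append((fields[0], fields[1], fields[2]))
    return tests


def probe_name(test_type, zone):
    """ip4r zones are probed with 127.0.0.2 reversed, as in the thread; for
    rhsbl zones any label will do for timing, 'test' is an assumption here."""
    return ("2.0.0.127." if test_type == "ip4r" else "test.") + zone


def build_query(qname, qid=0x1234):
    """Encode a single-question DNS query: type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def rcode_of(response):
    """RCODE is the low four bits of the 16-bit flags word at offset 2."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def udp_query(server, qname, timeout=5.0, qid=0x1234):
    """Ask `server` directly; return the RCODE, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, 53))  # only replies from this server are accepted
        sock.send(build_query(qname, qid))
        try:
            data = sock.recv(512)
        except OSError:  # includes socket.timeout
            return None
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != qid:
        return None
    return rcode_of(data)


def check_zone(qname, query, repeats=4, slow=0.5, clock=time.monotonic):
    """Repeat one lookup. The first reply may be slow (uncached); later ones
    should be instant. `slow` (seconds) is an assumed threshold."""
    timings = []
    for _ in range(repeats):
        start = clock()
        rcode = query(qname)
        timings.append((clock() - start, rcode))
    failed = [rc is None or rc == SERVFAIL for _, rc in timings]
    if all(failed):
        return "dead", timings
    if any(failed[1:]) or any(t > slow for t, _ in timings[1:]):
        return "slow-cache", timings
    return "ok", timings


def audit(cfg_text, query, clock=time.monotonic):
    """Map each configured test name to 'ok', 'slow-cache' or 'dead'."""
    return {name: check_zone(probe_name(kind, zone), query, clock=clock)[0]
            for name, kind, zone in parse_dns_tests(cfg_text)}


if __name__ == "__main__":
    # Usage: python dnsbl_audit.py <resolver-ip> [path-to-config]
    resolver = sys.argv[1]
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CFG
    for test, verdict in audit(text, lambda q: udp_query(resolver, q)).items():
        print(f"{test:16} {verdict}")
```

A zone reported as `dead` never produced a usable answer in any attempt; `slow-cache` means a repeat lookup was still slow or failed, which points at the resolver or the path to it rather than at the list.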



[Declude.JunkMail] Score not being added correctly, very serious...

2003-12-22 Thread Matthew Bramble
Scott,

I have a feeling that one of the recent changes created a bug in the way 
that scores are added in combination from the Global.cfg and the custom 
filter file when combined.  Here's an example:

X-MailPure: ==
X-MailPure: IPNOTINMX: Failed, IP is not listed in MX or A records (weight 0).
X-MailPure: NOLEGITCONTENT: Failed, no legitimate content detected (weight 0).
X-MailPure: HELOBOGUS: Failed, bogus connecting server name (weight 4).
X-MailPure: DYNAMIC: Message failed DYNAMIC test (line 342, weight -3).
X-MailPure: ==
X-MailPure: Spam Score: 1
X-MailPure: Scan Time: 13:19:42 on 12/22/2003
X-MailPure: Spool File: D35b701a9017c3a95.SMD
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: 66-109-42-67.ip.reallyfastnet.com [66.109.42.67]

The DYNAMIC filter is scored as 3 points for a hit in Global.cfg

   DYNAMIC    filter    C:\IMail\Declude\Filters\Dynamic.txt    x    3    0

And within the filter file, it should have hit the following lines:

   REVDNS    -3    ENDSWITH    .reallyfastnet.com
   REVDNS    0     CONTAINS    -42-
   REVDNS    0     CONTAINS    -109-

The total score should have been 0 points, but it scored a -3 instead.  
The order of the individual lines in the filter are as they appear 
above.  Naturally this is a serious issue as it affects all 
counterbalanced filters and I need to change my settings pretty quick 
otherwise I'm going to be letting a bunch of spam through.

Thanks,

Matt
--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


[Declude.JunkMail] Declude JunkMail and Declude Virus Versions?

2003-12-22 Thread Bridges, Samantha
Where can I find the version of the declude products?  I want to be sure
I am at the current versions.

Thanks




RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
Fred, it means you are experiencing the exact same problem I am.

I am investigating. For now, I have a script to stop and start the MS DNS
service every half hour to clear the cache. 

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Frederick Samarelli
 Sent: Monday, December 22, 2003 10:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Overflow
 
 OK.
 
 It just happened again.
 
 I cleared the Cache and the backup cleared.
 
 What does that mean?
 
 Fred
 - Original Message -
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, December 22, 2003 12:23 PM
 Subject: Re: [Declude.JunkMail] Overflow
 
 
 
  I have not tried to clear the MS DNS Cache.
  
  But the problem goes away after a while.
  
  It is fine at the moment but it will come back soon.
 
  When it comes back, I would recommend checking the DNS server.  First,
  check to see the IP of the DNS server Declude JunkMail will be using (the
  first one listed in the IMail SMTP settings).  Then, go to a command
  prompt, and type:

   nslookup
   server 192.0.2.53   [replacing that IP with the IP of the DNS server that Declude JunkMail will be using]
   2.0.0.127.bl.spamcop.net
   2.0.0.127.bl.spamcop.net
   2.0.0.127.bl.spamcop.net
   2.0.0.127.bl.spamcop.net

  What you are looking for is to see how quickly [1] you get the initial
  response (which could be delayed due to a problem with the DNS servers at
  spamcop.net), and [2] once you get the first response, how quickly cached
  responses come back.

  Once you get the first response back, subsequent (cached) responses should
  come back very quickly (you should not be able to detect any delay).  If
  you can detect a delay, there is a problem with the DNS server or your
  connection to it.
 
  -Scott


Re: [Declude.JunkMail] Overflow

2003-12-22 Thread R. Scott Perry

> It just happened again.
>
> I cleared the Cache and the backup cleared.
>
> What does that mean?

That means that your DNS server is dying.  It sounds like this may be a 
common problem with Microsoft DNS, where it starts choking if it has too 
much in its cache.  Switching to the latest version of BIND may be the best 
option.

   -Scott


Re: [Declude.JunkMail] Declude JunkMail and Declude Virus Versions?

2003-12-22 Thread R. Scott Perry

> Where can I find the version of the declude products?  I want to be sure
> I am at the current versions.

You can find the latest version at 
http://www.declude.com/junkmail/manual.htm or 
http://www.declude.com/virus/manual.htm .  Note that the same Declude.exe 
file is shared by both programs, so upgrading from either URL will update 
both programs.

   -Scott


RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
 It just happened again.
 
 I cleared the Cache and the backup cleared.
 
 What does that mean?
 
 That means that your DNS server is dying.  It sounds like this may be a
 common problem with Microsoft DNS, where it starts choking if it has too
 much in its cache.  Switching to the latest version of BIND may be the
 best option.

Scott, I am not sure on that, as when I first was experiencing this problem,
the DNS servers used were BIND and not MS DNS. However, that is going to be
tested against those servers as well.

I am looking into reports of malicious DNS loops during the past week or so
on another list.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Frederick Samarelli
Not sure what you are suggesting.

Latest version of Bind?

Is there a newer version of MS DNS or are you suggesting a different
product.

Fred
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 2:02 PM
Subject: Re: [Declude.JunkMail] Overflow



 It just happened again.
 
 I cleared the Cache and the backup cleared.
 
 What does that mean?

 That means that your DNS server is dying.  It sounds like this may be a
 common problem with Microsoft DNS, where it starts choking if it has too
 much in its cache.  Switching to the latest version of BIND may be the
 best option.

 -Scott


Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Is this all being found on Windows 2003?  I'm a couple of months away 
from adding a new server and this would definitely resolve any questions 
that I might have about Windows 2003 being an option.  I know why John 
needs to play with the latest and greatest, but I have no such 
inclination or need.

Matt



R. Scott Perry wrote:


It just happened again.

I cleared the Cache and the backup cleared.

What does that mean?


That means that your DNS server is dying.  It sounds like this may be 
a common problem with Microsoft DNS, where it starts choking if it has 
too much in its cache.  Switching to the latest version of BIND may be 
the best option.

   -Scott




[Declude.JunkMail] SPF Anomaly

2003-12-22 Thread Bill Landry
Scott, maybe you can shed some light on this.  Here is a snippet of Andy
Schmidt's spf.log from a message I sent him:
=
204.189.39.254   [EMAIL PROTECTED] [psmail02.pointshare.com]: PASS
=

We just sent out some customer announcements and here is the From line out
of the declude log from one of these messages:
=
From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 204.189.39.254 ID: 21ADCADC5A
=

And a corresponding line from our spf.log:
=
204.189.39.254   [EMAIL PROTECTED] [psmail02.pointshare.com]: FAIL: v=spf1 ip4:206.114.136.0/23 ip4:206.114.143.240/28 a:psmail02.pointshare.com ptr mx/24 -all
=

Here is the only DNS line from my global.cfg file:
=
DNS    206.114.137.8
=

From the DNS at 206.114.137.8:
=
dig txt pointshare.com

; <<>> DiG 9.2.3 <<>> txt pointshare.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11815
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pointshare.com.                IN      TXT

;; ANSWER SECTION:
pointshare.com. 172800  IN  TXT v=spf1 ip4:206.114.136.0/23 ip4:206.114.143.240/28 a:psmail02.pointshare.com ptr mx/24 -all

;; AUTHORITY SECTION:
pointshare.com. 172800  IN  NS  ns2.pointshare.com.
pointshare.com. 172800  IN  NS  ns1.pointshare.com.

;; ADDITIONAL SECTION:
ns1.pointshare.com. 172800  IN  A   204.189.38.1
ns2.pointshare.com. 172800  IN  A   204.189.38.2

;; Query time: 31 msec
;; SERVER: 206.114.137.8#53(206.114.137.8)
;; WHEN: Mon Dec 22 10:47:28 2003
;; MSG SIZE  rcvd: 204

=

NSLookUp from the IMail Server:
=
L:\>nslookup
Default Server:  ns1.pointshare.net
Address:  206.114.137.30

> server 206.114.137.8
Default Server:  [206.114.137.8]
Address:  206.114.137.8

> set type=txt
> pointshare.com
Server:  [206.114.137.8]
Address:  206.114.137.8

pointshare.com  text =

        v=spf1 ip4:206.114.136.0/23 ip4:206.114.143.240/28 a:psmail02.pointshare.com ptr mx/24 -all
pointshare.com  nameserver = ns1.pointshare.com
pointshare.com  nameserver = ns2.pointshare.com
ns1.pointshare.com  internet address = 204.189.38.1
ns2.pointshare.com  internet address = 204.189.38.2
=

Any ideas why these messages might be failing SPF?

Bill
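
An added example, not part of the original post and not Declude's code: a minimal evaluator for the ip4, a, mx, ptr and all mechanisms of the record quoted above. It shows that neither ip4 range covers 204.189.39.254, so the verdict for that address depends entirely on what the a/ptr/mx lookups return from the resolver doing the check. Both resolver tables below are constructed for illustration and say nothing about the real zone.

```python
import ipaddress

# Record and connecting IP as quoted in the post above.
RECORD = ("v=spf1 ip4:206.114.136.0/23 ip4:206.114.143.240/28 "
          "a:psmail02.pointshare.com ptr mx/24 -all")
CLIENT_IP = "204.189.39.254"
RESULTS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


class StubDNS:
    """Fixed answer tables so the evaluation is repeatable offline."""

    def __init__(self, a=None, mx=None, ptr=None):
        self.a, self.mx, self.ptr = a or {}, mx or {}, ptr or {}

    def lookup_a(self, name):
        return self.a.get(name.lower(), [])

    def lookup_mx(self, name):
        return self.mx.get(name.lower(), [])

    def lookup_ptr(self, ip):
        return self.ptr.get(ip, [])


def in_net(ip, addr, prefix):
    """True if ip falls inside addr/prefix (host bits in addr are ignored)."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def evaluate(record, ip, domain, dns):
    """Return (result, matching_term) for an IPv4 client; first match wins.

    Simplification of this example: modifiers and mechanisms other than
    ip4/a/mx/ptr/all are skipped instead of raising an error.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "NONE", None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        body, _, cidr = term.lstrip("+-~?").partition("/")
        name, _, arg = body.partition(":")
        prefix = int(cidr) if cidr else 32
        name = name.lower()
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = in_net(ip, arg, prefix)
        elif name == "a":
            hit = any(in_net(ip, addr, prefix)
                      for addr in dns.lookup_a(arg or domain))
        elif name == "mx":
            hit = any(in_net(ip, addr, prefix)
                      for host in dns.lookup_mx(arg or domain)
                      for addr in dns.lookup_a(host))
        elif name == "ptr":
            # Reverse name must sit under the target domain and resolve back to ip.
            target = (arg or domain).lower()
            hit = any((host.lower() == target
                       or host.lower().endswith("." + target))
                      and ip in dns.lookup_a(host)
                      for host in dns.lookup_ptr(ip))
        else:
            continue
        if hit:
            return RESULTS[qualifier], term
    return "NEUTRAL", None


# Constructed view 1: the resolver returns the connecting IP for the a: name.
VIEW_A = StubDNS(a={"psmail02.pointshare.com": ["204.189.39.254"]})

# Constructed view 2: the resolver returns a different (made-up) address for
# the same name, has no PTR for the client, and the MX points at that host.
VIEW_B = StubDNS(a={"psmail02.pointshare.com": ["206.114.137.50"]},
                 mx={"pointshare.com": ["psmail02.pointshare.com"]})

if __name__ == "__main__":
    for label, view in (("view 1", VIEW_A), ("view 2", VIEW_B)):
        print(label, evaluate(RECORD, CLIENT_IP, "pointshare.com", view))
```

When two servers disagree on the same message, comparing the A, MX and PTR answers each server's configured resolver gives for the names in the record is the first thing to check.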



RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff (Lists)
No, this is on W2K.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Matthew Bramble
 Sent: Monday, December 22, 2003 11:20 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Overflow
 
 Is this all being found on Windows 2003?  I'm a couple of months away
 from adding a new server and this would definitely resolve any questions
 that I might have about Windows 2003 being an option.  I know why John
 needs to play with the latest and greatest, but I have no such
 inclination or need.
 
 Matt
 
 
 
 R. Scott Perry wrote:
 
 
  It just happened again.
 
  I cleared the Cache and the backup cleared.
 
  What does that mean?
 
 
  That means that your DNS server is dying.  It sounds like this may be
  a common problem with Microsoft DNS, where it starts choking if it has
  too much in its cache.  Switching to the latest version of BIND may be
  the best option.
 
 -Scott
 
 
 


RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread George Kulman
Matt,

I thought you might be interested in the attached data which analyzes the
GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from
11/15 through yesterday.

If you're looking for effectiveness you should set the entries in
descending order of probability.  I use a variation which looks at date of
most recent hit as well as hit count, although that's more important with
filters that are being modified on a continual rather than a fairly static
filter such as these two.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matthew Bramble
 Sent: Monday, December 22, 2003 9:52 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
 filter with END functionality.
 
 
 I've made some huge leaps forward recently in terms of the processing
 power required to run Declude with the custom filters that I have
 installed.  This was done by way of the SKIPIFWEIGHT functionality
 introduced in the latest beta, but also by way of re-ordering my filters
 in the Global.cfg file so that the easiest to process custom filters are
 run first in the hopes of avoiding the need to run more costly ones.

 This new version of GIBBERISH makes use of functionality introduced in
 the 1.77 beta, however the most recent interim release, 1.77i7, should
 be used in order to guarantee proper operation (initial versions would
 always end processing, and effectively disabled the filters).  The END
 functionality removes the need to have ANTI filters since the filter can
 be stopped before it gets to the main filter matches, and it also
 presents another opportunity to save on the processing power required to
 run such things.  This also makes use of the MAXWEIGHT functionality to
 limit the max score as well as end processing once a single hit has been
 scored.  Note that the filter will only log (at the LOW setting) and
 show WARN actions when the filter is tripped and an END was not
 hit...which is great!  No more looking at non-scoring custom filters due
 to counterbalances :D

 Please read through the file and follow these instructions if you
 already have GIBBERISH installed:

 1) Comment out the ANTI-GIBBERISH custom filter in your Global.cfg
 2) Change the score of the GIBBERISH filter to 0 in your Global.cfg.
 3) Change the scoring of the filter to match your system (it is
    scored by default for base 10 systems).  This can be done
    by changing the MAXWEIGHT and Main Filter lines to reflect the
    multiple of 10 that your system is based on.
 4) Change the SKIPIFWEIGHT score to reflect your delete weight, or
    whatever weight you would like for the filter to
    be skipped if the system has already reached it before
    processing the filter.

 The file can be downloaded from the following location:

 http://www.mailpure.com/software/decludefilters/gibberish/Gibberish_v2-0-1.zip

Please report any issues with the new filter format.  As soon as bugs 
stop being reported, I will move to convert the other dual file filters 
into single file alternatives which make use of the END functionality.  
Until the functionality goes into a full release, I'm going to continue 
to primarily provide the old style filters on my site.

Matt



gibberishdata.zip
Description: Zip compressed data


Re: [Declude.JunkMail] Overflow

2003-12-22 Thread R. Scott Perry
>> That means that your DNS server is dying.  It sounds like this may be a
>> common problem with Microsoft DNS, where it starts choking if it has too
>> much in its cache.  Switching to the latest version of BIND may be the best
>> option.
>
> Not sure what you are suggesting.
>
> Latest version of Bind?

Correct.

> Is there a newer version of MS DNS or are you suggesting a different
> product.

I don't know -- I've never actually used MS DNS.  But it sounds like there 
is a serious problem with MS DNS that a number of our customers have been 
seeing lately, where it slows down tremendously, that requires either a 
clearing of the cache or reboot to fix.

   -Scott


[Declude.JunkMail] Filtering question.

2003-12-22 Thread Chuck Schick
I am adding filter files in slowly to my Declude setup.  I now have added
filter tests that are scanning the body of emails.  I have noticed a
significant increase in CPU spikes.  I want to skip these body tests if the
weight is high.  From the filter files that others have been kind enough to
share with me I notice the following at the start of the filter file:

SKIPIFWEIGHT 25
MAXWEIGHT 25

My question is what version of Declude do I have to be running for these
commands to work.

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com



Re: [Declude.JunkMail] Filtering question.

2003-12-22 Thread R. Scott Perry

> I am adding filter files in slowly to my Declude setup.  I now have added
> filter tests that are scanning the body of emails.  I have noticed a
> significant increase in CPU spikes.

That will happen if you have a lot of BODY filters.  For example, if you 
have 1,000 BODY filters, Declude JunkMail will have to search through the 
body of the E-mail 1,000 times.  That works out to millions of comparisons, 
which is time consuming (there are more efficient algorithms, which we will 
likely be looking into soon, now that there are a significant number of 
people using many BODY filters).

> I want to skip these body tests if the
> weight is high.  From the filter files that others have been kind enough to
> share with me I notice the following at the start of the filter file:
> SKIPIFWEIGHT 25
> MAXWEIGHT 25
> My question is what version of Declude do I have to be running for these
> commands to work.

These require v1.77 or later.

   -Scott


Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
George,

That's good data to have.  I would have to assume that something tagged 
as gibberish in the main test would be random, and that's fairly well 
indicated by the somewhat tight range of the two character strings.  
Unless you are using a logging feature that I'm not aware of, you are 
only showing the last hit that the filter produces, and that explains 
why the Z strings are mostly bunched at the top.  I've got these ordered 
alphabetically and will probably leave them there for management purposes.

The counterbalances though are definitely something that I will use your 
information for reordering them.  I believe I made an attempt to order 
these in the 2.0 filter version according to what I thought would be 
more common as well as what would be a faster search (BODY searches are 
slower than other things and will go lower in general, though a BODY 
search for base64 goes at the top because it is fairly common). Because 
of this and along with the above mentioned issue, the hit stats 
therefore aren't a perfect indication of what would save the most 
processing power, but it definitely helps if you just make some 
assumptions.  I hadn't gathered any stats myself on the Auto-generated 
Codes that I added in about a month or so ago, and it's nice to see that 
they're getting hit since I was really just brainstorming about what 
types of things might be seen.  I might remove some entries though if 
they aren't showing being hit since they are BODY searches and 
expensive.  I'll probably still leave that list of Auto-generated Codes 
in alphabetical order though for management purposes.  This shouldn't 
make a big difference considering that the most common one only gets hit 
about 1-3% of the time (don't know how common the filter fails a later 
line which ends up getting logged instead).

If Declude did log every line that hits in a filter, you would see 
things like GIBBERISH hitting some attachments thousands of times per 
message, and I don't think that's worth the trouble.  Data like this 
will make a much bigger impact on performance if you run it against 
filters where hits can only occur once in a file due to unique data or 
exact matching.  Kami has a bunch of those.

Thanks,

Matt



George Kulman wrote:

Matt,

I thought you might be interested in the attached data which analyzes the
GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from
11/15 through yesterday.

If you're looking for effectiveness you should set the entries in
descending order of probability.  I use a variation which looks at date of
most recent hit as well as hit count, although that's more important with
filters that are being modified on a continual rather than a fairly static
filter such as these two.

George

 


RE: [Declude.JunkMail] Overflow

2003-12-22 Thread Fritz Squib
Hey guys, this sounds like the same problem that I have been experiencing,
however it has been a bunch of spam with c.c. 's to nonexistent mail
addresses on my server (dictionary attack style) ..My DNS is working fine.

I spent the weekend returning mail from the old spool to a new spool that I
had to create.

I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems with
forged return addresses.

My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments


---
[This E-mail scanned by Citizens Internet Services with Declude Virus.]



Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Frederick Samarelli
I just loaded a copy of Metaip DNS software.

http://www.metainfo.com/

Removed the MS DNS.

Will keep you informed.



- Original Message - 
From: Charles Frolick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 3:19 PM
Subject: RE: [Declude.JunkMail] Overflow


 You might try another DNS server software. I use SimpleDNS Plus
 (http://www.jhsoft.com/), and run all my customer domains (350), 250K+
 messages per day with Declude and Imail using it, and 2000 dial
 customers, with no issues.
 I have never heard MS DNS to be stable under high load conditions. It
 used to do strange things with more than 20 domains under very low load
 back in NT4, and I heard it had a memory leak under 2k with an earlier
 service pack.

 Thanks,
 Chuck Frolick
 ArgoLink.net

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Monday, December 22, 2003 1:30 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Overflow


  That means that your DNS server is dying.  It sounds like this may be a
  common problem with Microsoft DNS, where it starts choking if it has too
  much in its cache.  Switching to the latest version of BIND may be the
  best option.

 Not sure what you are suggesting.
 
 Latest version of Bind?

 Correct.

 Is there a newer version of MS DNS or are you suggesting a different
 product.

 I don't know -- I've never actually used MS DNS.  But it sounds like there
 is a serious problem with MS DNS that a number of our customers have been
 seeing lately, where it slows down tremendously, that requires either a
 clearing of the cache or reboot to fix.

 -Scott


Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Bill Landry
Matt, if you set your JunkMail logging to HIGH, you will see every line item
that Declude matches on in the FILTER files

Bill
- Original Message - 
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:17 PM
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END
functionality.


 George,

 That's good data to have.  I would have to assume that something tagged
 as gibberish in the main test would be random, and that's fairly well
 indicated by the somewhat tight range of the two character strings.
 Unless you are using a logging feature that I'm not aware of, you are
 only showing the last hit that the filter produces, and that explains
 why the Z strings are mostly bunched at the top.  I've got these ordered
 alphabetically and will probably leave them there for management purposes.



Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
I've been rethinking my strategy for dealing with dictionary attacks on 
my server.  While the nobody alias has proved to be problematic, so does 
not having a nobody alias due to the possibility of being dictionary 
attacked.

I'm thinking of setting up all the nobody aliases to redirect E-mail to 
an account which deletes the message with an IMail rule.  This way, a 
dictionary attack will find that all the E-mail gets accepted and 
hopefully stops attacking, while at the same time I'm not sending this 
E-mail to someone's real account.

Is anyone getting dictionary attacked for long periods of time on a 
domain with a nobody alias or something that is gatewayed?

Thanks,

Matt



Fritz Squib wrote:

Hey guys, this sounds like same problem that I have been experiencing,
however it has been a bunch of spam with c.c. 's to non-existent mail
addresses on my server (dictionary attack style) ..My DNS is working fine.
I spent the weekend returning mail from the old spool to a new spool that I
had to create.
I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems with
forged return addresses.
My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments

 



Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
Ick...but thanks for letting me know.  Maybe this is better to have in 
debug.  I could see some filters hitting even more than GIBBERISH does 
on Base64 stuff.

Matt

Bill Landry wrote:

Matt, if you set your JunkMail logging to HIGH, you will see every line item
that Declude matches on in the FILTER files
Bill
- Original Message - 
From: Matthew Bramble [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, December 22, 2003 12:17 PM
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END
functionality.

 

George,

That's good data to have.  I would have to assume that something tagged
as gibberish in the main test would be random, and that's fairly well
indicated by the somewhat tight range of the two character strings.
Unless you are using a logging feature that I'm not aware of, you are
only showing the last hit that the filter produces, and that explains
why the Z strings are mostly bunched at the top.  I've got these ordered
alphabetically and will probably leave them there for management purposes.
   

 

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===


Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Nick Hayer
Hi Matt,

 Is anyone getting dictionary attacked for long periods of time on a
 domain with a nobody alias or something that is gatewayed?
 
 Thanks,

Yes. I get hammered every day..; I got rid of the nobody alias, filter 
the log files for the ip's that connected - and add them to my Imail 
Access control list. Currently that list contains nearly 10,000 
ip's...

-Nick Hayer





 
 Matt
 
 
 
 Fritz Squib wrote:
 
 Hey guys, this sounds like same problem that I have been
 experiencing, however it has been a bunch of spam with c.c. 's to
 non-existent mail addresses on my server (dictionary attack style)
 ..My DNS is working fine.
 
 I spent the weekend returning mail from the old spool to a new spool
 that I had to create.
 
 I had around 67,000 of these buggers to deal with...no fun.
 
 All of the mail seems to be originating from dsl and cable modems
 with forged return addresses.
 
 My server is swamped again today - started again about 2-3 hours ago.
 
 Fritz
 
 Frederick P. Squib, Jr.
 Network Operations/Mail Administrator
 Citizens Telephone Company of Kecksburg
 http://www.wpa.net
 
 ()  ascii ribbon campaign - against html mail 
 /\- against microsoft attachments
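
Nick's approach of mining the logs for attacking IPs, sketched as an added example (not from the thread, and not IMail's own tooling): it keys on the connecting IP rather than the forged return address, and flags only sources that probe many distinct unknown recipients. The log layout, addresses and thresholds are constructed assumptions, and it assumes unknown recipients are rejected with a 550 (no nobody alias).

```python
import re
from collections import defaultdict

# Constructed log in a generic "<time> <client-ip> RCPT <address> <smtp-code>"
# layout. This is NOT IMail's log format; adapt LINE to the real one.
SAMPLE_LOG = """\
14:03:11 203.0.113.5 RCPT aaron@example.com 550
14:03:11 203.0.113.5 RCPT abby@example.com 550
14:03:12 203.0.113.5 RCPT adam@example.com 550
14:03:12 203.0.113.5 RCPT alan@example.com 550
14:03:13 203.0.113.5 RCPT alex@example.com 550
14:03:13 203.0.113.5 RCPT alice@example.com 550
14:05:40 198.51.100.20 RCPT sales@example.com 250
14:05:41 198.51.100.20 RCPT slaes@example.com 550
14:05:55 198.51.100.20 RCPT sales@example.com 250
14:06:02 198.51.100.20 RCPT info@example.com 250
14:07:30 192.0.2.77 RCPT bill@example.com 550
14:07:30 192.0.2.77 RCPT bob@example.com 550
14:07:31 192.0.2.77 RCPT brad@example.com 550
14:07:31 192.0.2.77 RCPT info@example.com 250
14:07:32 192.0.2.77 RCPT brian@example.com 550
14:07:32 192.0.2.77 RCPT bruce@example.com 550
14:09:00 192.0.2.9 RCPT old-list@example.com 550
14:19:00 192.0.2.9 RCPT old-list@example.com 550
14:29:00 192.0.2.9 RCPT old-list@example.com 550
14:39:00 192.0.2.9 RCPT old-list@example.com 550
14:49:00 192.0.2.9 RCPT old-list@example.com 550
"""

LINE = re.compile(
    r"^(\d\d:\d\d:\d\d) (\d{1,3}(?:\.\d{1,3}){3}) RCPT ([^@\s]+)@(\S+) (\d{3})$"
)


def dictionary_attack_sources(log_text, min_unknown=5, min_reject_ratio=0.8):
    """Return [(ip, distinct_unknown, rejects, total)] for likely attackers.

    An IP is flagged when it tried at least `min_unknown` DISTINCT unknown
    recipients and at least `min_reject_ratio` of its RCPT attempts failed.
    Counting distinct names keeps a single typo, or one stale address
    retried many times, from putting a legitimate host on the block list.
    """
    unknown = defaultdict(set)   # ip -> distinct rejected local parts
    rejects = defaultdict(int)   # ip -> number of 550 responses
    total = defaultdict(int)     # ip -> number of RCPT attempts

    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue             # ignore lines in any other layout
        _time, ip, local, _domain, code = match.groups()
        total[ip] += 1
        if code == "550":
            rejects[ip] += 1
            unknown[ip].add(local.lower())

    flagged = []
    for ip, names in unknown.items():
        ratio = rejects[ip] / total[ip]
        if len(names) >= min_unknown and ratio >= min_reject_ratio:
            flagged.append((ip, len(names), rejects[ip], total[ip]))
    # Most aggressive sources first.
    flagged.sort(key=lambda row: (-row[1], row[0]))
    return flagged


if __name__ == "__main__":
    for ip, names, rej, tot in dictionary_attack_sources(SAMPLE_LOG):
        print(f"{ip}: {names} distinct unknown recipients, {rej}/{tot} rejected")
```
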
 
   
 
 


RE: [Declude.JunkMail] Filtering question.

2003-12-22 Thread Chuck Schick
Scott:

Thank you.  Another question - which filtering tests use the most amount of
CPU?

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
 Sent: Monday, December 22, 2003 1:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Filtering question.



 I am adding filter files in slowly to my Declude setup.  I now have added
 filter tests that are scanning the body of emails.  I have noticed a
 significant increase in CPU spikes.

 That will happen if you have a lot of BODY filters.  For example, if you
 have 1,000 BODY filters, Declude JunkMail will have to search through the
 body of the E-mail 1,000 times.  That works out to millions of comparisons,
 which is time consuming (there are more efficient algorithms, which we will
 likely be looking into soon, now that there are a significant number of
 people using many BODY filters).

 I want to skip these body tests if the weight is high.  From the filter
 files that others have been kind enough to share with me I notice the
 following at the start of the filter file:
 
 SKIPIFWEIGHT 25
 MAXWEIGHT 25
 
 My question is what version of Declude do I have to be running for these
 commands to work.

 These require v1.77 or later.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail
 mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day
 evaluation.



RE: [Declude.JunkMail] Filtering question.

2003-12-22 Thread R. Scott Perry

Thank you.  Another question - which filtering tests use the most amount of
CPU?

The combination of BODY CONTAINS or HEADERS CONTAINS (such as BODY 5 
CONTAINS ThatDrugThatBeginsWithTheLetterV) are the only ones that will 
normally cause high CPU usage.  Others can, but would require many more 
entries (for example, it may take 50,000 SUBJECT CONTAINS filter lines to 
use the same CPU usage as 1,000 BODY CONTAINS filter lines).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
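
Scott's point that each BODY CONTAINS line costs a separate pass over the message, shown as an added example (not Declude's code): a naive scanner is compared with an Aho-Corasick automaton, one well-known multi-pattern algorithm, which finds every phrase in a single pass. The filter phrases, weights and message body are constructed, and case-insensitive matching is an assumption.

```python
from collections import deque

# Constructed (weight, phrase) entries standing in for BODY ... CONTAINS lines.
FILTERS = [
    (5, "free offer"),
    (3, "offer"),
    (4, "unsubscribe here"),
    (2, "here"),
    (6, "no prescription"),
    (7, "wire transfer"),
    (1, "prescriptions"),
]

# Constructed message body.
BODY = "Get your FREE OFFER today, no prescription needed. Unsubscribe here."


def naive_scan(body, filters):
    """One substring search per filter line: N lines means N passes."""
    text = body.lower()
    hits, passes = set(), 0
    for idx, (_weight, phrase) in enumerate(filters):
        passes += 1
        if phrase.lower() in text:
            hits.add(idx)
    return hits, passes


class AhoCorasick:
    """All phrases compiled into one automaton; the body is read once."""

    def __init__(self, phrases):
        self.goto = [{}]      # state -> {char: next state}
        self.fail = [0]       # state -> fallback state on mismatch
        self.out = [set()]    # state -> indices of phrases ending here
        for idx, phrase in enumerate(phrases):
            state = 0
            for ch in phrase.lower():
                nxt = self.goto[state].get(ch)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[state][ch] = nxt
                state = nxt
            self.out[state].add(idx)
        # Breadth-first pass: link each state to the longest proper suffix
        # that is also a prefix of some phrase, and inherit its matches.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def scan(self, body):
        state, hits = 0, set()
        for ch in body.lower():
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.out[state]
        return hits


def total_weight(filters, hits):
    return sum(filters[i][0] for i in hits)


if __name__ == "__main__":
    naive_hits, passes = naive_scan(BODY, FILTERS)
    automaton = AhoCorasick([phrase for _w, phrase in FILTERS])
    print("naive passes over body:", passes)
    print("same hits from one pass:", automaton.scan(BODY) == naive_hits)
    print("weight added:", total_weight(FILTERS, naive_hits))
```
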



RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread George Kulman
Matt,

I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill
pointed out, all hits are reflected.

I've started to use SKIPIFWEIGHT.  The result of course is that filters are
bypassed and the statistics are skewed.

For example on Friday 12/19, 15291 emails were processed by Declude on my
system.  Only 4604 were processed by the GIBBERISH filter.  Of these 1328
had a total of 3854 hits.

My quandary now is to decide whether to use the new control functions of
SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect
a full set of evaluation data by letting everything run.  It's truly a
catch-22 situation.  If I collect all of the data, then I gain no benefit,
since all of the processing takes place.  If I take advantage of the
analysis data, I reduce my processing workload but effectively destroy the
validity of the statistical data which is now skewed by my filtering
control.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matthew Bramble
 Sent: Monday, December 22, 2003 3:17 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
 filter with END functionality.
 
 
 George,
 
 That's good data to have.  I would have to assume that something tagged
 as gibberish in the main test would be random, and that's fairly well
 indicated by the somewhat tight range of the two character strings.
 Unless you are using a logging feature that I'm not aware of, you are
 only showing the last hit that the filter produces, and that explains
 why the Z strings are mostly bunched at the top.  I've got these ordered
 alphabetically and will probably leave them there for management purposes.
 
 The counterbalances though are definitely something that I will use your
 information for reordering them.  I believe I made an attempt to order
 these in the 2.0 filter version according to what I thought would be
 more common as well as what would be a faster search (BODY searches are
 slower than other things and will go lower in general, though a BODY
 search for base64 goes at the top because it is fairly common). Because
 of this and along with the above mentioned issue, the hit stats
 therefore aren't a perfect indication of what would save the most
 processing power, but it definitely helps if you just make some
 assumptions.  I hadn't gathered any stats myself on the Auto-generated
 Codes that I added in about a month or so ago, and it's nice to see that
 they're getting hit since I was really just brainstorming about what
 types of things might be seen.  I might remove some entries though if
 they aren't showing being hit since they are BODY searches and
 expensive.  I'll probably still leave that list of Auto-generated Codes
 in alphabetical order though for management purposes.  This shouldn't
 make a big difference considering that the most common one only gets hit
 about 1-3% of the time (don't know how common the filter fails a later
 line which ends up getting logged instead).
 
 If Declude did log every line that hits in a filter, you would see
 things like GIBBERISH hitting some attachments thousands of times per
 message, and I don't think that's worth the trouble.  Data like this
 will make a much bigger impact on performance if you run it against
 filters where hits can only occur once in a file due to unique data or
 exact matching.  Kami has a bunch of those.
 
 Thanks,
 
 Matt
 
 
 
 George Kulman wrote:
 
 Matt,
 
 I thought you might be interested in the attached data which analyzes the
 GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from
 11/15 through yesterday.
 
 If you're looking for effectiveness you should set the entries in
 descending order of probability.  I use a variation which looks at date of
 most recent hit as well as hit count, although that's more important with
 filters that are being modified on a continual rather than a fairly static
 filter such as these two.
 
 George
 
   
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matthew Bramble
 Sent: Monday, December 22, 2003 9:52 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
 filter with END functionality.
 
 
 I've made some huge leaps forward recently in terms of the processing
 power required to run Declude with the custom filters that I have
 installed.  This was done by way of the SKIPIFWEIGHT functionality
 introduced in the latest beta, but also by way of re-ordering my filters
 in the Global.cfg file so that the easiest to process custom filters are
 run first in the hopes of avoiding the need to run more costly ones.
 
 This new version of GIBBERISH makes use of functionality introduced in
 the 1.77 beta, however the most recent interim release, 1.77i7, should
 be used in order to guarantee proper 

RE: [Declude.JunkMail] Overflow

2003-12-22 Thread John Tolmachoff \(Lists\)
Responding to a couple of posts.

 Hey guys, this sounds like same problem that I have been experiencing,
 however it has been a bunch of spam with c.c. 's to non-existent mail
 addresses on my server (dictionary attack style) ..My DNS is working fine.

The specific problem I am reviewing and working on has to do with DNS based
tests that Declude does on messages for JunkMail. The above would not be
included in this, as Declude is not concerned with mail box lookup or
delivery.

 You might try another DNS server software. I use SimpleDNS Plus
 (http://www.jhsoft.com/), and run all my customer domains (350), 250K+
 messages per day with Declude and Imail using it, and 2000 dial
 customers, with no issues.

This is a cache only setup, no domains. Cost is a concern at this time,
unless I can prove that would be the answer. However, as I said earlier, the
problem was first experienced using BIND DNS servers. I need to follow up on
this. 

 I have never heard MS DNS to be stable under high load conditions. It
 used to do strange things with more than 20 domains under very low load
 back in NT4, and I heard it had a memory leak under 2k with an earlier
 service pack.

Again, this is cache only. I did hear about some issues, but those were in
relation to AD and were fixed in SP3.



John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.JunkMail] Maximum Processes

2003-12-22 Thread Kris McElroy
I just brought my new Gateway server online today.  Single 2.8GHz Xeon, 36Gb
15k Scsi, 1Gb ram.  I have watched the queue all day and it has just increased
up to 8,700.  I adjusted the Maximum Processes to 75, helped some, then I
adjusted it to 100 and BAM and the queue started decreasing steadily.  Within
15 to 20 minutes it decreased to 7627, and the processor is not maxing out
it is holding ground.  I have been having issues with my previous mail
gateway that mail would pile up and take anywhere from 4 to 6 hours to get
to my inbox.  Does this make sense to anyone, running at 100 Maximum
Processes is this ok or is there anything that I should worry about?




Thanks,


Kris McElroy
[EMAIL PROTECTED]

Chief Technology Officer
Duracom, INC.
www.duracom.net

I am always doing that which I can not do, in order that I may learn how to
do it.



RE: [Declude.JunkMail] Maximum Processes

2003-12-22 Thread Kami Razvan
Just curious...

- How many drives?  [IMail, Declude, mailboxes, spool - are they all on a
single drive?]
- Have you run a test without Declude running?
- Any virus scanners?
- OS?
- DNS server? Same machine or separate?

Regards,
Kami



RE: [Declude.JunkMail] Maximum Processes

2003-12-22 Thread Kris McElroy
- How many drives?  [IMail, Declude, mailboxes, spool - are they all on a
single drive?]
Single 36GB,15K SCSI
4 Partitions  C: OS  D: IMail/Declude  E: IMail Spool F: Declude Logs
NO MAILBOXES Gateway Server only

- Have you run a test without Declude running?
No
- Any virus scanners?
Fprot
- OS?
Windows 2000 Server
- DNS server? Same machine or separate?
Same machine supplies recursion for the gateway server only Windows DNS



Thanks,


Kris McElroy
[EMAIL PROTECTED]

Chief Technology Officer
Duracom, INC.
www.duracom.net

I am always doing that which I can not do, in order that I may learn how to
do it.



RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matt Robertson
My quandary now is to decide whether to use the new control functions 
of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to 
collect a full set of evaluation data by letting everything run.  It's 
truly a catch-22 situation.  

I came into this thread late, so my comments may not be strictly on point, but it 
seems to me the solution to this is to only use filters that work.  Duh, right?  In 
other words let the community validate and update Filter X and you simply plug in what 
you please.

That means a centralized filter storage, update and distribution site.  We actually 
aren't so far off that mark now.  Look at Kami Razvan's ftp site and you'll find a 
treasure trove of filters there.  

A centralized filter repository would turn analysis of filter results into an academic 
exercise to satisfy curiosity, rather than the general necessity it is today.

I implemented most of Kami's stuff last week (supplementing most of the filters 
already installed that came from Matt Bramble) and the result is a massive surge in my 
attach-to-kill ratio (on the kill side).  There are so many I had to aggressively 
reorganize my global.cfg, but the results have been splendid, with the most 
processor-intensive filters not kicking in unless needed.

I wrote a ColdFusion routine that downloads my selected filters, alters them to suit 
my skip and max weights, and uploads them to my mail server (the filters are regularly 
updated).  Anyone who wants a copy let me know.


--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---



[Declude.JunkMail] Comments test

2003-12-22 Thread Kami Razvan
Scott:

Just an observation.. It seems like the Comments test is not being triggered as often as I see it used..

I thought you stated a while back that the comments test now picks up any attempt to break words.. E.g.

=
<HTML><HEAD>
<BODY>
<p>Ban</handicraftsmen>ned C</swathe>D! Gov</pervade>ernment d</bate>on't wan</someplace>t m</enunciable>e t</contraception>o s</pierson>ell i</list>t. Se</contrary>e N</compromise>ow *</p>
a href="" href="http://www.53x.net/cd/">http://www.53x.net/cd/
img border=0 src="" href="http://www.53x.net/cd/ads.jpg">http://www.53x.net/cd/ads.jpg/a
=

Should the comment test pick this up?

COMMENTS  comments  weight x  5  0

Regards,
Kami





RE: [Declude.JunkMail] Maximum Processes

2003-12-22 Thread Kami Razvan
One last question..

You stated your spool backup.. What is your daily volume?

Kami 



Re: [Declude.JunkMail] Comments test

2003-12-22 Thread R. Scott Perry

Just an observation.. It seems like the Comments test is not being 
triggered as often as I see it used..

FAQ.  :)

I thought you stated a while back that the comments test now picks up any 
attempt to break words.. E.g.

No -- it just isn't possible.

The COMMENTS test detects anti-filter comments (which consist of any HTML 
comments <!-- comment -->, which also break up words (to help ensure that 
legitimate comments, as silly as they may be in E-mail, to cause the test 
to fail).

However, shortly after the COMMENTS test was added, spammers realized there 
was no need to use HTML comments to do the same thing.  So what they are 
doing is making up HTML tags, and using text such as spa<blah>mmer (which 
shows up as spammer in a mail client).

The problem is that it is nearly impossible to determine which are valid 
HTML tags and which are not -- that would require a database of known good 
HTML tags, which would need to be constantly updated.

What we *did* do, though, is set up Declude JunkMail so that filters will 
work with these (so a Declude JunkMail filter will see spammer in the 
above example).  While that doesn't let Declude JunkMail detect the 
spamming technique, it does negate any benefit that the spammer would see 
from using it.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
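
The normalization Scott describes, as an added example (not Declude's implementation): comments and tags, real or made up, are removed before phrase matching so a filter sees the word the reader sees, and comments that split a word are counted separately. The tag lists are small illustrative assumptions, and the sample HTML is constructed in the style of the message Kami posted.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.S)
TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^<>]*>")

# Tags that separate words when rendered; everything else vanishes in place.
BLOCK_TAGS = {"html", "head", "body", "title", "p", "br", "div", "table",
              "tr", "td", "li", "ul", "ol", "h1", "h2", "h3"}
# A tiny allowlist for illustration only. As the thread notes, a complete
# list of valid tags would need constant updating.
INLINE_TAGS = {"a", "b", "i", "u", "em", "strong", "font", "span", "img"}

# Constructed sample: one ordinary comment, two word-splitting comments,
# and three made-up tags placed inside words.
SAMPLE = (
    "<html><body><!-- newsletter header -->\n"
    "<p>Buy che<!-- x9 -->ap me<!--qz-->ds from a spa<blah>mmer, "
    "Ban</handicraftsmen>ned C</swathe>D!</p></body></html>"
)


def splits_word(html, start, end):
    """True when the markup at html[start:end] has a letter on both sides."""
    before = html[start - 1:start] if start > 0 else ""
    after = html[end:end + 1]
    return before.isalpha() and after.isalpha()


def visible_text(html):
    """Text as a mail client would show it, for phrase filters to match on."""
    without_comments = COMMENT.sub("", html)

    def replace(match):
        return " " if match.group(1).lower() in BLOCK_TAGS else ""

    return " ".join(TAG.sub(replace, without_comments).split())


def word_breaking_comments(html):
    """Count comments wedged inside a word; ordinary comments are ignored."""
    return sum(1 for m in COMMENT.finditer(html)
               if splits_word(html, m.start(), m.end()))


def unknown_midword_tags(html):
    """Names of tags outside the allowlists that sit inside a word."""
    known = BLOCK_TAGS | INLINE_TAGS
    return [m.group(1).lower() for m in TAG.finditer(html)
            if m.group(1).lower() not in known
            and splits_word(html, m.start(), m.end())]


if __name__ == "__main__":
    print("raw contains 'spammer':", "spammer" in SAMPLE.lower())
    print("filter sees:", visible_text(SAMPLE))
    print("word-breaking comments:", word_breaking_comments(SAMPLE))
    print("made-up tags inside words:", unknown_midword_tags(SAMPLE))
```
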



RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread George Kulman
Matt,

I do only use filters that work.  There are a number of situations however
that I believe make it impossible to effectively use only off the shelf
filters.  There are also valid reasons to perform my own analysis of filter
effectiveness:

First, everyone's spam mix is different, just as their e-mail mix is
different.  That's the first thing that Scott and others try to make clear
to a newbie who's looking for a canned solution.

Second, not everyone classes the same things as spam.  I have clients who use
dating services and others who don't want that type of e-mail.  What kind of
complaints would you get if you implemented Ipswitch's URL list as is?  I
know that I'd have an FP rate that would hurt my effectiveness.  I also
provide secondary MX services for a number of clients and see a lot of spam
attempting to back-door their mail servers.

Third, I use many BODY and HEADER filters which range from a few lines to a
few thousand lines.  These consume a tremendous amount of processing
overhead as Scott has pointed out, but I have found them to be the most
effective at killing spam.  They can be a pain to maintain without a
database, ease of updating and dupe checking, automated filter file
generation and analysis of effectiveness.  Regarding analysis and sequencing
of these filters and the use of SKIPIFWEIGHT and END in particular; if I can
get 80% of the hits in the first 20% of the entries and eliminate the rest
of the unneeded processing, I'd be pretty stupid not to.  I was just
bemoaning that I'd be giving up some data collection that's been a big help.
Thanks to changes that Scott has made lately, at least at a LOGLEVEL HIGH,
the ability to effectively use individual log lines for data collection has
simplified and enhanced that process.

Fourth, I like and use many single function filters, particularly Matt
Bramble's and I thank him again for the time he has put into them and his
generosity for sharing them freely.

Every one of my clients has different needs and defines spam differently and
the definitions, filters and actions have to reflect this.

I, for one, will definitely pass on a central repository.

George
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson
 Sent: Monday, December 22, 2003 6:13 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
 filter with END functionality.
 
 My quandary now is to decide whether to use the new control functions
 of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to
 collect a full set of evaluation data by letting everything run.  It's
 truly a catch-22 situation.
 
 I came into this thread late, so my comments may not be strictly on
 point, but it seems to me the solution to this is to only use filters
 that work.  Duh, right?  In other words let the community validate and
 update Filter X and you simply plug in what you please.
 
 That means a centralized filter storage, update and distribution site.
 We actually aren't so far off that mark now.  Look at Kami Razvan's ftp
 site and you'll find a treasure trove of filters there.
 
 A centralized filter repository would turn analysis of filter results
 into an academic exercise to satisfy curiosity, rather than the general
 necessity it is today.
 
 I implemented most of Kami's stuff last week (supplementing most of the
 filters already installed that came from Matt Bramble) and the result is
 a massive surge in my attach-to-kill ratio (on the kill side).  There
 are so many I had to aggressively reorganize my global.cfg, but the
 results have been splendid, with the most processor-intensive filters
 not kicking in unless needed.
 
 I wrote a ColdFusion routine that downloads my selected filters, alters
 them to suit my skip and max weights, and uploads them to my mail server
 (the filters are regularly updated).  Anyone who wants a copy let me
 know.
 
 
 --
 ---
  Matt Robertson, [EMAIL PROTECTED]
  MSB Designs, Inc. http://mysecretbase.com
 ---
 


RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matt Robertson
I understand all that stuff, George, but I disagree completely that you
can't apply global, updated rules to some aspects of the problem.  As
such a global filter repository can make a huge dent in virtually
everyone's workload.  Do we really all need to create our own filters to
remove p.en1s pi11z from our inbox?  Is having the ability to more
quickly react to new spam bad?

Think of this as a virus definition list, except given Declude's
modularity individuals can decide which virii they will allow themselves
to be infected with.

Nothing in this world is going to be perfect, and certainly you can
write your own filters until you're blue in the face.  I've been
tinkering constantly with Declude for something like two years, and I
expect to continue.  But I also expect to automate as much of this -- or
any other job -- as possible.  I have more profitable and less
aggravating things to do than this.  I'm sure you do too.

The community can benefit from some standardization and shared effort.
Some here have already gone miles toward this goal, as many on this list
know.  I'm saying a Next Step should be taken, and anyone who wants to
ignore the initiative is welcome to do so.

--Matt--




Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-22 Thread Matthew Bramble
George,

I think that logic can get you 95% of the way there with something as 
convoluted as this, that is run only about 1/3 of the time, and 
considering that you are only battling for about 2% of the processing 
power required by this filter alone, which shouldn't be too terribly 
much.  Removing the comment blocks would probably have a bigger effect 
:)  Changing to the new version of the filter should definitely help, 
though this isn't by far my most weighty filter.

Here's something that I'm very curious about though...the Y!DIRECTED 
filter contains a bunch of BODY searches for obfuscated strings, 
something that is almost totally redundant with the OBFUSCATION filter.  
I would be very curious to see how often those lines are hit because 
they could be dumped for a measurable performance increase.  Any chance 
you want to take a crack at that?  I wouldn't be surprised to see them 
never hit.

Matt



George Kulman wrote:

Matt,

I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill
pointed out, all hits are reflected.
I've started to use SKIPIFWEIGHT.  The result of course is that filters are
bypassed and the statistics are skewed.
For example on Friday 12/19, 15291 emails were processed by Declude on my
system.  Only 4604 were processed by the GIBBERISH filter.  Of these 1328
had a total of 3854 hits.
My quandary now is to decide whether to use the new control functions of
SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect
a full set of evaluation data by letting everything run.  It's truly a
catch-22 situation.  If I collect all of the data, then I gain no benefit,
since all of the processing takes place.  If I take advantage of the
analysis data, I reduce my processing workload but effectively destroy the
validity of the statistical data which is now skewed by my filtering
control.
George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew Bramble
Sent: Monday, December 22, 2003 3:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
filter with END functionality.

George,

That's good data to have.  I would have to assume that something tagged 
as gibberish in the main test would be random, and that's fairly well 
indicated by the somewhat tight range of the two character strings.  
Unless you are using a logging feature that I'm not aware of, you are 
only showing the last hit that the filter produces, and that explains 
why the Z strings are mostly bunched at the top.  I've got these ordered 
alphabetically and will probably leave them there for management 
purposes.

The counterbalances though are definitely something that I will use your 
information for reordering them.  I believe I made an attempt to order 
these in the 2.0 filter version according to what I thought would be 
more common as well as what would be a faster search (BODY searches are 
slower than other things and will go lower in general, though a BODY 
search for base64 goes at the top because it is fairly common). Because 
of this and along with the above mentioned issue, the hit stats 
therefore aren't a perfect indication of what would save the most 
processing power, but it definitely helps if you just make some 
assumptions.  I hadn't gathered any stats myself on the Auto-generated 
Codes that I added in about a month or so ago, and it's nice to see that 
they're getting hit since I was really just brainstorming about what 
types of things might be seen.  I might remove some entries though if 
they aren't showing being hit since they are BODY searches and 
expensive.  I'll probably still leave that list of Auto-generated Codes 
in alphabetical order though for management purposes.  This shouldn't 
make a big difference considering that the most common one only gets hit 
about 1-3% of the time (don't know how common the filter fails a later 
line which ends up getting logged instead).

If Declude did log every line that hits in a filter, you would see 
things like GIBBERISH hitting some attachments thousands of times per 
message, and I don't think that's worth the trouble.  Data like this 
will make a much bigger impact on performance if you run it against 
filters where hits can only occur once in a file due to unique data or 
exact matching.  Kami has a bunch of those.

Thanks,

Matt



George Kulman wrote:

   

Matt,

I thought you might be interested in the attached data which analyzes the
GIBBERISH and ANTI-GIBBERISH filters by number of hits on my system from
11/15 through yesterday.

If you're looking for effectiveness you should set the entries in
descending order of probability.  I use a variation which looks at date of
most recent hit as well as hit count, although that's more important with
filters that are being modified on a continual rather than a fairly static
filter such as 

Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
Nick,

I think I might have been asking the question the other way around, 
though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the 
HELO won't be dictionary attacked past a few attempts because the 
attacker's software will quickly determine that the attack isn't 
exposing any addresses due to a catch all situation.  So maybe adding 
the nobody alias back in, and redirecting that E-mail to an account that 
deletes each E-mail automatically will resolve the issue of dictionary 
attacks?

I see this stuff in my logs on occasion, but it never happens for a 
prolonged period of time.  I'm thinking this is because 90% of my 
domains had nobody aliases.  Unless someone only wants to DOS my server, 
dictionary attacking a domain with a nobody alias is a waste of their 
processing power just like it is a waste of mine.

Matt



Nick Hayer wrote:

Hi Matt,
 

Is anyone getting dictionary attacked for long periods of time on a
domain with a nobody alias or something that is gatewayed?
Thanks,
   

Yes. I get hammered everyday..; I got rid of the nobody alias, filter 
the log files for the ip's that connected - and add them to my Imail 
Access control list. Currently that list contains nearly 10,000 
ip's...

		-Nick Hayer





 

Matt



Fritz Squib wrote:

   

Hey guys, this sounds like same problem that I have been
experiencing, however it has been a bunch of spam with c.c. 's to
non-existent mail addresses on my server (dictionary attack style)
..My DNS is working fine.
I spent the weekend returning mail from the old spool to a new spool
that I had to create.
I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems
with forged return addresses.
My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments
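
The log filtering mentioned in the thread above (pulling the connecting IPs out of the logs for an access control list), as an added example that is not from any poster and does not use IMail's real log format: it flags source IPs by how many distinct unknown recipients they tried. The log layout, the 550 reply code for unknown users, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log layout for illustration (not IMail's own):
#   <date> <time> <client-ip> RCPT <address> <smtp-reply-code>
LINE = re.compile(r"^\S+ \S+ (\d{1,3}(?:\.\d{1,3}){3}) RCPT (\S+) (\d{3})$")

# Constructed sample: one dictionary run, one normal sender with a typo,
# one sender retrying a single stale address.
SAMPLE_LOG = """\
2003-12-22 10:00:01 192.0.2.10 RCPT adam@example.com 550
2003-12-22 10:00:01 192.0.2.10 RCPT alan@example.com 550
2003-12-22 10:00:02 192.0.2.10 RCPT alex@example.com 550
2003-12-22 10:00:02 192.0.2.10 RCPT alice@example.com 550
2003-12-22 10:00:03 192.0.2.10 RCPT amy@example.com 550
2003-12-22 10:00:03 192.0.2.10 RCPT andy@example.com 550
2003-12-22 10:01:10 198.51.100.7 RCPT info@example.com 250
2003-12-22 10:01:11 198.51.100.7 RCPT sales@example.com 250
2003-12-22 10:01:12 198.51.100.7 RCPT slaes@example.com 550
2003-12-22 10:02:00 203.0.113.5 RCPT oldstaff@example.com 550
2003-12-22 10:07:00 203.0.113.5 RCPT oldstaff@example.com 550
2003-12-22 10:12:00 203.0.113.5 RCPT oldstaff@example.com 550
2003-12-22 10:17:00 203.0.113.5 RCPT oldstaff@example.com 550
2003-12-22 10:22:00 203.0.113.5 RCPT oldstaff@example.com 550
"""


def dictionary_attack_sources(log_text, min_unknown=5, max_accepted_ratio=0.2):
    """Return source IPs that tried many *distinct* unknown recipients
    while having almost no accepted ones."""
    attempts = defaultdict(int)   # RCPT lines seen per IP
    accepted = defaultdict(int)   # 2xx replies per IP
    unknown = defaultdict(set)    # distinct rejected addresses per IP
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip lines that are not RCPT records
        ip, rcpt, code = m.groups()
        attempts[ip] += 1
        if code == "550":
            unknown[ip].add(rcpt.lower())
        elif code.startswith("2"):
            accepted[ip] += 1
    flagged = []
    for ip, rcpts in unknown.items():
        # Distinct addresses, not raw rejects: a retry loop on one stale
        # address is not a dictionary run.
        if (len(rcpts) >= min_unknown
                and accepted[ip] / attempts[ip] <= max_accepted_ratio):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print(dictionary_attack_sources(SAMPLE_LOG))
```

A domain with a nobody alias accepts every address, so it produces no unknown-recipient replies and this count stays at zero for it.
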



 



Re: [Declude.JunkMail] Overflow

2003-12-22 Thread Matthew Bramble
John Tolmachoff (Lists) wrote:

This is a cache only setup, no domains. Cost is a concern at this time,
unless I can prove that would be the answer. However, as I said earlier, the
problem was first experienced using BIND DNS servers. I need to follow up on
this. 

Keith had a problem after a Microsoft hotfix a few months back.  There 
are tweaks in the registry which can be done to expand the number of 
possible connections that a server can make (internal or external).  
Someone posted a link from another mail server with instructions on 
tweaking the settings for high volumes.  Maybe Keith also came up with 
something as a result of his issues.

Matt



Re: [Declude.JunkMail] Comments test

2003-12-22 Thread Matthew Bramble
R. Scott Perry wrote:

The problem is that it is nearly impossible to determine which are 
valid HTML tags and which are not -- that would require a database of 
known good HTML tags, which would need to be constantly updated.


This was the first filter that I tried writing actually :)  I got a list 
of valid HTML tags and subtracted them from a list of two letter codes 
that I had, i.e. aa, ab, ac, etc.  The problem is that you can 
define your own tags with XML and call them anything you want (and that 
might not be all of it).  It was of course a fairly hefty filter as 
well.  That led me to the idea of just going after two letter character 
combinations which were not in the dictionary.  Maybe I can revisit that 
filter now by limiting the characters used to just the 15 most common 
letters (just 225 combinations that cover probably 80% of dictionary 
words), and counterbalancing with some stuff that detects XML (which I 
hadn't thought of back then).

This would work on both gibberish as well as dictionary randomization.

The problem that has been appearing with more frequency as of late 
though is randomization with punctuation, mostly periods, but other 
characters as well.  Periods of course are problematic because of too 
many legit uses in domain names and other things which can appear in 
E-mail.  This stuff is all very processor intensive, so I've been 
avoiding it until I have a better handle on my other filters.

Generally I can delete a piece of spam or pass an E-mail with a peak of 
about 10%-15% of my processor, however a non-spam 32K text message 
without attachments can drive both processors at an average of 80% for 
up to 5 seconds.  I expect that the END functionality will help a great 
deal in those situations, but I'm also looking elsewhere to save.  Just 
by reordering my filters, I think I saved about half of the processing 
power required on average after previously cutting things down with 
SKIPIFWEIGHT.

Matt



RE: [Declude.JunkMail] COPYTO

2003-12-22 Thread John Tolmachoff \(Lists\)
Using %SENDER%, it is inserting [Unknown Var]. If I use %MAILFROM%,
it is also inserting [Unknown Var].

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Sunday, December 21, 2003 5:21 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] COPYTO
 
 
 Is it possible to use a variable in the copy to command?
 
 Yes, it is.
 
 Example:
 
 TEST1   COPYTO  %SENDER%
 
 That would work.
 
 -Scott