A centralized filter repository would turn analysis of filter results into
an academic exercise to satisfy curiosity, rather than the general
necessity it is today.
I am getting there. I know how it will be done, just need the time to set up
the site. It will be accessible by HTTP and FTP. I
I, for one, will definitely pass on a central repository
George, the way I am going to be setting it up will make it easy to view
whatever filters someone wants to share, and then you pick and choose
which ones you want to use. You can then get those files via ftp.
I am also going to set up a
Matt,
Here are two analyses. The 11-15 to 11-30 covers the period from when I
implemented your filters until I began using SKIPIFWEIGHT and MAXWEIGHT
which obviously has some effect on the stats. The 11-15 to 12-21 expands
the prior set to include the additional filters.
There's also the
Matt,
I have no desire to get into an argument or flaming contest with you.
We agree that standard filters have a valuable place in this environment
and we both use standard filters.
We agree that neither of us has the desire to spend countless hours
tweaking filters and that automated solutions
Using %SENDER%, it is inserting [Unknown Var]. If I use %MAILFROM%,
it is also inserting [Unknown Var].
Sorry, it should be actually %MAILFROM% -- there is no %SENDER% variable.
Are you sure you are using %MAILFROM%? The only time you should see
[Unknown Var] is if Declude is expanding
Title: Update- Declude NOT being seen
Hi;
With Scott's help I finally think the reason Declude is not being seen in our case, in rare occasions, is understood.
It just happened that we found a trend that matched exactly our update cycle for the filters.
In our system we have an
Scott,
I know this has been discussed at least in pieces in the past, but I was
hoping that maybe you could put it all together for me (and maybe also
add the order to the manual when the new functionality finds its way
into a full release).
Could you give me an idea about the order of
Could you give me an idea about the order of processing for the following,
or indicate which ones might be run according to where they lie in the
Global.cfg?
This will of course make a difference in performance, and I would like to
provide good guidance myself as I comment up my filters for
How can I tell what version I am running now?
Thanks
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Monday, December 22, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude JunkMail and Declude Virus
Versions?
Where can I find the
Can we get a link to Kami's filters? Thanks.
Neal Mathews
Network Systems Engineer
The Carriage House Co.'s, Inc.
[EMAIL PROTECTED] wrote: -
To: [EMAIL PROTECTED]
From: "Matt Robertson" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 12/22/2003 06:13PM
Subject: RE: [Declude.JunkMail] GIBBERISH
How can I tell what version I am running now?
If you type \IMail\Declude -diag from a command prompt, it will display
the version you are running.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude
Matt,
On Dec 11th, Scott replied to John Tolmachoff:
---
A while back, I had asked about the comparison in performance of a fromfile
and a filter using MAILFROM ENDSWITH.
But wouldn't Declude stop processing a fromfile as soon as a match is found,
where in a filter
Hi;
The filters are available for anyone who wishes to use
it.. the challenge is to keep this link out of the hands of search
engines. Imagine the keywords that our company will be associated
with.
If you want to use the filters simply visit the ftp
site:
ftp://ftp.OUR
DOMAIN/IMail
Scott,
Am I correct to assume ANYWHERE CONTAINS is the most expensive filter to run?
[In lieu of having separate SUBJECT CONTAINS and BODY CONTAINS I have been using
ANYWHERE CONTAINS.]
-Nick Hayer
-- Original Message --
From: R. Scott Perry [EMAIL
Thanks, Kami!
Neal Mathews
Network Systems Engineer
The Carriage House Co.'s, Inc.
[EMAIL PROTECTED] wrote: -
To: [EMAIL PROTECTED]
From: "Kami Razvan" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 12/23/2003 09:16AM
Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END
I seriously don't think they would bother with the code needed to detect
the difference between accepting everything in the dictionary and
bouncing some or all addresses. A spammer using dictionary attacks may
not be harvesting addresses, they may just be spamming a dictionary of
addresses. The
Am I correct to assume ANYWHERE CONTAINS is the most expensive filter to run?
Correct.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
If anyone knows a good and fast way to publish a spamtrap address please let me know
(off-list)
Thanks
Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just
These attacks can go on for hours and hours and hours. If you've seen
this stuff in your logs, you would see strings like
[EMAIL PROTECTED] 26^8 for instance equals ~210,000,000,000
addresses. If they've got a database of names, that could probably be
brought down to around 100,000
George,
Thanks again for the stats. These do verify that spammers are
obfuscating the Yahoo redirection code and those lines need to stay in
the filter as a result. At least I wasn't wasting my time when I came
up with that stuff :)
I didn't get too much else out of the results though.
Since old programmers never die, they just flip their
bits...and Unix people...I won't go there...
I have a suggestion for our declude creators out
there.
Under filters you can use CONTAINS, STARTSWITH, ENDSWITH
or IS on any of the pieces of an email. I wouldn't mind
seeing a MATCHES
Since old programmers never die, they just flip their
bits...and Unix people...I won't go there...
I have a suggestion for our declude creators out
there.
Under filters you can use CONTAINS, STARTSWITH, ENDSWITH
or IS on any of the pieces of an email. I wouldn't mind
seeing a MATCHES
I just wanted to provide a quick update regarding this issue, at least as
it applies to me in my situation. I worked with Scott a bit and was able to
determine that Declude was in fact placing all of its headers in messages
we receive, however, it appears that our Exchange server does not
John..
Have you setup an account with Outlook Express download the messages with
OE?
I am just curious if you see different headers with OE than with Outlook. I
know the messages that we receive under Outlook do not show all headers.
The same message received by OE has a lot more detailed
- Original Message -
From: Matthew Bramble [EMAIL PROTECTED]
These attacks can go on for hours and hours and hours. If you've seen
this stuff in your logs, you would see strings like
[EMAIL PROTECTED] 26^8 for instance equals ~210,000,000,000
addresses. If they've got a database
- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
John..
Have you setup an account with Outlook Express download the messages
with OE?
I use Outlook Express 6 and IMAP against this particular Exchange server and
the headers are missing.
I am just curious if you see
- Original Message -
From: Gufler Markus [EMAIL PROTECTED]
If anyone knows a good and fast way to publish a spamtrap address please
let me know (off-list)
Posting messages to almost any public mailing list will get that e-mail
address listed in many spam databases. Also, subscribing
I am using Outlook 2002 SP2. In the 2 tests I sent to 2 different E2K
servers, (of which both I have accounts on for testing and retrieve via POP3
directly) and both messages I have the entire headers. However, I have seen
messages that Exchange stripped the extra lines out. Like I said, to date,
Title: Update- Declude NOT being seen
Or just use automation that does not require the SMTP process to be
restarted.
We have seen emails with no Declude headers but very rarely. We never stop and
restart the SMTP unless there is a problem or update. As a matter of fact since
7.15 I have
Title: Update- Declude NOT being seen
Kevin:
If you update the Kill.lst (the SMTP kill list) you have to stop and
start SMTP before it is used.
At least that is what IPSwitch told me.
Kami
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee
Sent: Tuesday, December
FYI...
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 8:23 AM
Subject: NJABL changes for contributors
It's recently come to my attention that some contributing sites may be
running content filtering software (i.e. SpamAssassin) on
Are you sure you are using %MAILFROM%? The only time you should see
[Unknown Var] is if Declude is expanding variables (as is the case
here), and the variable is one that Declude doesn't recognize (such as
%SENDER%). But if Declude recognizes the variable (as has been the case
with
Title: Update- Declude NOT being seen
That is correct. That is why we do not use the kill. We use our gateway servers and
our firewall to block at this time.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent:
From the Global.cfg file:
BLANKSUBJECT1 filter D:\Imail\Declude\filters\BlankSubject.txt x 0 0
BLANKSUBJECT2 filter D:\Imail\Declude\filters\BlankSubject.txt x 0 0
From the .junkmail file:
BLANKSUBJECT1 SUBJECT ADDED BY SPAM REVIEW: PLEASE USE A
Is there any chance that you still have a file with %SENDER% in it
(which would cause the [Unknown Var])?
HANDING HEAD IN SHAME
I updated the $default$.junkmail. I then have a batch file to update the
various other .junkmail files. I forgot to run the batch file.
John Tolmachoff
Scott,
I don't know if you want to list this on your listing of ip4r db's but the
admin of the rope.net says they aren't valid anymore.
snip
NOTE: If your email is being blocked due to rbl.rope.net or
rbl.apluslock.com, complain to the administrators of the sites blocking you,
not us. Those
I have been running these tests for a while (as well as others that were
producing little or no results), and they have been producing good results
for me. However, my philosophy is different from some others on this list
in that I like to test lots of IP4R and RHSBL databases and apply
I don't know if you want to list this on your listing of ip4r db's but the
admin of the rope.net says they aren't valid anymore.
Thanks for pointing this out. We've updated the list of spam databases at
http://www.declude.com/junkmail/support/ip4r.htm .
snip
NOTE: If your email is being
Bill,
Thanks for this additl list. I too agree to run lots of tests scored
low sooo here are two more:
PSBL ip4r psbl.surriel.com * 1 0
DNSBL-T1 ip4r t1.dnsbl.net.au * 2 0
- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:40 AM
Subject: Re: [Declude.JunkMail] Additional IP4R RHSBL tests
Bill,
Thanks for this additl list. I too agree to run lots of tests scored
low sooo here are two
Scott, just an FYI. Like Andy, I am still seeing a few UNKNOWN entries in the
spf.log file, rather than just PASS FAIL entries. I am running Declude
v1.77i8. Here are a few samples from today:
64.94.104.161[EMAIL PROTECTED]
[sm1.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
211.243.120.160
I just wanted to provide a list of some of the test sites that do not
appear on Scott's site yet.
FYI, we list *all* known spam databases at
http://www.declude.com/junkmail/support/ip4r.htm .
However, since most spam databases are run by individuals and small
organizations, and often know
Also, since all DNS based tests get spanned simultaneously (rather than
consecutively), there is no performance nor latency hit (unless one of the
test sites is not responding - Scott, are you still planning to add a
configurable time-out setting for the DNS based tests?).
Yes, that is still
64.94.104.161[EMAIL PROTECTED]
[sm1.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
This one should return an UNKNOWN -- the PTR for 64.94.104.161 doesn't
contain email.cooking.com, so it defaults to the ?all, returning an
UNKNOWN response.
211.243.120.160 [EMAIL PROTECTED] [cn.ca]: UNKNOWN:
Hello,
I just purchased the sniffer product and everything seems to be working (I
think)... I am a little confused on how the weights are assigned. I searched
the archives and the following listing:
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
Greetings All!
I've been involved in a discussion with Dave Doherty regarding Bonded
Sender and he invited me to the Declude list. I hope that I can help
address any questions that you may have. If I don't have the answers,
I will find someone here who does and we'll help out in any way we
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
This, too, ends up going with the default ?all, producing the UNKNOWN
response.
The spf.log file is used when a domain has an SPF string; the spf.none is
used when there is no SPF string for the domain.
Ah, okay, this
Welcome to the list, Cyan! I have been using the bondedsender IP4R database
with good success. However, I was just looking at your senderbase site today
and was wondering how I might be able to use it with Declude JunkMail.
Thoughts?
Regards,
Bill
- Original Message -
From: Cyan
- Original Message -
From: Adam Hobach [EMAIL PROTECTED]
I just purchased the sniffer product and everything seems to be working (I
think)... I am a little confused on how the weights are assigned. I
searched the archives and the following listing:
Adam, good purchase decision! You
For those who have asked, here's a link to the ColdFusion-based updater that takes
advantage of Kami Razvan's filter repository, along with a copy of my global.cfg.
http://mysecretbase.com/deliver.cfm?FN=2247B5E2198F464BA033DD5312D09F69
The app displays its progress onscreen via cfflush, which
Filter actions have so many nice basic functions, IGNORE, WARN,
DELETE, HOLD etc.
Looking at new filters today and observing logs, it just seems
one of these actions naturally should be WHITELIST.
Does this make sense?
--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com
Hi Bill:
For what it's worth, MY problem was clearly due to a rogue DNS zone. I am
using multiple includes - one of them to a zone that really has no use, but
it came handy to 'document' the SPF records. Unfortunately, I had not
verified the proper configuration of that zone and there had been
Thanks for the info... I have updated the global config with the individual
codes and weights.
My next question is, does Message Sniffer use a lot of processor time? My
server is pegged at 100%. It normally operated around 30-50% processor
usage. Is this normal? The sniffer log file was 8.7MB
Filter actions have so many nice basic functions, IGNORE, WARN,
DELETE, HOLD etc.
Looking at new filters today and observing logs, it just seems
one of these actions naturally should be WHITELIST.
Does this make sense?
We are planning on adding a WHITELIST action. :)
Welcome to the list, Cyan! I have been using the bondedsender IP4R
database with good success.
Awesome!
However, I was just looking at your senderbase site today
and was wondering how I might be able to use it with Declude JunkMail.
Thoughts?
The person who could best answer this question
- Original Message -
From: Adam Hobach [EMAIL PROTECTED]
Thanks for the info... I have updated the global config with the
individual codes and weights.
My next question is, does Message Sniffer use a lot of processor time? My
server is pegged at 100%. It normally operated around
Reply to: R. Scott Perry
Re: [Declude.JunkMail] Filter Actions - WHITELIST? on Tuesday 4:04:36 PM
Thanks! This will relieve the limit on the Global file as well... If
these filters could be processed first, it might give back a lot of
processor if all other actions were performed
Bill,
This is my line for using BONDEDSENDER with Declude. It is in the Global.cfg
file:
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -10 0
We have been pleased with it so far. I think we have been using it since
last spring sometime.
Sheldon
Sheldon Koehler, Owner/Partner
- Original Message -
From: Sheldon Koehler [EMAIL PROTECTED]
Bill,
This is my line for using BONDEDSENDER with Declude. It is in the
Global.cfg file:
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -10 0
We have been pleased with it so far. I think we have been using it
Yep, been using BondedSender here for a long time, as well. I was asking
about how we might use SenderBase: www.senderbase.com
OK. I missed that part... I will wait for Cyan's reply then too...
Sheldon
Sheldon Koehler, Owner/Partner
http://www.tenforward.com
Ten Forward
Is there some way to stop Declude from doing outgoing mail scanning? I have Pro and
don't need this functionality. It's really kicking my mail server's butt.
--
---
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
- Original Message -
From: Matt Robertson [EMAIL PROTECTED]
Is there some way to stop Declude from doing outgoing mail scanning? I
have Pro and don't need this functionality. It's really kicking my mail
server's butt.
Sure, don't list any tests actions (or comment them out) in your
Is there some way to stop Declude from doing outgoing mail scanning? I
have Pro and don't need this functionality. It's really kicking my mail
server's butt.
Not directly. But if you are using lots of filters, you may want to
consider something like WHITELIST IP 192.0.2.0/24 and use
Hi,
I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain). When I run the SPF
tester at
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21
I get the following results. What am I doing wrong? The part that is
really confusing me is that I see
Yep, I'm trying to stop Declude from performing the tests at all on system-generated
outgoing mail, so I can indeed determine the originating IP. I had already commented
out the tests long ago (thanks for trying to help, Bill).
Wasn't aware of prewhitelist. This should really save my bacon.
I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain). When I run the SPF
tester at
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21
I get the following results. What am I doing wrong? The part that is
really confusing me is that I see
- Original Message -
From: Burzin Sumariwalla [EMAIL PROTECTED]
I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain). When I run the SPF
tester at
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21
I get the following results. What
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:45 PM
Subject: Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS
I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain). When I run
Fixed! Thanks for another lesson Scott.
Burzin
At 05:45 PM 12/23/2003, you wrote:
I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain). When I run the SPF
tester at
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21
I get the following results.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
Also, I am noticing more often situations where Declude headers are
missing from delivered messages, and from several different senders. So I still
believe this is a Declude issue and not a corrupted or malformed mail
issue.
All,
I have seen, twice in the past week for two different users at a
single client, messages locked (_~) in the spool that do not appear
anywhere in the Declude log--and, of course, do not go out. Both
messages had 20-50 recipients and were 1K in size. No other users
reported
- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
All,
I have seen, twice in the past week for two different users at a
single client, messages locked (_~) in the spool that do not appear
anywhere in the Declude log--and, of course, do not go out. Both
I have seen, twice in the past week for two different users at a
single client, messages locked (_~) in the spool that do not appear
anywhere in the Declude log--and, of course, do not go out.
Actually, they should go out -- IMail is designed to deliver the locked
E-mails after
Sandy, could this be related to one of the issues IPSwitch resolved
with the 8.05 patch:
I really don't think so, since it's a matter of the file being locked
by Declude, rather than usurped, and IMail is not processing the
file...it'd be especially unexpected to have the issues you guys
Actually, they should go out -- IMail is designed to deliver the
locked E-mails after 1-2 hours (unless perhaps this behavior changed
for v8).
Nope, doesn't happen (queued at 8:00 a.m., still locked at 8:00 p.m.).
Actually, there was an issue with Declude Virus in v1.70 where an
Does the SKIPIFWEIGHT or MAXWEIGHT show up in the log if it is triggered?
Doing a search I don't see it.
- Original Message -
From: Danny Klopfer [EMAIL PROTECTED]
Does the SKIPIFWEIGHT or MAXWEIGHT show up in the log if it is triggered?
Doing a search I don't see it.
I don't know if they get recorded in the logs at log level low or mid, but
they do get recorded at log level high.
Bill
Great, SpamCop is listing WebTV.net mail server IP falsely. Looking at the
samples, they look legit to me.
Has anyone actually seen spam come from a WebTV.net server?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
I get near the same errors
12/24/2003 00:46:17 Q281302b000d850e9 Unknown Var: %X-RBL-Warning: %TES
12/24/2003 00:46:17 Q281302b000d850e9 Unknown Var: %: %WARNING%
I will email my debug log privately
Sincerely,
William J. Baumbach II [EMAIL PROTECTED]
9975 Pennsylvania Ave. Manassas, Va.