any news on this matter?
The issues with SWITCHRECIP in 1.77i12 are still being investigated.
Ditto - any news with respect to the log entries in medium mode?
I'm not aware of any issues here?
-Scott
---
Declude JunkMail: The advanced anti-spam
Ok I admit I'm pretty weak in the area of tweaking declude but why was this
whitelisted? I have three whitelist lines in my global.cfg ... they are
WHITELIST HABEAS
and 2 WHITELIST[EMAIL PROTECTED] lines ...
Date: Mon, 12 Jan 2004 04:44:57 +0400
X-Mailer: PIPEX NetMail 2.2.0-pre13
Ok I admit I'm pretty weak in the area of tweaking declude but why was this
whitelisted? I have three whitelist lines in my global.cfg ... they are
WHITELIST HABEAS
and 2 WHITELIST[EMAIL PROTECTED] lines ...
What does the Declude JunkMail log file say?
Is one of those two WHITELIST
Sorry for being vague.
You have been discussing slightly changing the new log behavior, by adding
some information to improve parsing by log analyzers, possibly making the
abbreviated log an option feature for Mid mode, etc.
No sweat - just wanted to make sure I didn't have to download a new
Well I'm not sure how I missed this ... but here's the *rest* of the header
info:
Received: from pd95378af.dip.t-dialin.net [217.83.120.175] by netride.net
(SMTPD32-8.05) id A80D5E2F0140; Mon, 12 Jan 2004 06:50:21 -0600
Received: from 0.139.81.238 by 217.83.120.175; Sun, 11 Jan 2004
21:40:57
You have been discussing slightly changing the new log behavior, by adding
some information to improve parsing by log analyzers, possibly making the
abbreviated log an option feature for Mid mode, etc.
That has been done (for 1.77i12). The Msg Failed lines now only appear
in LOGLEVEL HIGH; at
Well I'm not sure how I missed this ... but here's the *rest* of the header
info:
...
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
Now what do I do?
Have you reported it yet?
The Habeas headers are a legal
Sorry - according to my records I was running 1.77i12 when I reported this
behavior. And I was running LogLevel MID. The concern was, that the new,
condensed format would break log analyzers and, some authors suggested that
your one line summary should start with a special string constant so
Do most people use WHITELIST HABEAS? I'm thinking of turning this off since
the large majority of spammers have already demonstrated their willingness
to ignore the legality of their activities.
Larry Craddock
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
Cool ... I'll report it right now.
- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 12, 2004 8:04 AM
Subject: Re: [Declude.JunkMail] Whitelisted?
Well I'm not sure how I missed this ... but here's the *rest* of the
header
info:
Sorry - according to my records I was running 1.77i12 when I reported this
behavior. And I was running LogLevel MID. The concern was, that the new,
condensed format would break log analyzers and, some authors suggested that
your one line summary should start with a special string constant so
Do most people use WHITELIST HABEAS? I'm thinking of turning this off since
the large majority of spammers have already demonstrated their willingness
to ignore the legality of their activities.
That's kind of like asking if you should move your store to another town,
since the store next to
At 09:23 AM 1/12/2004, R. Scott Perry wrote:
The *ONLY* changes that were made were [1] To move the Msg failed
logging from LOGLEVEL LOW to LOGLEVEL HIGH, and [2] To add a one-line
summary to LOGLEVEL LOW. No other changes were made. LOGLEVEL MID is not
involved (except that it will also get
Scott:
My config file reads (and always had):
LOGFILE D:\imail\spool\dec.log
LOGLEVELMID
LOG_OK NONE
That led me to assume that I was running LogLevel MID.
On January 7, I reported a problem with the log files after upgrading to
version i12. See the enclosed log
But Scott, do you leave your front door unlocked if there is a burglar
actively on the loose?
Could you move this from whitelisting to weighting in order to help
protect from such things for non-Pro users? That might make a lot of
sense. This is just some header code, and that's all it takes.
It's unsafe to whitelist in general unless you have control over what is
sending, or a good relationship with the sender. Habeas is totally not
that. This should be a weighted test instead of something that gets
whitelisted. Maybe Scott could move this to the same type functionality
used in
I think I heard mention at one time for there to be a line added to the
LOGLEVEL LOW for the total weight of the message. Has any more thought gone
into this?
Yes, the one-line summary is going to start with Tests failed
[weight=WEIGHT]: .
the one-line summary is going to start with Tests failed
[weight=WEIGHT]:
Thanks. That's what I was hoping/waiting for. If I interpret correctly,
this is NOT yet available. (That's fine, just wanted to make sure that I was
not behind.)
At 06:04 AM 1/12/2004, R. Scott Perry wrote:
The Habeas headers are a legal means of whitelisting E-mail. In this
case, a spam illegally used the Habeas headers -- something that the
people that are behind Habeas have been waiting years for. Now is the
true test of Habeas -- if they go after
I've turned it off temporarily due to the storm of HABEAS-certified spam
this weekend. Hopefully, we will hear something from Habeas about what caused the
problem and what they are doing about it.
-Dave Doherty
Skywaves, Inc.
- Original Message -
From: Larry Craddock [EMAIL PROTECTED]
To:
Good point and I do agree with one minor counter point ... we have little to
no feedback about how *the police are handling the situation.* I reported
the incident to Habeas and here's a snippet from their response:
[Please know that at Habeas we take the use of our trademark in spam very
I'm trying to get this set up on a couple of test machines. It appears as
if I have spamd up and running successfully. I can telnet to the ip
address of the spamd server on port 783, and I see the message logged by
spamd on the console. However, when I go to run spamc from a machine, it
Could you move this from whitelisting to weighting in order to help
protect from such things for non-Pro users? That might make a lot of
sense. This is just some header code, and that's all it takes.
You can use:
HABEAS habeas x x -5 0
in the global.cfg file to accomplish
My config file reads (and always had):
LOGLEVELMID
LOG_OK NONE
That led me to assume that I was running LogLevel MID.
Correct (minus the OK messages).
On January 7, I reported a problem with the log files after upgrading to
version i12. See the enclosed log snippet - it clearly
on 1/12/04 9:59 AM, Larry Craddock wrote:
Good point and I do agree with one minor counter point ... we have little to
no feedback about how *the police are handling the situation.
Plus how many spam messages will be whitelisted while the police
investigate the incident and the courts go
Scott,
Whatever happened to the feature where Declude spits out a million dollars?
Eagerly waiting, but getting frustrated.
Matt :)
R. Scott Perry wrote:
Could you move this from whitelisting to weighting in order to help
protect from such things for non-Pro users? That might make a lot
At 10:02 AM 1/12/2004, Russ Uhte (Lists) wrote:
I'm trying to get this set up on a couple of test machines. It appears as
if I have spamd up and running successfully. I can telnet to the ip
address of the spamd server on port 783, and I see the message logged by
spamd on the console.
Hi Scott:
Thanks for your patience in explaining that.
I now understand that your absolute statement No other changes were made.
LOGLEVEL MID is not involved should have been read by me as:
Even though no EXPLICIT changes to MID level logging were made, LOGLEVEL
MID was changed implicitly by
Hi Russ,
I have it set for 8. I hold on 10 delete on 30. It runs on my
mailserver.
In local.cf I have
required_hits 3.00
-Nick Hayer
Date sent: Mon, 12 Jan 2004 10:55:47 -0500
To: [EMAIL PROTECTED]
From: Russ Uhte
At 11:10 AM 1/12/2004, Nick Hayer wrote:
Hi Russ,
I have it set for 8. I hold on 10 delete on 30. It runs on my
mailserver.
Awesome!! When you installed all the CPAN stuff, did you also install the
HTML::parser? It told me when I went to make the spamassassin package,
that it was missing. I
John,
Looks like a spam house to me.
http://www.senderbase.org/search?searchString=bigpond.com
Block by IP. Google shows that they've used different domains from
these blocks, and the REVDNS entry could be gone tomorrow.
Use Scott's CIDR tool if you are uncertain about the ranges. Dig
Declude sure is a Swiss Army Knife...
I want to see Habeas succeed, and I think that misuse of their warrant by
a spammer through zombies is going to be a real test for them. Their
business model is built around suing a SpamHaus or a misbehaved mailing
house (like Topica, to pick something at
I am considering adding google.com to SPAMDOMAINS, as I see a number of spam
with a from address of @google.com. Can I safely assume that any legit
message from Google will be from a google.com server?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Let me correct something.
BigPond.com isn't a spam house, they are a DSL provider in Australia.
They however have a large number of mail servers that consistently relay
spam. It's almost like they are hosting spammers, and have them relay
through their own servers instead of direct delivery.
Is there legit e-mail that comes from Bigpond mail servers, or can I heavily
weight REVDNS ENDSWITH .bigpond.com?
I believe that they are a large ISP in Australia -- we have two samples of
legitimate E-mails with @bigpond.com return addresses.
I think they should be treated like large U.S.
Okay... forget this question... RTFM...
Wow, and here I thought I was still working on the manual. :)
Now the important question... for those of you using this, what
percentage of your hold weight are you giving this test?
Thus far, 80/120 and rising.
--Sandy
I was just going to say, almost all of those IP addresses are from the same
ISP in Australia.
If we want to play hardball, block all the IPs, and then the ISP will have
to take action.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL
Awesome!! When you installed all the CPAN stuff, did you also install
the HTML::parser? It told me when I went to make the spamassassin
package, that it was missing.
Yes - That was missing with me as well.
I just installed it, and all seems
okay...
kool. So its workn? What do you think of
At 12:39 PM 1/12/2004, Sanford Whiteman wrote:
Okay... forget this question... RTFM...
Wow, and here I thought I was still working on the manual. :)
Yeah... not really the manual, but the spamd -? works too!! :)
I just installed it on my server which is a pretty busy server. I think
someone
All the ones I saw did not have a @bigpond.com from address, only the REVDNS
was big pond.
For now, I have set REVDNS 15 ENDSWITH .bigpond.com.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL
This server normally processes about 200,000 emails a day, running
sniffer, most of the MailPure filters, and antivirus. Normally the
processor utilization during peak times is right around 40-50% on a
1 minute average.
That's pretty high to start out. Try lowering the priority of
We're getting a LOT of spam with HABEAS headers, presumably because the
spammers are using hijacked systems. We have had to turn off that feature.
As long as systems can be hijacked, Habeas and SPF won't be worth very much.
Do most people use WHITELIST HABEAS? I'm thinking of turning
this
Best bang for the buck: http://www.jhsoft.com/
And way too easy to setup..
~Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of P C
Sent: Monday, January 12, 2004 12:45 PM - FamHost
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] DNS trouble
I use the windows based DNS server .. I have it set on its own machine.
Then I have a machine for Imail/Declude, another machine for WWW, One for my
accounting software, and a machine for NEWS total of 5 machines.. i run my
secondary dns on the back of my accounting server. But I guess you would
Could someone recommend the best (most stable) DNS Server for Windows 2000+? Or, can
the Windows 2003 built in DNS Server handle traffic for a small ISP (3000 customers)
plus Imail/Declude DNS-based spam database lookups and the occasional DDOS attack?
Our current Linux DNS server
Ditto for me on SimpleDNS Plus from JHSoft.com; I've used it on Windows XP
and Windows Server 2000 without any issues, with cache sizes such that the
memory used exceeded 200 MB.
Quick enough, but a little slow to start and read in a large previous cache
(this is optional). And the GUI is
We have also turned off the HABEAS whitelist due to large amounts of spam.
We also added pharma court.biz to our body filter.
Kevin Bilbee
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Keith Anderson
Sent: Monday, January 12, 2004 10:31 AM
To:
At 01:23 PM 1/12/2004, Sanford Whiteman wrote:
This server normally processes about 200,000 emails a day, running
sniffer, most of the MailPure filters, and antivirus. Normally the
processor utilization during peak times is right around 40-50% on a
1 minute average.
That's pretty high
I guess that was a noble try... but it didn't work.
Well, it probably worked, just not enough. :)
I'm going to try to separate the spamd/spamc processes and see how
that goes.
That will alleviate the utilization issue, for sure. Depending on the
age of your server, you should think
I have used the Win2000 DNS server happily for quite some time. We host
about 500 websites and 4000 mailboxes. We average about 25 DNS requests per
second and peak around 200. We do not provide access, only server-based
services.
I write all the zone files by hand. I find it quicker and easier
any news on this matter?
The issue with 1.77i12 and the bypasswhitelist option has been fixed in
v1.77i15 at http://www.declude.com/interim . So if a user sends an E-mail
with one recipient that is an alias that expands to 5 addresses, the
bypasswhitelist option will only count it as one
Russ,
I'm not sure what actions will result in bypassing Declude Virus, but
HOLD and DELETE surely do. Since over 80% of E-mail is spam on the
typical system, that should save you a great deal over processing
everything with Virus, though JunkMail is where most of the processing
goes when
Hi,
I suspect they most certainly will - legal action that is.
Bigpond is 51% Australian Government owned and the rest is listed on the
sharemarket.
They are Australia's largest internet provider capturing over 70% of the
market.
They have a monopoly via Telstra - Australia's largest telephone
I have not seen any spam with HABEAS headers UNTIL I viewed some messages
caught by Declude Virus because of the Outlook 'CR' Vulnerability. I am
forwarding these to the site.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
Any comments, good or bad?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED],
Then they better clean up their act and take a hardball stance on all spam
flowing through their servers.
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Glen Harvy
Hi Scott:
Just in case this is an indication of a problem somewhere, here are two
abnormalities (possibly related to white listing)
A) Weight changed between first line (3) and last line (0) of log?
01/12/2004 17:39:05 Q21ff107901f265c0 DSBLMULTI:3 . Total weight = 3.
01/12/2004 17:39:05
I also found some today, held by Virus. Dunno if there have been others
that did get through.
Glenn Z.
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 12, 2004 5:42 PM
Subject: RE: [Declude.JunkMail] WHITELIST HABEAS
I
A) Weight changed between first line (3) and last line (0) of log?
That one is correct:
01/12/2004 17:39:05 Q21ff107901f265c0 DSBLMULTI:3 . Total weight = 3.
01/12/2004 17:39:05 Q21ff107901f265c0 NOT bypassing whitelisting of E-mail
with weight =20 (3) and at least 1 recipients (1).
Yes, I'm still using LogLevel=MID.
Never changed it - unless someone tells me that LOW or HIGH are more
appropriate.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
After upgrading from 1.77i12 to 1.77i17 I get this.
01/12/2004 18:39:34 Q303603930282ebed ERROR: nTests corrupted (1)
01/12/2004 18:39:35 Q303603930282ebed (Error 5 at 4234ac v1.77i15)
01/12/2004 18:39:35 Q303603930282ebed (log part 2 saved as C:\declude.gp2)
01/12/2004 18:39:35 Q303603930282ebed
Hi Scott:
Should the Tests Failed summary line be complete, e.g., should it
replace every single Failed line that appears in the HIGH log mode? This
way, log analyzers can simply parse the Tests Failed summary and learn about
every test AND every action?
If so, I believe there may be one issue.
The spamassassin integration stuff is so cool. I
wonder if anyone has had any problems with it. Anyone have anything that bit
them in any options they tried? I'm running spamd on a linux box and it is using
very little CPU. If anyone here is nervous about the install on a linux
ha ha ha
send them an email at [EMAIL PROTECTED] and we'll all have a giggle :-)
good luck and happy hunting.
better still - just blacklist them and you'll wipe out 75% of all emails
coming from down under :-)
_
Glen Harvy
Aquarius Communications
for all