[Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Sanford Whiteman 
SPAMC32 0.5.55 is available for download at

http://www.mailmage.com/download/software/freeutils/spamc32/release

Users  anticipating  the  big RegEx rollout will have to wait a little
longer,  but there are some very powerful new features and performance
improvements in this release:

-  You  can  add  a  SKIPIFWEIGHT-type  threshold  to  ensure  that no
SpamAssassin  tests  will  be  run  if  the  message is already over a
certain  weight:  SPAMC32 will pass (0) such messages immediately. See
the -cw/-sw combo.

-   You   can  specify  a  Declude-specific  SpamAssassin  weightrange
regardless of SPAMD's 'required_hits' directive. This is useful if you
want  to create several different Declude tests with different Declude
weights;  if  you  don't  have/don't  want control over a remote SPAMD
server;  or if you want to change the effective SpamAssassin threshold
without restarting the daemon. See the -lt/-ht combo.

-   SPAMC32  -?  and  relNotes.txt  are  still  the  main  sources  of
documentation. I'll get there soon. :)

SPAMC32 Release 0.5.55
1/12/2004

*

IMPORTANT  NOTE:  Several defaults have been changed with this version
to  better  fit with anticipated deployments of Declude/IMail/SPAMC32.
While I know this is somewhat poor development practice, the installed
base  of SPAMC32 is small enough that I felt it would be better to use
more appropriate defaults from this point forward. In addition, if you
are   currently   using  the  suggested  GLOBAL.CFG  test  description
displayed  by  SPAMC32  -?, there are no necessary changes, though you
will  be  passing  redundant data. All current users *must* review the
[*]  entries  in  the  release notes to see if you're trusting certain
defaults in your installation.

  *

Release notes for this version:

[ + Added feature]
[ * Improved/changed feature ]
[ - Bug fix  ]
[ ^ Cosmetic/naming change   ]

[+]  Added  switches '-cw' (current weight) and '-sw' (skip-if weight)
to  allow  short-circuiting  SpamAssassin tests if the current Declude
weight of the message exceeds a set threshold. (These switches must be
used together.)

[+]  Added  switches 'lt' (low threshold) and 'ht' (high threshold) to
allow  admins  to  set spam parameters on the client side, rather than
using SPAMD's required_hits setting. SPAMD results between the low and
high  values  will  be considered spam regardless of the required_hits
setting,   allowing  for  multiple  tests  and  live  updates  without
restarting SPAMD. (These switches must be used together.)

[*]  Changed  default  reporting  behavior (when not using '-c', '-r',
'-s',   '-y'   switches)   to   '-c'   (check  only)  for  performance
considerations.

[*]  Removed  'process'  option  completely: is redundant w/Declude as
aggregator.

[*]  Changed default maximum message size (when not using '-a' switch)
to 32000.

[*] Changed default timeout (when not using '-t' switch) to 10.

[*] Changed suggested Declude test description for GLOBAL.CFG to leave
out values that are now defaults (timeout and message size), and fixed
error  that  suggested  that  the  %QUEUENAME%  parameter needed to be
specifically   added   to   the  command  line  (Declude  appends  the
%QUEUENAME%  automatically.  Existing  users  are urged to review this
change.

[^] Various code segments consolidated for performance.



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i15 Log Issues

2004-01-13 Thread R. Scott Perry 

Yes, I'm still using LogLevel=MID.

Never changed it - unless someone tells me that LOW or HIGH are more
appopriate.
There is a new 1.77i16 at http://www.declude.com/interim that addresses 
this and some other issues that have come up with 1.77i15.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] More 1.77i15 Log Issues

2004-01-13 Thread R. Scott Perry 

Should the Tests Failed summary line be complete, e.g., should it
replace every single Failed line that appears in the HIGH log mode?  This
way, log analyzers can simply parse the Tests Failed summary and learn about
every test AND every action?
Correct.

If so, I believe there may be one issue.  My Tests Failed line don't seem to
itemize ANY negative test results, not even word filters.  Could it be, that
your Tests Failed is using the HIDETESTS definitions to suppress
information?
The one that shows the negative weights (the one that ends with Total 
weight = ) appears at LOGLEVEL MID and higher, and is separate from the 
new one (that starts with Tests failed).  The new one replaces the 
LOGLEVEL LOW log file entries, and therefore will only record the tests 
that would have generated a log file entry.  This is appropriate as the 
negative weights affect the total weight of the E-mail (Total weight = 
line), but do not affect the actions that are taken (Tests failed line).

Note that the HIDETESTS option does not affect what is shown in either line.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re[4]: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Russ Uhte \(Lists\) 
At 05:05 PM 1/12/2004, Sanford Whiteman wrote:
 I guess that was a noble try... but it didn't work.

Well, it probably worked, just not enough. :)
Yeah, I'll buy that! :)


 I'm  going  to try to separate the spamd/spamc processes and see how
 that  goes.
That  will alleviate the utilization issue, for sure. Depending on the
age  of  your  server,  you  should  think  about adding an additional
processor.  I  find that that's one fun part about running mail on old
boxes  with  new disks: as it gives you ability to scale up processing
on  the  cheap  as  needed,  while  still  giving peak performance for
disk-starved  tasks.  A lot of people inadvertently err on the side of
processor power by buying new boxes and ignoring DASD optimization.
Unfortunately, this particular server is out of space for new drives 
internally.  Now realistically, I could rebuild it and do it right, and it 
would probably last a very long time.  When I got the server, it had 4 
drives configured for Raid 5 in a single logical drive with 3 
partitions.  I added two more drives in a mirrored set, and moved the spool 
to this.  That helped drastically.  I may look into external scsi drives...


 I  know  this  server is grossly underpowered for what I'm trying to
 do,  but I inherited it this way, and I don't think I'm gonna get to
 buy a new one here anytime soon. The person before didn't understand
 how to spec out a mailserver.
Gotcha.

One  thing  you should know about that I'm building into SPAMC32 right
now  is  a  SKIPIFWEIGHT  option  that  will return 0 immediately if a
(Declude) weight has already been exceeded, thus saving processing for
way out-of-range spam.
Now that would be awesome.  If there's anything I can do to help, let me 
know.  I don't know a much about VB (I think that's what it's written in?) 
but I'd be willing to help in anyway I can.

Thanks,
Russ
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Russ Uhte \(Lists\) 
At 05:52 PM 1/12/2004, Matt wrote:
Russ,

I'm not sure what actions will result in bypassing Declude Virus, but HOLD 
and DELETE surely do.  Since over 80% of E-mail is spam on the typical 
system, that should save you a great deal over processing everything with 
Virus, though JunkMail is where most of the processing goes when you are 
running custom filters.  I'm not sure if you have upgraded to 1.77i7+ yet, 
but the SKIPIFWEIGHT, MAXWEIGHT and END functionality was a huge savings 
for my server.  Even re-ordering your custom filters to put the bigger 
hogs with the least impact and rarest hits at the bottom was a big help 
with SKIPIFWEIGHT.  Probably more than 80% of my spam never hits a custom 
filter, and 97% of my spam never hits every filter file.
Yeah, I'm currently running 1.77i15 as of this morning, and I've been using 
your latest filters.  Previously, I had to remove your old filters due to 
processing limitations, but the new ones are great!!

Yeah, I guess it makes since that if I'm stopping 160,000 of the message 
with Junkmail, that I now only have to scan 40,000 messages for virii.


I just upgraded to IMail 8 and am using WHITELIST AUTH and PREWHITELIST 
ON, and that also saves on processing.  I'm nowhere near your utilization, 
but I hate to ever see my processors pegged due to the fact that the 
machine currently performs many tasks besides E-mail.
I haven't yet turned those options on, but I guess I probably should.  I 
hate to see a server this busy as well, but fortunately, all it does is 
mail.  I'm still debating on a gateway mail server (like IMGate)...  Still 
weighing all the Pros and Cons to try and determine if it's worth my time 
to learn a whole new mail server software package.  Only time will tell...

-Russ 

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i15 Log Issues

2004-01-13 Thread nrmathew 
Scott,Would it be possible, or desirable by others to name the interim executable files with the version name (ie Declude_1.77i15)? Sometimes by the time I read of a new interim release described as 1.77i15 and download it, it has become 1.77i17. Just an idea.Neal M.[EMAIL PROTECTED] wrote: -To: [EMAIL PROTECTED]From: "R. Scott Perry" [EMAIL PROTECTED]Sent by: [EMAIL PROTECTED]Date: 01/13/2004 08:14AMSubject: RE: [Declude.JunkMail] 1.77i15 Log IssuesYes, I'm still using LogLevel=MID.Never changed it - unless someone tells me that LOW or HIGH are moreappopriate.There is a new 1.77i16 at http://www.declude.com/interimthat addresses this and some other issues that have come up with 1.77i15. -Scott---Declude JunkMail: The advanced anti-spam solution for IMail mailservers.Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.Find out what you've been missing: Ask about our free 30-day evaluation.---[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i15 Log Issues

2004-01-13 Thread nrmathew 
I think I just realized why you might not want to do this - it would probably break some auto updating programs out there. Any other options?Neal M.[EMAIL PROTECTED] wrote: -To: [EMAIL PROTECTED]From: [EMAIL PROTECTED]Sent by: [EMAIL PROTECTED]Date: 01/13/2004 08:49AMSubject: RE: [Declude.JunkMail] 1.77i15 Log IssuesScott,  Would it be possible, or desirable by others to name the interim executable files with the version name (ie Declude_1.77i15)? Sometimes by the time I read of a new interim release described as 1.77i15 and download it, it has become 1.77i17. Just an idea.  Neal M. [EMAIL PROTECTED] wrote: - To: [EMAIL PROTECTED] From: "R. Scott Perry" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 01/13/2004 08:14AM Subject: RE: [Declude.JunkMail] 1.77i15 Log Issues Yes, I'm still using LogLevel=MID.  Never changed it - unless someone tells me that LOW or HIGH are more appopriate. There is a new 1.77i16 at http://www.declude.com/interim that addresses this and some other issues that have come up with 1.77i15.  -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus ( http://www.declude.com )] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Bigpond

2004-01-13 Thread David Daniels 
I blocked them years ago after they ignored hundreds of spam complaints.
I've had one person complain and since she is an employee I told her to have
it sent to her hotmail account.

David Daniels
Administrator
Starfish Internet Service
[EMAIL PROTECTED]
- Original Message -
From: Glen Harvy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:04 AM
Subject: RE: [Declude.JunkMail] Bigpond


 ha ha ha

 send them an email at [EMAIL PROTECTED] and we'll all have a giggle :-)

 good luck and happy hunting.

 better still - just blacklist them and you'll wipe out 75% of all emails
 coming from down under :-)

 _
 Glen Harvy
 Aquarius Communications
 for all your Internet Needs.
 Phone 9977 3788 Fax 9977 3844

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
  (Lists)
  Sent: Tuesday, 13 January 2004 12:06
  To: [EMAIL PROTECTED]
  Subject: RE: [Declude.JunkMail] Bigpond
 
 
  Then they better clean up their act and take are hardball stance
  on all spam
  flowing through their servers.
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
   [EMAIL PROTECTED] On Behalf Of Glen Harvy
   Sent: Monday, January 12, 2004 3:12 PM
   To: [EMAIL PROTECTED]
   Subject: RE: [Declude.JunkMail] Bigpond
   Importance: High
  
   Hi,
  
   I suspect they most certainly will - legal action that is.
  
   Bigpond is 51% Australian Government owned and the rest is listed on
the
   sharemarket.
  
   They are Australia's largest internet provider capturing over 70% of
the
   market.
  
   They have a monopoly via Telstra - Australia's largest
  telephone company.
  
   They have a similar attitude to Microsoft - sue first and
  negotiate later.
  
   _
   Glen Harvy
   Aquarius Communications
   for all your Internet Needs.
   Phone 9977 3788 Fax 9977 3844
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John
  Tolmachoff
(Lists)
Sent: Tuesday, 13 January 2004 04:47
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Bigpond
   
   
I was just going to say, almost all of those IP addresses are
from the same
ISP in Australia.
   
If we want to play hardball, block all the IPs, and then the ISP
will
   have
to take action.
   
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
   
   
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Matt
 Sent: Monday, January 12, 2004 9:36 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Bigpond

 Let me correct something.

 BigPond.com isn't a spam house, they are a DSL provider in
  Australia.
 They however have a large number of mail servers that consistently
   relay
 spam.  It's almost like they are hosting spammers, and have
  them relay
 through their own servers instead of direct delivery.  There's a
ton
   of
 it.  I'm not sure what to do about this situation.  Maybe
  someone else
 has some ideas.

 Matt



 Matt wrote:

  John,
 
  Looks like a spam house to me.
 
  http://www.senderbase.org/search?searchString=bigpond.com
 
  Block by IP.  Google shows that they've used different
  domains from
  these blocks, and the REVDNS entry could be gone tomorrow.
 
  Use Scott's CIDR tool if you are uncertain about the ranges.
Dig
  through surrounding blocks with reverse DNS to see if
  there are even
  larger blocks present.  Lastly, report your findings to
  the board :)
 
  Matt
 
 
 
  John Tolmachoff (Lists) wrote:
 
  Is there legit e-mail that comes from Bigpond mail
  servers, or can
   I
  heavily
  weight REVDNS ENDSWITH .bigpond.com?
 
  John Tolmachoff
  Engineer/Consultant/Owner
  eServices For You
 
 
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
  (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
 
 
 
 
 

 --
 =
 MailPure custom filters for Declude JunkMail Pro.
 http://www.mailpure.com/software/
 =


 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL

RE: [Declude.JunkMail] More 1.77i15 Log Issues

2004-01-13 Thread Andy Schmidt 
Hi Scott:

Okay - that's fair enough.

So one should think of the line labeled Tests failed: as a line that
really contains Actions taken:


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Matt 
Russ,

Another idea would be to block SBL with IMail 8 so that stuff never gets 
to Declude.  SBL can be as much as 25% of my traffic, and I weight that 
in Declude so that it deletes on just that one hit.  This could 
potentially save you a good deal of processing power and be huge for 
your system.  You can still keep track of statistics by using IMail's 
daily report to show you how many messages got stopped that way and 
adding them into your Declude results.

I think Kami sets IMail to delete a message after hitting a certain 
number of RBL's, this too may be a further savings if you are careful 
about it.  You could probably get rid of over 50% of your traffic that 
way and leave Declude to do the heavy lifting for what's left over.  I'm 
not yet familiar with this setup yet since I just upgraded, but I'm sure 
Kami would explain how he has it working.

BTW, on non-gatewayed domains, I'm pre-whitelisting about 15% of my 
traffic now because of WHITELIST AUTH (most of it) and AUTOWHITELIST ON 
(from the Web mail address book, but this can cause some false 
negatives, especially if people have their own E-mail listed, however 
they aren't very likely at all to have included a bulk mailing spam source).

Matt



Russ Uhte (Lists) wrote:

At 05:52 PM 1/12/2004, Matt wrote:

Russ,

I'm not sure what actions will result in bypassing Declude Virus, but 
HOLD and DELETE surely do.  Since over 80% of E-mail is spam on the 
typical system, that should save you a great deal over processing 
everything with Virus, though JunkMail is where most of the 
processing goes when you are running custom filters.  I'm not sure if 
you have upgraded to 1.77i7+ yet, but the SKIPIFWEIGHT, MAXWEIGHT and 
END functionality was a huge savings for my server.  Even re-ordering 
your custom filters to put the bigger hogs with the least impact and 
rarest hits at the bottom was a big help with SKIPIFWEIGHT.  Probably 
more than 80% of my spam never hits a custom filter, and 97% of my 
spam never hits every filter file.


Yeah, I'm currently running 1.77i15 as of this morning, and I've been 
using your latest filters.  Previously, I had to remove your old 
filters due to processing limitations, but the new ones are great!!

Yeah, I guess it makes since that if I'm stopping 160,000 of the 
message with Junkmail, that I now only have to scan 40,000 messages 
for virii.


I just upgraded to IMail 8 and am using WHITELIST AUTH and 
PREWHITELIST ON, and that also saves on processing.  I'm nowhere near 
your utilization, but I hate to ever see my processors pegged due to 
the fact that the machine currently performs many tasks besides E-mail.


I haven't yet turned those options on, but I guess I probably should.  
I hate to see a server this busy as well, but fortunately, all it does 
is mail.  I'm still debating on a gateway mail server (like 
IMGate)...  Still weighing all the Pros and Cons to try and determine 
if it's worth my time to learn a whole new mail server software 
package.  Only time will tell...

-Russ
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Russ Uhte \(Lists\) 
At 03:57 AM 1/13/2004, Sanford Whiteman wrote:
SPAMC32 0.5.55 is available for download at

http://www.mailmage.com/download/software/freeutils/spamc32/release

Users  anticipating  the  big RegEx rollout will have to wait a little
longer,  but there are some very powerful new features and performance
improvements in this release:
-  You  can  add  a  SKIPIFWEIGHT-type  threshold  to  ensure  that no
SpamAssassin  tests  will  be  run  if  the  message is already over a
certain  weight:  SPAMC32 will pass (0) such messages immediately. See
the -cw/-sw combo.
Well, this did help considerably... but not quite enough.  I moved the 
SpamD server onto a server that currently does nothing but DNS.  It is a 
dual PIII 1GHz machine that usually runs between 0 and 5 % 
utilization.  With SpamD running on it, it averaged about 70% 
utilization.  Now my mailserver wasn't noticeably affected by the SpamC 
process.  That was using a -sw entry of 20 (my hold weight)  So, I think if 
I want to utilize SA, I'm going to have to do something drastic...  I'm 
open to suggestions if anyone has any!!  :)

-Russ 

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Rick Klinge 
http://www.openhandhome.com/howtosa.html

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Russ 
 Uhte (Lists)
 Sent: Tuesday, January 13, 2004 10:00 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC 
 for Declude) 0.5.55 released
 
 
 At 03:57 AM 1/13/2004, Sanford Whiteman wrote:
 SPAMC32 0.5.55 is available for download at
 
 http://www.mailmage.com/download/software/freeutils/spamc32/release
 
 Users  anticipating  the  big RegEx rollout will have to 
 wait a little 
 longer,  but there are some very powerful new features and 
 performance 
 improvements in this release:
 
 -  You  can  add  a  SKIPIFWEIGHT-type  threshold  to  
 ensure  that no 
 SpamAssassin  tests  will  be  run  if  the  message is 
 already over a 
 certain  weight:  SPAMC32 will pass (0) such messages 
 immediately. See 
 the -cw/-sw combo.
 
 Well, this did help considerably... but not quite enough.  I 
 moved the 
 SpamD server onto a server that currently does nothing but 
 DNS.  It is a 
 dual PIII 1GHz machine that usually runs between 0 and 5 % 
 utilization.  With SpamD running on it, it averaged about 70% 
 utilization.  Now my mailserver wasn't noticeably affected by 
 the SpamC 
 process.  That was using a -sw entry of 20 (my hold weight)  
 So, I think if 
 I want to utilize SA, I'm going to have to do something 
 drastic...  I'm 
 open to suggestions if anyone has any!!  :)
 
 -Russ 
 
 ---
 [This E-mail scanned for viruses by Declude Virus]
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.


___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Matt [EMAIL PROTECTED]

 Another idea would be to block SBL with IMail 8 so that stuff never gets
 to Declude.  SBL can be as much as 25% of my traffic, and I weight that
 in Declude so that it deletes on just that one hit.  This could
 potentially save you a good deal of processing power and be huge for
 your system.  You can still keep track of statistics by using IMail's
 daily report to show you how many messages got stopped that way and
 adding them into your Declude results.

Deleting messages based on a single test result is very bad advice.  No test
is 100% accurate, and in my experience they are typically less than 90%.  If
it works for you, and you and your users don't care about the legitimate
messages you are most likely deleting, that's fine.  But to make this
recommendation to others without the appropriate caviate is irresponsible.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Frederick Samarelli 
Has anyone else see this.
After upgrading from 1.77i12 to 1.77i15 I get this I revert back to 1.77i12
and I am fine.

01/12/2004 18:39:34 Q303603930282ebed ERROR: nTests corrupted (1)
01/12/2004 18:39:35 Q303603930282ebed (Error 5 at 4234ac v1.77i15)
01/12/2004 18:39:35 Q303603930282ebed (log part 2 saved as C:\declude.gp2)
01/12/2004 18:39:35 Q303603930282ebed (log part 1 saved as C:\declude.gp1)
01/12/2004 18:40:00 Q304f0288029c4e8f ERROR: nTests corrupted (1)
01/12/2004 18:40:00 Q303803930282f265 ERROR: nTests corrupted (1

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Russ Uhte (Lists) [EMAIL PROTECTED]

 Well, this did help considerably... but not quite enough.  I moved the
 SpamD server onto a server that currently does nothing but DNS.  It is a
 dual PIII 1GHz machine that usually runs between 0 and 5 %
 utilization.  With SpamD running on it, it averaged about 70%
 utilization.  Now my mailserver wasn't noticeably affected by the SpamC
 process.  That was using a -sw entry of 20 (my hold weight)  So, I think
if
 I want to utilize SA, I'm going to have to do something drastic...  I'm
 open to suggestions if anyone has any!!  :)

Russ, a not too drastic option would be to run SA on a linux mail gateway
sitting in front of your IMail server and then track the hit=xx.x header
counts with Declude.  That's what we do here, and it has worked great for
us.  With this configuration you could also set IMail to gateway all
outbound mail to the SA box for all external mail delivery, thus taking this
load off of your IMail server.

Just a thought...

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Frederick Samarelli [EMAIL PROTECTED]

 Has anyone else see this.
 After upgrading from 1.77i12 to 1.77i15 I get this I revert back to
1.77i12
 and I am fine.

 01/12/2004 18:39:34 Q303603930282ebed ERROR: nTests corrupted (1)
 01/12/2004 18:39:35 Q303603930282ebed (Error 5 at 4234ac v1.77i15)
 01/12/2004 18:39:35 Q303603930282ebed (log part 2 saved as C:\declude.gp2)
 01/12/2004 18:39:35 Q303603930282ebed (log part 1 saved as C:\declude.gp1)
 01/12/2004 18:40:00 Q304f0288029c4e8f ERROR: nTests corrupted (1)
 01/12/2004 18:40:00 Q303803930282f265 ERROR: nTests corrupted (1

I think this may be one of the log issues Scott was talking about in a
earlier post that is fixed in 1.77i16.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Matt 




I think that I've pointed out the caveats many times over on blocking
with SBL. SBL is though more accurate than my system as a whole, and I
have never seen a true false positive with it.

I've asked this several times; has anyone ever seen a false positive
with SBL? I've not ever received a single reply to that question,
though this is the 3rd time I've asked it now.

I'm sure that human error can come into play, but they are the most
respected RBL out there by a mile, and if you find yourself listed on
SBL, there's a 99.99% chance that it is for good reason, and if not,
you need to get your IP out of these because you are surely being
blocked by many, many organizations. The only time that this should
happen is if you inherited a spam block and your provider didn't bother
getting the block delisted, or if you are unfortunate enough to have
hosted your server at a well known spam house.

This is the only RBL that I even weight at or above my hold weight.
I'm quite anal about false positives as well, but until someone points
out a flaw in SBL, I'm going to trust them absolutely.

I think your advice is well founded, however it is a generalization and
exceptions may apply.

Matt



Bill Landry wrote:

  - Original Message - 
From: "Matt" [EMAIL PROTECTED]

  
  
Another idea would be to block SBL with IMail 8 so that stuff never gets
to Declude.  SBL can be as much as 25% of my traffic, and I weight that
in Declude so that it deletes on just that one hit.  This could
potentially save you a good deal of processing power and be huge for
your system.  You can still keep track of statistics by using IMail's
daily report to show you how many messages got stopped that way and
adding them into your Declude results.

  
  
Deleting messages based on a single test result is very bad advice.  No test
is 100% accurate, and in my experience they are typically less than 90%.  If
it works for you, and you and your users don't care about the legitimate
messages you are most likely deleting, that's fine.  But to make this
recommendation to others without the appropriate caviate is irresponsible.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re[2]: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Sanford Whiteman 
 Russ,  a  not  too drastic option would be to run SA on a linux mail
 gateway  sitting  in  front  of your IMail server and then track the
 hit=xx.x  header counts with Declude. That's what we do here, and it
 has  worked great for us. With this configuration you could also set
 IMail  to  gateway  all outbound mail to the SA box for all external
 mail delivery, thus taking this load off of your IMail server.

Of  course,  you  could  also  (a) use a Windows-based gateway and run
SpamD on that with Declude (on your mailbox server) as the client, (b)
use  a  Windows-based  gateway and offload all of your gateway, SpamD,
*and* Declude duties to it, (c) use a *nix-based gateway and run SpamD
on  that  with  Declude  as  the client...the point is that, if you're
going  to  buy  a  new box, it could be put to many purposes with your
choice  of OS. But your current hardware setup and load isn't going to
fly  with a new processor-intensive content scanner. You're maxed out,
and  the  least  painless  way out (from a skills standpoint) is still
going to cost some bucks.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Frederick Samarelli 
Ok. When I download the latest version.
http://www.declude.com/interim

It shows as 1.77i15
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 11:32 AM
Subject: Re: [Declude.JunkMail] 1.77i15 Bug


 - Original Message - 
 From: Frederick Samarelli [EMAIL PROTECTED]

  Has anyone else see this.
  After upgrading from 1.77i12 to 1.77i15 I get this I revert back to
 1.77i12
  and I am fine.
 
  01/12/2004 18:39:34 Q303603930282ebed ERROR: nTests corrupted (1)
  01/12/2004 18:39:35 Q303603930282ebed (Error 5 at 4234ac v1.77i15)
  01/12/2004 18:39:35 Q303603930282ebed (log part 2 saved as
C:\declude.gp2)
  01/12/2004 18:39:35 Q303603930282ebed (log part 1 saved as
C:\declude.gp1)
  01/12/2004 18:40:00 Q304f0288029c4e8f ERROR: nTests corrupted (1)
  01/12/2004 18:40:00 Q303803930282f265 ERROR: nTests corrupted (1

 I think this may be one of the log issues Scott was talking about in a
 earlier post that is fixed in 1.77i16.

 Bill

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Log File Changes

2004-01-13 Thread Bill Morgan 
Hi,

I am starting work on re-writing my log file analysis program for the
new format.  The information that I want to extract is:

Fail tests with weight
Total weight
Action Taken
From e-mail address
To e-mail address
Date/Time
File Name

I am assuming that for this information, I need MID log level.  On
visual inspection of the MID log file, it looks like this format is:

00/00/00 00:00:00 Qx FailedTest1Name:weight
FailedTest2Name:weight  TOTALWEIGHT = weight.
00/00/00 00:00:00 Qx Subject: message subject
00/00/00 00:00:00 Qx From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP:
x.x.x.x ID: 
00/00/00 00:00:00 Qx FailedTest1Name:action
FailedTest2Name:action .

And for multiple recipients, the last three lines are repeated (not sure
why subject line is repeated?) for each user with the new TO address
appended to the previous TO line.  i.e.:

To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED] [EMAIL PROTECTED]

To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Etc.

Are my assumptions correct?  

Thanks,
Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Tests Used for Deleting?

2004-01-13 Thread Andy Schmidt 
Hi Bill,

This is of course prudent advice in general.  Let me share my experiences
(I'm not at all suggesting that this applies to anyone else's scenario).

However, after a few years of tinkering, I did realize that (at least based
on messages received by my mix of business clients) *I* was able to use some
tests to outright delete 13% of all incoming mail (an additional 50% gets
deleted by weight):

BLITZEDALL  DELETE
NJABLPROXIES DELETE
AHBLPROXIES DELETE
SORBS-HTTP  DELETE
SORBS-SOCKS DELETE
SORBS-MISC  DELETE

MAILFROMDELETE
PERCENT DELETE

(At first I was using HOLD for these tests but after many months that I
never ever had to release a single held email.) 

Apparently, when someone is ignorant enough running an open proxy (or an
infected zombie workstation) on a particular IP there is a very low
likelihood that this particular machine is ALSO used as their legitimate
SMTP server.  

When someone uses an invented from domain or tries the percent hack to
force email routing - then it is our policy that the email should not be
processed.  (It's okay to use an unattended from mailbox - but there is
never a reason to use bogus domain names, preventing our server from sending
notifications or such.)

Of course, ideally I would want to hang up on those connections during
SMTP protocol - but unfortunately, neither Imail not Declude currently
offers that option.  (I'm using ORF from VAMSOFT to do exactly that on my
backup MX running MS SMTP (IIS), as lots of spam now gets directed against
the backup MXs).


Best Regards
Andy Schmidt

Argos Networks
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-9411 x20 (Business)
Fax:+1 201 934-9206

http://www.Argos.net/ 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, January 13, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SpamD/SpamC for Declude


- Original Message - 
From: Matt [EMAIL PROTECTED]

 Another idea would be to block SBL with IMail 8 so that stuff never 
 gets to Declude.  SBL can be as much as 25% of my traffic, and I 
 weight that in Declude so that it deletes on just that one hit.  This 
 could potentially save you a good deal of processing power and be huge 
 for your system.  You can still keep track of statistics by using 
 IMail's daily report to show you how many messages got stopped that 
 way and adding them into your Declude results.

Deleting messages based on a single test result is very bad advice.  No test
is 100% accurate, and in my experience they are typically less than 90%.  If
it works for you, and you and your users don't care about the legitimate
messages you are most likely deleting, that's fine.  But to make this
recommendation to others without the appropriate caviate is irresponsible.

Bill

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i16?

2004-01-13 Thread Andy Schmidt 
Same here - downloaded this morning after the announcement and my headers
still read:

X-Declude: Version 1.77i15; D1bad042a01feaf36.SMD from
chris.usa.hm-software.com [63.107.174.138]

Best Regards
Andy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli
Sent: Tuesday, January 13, 2004 11:41 AM

Ok. When I download the latest version. http://www.declude.com/interim

It shows as 1.77i15

- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 11:32 AM


 I think this may be one of the log issues Scott was talking about in a 
 earlier post that is fixed in 1.77i16.

 Bill


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread R. Scott Perry 

Ok. When I download the latest version.
http://www.declude.com/interim
It shows as 1.77i15
This is very strange.  Our log files show that 1.77i16 was uploaded twice, 
yet downloading it shows 1.77i15.  Even after deleting the file from the 
web server, it can still be downloaded -- but as 1.77i15.  The HTTP headers 
don't show any caching program interfering -- but there definitely is 
one.  I'm going to have to look into this to see why it is happening.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Rick Klinge 
1.77i16 here.. Perhaps a local cache?

~Rick


 
 Ok. When I download the latest version. 
 http://www.declude.com/interim
 
 It shows as 1.77i15
 
 This is very strange.  Our log files show that 1.77i16 was 
 uploaded twice, 
 yet downloading it shows 1.77i15.  Even after deleting the 
 file from the 
 web server, it can still be downloaded -- but as 1.77i15.  
 The HTTP headers 
 don't show any caching program interfering -- but there definitely is 
 one.  I'm going to have to look into this to see why it is happening.
 

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Nick Hayer 
I tried this without success. Sandy's port for me is *much* slicker - 

-Nick Hayer

From:   Rick Klinge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:RE: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for 
Declude)  0.5.55 released
Date sent:  Tue, 13 Jan 2004 10:04:08 -0600
Send reply to:  [EMAIL PROTECTED]

 http://www.openhandhome.com/howtosa.html
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Russ 
  Uhte (Lists)
  Sent: Tuesday, January 13, 2004 10:00 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC 
  for Declude) 0.5.55 released
  
  
  At 03:57 AM 1/13/2004, Sanford Whiteman wrote:
  SPAMC32 0.5.55 is available for download at
  
  http://www.mailmage.com/download/software/freeutils/spamc32/release
  
  Users  anticipating  the  big RegEx rollout will have to 
  wait a little 
  longer,  but there are some very powerful new features and 
  performance 
  improvements in this release:
  
  -  You  can  add  a  SKIPIFWEIGHT-type  threshold  to  
  ensure  that no 
  SpamAssassin  tests  will  be  run  if  the  message is 
  already over a 
  certain  weight:  SPAMC32 will pass (0) such messages 
  immediately. See 
  the -cw/-sw combo.
  
  Well, this did help considerably... but not quite enough.  I 
  moved the 
  SpamD server onto a server that currently does nothing but 
  DNS.  It is a 
  dual PIII 1GHz machine that usually runs between 0 and 5 % 
  utilization.  With SpamD running on it, it averaged about 70% 
  utilization.  Now my mailserver wasn't noticeably affected by 
  the SpamC 
  process.  That was using a -sw entry of 20 (my hold weight)  
  So, I think if 
  I want to utilize SA, I'm going to have to do something 
  drastic...  I'm 
  open to suggestions if anyone has any!!  :)
  
  -Russ 
  
  ---
  [This E-mail scanned for viruses by Declude Virus]
  
  ---
  [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
 unsubscribe Declude.JunkMail.  The archives can be found at
 http://www.mail-archive.com.
 ___
 Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
 
 
 ___
 Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.
 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] messagescreen.com

2004-01-13 Thread Frederick Samarelli 
Does anyone have any info on this service.
 
 messagescreen.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread John Tolmachoff \(Lists\) 
Downloaded and installed about 5 minutes ago:

Declude 1.77i16 (C) Copyright 2000-2004 Computerized Horizons.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of R. Scott Perry
 Sent: Tuesday, January 13, 2004 9:12 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] 1.77i15 Bug
 
 
 Ok. When I download the latest version.
 http://www.declude.com/interim
 
 It shows as 1.77i15
 
 This is very strange.  Our log files show that 1.77i16 was uploaded twice,
 yet downloading it shows 1.77i15.  Even after deleting the file from the
 web server, it can still be downloaded -- but as 1.77i15.  The HTTP
 headers
 don't show any caching program interfering -- but there definitely is
 one.  I'm going to have to look into this to see why it is happening.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Log File Changes

2004-01-13 Thread R. Scott Perry 

I am assuming that for this information, I need MID log level.  On
visual inspection of the MID log file, it looks like this format is:
00/00/00 00:00:00 Qx FailedTest1Name:weight FailedTest2Name:weight 
 TOTALWEIGHT = weight.
00/00/00 00:00:00 Qx Subject: message subject
00/00/00 00:00:00 Qx From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 
x.x.x.x ID:
00/00/00 00:00:00 Qx FailedTest1Name:action FailedTest2Name:action 
.
That is correct.  Some of those lines appear at LOGLEVEL LOW, but to get 
them all, you would need LOGLEVEL MID (or LOGLEVEL HIGH).

And for multiple recipients, the last three lines are repeated (not sure
why subject line is repeated?) for each user with the new TO address
appended to the previous TO line.  i.e.:
To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED] [EMAIL PROTECTED]

To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Etc.

Are my assumptions correct?
That is correct.  I'll look into getting the Subject: line to only appear once.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Matt

 I think that I've pointed out the caveats many times
 over on blocking with SBL.  SBL is though more
 accurate than my system as a whole, and I have
 never seen a true false positive with it.

 I've asked this several times; has anyone ever seen
 a false positive with SBL?  I've not ever received a
 single reply to that question, though this is the 3rd
 time I've asked it now.

Because people didn't respond doesn't mean anything.  All RBLs produce
false-positives.  How could they not, they are run by humans.

 I think your advice is well founded, however it is a
 generalization and exceptions may apply.

There are no exceptions when it comes to anything run by humans, there WILL
be errors.

Just from yesterdays logs, legitimate mailing list messages blocked by SBL:
20 Subject: RE: [MS SMS] What are YOU doing to remove spyware? 2004 Edition
19 Subject: RE: [MS SMS] OT: Football
12 Subject: RE: [myOT] Alias
10 Subject: RE: [MS SMS] SMS 2003: WMI
9 Subject: RE: [MS SMS] Installing a DP over the wire.
9 Subject: RE: [myOT] MMS 2004
7 Subject: RE: [MS SMS] VBS Question
6 Subject: RE: [myOT] Stargate season opener tonight...
5 Subject: RE: [MS SMS] Central Site
5 Subject: RE: [MS SMS] Error in scan tool
4 Subject: RE: [MS SMS] ROI for 2003
4 Subject: RE: [MS SMS] SMS 2: Clients failed to connect to APM server
4 Subject: RE: [MS SMS] XP clients
3 Subject: RE: [MS SMS] SMS and Tablet PC
3 Subject: RE: [MS SMS] SMS on VMWare
3 Subject: RE: [MS SMS] SMS2003 - How to re-trigger advertisement on client
2 Subject: RE: [MS SMS] MakeColl.exe for SMS 2003?
2 Subject: RE: [MS SMS] OT: Anyone from the UK going to the MMS?
2 Subject: RE: [MS SMS] OT: Read Receipts on List messages
2 Subject: RE: [MS SMS] SMS SUSFP Updates
2 Subject: [MS SMS] XP clients
1 Subject: RE: [myOT] New Bill and Monica pics...
1 Subject: RE: [MS SMS] advanced client prestaging
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] Security scan tool upgrade
1 Subject: RE: [MS SMS] SMS 2003 MP problem
1 Subject: RE: [MS SMS] SMS Office Updates
1 Subject: RE: [MS SMS] SUS Distribute software updates wizard doesn't show
up
1 Subject: NWCYCLING:  FW: 2004 Mt. Hood Cycling Classic
1 Subject: NWCYCLING:  USCF Rulebook 2004 Changes - online
1 Subject: NWCYCLING:  WSBA Junior Informational Meeting Tonight
1 Subject: MEDITECH Issue PP #3714704 - Open
1 Subject: [partb-l] HCPCS codes
1 Subject: [NPinfo] Interesting article on the physician shortage.
1 Subject: [myOT] Test
1 Subject: [myOT] Alias
1 Subject: [MS SMS] VBS Question
1 Subject: [MS SMS] SUS Distribute software updates wizard doesn't show up
1 Subject: [MS SMS] SMS2003 - How to re-trigger advertisement on client
1 Subject: [MS SMS] SMS Office Updates
1 Subject: [MS SMS] SMS and Tablet PC
1 Subject: [MS SMS] SMS 2003: WMI
1 Subject: [MS SMS] SMS 2003 Bug
1 Subject: [MS SMS] ROI for 2003
1 Subject: [MS SMS] Query help needed
1 Subject: [MS SMS] OT: Read Receipts on List messages
1 Subject: [MS SMS] OT: Guest Account
1 Subject: [MS SMS] OT: Anyone from the UK going to the MMS?
1 Subject: [MS SMS] MakeColl.exe for SMS 2003?
1 Subject: [MS SMS] Installing a DP over the wire.
1 Subject: [MS SMS] Holy Replicating Servers Batman!
1 Subject: [MS SMS] Couple backup questions
1 Subject: [MS SMS] Central Site
1 Subject: [MS SMS] Adobe Acrobat 6 Deployment

I also found at least a dozen personal messages that were flagged by SBL,
but were delivered anyway because of the way we weight our tests.  Again,
this is just from yesterday.

Instead of applying a huge weight to a single test, why not apply a small
weight to may tests?  That way you at least get corroboration from multiple
tests, thus negating the human factor.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Tests Used for Deleting?

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Andy Schmidt [EMAIL PROTECTED]

 This is of course prudent advice in general.
 Let me share my experiences (I'm not at all
 suggesting that this applies to anyone else's
 scenario).

 However, after a few years of tinkering, I
 did realize that (at least based on messages
 received by my mix of business clients) *I*
 was able to use some tests to outright delete
 13% of all incoming mail (an additional 50%
 gets deleted by weight):

BLITZEDALL DELETE
NJABLPROXIES DELETE
AHBLPROXIES DELETE
SORBS-HTTP DELETE
SORBS-SOCKS DELETE
SORBS-MISC DELETE

MAILFROM DELETE
PERCENT DELETE

Other than the PERCENT test, I can produce false-positives from each of the
RBL tests listed above for everyday of the week.  I guess it depends on your
customer base and mail volume, but anyone running spam tests in an ISP
environment would be foolish and running great risk of deleting legitimate
messages by basing delete decisions on the results of any single RBL test
criteria.  And I feel that if you have a weight system available to you, why
take that risk at all?

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Frederick Samarelli 
It now shows 1.77i16 but still the same error.

1/13/2004 12:44:03 Q2e6302780262ca7c (Error 5 at 4127f8 v1.77i16)
01/13/2004 12:44:03 Q2e6302780262ca7c (log part 2 saved as C:\declude.gp2)
01/13/2004 12:44:03 Q2e6302780262ca7c (log part 1 saved as C:\declude.gp1)


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:12 PM
Subject: Re: [Declude.JunkMail] 1.77i15 Bug



 Ok. When I download the latest version.
 http://www.declude.com/interim
 
 It shows as 1.77i15

 This is very strange.  Our log files show that 1.77i16 was uploaded twice,
 yet downloading it shows 1.77i15.  Even after deleting the file from the
 web server, it can still be downloaded -- but as 1.77i15.  The HTTP
headers
 don't show any caching program interfering -- but there definitely is
 one.  I'm going to have to look into this to see why it is happening.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i16 Live... Really!

2004-01-13 Thread Andy Schmidt 
Confirmed:
X-Declude: Version 1.77i16; D2edc073800b6a083.SMD from
corner-office.usa.hm-software.com [63.107.174.136]

Scott - I assume this does not yet fix the SPF bug that I reported (Just
asking because it was not acknowledged in any way.)

Best Regards
Andy 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Matt 




Bill,

It appears that your entire list is from one source, Topica.

Search the archives for a discussion of Topica, how their lack of
message list verification results in lots of spam, and how they are
also a spam house, even sending spam from the same block of IP's. I
thought this was an FP at first, but this is more of the malware
variety. There's a good reason for Topica to be listed. I've
explained this one caveat many times here, but a spam house is a spam
house in my book.

You should have explained with your stats how these were mostly or even
all from the same source :)

Matt



Bill Landry wrote:

  - Original Message - 
From: Matt

  
  
I think that I've pointed out the caveats many times
over on blocking with SBL.  SBL is though more
accurate than my system as a whole, and I have
never seen a true false positive with it.

  
  
  
  
I've asked this several times; has anyone ever seen
a false positive with SBL?  I've not ever received a
single reply to that question, though this is the 3rd
time I've asked it now.

  
  
Because people didn't respond doesn't mean anything.  All RBLs produce
false-positives.  How could they not, they are run by humans.

  
  
I think your advice is well founded, however it is a
generalization and exceptions may apply.

  
  
There are no exceptions when it comes to anything run by humans, there WILL
be errors.

Just from yesterdays logs, legitimate mailing list messages blocked by SBL:
20 Subject: RE: [MS SMS] What are YOU doing to remove spyware? 2004 Edition
19 Subject: RE: [MS SMS] OT: Football
12 Subject: RE: [myOT] Alias
10 Subject: RE: [MS SMS] SMS 2003: WMI
9 Subject: RE: [MS SMS] Installing a DP over the wire.
9 Subject: RE: [myOT] MMS 2004
7 Subject: RE: [MS SMS] VBS Question
6 Subject: RE: [myOT] Stargate season opener tonight...
5 Subject: RE: [MS SMS] Central Site
5 Subject: RE: [MS SMS] Error in scan tool
4 Subject: RE: [MS SMS] ROI for 2003
4 Subject: RE: [MS SMS] SMS 2: Clients failed to connect to APM server
4 Subject: RE: [MS SMS] XP clients
3 Subject: RE: [MS SMS] SMS and Tablet PC
3 Subject: RE: [MS SMS] SMS on VMWare
3 Subject: RE: [MS SMS] SMS2003 - How to re-trigger advertisement on client
2 Subject: RE: [MS SMS] MakeColl.exe for SMS 2003?
2 Subject: RE: [MS SMS] OT: Anyone from the UK going to the MMS?
2 Subject: RE: [MS SMS] OT: Read Receipts on List messages
2 Subject: RE: [MS SMS] SMS SUSFP Updates
2 Subject: [MS SMS] XP clients
1 Subject: RE: [myOT] New Bill and Monica pics...
1 Subject: RE: [MS SMS] advanced client prestaging
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] Security scan tool upgrade
1 Subject: RE: [MS SMS] SMS 2003 MP problem
1 Subject: RE: [MS SMS] SMS Office Updates
1 Subject: RE: [MS SMS] SUS Distribute software updates wizard doesn't show
up
1 Subject: NWCYCLING:  FW: 2004 Mt. Hood Cycling Classic
1 Subject: NWCYCLING:  USCF Rulebook 2004 Changes - online
1 Subject: NWCYCLING:  WSBA Junior Informational Meeting Tonight
1 Subject: MEDITECH Issue PP #3714704 - Open
1 Subject: [partb-l] HCPCS codes
1 Subject: [NPinfo] Interesting article on the physician shortage.
1 Subject: [myOT] Test
1 Subject: [myOT] Alias
1 Subject: [MS SMS] VBS Question
1 Subject: [MS SMS] SUS Distribute software updates wizard doesn't show up
1 Subject: [MS SMS] SMS2003 - How to re-trigger advertisement on client
1 Subject: [MS SMS] SMS Office Updates
1 Subject: [MS SMS] SMS and Tablet PC
1 Subject: [MS SMS] SMS 2003: WMI
1 Subject: [MS SMS] SMS 2003 Bug
1 Subject: [MS SMS] ROI for 2003
1 Subject: [MS SMS] Query help needed
1 Subject: [MS SMS] OT: Read Receipts on List messages
1 Subject: [MS SMS] OT: Guest Account
1 Subject: [MS SMS] OT: Anyone from the UK going to the MMS?
1 Subject: [MS SMS] MakeColl.exe for SMS 2003?
1 Subject: [MS SMS] Installing a DP over the wire.
1 Subject: [MS SMS] Holy Replicating Servers Batman!
1 Subject: [MS SMS] Couple backup questions
1 Subject: [MS SMS] Central Site
1 Subject: [MS SMS] Adobe Acrobat 6 Deployment

I also found at least a dozen personal messages that were flagged by SBL,
but were delivered anyway because of the way we weight our tests.  Again,
this is just from yesterday.

Instead of applying a huge weight to a single test, why not apply a small
weight to may tests?  That way you at least get corroboration from multiple
tests, thus negating the human factor.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=

[Declude.JunkMail] DLAnalyzer - Update Available For The New Log File Changes

2004-01-13 Thread DLAnalyzer Support 
For those who have downloaded/currently using DLAnalyzer to process thier 
Declude Junkmail Logs an update is available that supports the new log file 
format found in 1.77i15+.  It is also backward compatible and will still 
continue to work with the older log files as well. 

Please see the read me notes that addresses some new features added as well 
as some bug fixes for the GUI configuration utility. 

You can download the update from our site http://www.dlanalyzer.com.
Darrell 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Frederick Samarelli 
declude.gp1 file.

(Error 5 at 4127f8 v1.77i16)
(attempt to read at 73c098)
(004127F8 0012C700 (00470AB4 0012FF68) C:\IMail\Declude.exe)
(004101C5 0012C868 ( ) C:\IMail\Declude.exe)
(0040D3B6 0012FF80 (0002 00620B80) C:\IMail\Declude.exe)
(004322E0 0012FFC0 ( ) C:\IMail\Declude.exe)
(7C5987E7 0012FFF0 (0043222C ) C:\WINNT\system32\KERNEL32.dll)
- Original Message - 
From: Frederick Samarelli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:47 PM
Subject: Re: [Declude.JunkMail] 1.77i15 Bug


 It now shows 1.77i16 but still the same error.

 1/13/2004 12:44:03 Q2e6302780262ca7c (Error 5 at 4127f8 v1.77i16)
 01/13/2004 12:44:03 Q2e6302780262ca7c (log part 2 saved as C:\declude.gp2)
 01/13/2004 12:44:03 Q2e6302780262ca7c (log part 1 saved as C:\declude.gp1)


 - Original Message - 
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 12:12 PM
 Subject: Re: [Declude.JunkMail] 1.77i15 Bug


 
  Ok. When I download the latest version.
  http://www.declude.com/interim
  
  It shows as 1.77i15
 
  This is very strange.  Our log files show that 1.77i16 was uploaded
twice,
  yet downloading it shows 1.77i15.  Even after deleting the file from the
  web server, it can still be downloaded -- but as 1.77i15.  The HTTP
 headers
  don't show any caching program interfering -- but there definitely is
  one.  I'm going to have to look into this to see why it is happening.
 
  -Scott
  ---
  Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
  Declude Virus: Catches known viruses and is the leader in mailserver
  vulnerability detection.
  Find out what you've been missing: Ask about our free 30-day evaluation.
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
 

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] messagescreen.com

2004-01-13 Thread Rick Klinge 
MessageScreen is a sophisticated anti-spam, anti-virus, and content
filtering solution that is tightly integrated with Novell GroupWise,
Microsoft Exchange, and Lotus Domino email platforms. MessageScreen's
gateway-level filtering technology stops over 97% of spam and produces
virtually no false positives.

http://www.messagescreen.com/Products/MessageScreen/index.htm

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Frederick Samarelli
 Sent: Tuesday, January 13, 2004 11:30 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] messagescreen.com
 
 
 Does anyone have any info on this service.
  
  messagescreen.com
 

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SpamD/SpamC for Declude

2004-01-13 Thread Bill Landry 



Matt, legitimate messages are legitimate no matter 
the source that they come from, would you not agree with this? You would 
have deleted all of these messages, as well the other dozen or so legitimate 
personal messages I found. I don't see any credibility in your position 
here that it is okay to delete legitimate messages based on where they are 
delivered from.

Bill

  - Original Message - 
  From: 
  Matt 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, January 13, 2004 9:45 
  AM
  Subject: Re: [Declude.JunkMail] 
  SpamD/SpamC for Declude
  Bill,It appears that your entire list is from one 
  source, Topica.Search the archives for a discussion of Topica, how 
  their lack of message list verification results in lots of spam, and how they 
  are also a spam house, even sending spam from the same block of IP's. I 
  thought this was an FP at first, but this is more of the malware 
  variety. There's a good reason for Topica to be listed. I've 
  explained this one caveat many times here, but a spam house is a spam house in 
  my book.You should have explained with your stats how these were 
  mostly or even all from the same source :)MattBill 
  Landry wrote:
  - Original Message - 
From: Matt

  
I think that I've pointed out the caveats many times
over on blocking with SBL.  SBL is though more
accurate than my system as a whole, and I have
never seen a true false positive with it.

  
I've asked this several times; has anyone ever seen
a false positive with SBL?  I've not ever received a
single reply to that question, though this is the 3rd
time I've asked it now.

Because people didn't respond doesn't mean anything.  All RBLs produce
false-positives.  How could they not, they are run by humans.

  
I think your advice is well founded, however it is a
generalization and exceptions may apply.

There are no exceptions when it comes to anything run by humans, there WILL
be errors.

Just from yesterdays logs, legitimate mailing list messages blocked by SBL:
20 Subject: RE: [MS SMS] What are YOU doing to remove spyware? 2004 Edition
19 Subject: RE: [MS SMS] OT: Football
12 Subject: RE: [myOT] Alias
10 Subject: RE: [MS SMS] SMS 2003: WMI
9 Subject: RE: [MS SMS] Installing a DP over the wire.
9 Subject: RE: [myOT] MMS 2004
7 Subject: RE: [MS SMS] VBS Question
6 Subject: RE: [myOT] Stargate season opener tonight...
5 Subject: RE: [MS SMS] Central Site
5 Subject: RE: [MS SMS] Error in scan tool
4 Subject: RE: [MS SMS] ROI for 2003
4 Subject: RE: [MS SMS] SMS 2: Clients failed to connect to APM server
4 Subject: RE: [MS SMS] XP clients
3 Subject: RE: [MS SMS] SMS and Tablet PC
3 Subject: RE: [MS SMS] SMS on VMWare
3 Subject: RE: [MS SMS] SMS2003 - How to re-trigger advertisement on client
2 Subject: RE: [MS SMS] MakeColl.exe for SMS 2003?
2 Subject: RE: [MS SMS] OT: Anyone from the UK going to the MMS?
2 Subject: RE: [MS SMS] OT: Read Receipts on List messages
2 Subject: RE: [MS SMS] SMS SUSFP Updates
2 Subject: [MS SMS] XP clients
1 Subject: RE: [myOT] New Bill and Monica pics...
1 Subject: RE: [MS SMS] advanced client prestaging
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] FW: Clarification on recent email from Shavlik
Technologies
1 Subject: RE: [MS SMS] Security scan tool upgrade
1 Subject: RE: [MS SMS] SMS 2003 MP problem
1 Subject: RE: [MS SMS] SMS Office Updates
1 Subject: RE: [MS SMS] SUS Distribute software updates wizard doesn't show
up
1 Subject: NWCYCLING:  FW: 2004 Mt. Hood Cycling Classic
1 Subject: NWCYCLING:  USCF Rulebook 2004 Changes - online
1 Subject: NWCYCLING:  WSBA Junior Informational Meeting Tonight
1 Subject: MEDITECH Issue PP #3714704 - Open
1 Subject: [partb-l] HCPCS codes
1 Subject: [NPinfo] Interesting article on the physician shortage.
1 Subject: [myOT] Test
1 Subject: [myOT] Alias
1 Subject: [MS SMS] VBS Question
1 Subject: [MS SMS] SUS Distribute software updates wizard doesn't show up
1 Subject: [MS SMS] SMS2003 - How to re-trigger advertisement on client
1 Subject: [MS SMS] SMS Office Updates
1 Subject: [MS SMS] SMS and Tablet PC
1 Subject: [MS SMS] SMS 2003: WMI
1 Subject: [MS SMS] SMS 2003 Bug
1 Subject: [MS SMS] ROI for 2003
1 Subject: [MS SMS] Query help needed
1 Subject: [MS SMS] OT: Read Receipts on List messages
1 Subject: [MS SMS] OT: Guest Account
1 Subject: [MS SMS] OT: Anyone from the UK going to the MMS?
1 Subject: [MS SMS] MakeColl.exe for SMS 2003?
1 Subject: [MS SMS] Installing a DP over the wire.
1 Subject: [MS SMS] Holy Replicating Servers Batman!
1 Subject: [MS SMS] Couple backup questions
1 Subject: [MS SMS] Central Site
1 Subject: [MS SMS] Adobe Acrobat 6 Deployment

I also found at least a dozen personal messages that were flagged by SBL,
but were delivered anyway because of the way we weight our tests.  Again,
this is just from yesterday.

Instead of applying

RE: [Declude.JunkMail] 1.77i16 Live... Really!

2004-01-13 Thread R. Scott Perry 

... the SPF bug that I reported (Just asking because it was not 
acknowledged in any way.)
That is currently being investigated.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] whitelisted

2004-01-13 Thread andyb 
HI,

I'm getting spam, and it is being whitelisted because of HABEAS...  Here are
the headers.

These emails are definately spam.  Looks like HABEAS has been compromised?

Comments Please.

thanks, Andy

Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
  (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 03:42:04 -0200
Message-ID: [EMAIL PROTECTED]
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
From: Blaine Shaffer [EMAIL PROTECTED]
Reply-To: Blaine Shaffer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many M3ds Y5iov
Date: Tue, 13 Jan 2004 04:49:04 -0100
X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=--891940459175399
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
X-RBL-Warning: Total weight: 0
X-Note: Total spam weight of this E-mail is 0.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread R. Scott Perry 

It now shows 1.77i16 but still the same error.

1/13/2004 12:44:03 Q2e6302780262ca7c (Error 5 at 4127f8 v1.77i16)
01/13/2004 12:44:03 Q2e6302780262ca7c (log part 2 saved as C:\declude.gp2)
01/13/2004 12:44:03 Q2e6302780262ca7c (log part 1 saved as C:\declude.gp1)
There is a v1.77i17 that has been placed online to deal with 
this.  However, given the mystery caching problem, you may or may not be 
able to get 1.77i17 (we're still getting i15 when we try to download from 
here, even though i17 is online).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread R. Scott Perry 

I'm getting spam, and it is being whitelisted because of HABEAS...  Here are
the headers.
These emails are definately spam.  Looks like HABEAS has been compromised?
Yes; the pharmacourt.biz spammers have infringed on the Habeas intellectual 
property rights.  Habeas is going after them.  Until this dies down, you 
may want to temporarily comment out the WHITELIST HABEAS line in the 
\IMail\Declude\global.cfg file.  You should also report it to them (the 
spammer was nice enough to include the URL to report it at in the 
headers!).  Reporting is important because although Habeas knows that this 
has happened, they are collecting as much information as possible.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread Larry Craddock 
 These emails are definately spam.  Looks like HABEAS has been compromised?

More like spammers are forging habeas headers and challenging habeus'
ability to prosecute.

Larry Craddock

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] whitelisted

2004-01-13 Thread Rick Klinge 
Fwiw.. I would never whitelist any email based solely because they warranted
it to be spam free... Email headers can and do get forged all the time.  I
have recently sent them a letter and a lot of porno and spam email for them
to review.. 

~Rick


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of andyb
 Sent: Tuesday, January 13, 2004 12:13 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] whitelisted
 
 
 HI,
 
 I'm getting spam, and it is being whitelisted because of 
 HABEAS...  Here are the headers.
 
 These emails are definately spam.  Looks like HABEAS has been 
 compromised?
 
 Comments Please.
 
 thanks, Andy
 
 Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
   (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
 Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 
 03:42:04 -0200
 Message-ID: [EMAIL PROTECTED]
 X-Habeas-SWE-1: winter into spring
 X-Habeas-SWE-2: brightly anticipated
 X-Habeas-SWE-3: like Habeas SWE (tm)
 X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
 X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
 X-Habeas-SWE-6: email in exchange for a license for this Habeas
 X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
 X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
 X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
 From: Blaine Shaffer [EMAIL PROTECTED]
 Reply-To: Blaine Shaffer [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many 
 M3ds Y5iov
 Date: Tue, 13 Jan 2004 04:49:04 -0100
 X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
 MIME-Version: 1.0
 Content-Type: multipart/alternative;  boundary=--891940459175399
 X-Priority: 5
 X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
 X-RBL-Warning: Total weight: 0
 X-Note: Total spam weight of this E-mail is 0.
 X-Note: This E-mail was scanned by Declude JunkMail 
(www.declude.com) for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.


___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] whitelisted

2004-01-13 Thread Bill 

I received 13 of these today in my personal e-mail.  I changed Habeas
from whitelist to weight -5 and it seems to have fixed the problem.
Don't know yet if non spam is getting blocked but I doubt it. 

Here is a log entry after change (weight was 36 even with the -5):

01/13/2004 11:09:12 Q26340f0201364351 HABEAS:-5 AHBL:6 CBL:4 DSBL:6
SORBS-SOCKS:5 SORBS-DUHL:4 SPAMCOP:7 SNIFFER2:9 .  Total weight = 36.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed HABEAS ().
Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed AHBL (Open Proxy -
http://www.ahbl.org/tools/lookup.php?ip=68.57.145.231;). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed CBL (Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=68.57.145.231;). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed DSBL
(http://dsbl.org/listing?ip=68.57.145.231;). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SORBS-SOCKS (Dynamic
IP Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.57.145.231;).
Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SORBS-DUHL (Dynamic IP
Address See:
http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=68.57.145.231;).
Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?68.57.145.231;). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT10 (Weight of 36
reaches or exceeds the limit of 10.). Action=HOLD.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT15 (Weight of 36
reaches or exceeds the limit of 15.). 
ction=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed WEIGHT20 (Weight of 36
reaches or exceeds the limit of 20.). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Msg failed SNIFFER2 (Message
failed SNIFFER2: 52.). Action=IGNORE.
01/13/2004 11:09:12 Q26340f0201364351 Subject: Got Pills?Valï(u)m,
V|@gra, X(a)[EMAIL PROTECTED], S0ma Di3t Pills Many M3ds brEWTRhNhf 
01/13/2004 11:09:12 Q26340f0201364351 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 68.57.145.231 ID: 


Here is the change in Global.cfg:

#WHITELIST  HABEAS
HABEAS  habeas  x   x   -5  0


Bill


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of andyb
 Sent: Tuesday, January 13, 2004 12:13 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] whitelisted
 
 
 HI,
 
 I'm getting spam, and it is being whitelisted because of 
 HABEAS...  Here are the headers.
 
 These emails are definately spam.  Looks like HABEAS has been 
 compromised?
 
 Comments Please.
 
 thanks, Andy
 
 Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
   (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
 Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 
 03:42:04 -0200
 Message-ID: [EMAIL PROTECTED]
 X-Habeas-SWE-1: winter into spring
 X-Habeas-SWE-2: brightly anticipated
 X-Habeas-SWE-3: like Habeas SWE (tm)
 X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
 X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
 X-Habeas-SWE-6: email in exchange for a license for this Habeas
 X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
 X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
 X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
 From: Blaine Shaffer [EMAIL PROTECTED]
 Reply-To: Blaine Shaffer [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], 
 [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many 
 M3ds Y5iov
 Date: Tue, 13 Jan 2004 04:49:04 -0100
 X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
 MIME-Version: 1.0
 Content-Type: multipart/alternative;  boundary=--891940459175399
 X-Priority: 5
 X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
 X-RBL-Warning: Total weight: 0
 X-Note: Total spam weight of this E-mail is 0.
 X-Note: This E-mail was scanned by Declude JunkMail 
(www.declude.com) for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Russ Uhte \(Lists\) 
At 11:30 AM 1/13/2004, Bill Landry wrote:
Russ, a not too drastic option would be to run SA on a linux mail gateway
sitting in front of your IMail server and then track the hit=xx.x header
counts with Declude.  That's what we do here, and it has worked great for
us.  With this configuration you could also set IMail to gateway all
outbound mail to the SA box for all external mail delivery, thus taking this
Bill... This is what I would like to do, but there are a couple 
issues/questions I have.

1.  How do I reject messages with an invalid RCPT TO: command?
2.  What size machine do I need?  Let's say I process 200,000 messages a 
day, and I want to plan for 20% growth before this box is retired.  I 
understand that fast hard drives and proper partitioning are still 
extremely important, but what about processor/memory requirements?  I'm 
guessing this would be pretty high need as well.

Thanks,
Russ 

---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] messagescreen.com

2004-01-13 Thread Frederick Samarelli 
But how does it work? Good --- bad
- Original Message - 
From: Rick Klinge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:02 PM
Subject: RE: [Declude.JunkMail] messagescreen.com


 MessageScreen is a sophisticated anti-spam, anti-virus, and content
 filtering solution that is tightly integrated with Novell GroupWise,
 Microsoft Exchange, and Lotus Domino email platforms. MessageScreen's
 gateway-level filtering technology stops over 97% of spam and produces
 virtually no false positives.

 http://www.messagescreen.com/Products/MessageScreen/index.htm

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Frederick Samarelli
  Sent: Tuesday, January 13, 2004 11:30 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] messagescreen.com
 
 
  Does anyone have any info on this service.
 
   messagescreen.com
 

 ___
 Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread Frederick Samarelli 
I got that this morning as well.

I commented out the HABEAS test.
- Original Message - 
From: andyb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:13 PM
Subject: [Declude.JunkMail] whitelisted


 HI,

 I'm getting spam, and it is being whitelisted because of HABEAS...  Here
are
 the headers.

 These emails are definately spam.  Looks like HABEAS has been compromised?

 Comments Please.

 thanks, Andy

 Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
   (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
 Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004
03:42:04 -0200
 Message-ID: [EMAIL PROTECTED]
 X-Habeas-SWE-1: winter into spring
 X-Habeas-SWE-2: brightly anticipated
 X-Habeas-SWE-3: like Habeas SWE (tm)
 X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
 X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
 X-Habeas-SWE-6: email in exchange for a license for this Habeas
 X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
 X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
 X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
 From: Blaine Shaffer [EMAIL PROTECTED]
 Reply-To: Blaine Shaffer [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED],
 [EMAIL PROTECTED]
 Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many M3ds Y5iov
 Date: Tue, 13 Jan 2004 04:49:04 -0100
 X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary=--891940459175399
 X-Priority: 5
 X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
 X-RBL-Warning: Total weight: 0
 X-Note: Total spam weight of this E-mail is 0.
 X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
 spam.
 X-Spam-Tests-Failed: Whitelisted [0]
 X-RCPT-TO: [EMAIL PROTECTED]
 X-UIDL: 370486507
 Status: U



 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] 1.77i16 Live... Really!

2004-01-13 Thread Colbeck, Andrew 
More weirdness.  It may only be mine.

I just used wget to fetch the current interim, which was 1.77i17 and when I
did a

declude.exe -diag

all looked good.  Then I copied it to the IMail server and tried there, and
got the report I'm putting in the attached text file.  From my log, it looks
like I started getting this:

01/13/2004 10:31:49 Q398554ca00983e88 (Error 5 at 410bae v1.77i17)
01/13/2004 10:31:49 Q398554ca00983e88 (log part 2 saved as C:\declude.gp2)
01/13/2004 10:31:49 Q398554ca00983e88 (log part 1 saved as C:\declude.gp1)
01/13/2004 10:31:49 Q399410e600bc7874 Skipping E-mail from IP 10.192.0.215
; whitelisted [10.192.0.215].
01/13/2004 10:31:49 Q399410e600bc7874 ERROR: nTests corrupted (1b): 3d485349

in my log.  I hope that helps.  I've switched back to the interim I was
happy with, v1.77i12

YMMV

Andrew 8)

-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 13, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] 1.77i16 Live... Really!



... the SPF bug that I reported (Just asking because it was not 
acknowledged in any way.)

That is currently being investigated.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Declude 1.77i17 (C) Copyright 2000-2004 Computerized Horizons.


Diagnostics ON (Declude v1.77i17).

Declude JunkMail:  Config file found (d:\imail\Declude\global.CFG).
Declude Virus: Not installed (no d:\imail\Declude\Virus.CFG file).
Declude Hijack:Not installed (no d:\imail\Declude\Hijack.CFG file).
Declude Confirm:   Not installed (no d:\imail\Declude\Confirm.CFG file).

1028150089 spam tests defined: IPNOTINMX NOLEGITCONTENT BASE64 BADHEADERS HELOBOGUS 
MAILFROM PERCENT REVDNS ROUTING SPAMHEADERS WEIGHT20 COMMENTS SUBJSPACE10 SUBJSPACE15 
SUBJSPACE25 LONGSUBJECT NONENGLISH CMDSPACE COUNTRY SPAMDOMAINS DSBL DSBLMULTI PIGS 
DSN NOABUSE NOPOSTMASTER ORDB SPAMCOP BONDEDSENDER-DYNA AHBL-GOOD FLOWGO SPAMHAUS 
XBL-DYNA NJABL NJABLDUL NJABLSOURCES NJABLMULTI FIVETENSRC FIVETENMULTI FIVETENSINGLE 
FIVETENWEBFORM NJABL-DYNABLOCK BH-CNKR BH-WANADOO BH-CIBERLYNX BH-CYBERCON BR-RU BR-BR 
BR-JP BLITZEDALL SORBS-HTTP-DYNA SORBS-SOCKS-DYNA SORBS-MISC-DYNA SORBS-SMTP-DYNA 
SORBS-SPAM-DYNA SORBS-WEB SORBS-BLOCK SORBS-ZOMBIE SORBS-DYNA SORBS-BADCONF 
SORBS-NOMAIL HIL DRBL-RU DNSRBL-SPAM WYTNIJ PSBL RELAYWATCHER-DYNA MAILPOLICE-BULK 
MAILPOLICE-PORN SPAMBAG SECURITYSAGE WILDCARD-DOMAIN-AC WILDCARD-DOMAIN-CC 
WILDCARD-DOMAIN-CX WILDCARD-DOMAIN-MP WILDCARD-DOMAIN-MUSEUM WILDCARD-DOMAIN-NU1 
WILDCARD-DOMAIN-NU2 WILDCARD-DOMAIN-PH WILDCARD-DOMAIN-PW1 WILDCARD-DOMAIN-PW2 
WILDCARD-DOMAIN-SH WILDCARD-DOMAIN-TD WILDCARD-DOMAIN-TK1 WILDCARD-DOMAIN-TK2 
WILDCARD-DOMAIN-TM WILDCARD-DOMAIN-WS SBBL AHBL-RELAY-DYNA AHBL-PROXY-DYNA 
AHBL-SOURCE-DYNA AHBL-MAYBE AHBL-FORMMAIL AHBL-SUPPDIRECT AHBL-SUPPINDIR 
AHBL-ENDUSER-DYNA AHBL-SHOOT AHBL-NOABUSE AHBL-IGNORE5XX AHBL-NONRFC AHBL-OTHER SOLID 
BENTALLIPWL BENTALLIPBL BENTALLKILLFILE ANTIGIBBERISHSUB ANTIGIBBERISH GIBBERISHSUB 
GIBBERISH DYNAMIC BENTALLHABEAS BENTALLBOUNCEIN COMCAST-DYNA SHAWCABLE-DYNA 
BENTALLKILLDEL BENTALLSPAM BENTALLSPAMSUBJ BENTALLVIRUS BENTALLNEGTEXT BENTALLSPAMHINT 
BENTALLURL1203 BENTALLHTML BENTALLURLHINT BENTALLURLHOSTS BENTALLSPAMUNSUB 
BENTALLSPAMURLPORN BENTALLHOAX SNIFFER SNIFFERMALWARE SNIFFERGREY DSBLALL 
GIBBERISHBODY BENTALLURLHTML   
 ×!5   rsplow=0012C844 high=0012FFF0

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Matt 




This took actual research to figure out :) Topica is absolutely a spam
house, and I wouldn't be at all surprised to see them populating their
database with addresses and list demographics from Topica.com. Many of
the lists that Topica sends out are auto-subscribed to by a bot that
they operate, so they are merely re-distributing much of the content.

Here's the SBL evidence file for the main Topica block:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12236

Here's one of their blocks that I have blacklisted:

http://www.senderbase.org/search?searchString=66.180.244.0%2F25

Here's a nice evidence file from Google:

http://groups.google.com/groups?q=topica.com+group:*abuse*start=10hl=enlr=ie=UTF-8scoring=dselm=e1e3rvkq62pvs1mi997tamhk701s571m5a%40thor.wirehub.nlrnum=12

Here's what happens with their unconfirmed list subscriptions (4-9 year
old child porn list memberships):

http://groups.google.com/groups?q=topica.com+group:*abuse*start=20hl=enlr=ie=UTF-8scoring=dselm=200310170813.h9H8DauA024020%40jupiter.gwalter.demon.co.ukrnum=22

The SBL listing as well as Google Groups suggests strongly that they
are using their list business as a part of their address collection, or
in the very least they don't hardly at all practice a foolproof method
of verifying memberships in their lists as fake addresses get
subscribed, and on person even complained about getting subscribed to
something like 28 of their lists all at once as suspected retribution
for something, hearsay of course, but there's lots more, 5,480 matches
in abuse newsgroups in fact.

Topica -
http://groups.google.com/groups?hl=enlr=ie=ISO-8859-1scoring=dq=Topica+group%3A*abuse*btnG=Google+Search

And some other abuse newsgroup hits:

tpca.net -
http://groups.google.com/groups?scoring=dq=tpca.net+group:*abuse*
servitall.com -
http://groups.google.com/groups?scoring=dq=Servitall.com+group:*abuse*
pl00.com -
http://groups.google.com/groups?scoring=dq=pl00.com+group:*abuse*

These guys clearly front their listserv business as a way to enable
their spam operations, and spamming listserv operators take advantage
of their policies in order to gain entry into your system. How could
you possibly want to let this stuff into your server?

As far as the other SBL FP's that you said you have relating to
personal E-mail, I'd be very curious as to what the SBL listing said in
relation. SBL has an FP rate that far exceeds my own on my system.
I'd drop them substantially in weighting if I felt that their standards
were lacking.

Matt




Bill Landry wrote:

  
  
  
  
  Matt, legitimate messages are
legitimate no matter the source that they come from, would you not
agree with this? You would have deleted all of these messages, as well
the other dozen or so legitimate personal messages I found. I don't
see any credibility in your position here that it is okay to delete
legitimate messages based on where they are delivered from.
  
  Bill
  
-
Original Message - 
From:
Matt

To:
[EMAIL PROTECTED]

Sent:
Tuesday, January 13, 2004 9:45 AM
Subject:
Re: [Declude.JunkMail] SpamD/SpamC for Declude


Bill,

It appears that your entire list is from one source, Topica.

Search the archives for a discussion of Topica, how their lack of
message list verification results in lots of spam, and how they are
also a spam house, even sending spam from the same block of IP's. I
thought this was an FP at first, but this is more of the malware
variety. There's a good reason for Topica to be listed. I've
explained this one caveat many times here, but a spam house is a spam
house in my book.

You should have explained with your stats how these were mostly or even
all from the same source :)

Matt



Bill Landry wrote:

  - Original Message - 
From: Matt

  
  
I think that I've pointed out the caveats many times
over on blocking with SBL.  SBL is though more
accurate than my system as a whole, and I have
never seen a true false positive with it.

  
  
  
  
I've asked this several times; has anyone ever seen
a false positive with SBL?  I've not ever received a
single reply to that question, though this is the 3rd
time I've asked it now.

  
  
Because people didn't respond doesn't mean anything.  All RBLs produce
false-positives.  How could they not, they are run by humans.

  
  
I think your advice is well founded, however it is a
generalization and exceptions may apply.

  
  
There are no exceptions when it comes to anything run by humans, there WILL
be errors.

Just from yesterdays logs, legitimate mailing list messages blocked by SBL:
20 Subject: RE: [MS SMS] What are YOU doing to remove spyware? 2004 Edition
19 Subject: RE: [MS SMS] OT: Football
12 Subject: RE: [myOT] Alias
10 Subject: RE: [MS SMS] SMS 2003: WMI
9 Subject: RE: [MS SMS] Installing a DP over the wire.
9 Subject: RE: [myOT] MMS 2004
7 Subject:

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Bill Landry 



Wow, what does any of this have to do with 
delivering legitimate messages rather than deleting them? I do not 
intentionally deliver spam from any source, including these - but I do deliver 
the legitimate messages sent from any source(ah, the true benefits of a 
spam weighting system). You, on the other hand, summarily delete anything 
that may come from a source of spam, whether the message is legitimate or 
not. I simply do not understand this philosophy, nor that you would argue 
in favor of it.

Bill

  - Original Message - 
  From: 
  Matt 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, January 13, 2004 10:29 
  AM
  Subject: Re: [Declude.JunkMail] Topica 
  and SBL
  This took actual research to figure out :) Topica is 
  absolutely a spam house, and I wouldn't be at all surprised to see them 
  populating their database with addresses and list demographics from 
  Topica.com. Many of the lists that Topica sends out are auto-subscribed 
  to by a bot that they operate, so they are merely re-distributing much of the 
  content.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread Frederick Samarelli 
Same problem.
01/13/2004 13:53:21 Q3ea002ea02623b93 ERROR: nTests corrupted (1):
961824839-200
01/13/2004 13:53:22 Q3ea002ea02623b93 (Error 5 at 42351c v1.77i17)
01/13/2004 13:53:22 Q3ea002ea02623b93 (log part 2 saved as C:\declude.gp2)
01/13/2004 13:53:22 Q3ea002ea02623b93 (log part 1 saved as C:\declude.gp1)


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:09 PM
Subject: Re: [Declude.JunkMail] 1.77i15 Bug



 It now shows 1.77i16 but still the same error.
 
 1/13/2004 12:44:03 Q2e6302780262ca7c (Error 5 at 4127f8 v1.77i16)
 01/13/2004 12:44:03 Q2e6302780262ca7c (log part 2 saved as
C:\declude.gp2)
 01/13/2004 12:44:03 Q2e6302780262ca7c (log part 1 saved as
C:\declude.gp1)

 There is a v1.77i17 that has been placed online to deal with
 this.  However, given the mystery caching problem, you may or may not be
 able to get 1.77i17 (we're still getting i15 when we try to download from
 here, even though i17 is online).

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 1.77i15 Bug

2004-01-13 Thread R. Scott Perry 

Same problem.
01/13/2004 13:53:21 Q3ea002ea02623b93 ERROR: nTests corrupted (1):
961824839-200
There is a 1.77i18 at http://www.declude.com/interim that should fix this.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Log File Changes

2004-01-13 Thread Bill 
From visual inspection, it looks like there is also warning lines in
this format:

01/07/2004 00:13:11 Qa376165600fc12a6 WARNING: some type of error report
here


These are easy enough to ignore during my analysis.  Are there other
types of lines that may be of concern?

Thanks,
Bill

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. 
 Scott Perry
 Sent: Tuesday, January 13, 2004 11:31 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Log File Changes
 
 
 
 I am assuming that for this information, I need MID log level.  On 
 visual inspection of the MID log file, it looks like this format is:
 
 00/00/00 00:00:00 Qx FailedTest1Name:weight 
 FailedTest2Name:weight
  TOTALWEIGHT = weight.
 00/00/00 00:00:00 Qx Subject: message subject
 00/00/00 00:00:00 Qx From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 
 x.x.x.x ID:
 00/00/00 00:00:00 Qx FailedTest1Name:action 
 FailedTest2Name:action 
 .
 
 That is correct.  Some of those lines appear at LOGLEVEL LOW, 
 but to get 
 them all, you would need LOGLEVEL MID (or LOGLEVEL HIGH).
 
 And for multiple recipients, the last three lines are repeated (not 
 sure why subject line is repeated?) for each user with the new TO 
 address appended to the previous TO line.  i.e.:
 
 To: [EMAIL PROTECTED]
 
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 To: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 Etc.
 
 Are my assumptions correct?
 
 That is correct.  I'll look into getting the Subject: line to 
 only appear once.
 
 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail 
 mailservers. Declude Virus: Catches known viruses and is the 
 leader in mailserver 
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day 
 evaluation.
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
unsubscribe Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Nick Hayer 
Can anyone recommend a web interfaced dns management console for end 
users? Want end users to be able to manage their own domains eg: 
adding, deleting, edits. Thanks much!

-Nick Hayer

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread John Tolmachoff \(Lists\) 









TREADING LIGHTLY



I think what Matt maybe saying, is that
even if legit messages come through Topica, Topica may be harvesting those
addresses from the legit messages for use in unintended ways, AKA spam.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, January 13, 2004 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail]
Topica and SBL





Wow, what does any of this have to do with delivering
legitimate messages rather than deleting them? I do not intentionally
deliver spam from any source, including these - but I do deliver the legitimate
messages sent from any source(ah, the true benefits of a spam weighting
system). You, on the other hand, summarily delete anything that may come
from a source of spam, whether the message is legitimate or not. I simply
do not understand this philosophy, nor that you would argue in favor of it.











Bill







- Original Message - 





From: Matt 





To: [EMAIL PROTECTED]






Sent: Tuesday, January
 13, 2004 10:29 AM





Subject: Re:
[Declude.JunkMail] Topica and SBL









This took actual research to figure out :)
Topica is absolutely a spam house, and I wouldn't be at all surprised to see
them populating their database with addresses and list demographics from
Topica.com. Many of the lists that Topica sends out are auto-subscribed
to by a bot that they operate, so they are merely re-distributing much of the
content.

Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Russ Uhte (Lists) [EMAIL PROTECTED]


 Bill... This is what I would like to do, but there are a couple
 issues/questions I have.

Russ, we should probably take this off-line.  But briefly:

 1.  How do I reject messages with an invalid RCPT TO: command?

There are a couple of ways you can handle this, depending on where you host
your IMail user database.

 2.  What size machine do I need?  Let's say I process 200,000 messages a
 day, and I want to plan for 20% growth before this box is retired.  I
 understand that fast hard drives and proper partitioning are still
 extremely important, but what about processor/memory requirements?  I'm
 guessing this would be pretty high need as well.

Personally, I would much rather setup two smaller gateway servers with equal
MX settings then one big gateway server.  The reason for this is that it
allows you to split the load and also be able to loose a server or take it
off-line for maintenance and still keep delivering mail.

Please contact me off-list if you would like to discuss this further.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] whitelisted

2004-01-13 Thread Colbeck, Andrew 
Andy, Habeas has not been compromised.  Since Saturday, a spammer has been
using the Habeas warrant in the headers to get his junk past
configurations like yours.

This header text is easy to insert.  Note that the X-Mailer: header is also
being faked.  Each of the spams I've seen like this have come through a
zombie on a consumer broadband computer.  And is advertising one of three
domain names.

The general consensus is that you shouldn't WHITELIST on any easily forged
text, including the Habeas warrant.  Check the archive in the last few days
for this list for more discussion and sample configurations that have
shared.

http://www.mail-archive.com/[EMAIL PROTECTED]/

Andrew 8)

-Original Message-
From: andyb [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 13, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelisted


HI,

I'm getting spam, and it is being whitelisted because of HABEAS...  Here are
the headers.

These emails are definately spam.  Looks like HABEAS has been compromised?

Comments Please.

thanks, Andy

Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
  (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 03:42:04 -0200
Message-ID: [EMAIL PROTECTED]
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
From: Blaine Shaffer [EMAIL PROTECTED]
Reply-To: Blaine Shaffer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many M3ds Y5iov
Date: Tue, 13 Jan 2004 04:49:04 -0100
X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=--891940459175399
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
X-RBL-Warning: Total weight: 0
X-Note: Total spam weight of this E-mail is 0.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Matt 




Bill,

If this stuff comes from the same IP, both good and bad, then how do
you tell it apart? Do you merely rely on content filters?

Their servers send lots of spam and they are well aware of the
problems. When you combine their semi-legit business with the fact
that they are spamming openly from 10 or more different address blocks,
and they use 100's of domains, I think the right thing to do becomes
obvious. I'm sure that this is what led SBL to finally list them.

The fact is that if I was knowingly selling bulk mail services to
spammers from my own server as well as sending personal E-mail from it,
you would be justified in blocking me. Topica's practices will
probably end up converting their service over to virtually all spam
over time, because legit senders will find their service to be a poor
choice based on their business practices.

The bottom line remains, Topica is a spam house, and on their supposed
legit service, they maintain relationships with known spammers despite
abuse reports. They are leaving us with no choice, because they left
us with no good way to differentiate. Topica is a bad, bad company.

Matt




Bill Landry wrote:

  
  
  
  Wow, what does any of this have to
do with delivering legitimate messages rather than deleting them? I do
not intentionally deliver spam from any source, including these - but I
do deliver the legitimate messages sent from any source(ah, the true
benefits of a spam weighting system). You, on the other hand,
summarily delete anything that may come from a source of spam, whether
the message is legitimate or not. I simply do not understand this
philosophy, nor that you would argue in favor of it.
  
  Bill
  
-
Original Message - 
From:
Matt

To:
[EMAIL PROTECTED]

Sent:
Tuesday, January 13, 2004 10:29 AM
Subject:
Re: [Declude.JunkMail] Topica and SBL


This took actual research to figure out :) Topica is absolutely a spam
house, and I wouldn't be at all surprised to see them populating their
database with addresses and list demographics from Topica.com. Many of
the lists that Topica sends out are auto-subscribed to by a bot that
they operate, so they are merely re-distributing much of the content.


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread andyb 
This was whitelisted as it is/was part of the default config file...

- Original Message -
From: Rick Klinge [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:25 PM
Subject: RE: [Declude.JunkMail] whitelisted


Fwiw.. I would never whitelist any email based solely because they warranted
it to be spam free... Email headers can and do get forged all the time.  I
have recently sent them a letter and a lot of porno and spam email for them
to review..

~Rick


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of andyb
 Sent: Tuesday, January 13, 2004 12:13 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] whitelisted


 HI,

 I'm getting spam, and it is being whitelisted because of
 HABEAS...  Here are the headers.

 These emails are definately spam.  Looks like HABEAS has been
 compromised?

 Comments Please.

 thanks, Andy

 Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
   (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
 Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004
 03:42:04 -0200
 Message-ID: [EMAIL PROTECTED]
 X-Habeas-SWE-1: winter into spring
 X-Habeas-SWE-2: brightly anticipated
 X-Habeas-SWE-3: like Habeas SWE (tm)
 X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
 X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
 X-Habeas-SWE-6: email in exchange for a license for this Habeas
 X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
 X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
 X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
 From: Blaine Shaffer [EMAIL PROTECTED]
 Reply-To: Blaine Shaffer [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many
 M3ds Y5iov
 Date: Tue, 13 Jan 2004 04:49:04 -0100
 X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
 MIME-Version: 1.0
 Content-Type: multipart/alternative;  boundary=--891940459175399
 X-Priority: 5
 X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
 X-RBL-Warning: Total weight: 0
 X-Note: Total spam weight of this E-mail is 0.
 X-Note: This E-mail was scanned by Declude JunkMail
(www.declude.com) for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.
___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.


___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Habeas fraud?

2004-01-13 Thread Omar K. 
Several spam emails are being whitelisted by declude, I didn’t know what was
causing it as I don’t have any whitelisting going on, until I noticed the
habeas header.

Am I correct in thinking that this spam messages got whitelisted because of
Habeas? And if so, what next step should I take other than turning off
Habeas whitelisting?


Received: from ACB83BEE.ipt.aol.com [172.184.59.238] by jeeran.com
  (SMTPD32-6.06) id AE443C3010A; Tue, 13 Jan 2004 19:43:32 +0200
Received: from 179.46.253.160 by 172.184.59.238; Tue, 13 Jan 2004 03:45:03
-0200
Message-ID: [EMAIL PROTECTED]
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
From: Rodolfo Horner [EMAIL PROTECTED]
Reply-To: Rodolfo Horner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Want Meds? S(o)mA, X(a)[EMAIL PROTECTED], Valï(u)m, V|@gra. Di3t Pills Many 
M3ds
40cw7H 
Date: Tue, 13 Jan 2004 01:38:03 -0400
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=--546890453042068292
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [172.184.59.238]
X-Note: This E-mail was scanned by jeeran.com for spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 351356022
Status: U

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Bill Landry 



So I got to ask then, is this a good enough reason 
to delete legitimate messages?

Bill

  - Original Message - 
  From: 
  John Tolmachoff (Lists) 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, January 13, 2004 11:17 
  AM
  Subject: RE: [Declude.JunkMail] Topica 
  and SBL
  
  
  TREADING 
  LIGHTLY
  
  I think what Matt 
  maybe saying, is that even if legit messages come through Topica, Topica may 
  be harvesting those addresses from the legit messages for use in unintended 
  ways, AKA spam.
  
  
  John 
  Tolmachoff
  Engineer/Consultant/Owner
  eServices For 
  You
  
  
  -Original 
  Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Bill LandrySent: Tuesday, 
  January 13, 2004 
  10:59 
  AMTo: 
  [EMAIL PROTECTED]Subject: Re: [Declude.JunkMail] Topica 
  and SBL
  
  
  Wow, what does any of this have to 
  do with delivering legitimate messages rather than deleting them? I do 
  not intentionally deliver spam from any source, including these - but I do 
  deliver the legitimate messages sent from any source(ah, the true 
  benefits of a spam weighting system). You, on the other hand, summarily 
  delete anything that may come from a source of spam, whether the message is 
  legitimate or not. I simply do not understand this philosophy, nor that 
  you would argue in favor of it.
  
  
  
  Bill
  

- Original Message - 


From: Matt 


To: [EMAIL PROTECTED] 


Sent: 
Tuesday, January 13, 
2004 10:29 
AM

Subject: Re: 
[Declude.JunkMail] Topica and SBL


This took actual research to figure out :) 
Topica is absolutely a spam house, and I wouldn't be at all surprised to see 
them populating their database with addresses and list demographics from 
Topica.com. Many of the lists that Topica sends out are 
auto-subscribed to by a bot that they operate, so they are merely 
re-distributing much of the 
content.

RE: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Kevin Bilbee 
You did not mention the DNS server being used. like BIND, Simple DNS, MS
DNS???


Kevin Bilbee



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] *OT* Web dns management console


 Can anyone recommend a web interfaced dns management console for end
 users? Want end users to be able to manage their own domains eg:
 adding, deleting, edits. Thanks much!

   -Nick Hayer

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread andyb 
I have been reporting as they come up.

Thanks, Andy

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:13 PM
Subject: Re: [Declude.JunkMail] whitelisted



 I'm getting spam, and it is being whitelisted because of HABEAS...  Here
are
 the headers.
 
 These emails are definately spam.  Looks like HABEAS has been
compromised?

 Yes; the pharmacourt.biz spammers have infringed on the Habeas
intellectual
 property rights.  Habeas is going after them.  Until this dies down, you
 may want to temporarily comment out the WHITELIST HABEAS line in the
 \IMail\Declude\global.cfg file.  You should also report it to them (the
 spammer was nice enough to include the URL to report it at in the
 headers!).  Reporting is important because although Habeas knows that this
 has happened, they are collecting as much information as possible.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Rick Klinge 
Yup,

http://www.jhsoft.com

Works.. No problems at all

~Rick

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 1:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] *OT* Web dns management console
 
 
 Can anyone recommend a web interfaced dns management console for end 
 users? Want end users to be able to manage their own domains eg: 
 adding, deleting, edits. Thanks much!
 
   -Nick Hayer

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Joshua Levitsky 



Except that you are contributing to their database 
of valid addresses so you get other spam and you are doing "business" with a 
spammer... even if it is a free list. The point that Matt makes.. which is a 
valid one.. is that Topica shouldn't be used by anyone because their existance 
makes spam even worse for all. You shouldn't enable spammers, and your use of 
their lists is doing just that.
--Joshua Levitsky, MCSE, 
CISSPSystem EngineerTime Inc. Information Technology[5957 F27C 9C71 
E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

  - Original Message - 
  From: 
  Bill 
  Landry 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, January 13, 2004 1:58 
  PM
  Subject: Re: [Declude.JunkMail] Topica 
  and SBL
  
  Wow, what does any of this have to do with 
  delivering legitimate messages rather than deleting them? I do not 
  intentionally deliver spam from any source, including these - but I do deliver 
  the legitimate messages sent from any source(ah, the true benefits of a 
  spam weighting system). You, on the other hand, summarily delete 
  anything that may come from a source of spam, whether the message is 
  legitimate or not. I simply do not understand this philosophy, nor that 
  you would argue in favor of it.
  
  Bill
  
- Original Message - 
From: 
Matt 

To: [EMAIL PROTECTED] 

Sent: Tuesday, January 13, 2004 10:29 
AM
Subject: Re: [Declude.JunkMail] Topica 
and SBL
This took actual research to figure out :) Topica is 
absolutely a spam house, and I wouldn't be at all surprised to see them 
populating their database with addresses and list demographics from 
Topica.com. Many of the lists that Topica sends out are 
auto-subscribed to by a bot that they operate, so they are merely 
re-distributing much of the content.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Matt 




John,

That's part of it, but that part was only speculative. Topica does
harvest from the Web and newsgroups for their spam for sure.

Topica is a very shifty company that likes to juggle address blocks.
In order to avoid listings, they have an active campaign to encourage
people to whitelist their list servers. They were a Habeas client, but
they had their status pulled very quickly. Now they have tricked
Bonded Sender into list them, and I assure you, that won't last long
either if Bonded Sender wants to maintain any clout in the community
(be your own judge).

Matt



John Tolmachoff (Lists) wrote:

  
  
  
  
  TREADING
LIGHTLY
  
  I think what
Matt maybe saying, is that
even if legit messages come through Topica, Topica may be harvesting
those
addresses from the legit messages for use in unintended ways, AKA spam.
  
  
  John
Tolmachoff
  Engineer/Consultant/Owner
  eServices
For You
  
  
  
  -Original
Message-
  From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
  Sent: Tuesday,
January 13, 2004 10:59
AM
  To:
[EMAIL PROTECTED]
  Subject: Re:
[Declude.JunkMail]
Topica and SBL
  
  
  Wow, what does any of
this have to do with delivering
legitimate messages rather than deleting them? I do not intentionally
deliver spam from any source, including these - but I do deliver the
legitimate
messages sent from any source(ah, the true benefits of a spam
weighting
system). You, on the other hand, summarily delete anything that may
come
from a source of spam, whether the message is legitimate or not. I
simply
do not understand this philosophy, nor that you would argue in favor of
it.
  
  
  
  
  
  Bill
  
  

- Original Message
- 


From: Matt



To: [EMAIL PROTECTED]



Sent: Tuesday, January 13, 2004 10:29 AM


Subject: Re:
[Declude.JunkMail] Topica and SBL




This took actual
research to figure out :)
Topica is absolutely a spam house, and I wouldn't be at all surprised
to see
them populating their database with addresses and list demographics
from
Topica.com. Many of the lists that Topica sends out are
auto-subscribed
to by a bot that they operate, so they are merely re-distributing much
of the
content.
  
  
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread andyb 
Hi,

If people can use Habeas headers to get their spam delivered, then Habeas
HAS been compromised.  To say otherwise is a symantic difference that I
don't care to debate.  Bottom line is that Habeus Warrant doesn't mean
anything right now.

As for a configuration like mine, as I said, this is included in the
default config files obtained directly from Declude.  Call me ignorant,
that's fine.  I have to trust the makers of the software to know what they
are doing until I find out/learn otherwise.

The purpose of the list is to share info.  I could have just  taken care of
this quietly but instead chose to share the issue on the list because if it
was happening to me, I'm sure it is happening to others.

I'm sorry if my tone sounds a little indignant.  I'm not a stupid person,
just a busy one with way too much information to process at times.

Thanks, Andy
- Original Message -
From: Colbeck, Andrew [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:46 PM
Subject: RE: [Declude.JunkMail] whitelisted


Andy, Habeas has not been compromised.  Since Saturday, a spammer has been
using the Habeas warrant in the headers to get his junk past
configurations like yours.

This header text is easy to insert.  Note that the X-Mailer: header is also
being faked.  Each of the spams I've seen like this have come through a
zombie on a consumer broadband computer.  And is advertising one of three
domain names.

The general consensus is that you shouldn't WHITELIST on any easily forged
text, including the Habeas warrant.  Check the archive in the last few days
for this list for more discussion and sample configurations that have
shared.

http://www.mail-archive.com/[EMAIL PROTECTED]/

Andrew 8)

-Original Message-
From: andyb [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] whitelisted


HI,

I'm getting spam, and it is being whitelisted because of HABEAS...  Here are
the headers.

These emails are definately spam.  Looks like HABEAS has been compromised?

Comments Please.

thanks, Andy

Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
  (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 03:42:04 -0200
Message-ID: [EMAIL PROTECTED]
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
From: Blaine Shaffer [EMAIL PROTECTED]
Reply-To: Blaine Shaffer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many M3ds Y5iov
Date: Tue, 13 Jan 2004 04:49:04 -0100
X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=--891940459175399
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
X-RBL-Warning: Total weight: 0
X-Note: Total spam weight of this E-mail is 0.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread John Tolmachoff \(Lists\) 
GENERAL WARNING.

More control available to the end user means more problems can be created by
the end user.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] *OT* Web dns management console
 
 Can anyone recommend a web interfaced dns management console for end
 users? Want end users to be able to manage their own domains eg:
 adding, deleting, edits. Thanks much!
 
   -Nick Hayer
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Joshua Levitsky 



When the messages come from a system that 
participates in building spam lists and the distribution of spam then yes. You 
must take a stand that you won't have anything to do with a company like Topica. 
By using the legitimate part of their business you are feeding their corrupt 
part of their business and you are ultimately making the Internet a slightly 
worse place to be. 
--Joshua Levitsky, MCSE, CISSPSystem EngineerTime Inc. 
Information Technology[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 
D4D1]

  - Original Message - 
  From: 
  Bill 
  Landry 
  To: [EMAIL PROTECTED] 
  
  Sent: Tuesday, January 13, 2004 2:32 
  PM
  Subject: Re: [Declude.JunkMail] Topica 
  and SBL
  
  So I got to ask then, is this a good enough 
  reason to delete legitimate messages?
  
  Bill

Re: [Declude.JunkMail] whitelisted

2004-01-13 Thread Joshua Levitsky 
On their website you can report the spam and they will go after them... in 
theory... but for now because so many people are bundling the headers in 
spam you should probably not whitelist Habeas headers.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
- Original Message - 
From: andyb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 1:13 PM
Subject: [Declude.JunkMail] whitelisted


HI,

I'm getting spam, and it is being whitelisted because of HABEAS...  Here 
are
the headers.

These emails are definately spam.  Looks like HABEAS has been compromised?

Comments Please.

thanks, Andy

Received: from cs78191007.pp.htv.fi [62.78.191.7] by thumpernet.com
 (SMTPD32-6.06) id A0E113013E; Tue, 13 Jan 2004 12:54:41 -0500
Received: from 240.80.76.18 by 81.218.114.4; Tue, 13 Jan 2004 
03:42:04 -0200
Message-ID: [EMAIL PROTECTED]
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to http://www.habeas.com/report/.
From: Blaine Shaffer [EMAIL PROTECTED]
Reply-To: Blaine Shaffer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: GOT Valï(u)m, Viagr@, X(a)[EMAIL PROTECTED], Som@ Di3t Pills Many M3ds Y5iov
Date: Tue, 13 Jan 2004 04:49:04 -0100
X-Mailer: NetJunction (NetJunction 5.0-p1)/MIME
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=--891940459175399
X-Priority: 5
X-Declude-Sender: [EMAIL PROTECTED] [62.78.191.7]
X-RBL-Warning: Total weight: 0
X-Note: Total spam weight of this E-mail is 0.
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: Whitelisted [0]
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 370486507
Status: U



---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Matt 




I'm not deleting legitimate messages the last time I checked.

If my customers want to sign up for Topica, they can add them to their
Web mail address book. I figure that this is only a transition period
until Topica loses all of their legit business due to their practices.

Clearly, I am well aware of this issue :)

I'm much more concerned about the personal E-mail that you said was
also blocked by SBL. I would definitely consider dropping their weight
based on your claim that you saw 10 such messages in a day.

Also, don't assume that I am irresponsible in regard to weighting. I
watch my system like a hawk, and I use over 100 different tests, with
only two capable of deleting a message based on one hit (the other
being my own IP blacklist). When I find a problem, I always fix it,
though some need further verification and monitoring.

Matt



Bill Landry wrote:

  
  
  
  So I got to ask then, is this a good
enough reason to delete legitimate messages?
  
  Bill
  
-
Original Message - 
From:
John Tolmachoff (Lists)

To:
[EMAIL PROTECTED]

Sent:
Tuesday, January 13, 2004 11:17 AM
Subject:
RE: [Declude.JunkMail] Topica and SBL



TREADING
LIGHTLY

I think what
Matt maybe saying, is that even if legit messages come through Topica,
Topica may be harvesting those addresses from the legit messages for
use in unintended ways, AKA spam.


John
Tolmachoff
Engineer/Consultant/Owner
eServices
For You



-Original
Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Tuesday,
January 13, 2004 10:59
AM
To:
[EMAIL PROTECTED]
Subject: Re:
[Declude.JunkMail] Topica and SBL


Wow, what does any of
this have to do with delivering legitimate messages rather than
deleting them? I do not intentionally deliver spam from any source,
including these - but I do deliver the legitimate messages sent from
any source(ah, the true benefits of a spam weighting system). You, on
the other hand, summarily delete anything that may come from a source
of spam, whether the message is legitimate or not. I simply do not
understand this philosophy, nor that you would argue in favor of it.





Bill


  
  - Original Message
- 
  
  
  From: Matt
  
  
  
  To: [EMAIL PROTECTED]
  
  
  
  Sent: Tuesday, January 13, 2004 10:29 AM
  
  
  Subject: Re: [Declude.JunkMail]
Topica and SBL
  
  
  
  
  This took actual research to
figure out :) Topica is absolutely a spam house, and I wouldn't be at
all surprised to see them populating their database with addresses and
list demographics from Topica.com. Many of the lists that Topica sends
out are auto-subscribed to by a bot that they operate, so they are
merely re-distributing much of the content.



  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Hosting Support 
Hi Nick,

I put together a simple one in .NET for MS DNS that uses SQL2K and the
dnscmd utility to manage the most common functions in DNS (adding, deleting
Host and MX records).  Note that it does currently require IIS, the .NET
framework, and SQL2K on the MS DNS server.  If you're interested, we can
talk offline to see if it is a fit for your needs.

Darin.


- Original Message - 
From: Nick Hayer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 2:09 PM
Subject: Re: [Declude.JunkMail] *OT* Web dns management console


Can anyone recommend a web interfaced dns management console for end
users? Want end users to be able to manage their own domains eg:
adding, deleting, edits. Thanks much!

-Nick Hayer

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

_
[This E-mail virus scanned by 4C Web]



_
[This E-mail virus scanned by 4C Web]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Nick Hayer 
I'm using bind 8x but I would switch no problem to have the user 
interface...

-Nick

From:   Kevin Bilbee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:RE: [Declude.JunkMail] *OT* Web dns management console
Date sent:  Tue, 13 Jan 2004 11:56:12 -0800
Send reply to:  [EMAIL PROTECTED]

 You did not mention the DNS server being used. like BIND, Simple DNS,
 MS DNS???
 
 
 Kevin Bilbee
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer
  Sent: Tuesday, January 13, 2004 11:09 AM To:
  [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] *OT*
  Web dns management console
 
 
  Can anyone recommend a web interfaced dns management console for end
  users? Want end users to be able to manage their own domains eg:
  adding, deleting, edits. Thanks much!
 
  -Nick Hayer
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
  (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found at
  http://www.mail-archive.com.
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.
 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Joshua Levitsky

 Except that you are contributing to their database
 of valid addresses so you get other spam and you
 are doing business with a spammer... even if it is
 a free list. The point that Matt makes.. which is a
 valid one.. is that Topica shouldn't be used by
 anyone because their existance makes spam even
 worse for all. You shouldn't enable spammers,
 and your use of their lists is doing just that.

Oh yeah, well let me know how that works for you when you advise your
customers and users that they cannot subscribe to legitimate lists hosted by
topica (and others) because some of there address space has been know to
send spam.  I'm sure that will go over real big.  When your customers are
ready to drop your services because of this, be sure to send them my way,
since I will always deliver their legitimate messages to them, no matter the
source, and make every effort to block spam from being delivered to them.

Guess what, the rules for ISPs and other businesses are different then those
that are applied to private e-mail domains like joshie.com.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Andy Schmidt 
Title: Message



I 
guess this goes towards where one chooses to draw the line - spammersvs. 
"organizations supporting spammers". Someone who knowingly gets involved with a 
spammer, should probably expect that their email will not longer be delivered 
reliably.

Similar to blocking an infected/Zombie machine by IP. I do realize 
that this machine could ALSO generate legitimate requests from my server - but 
it is up to them to fix their problem so that the block can be 
removed.

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Bill LandrySent: Tuesday, January 13, 2004 02:33 
PMTo: [EMAIL PROTECTED]Subject: Re: 
[Declude.JunkMail] Topica and SBL

  So I got to ask then, is this a good enough 
  reason to delete legitimate messages?
  
  Bill

Re: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Bill Landry 
I whole heartedly agree.  Allowing end users, who usually know nothing about
how DNS works, to manage their own domain zone files I think is a recipe for
disaster.

Just me 2 cents...

Bill
- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 11:30 AM
Subject: RE: [Declude.JunkMail] *OT* Web dns management console


GENERAL WARNING.

More control available to the end user means more problems can be created by
the end user.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] *OT* Web dns management console

 Can anyone recommend a web interfaced dns management console for end
 users? Want end users to be able to manage their own domains eg:
 adding, deleting, edits. Thanks much!

 -Nick Hayer

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Hosting Support 
Totally agree, John.  That's why the simple interface I put together has
multiple security levels: one for users that could get into trouble by
accidentally deleting their MX records and www, etc. hostsand another
for more educated users who can be trusted to manage those.  Generally
shared hosting users can get access to the simple things like adding and
deleting , and collocated customers can perform somewhat more advanced tasks
like MX and common host (www, ftp, mail, etc.) record management.

Overall, it saves us a small amount of support time and makes some of our
customers happy when they have the power to make changes themselves without
having to contact someone else to do it.

Darin.


- Original Message - 
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 2:30 PM
Subject: RE: [Declude.JunkMail] *OT* Web dns management console


GENERAL WARNING.

More control available to the end user means more problems can be created by
the end user.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 11:09 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] *OT* Web dns management console

 Can anyone recommend a web interfaced dns management console for end
 users? Want end users to be able to manage their own domains eg:
 adding, deleting, edits. Thanks much!

 -Nick Hayer

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

_
[This E-mail virus scanned by 4C Web]



_
[This E-mail virus scanned by 4C Web]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SPF Bug!

2004-01-13 Thread R. Scott Perry 

I believe I found a bug in your SPF implementation.

http://www.infinitepenguins.net/SPF/check.php?action=spfcheckipv4=195.127.133.117helo=uli4[EMAIL PROTECTED]http://www.infinitepenguins.net/SPF/check.php?action=spfcheckipv4=195.127.133.117helo=uli4[EMAIL PROTECTED]

will PASS, because 195.127.133.117 matches a:roedermark.hm-software.com/25

Yet, Declude (and DNSStuff) FAILS the same combination:
http://www.dnsstuff.com/tools/[EMAIL 
PROTECTED]ip=195.127.133.117http://www.dnsstuff.com/tools/[EMAIL 
PROTECTED]ip=195.127.133.117
There does seem to be an issue with our SPF parsing when a: is used along 
with a CIDR range.  This will be fixed for the next interim release.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Joshua Levitsky 
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 3:31 PM
Subject: Re: [Declude.JunkMail] Topica and SBL


Guess what, the rules for ISPs and other businesses are different then 
those
that are applied to private e-mail domains like joshie.com.


Guess what? I work for AOL. Just because I happen to run my own domain 
doesn't mean I don't apply these same thought processes to internal policies 
and I have worked at T.I.A.C. (now owned by Earthlink) as a NOC engineer as 
well as IDT. So don't try to brush me off with putz comments like that.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Joshua Levitsky

 When the messages come from a system that
 participates in building spam lists and the
 distribution of spam then yes. You must take
 a stand that you won't have anything to do with
 a company like Topica. By using the legitimate
 part of their business you are feeding their corrupt
 part of their business and you are ultimately making
 the Internet a slightly worse place to be.

Obviously coming from someone that knows nothing about the IPS business.  I
would venture to guess that you do not even have the faintest idea of how
many legitimate lists topica hosts or you would probably be singing a
different song.

And again, it's easy to make these kinds irrational judgement call when the
only e-mail messages you will be affecting are those to your own little
vanity domain.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Topica and SBL

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Joshua Levitsky [EMAIL PROTECTED]

  Guess what, the rules for ISPs and other businesses are different then
  those
  that are applied to private e-mail domains like joshie.com.


 Guess what? I work for AOL. Just because I happen to run my own domain
 doesn't mean I don't apply these same thought processes to internal
policies
 and I have worked at T.I.A.C. (now owned by Earthlink) as a NOC engineer
as
 well as IDT. So don't try to brush me off with putz comments like that.

And do you have any roll in setting e-mail policy for AOL?  I bet AOL
doesn't block legitimate list e-mail from topica or any other legitimate
list source.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] *OT* Web dns management console

2004-01-13 Thread Kevin Bilbee 
A quick google search of BIND WEB INTERFACE gave me lots of hits.

try www.DNSZONE.ORG


Kevin Bilbee

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer
 Sent: Tuesday, January 13, 2004 12:33 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] *OT* Web dns management console
 
 
 I'm using bind 8x but I would switch no problem to have the user 
 interface...
 
 -Nick
 
 From: Kevin Bilbee [EMAIL PROTECTED]
 To:   [EMAIL PROTECTED]
 Subject:  RE: [Declude.JunkMail] *OT* Web dns 
 management console
 Date sent:Tue, 13 Jan 2004 11:56:12 -0800
 Send reply to:[EMAIL PROTECTED]
 
  You did not mention the DNS server being used. like BIND, Simple DNS,
  MS DNS???
  
  
  Kevin Bilbee
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer
   Sent: Tuesday, January 13, 2004 11:09 AM To:
   [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] *OT*
   Web dns management console
  
  
   Can anyone recommend a web interfaced dns management console for end
   users? Want end users to be able to manage their own domains eg:
   adding, deleting, edits. Thanks much!
  
 -Nick Hayer
  
   ---
   [This E-mail was scanned for viruses by Declude Virus
   (http://www.declude.com)]
  
   ---
   This E-mail came from the Declude.JunkMail mailing list.  To
   unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
   type unsubscribe Declude.JunkMail.  The archives can be found at
   http://www.mail-archive.com.
  
  
  ---
  [This E-mail was scanned for viruses by Declude Virus
  (http://www.declude.com)]
  
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
  
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SFP is catching on...

2004-01-13 Thread Bill Landry 
SPF counts for the past couple of weeks:
==
  1 1st.net PASS
  1 accesscomm.ca FAIL
  8 alta-vista.com FAIL
  1 alta-vista.com FAIL
  3 altavista.co.kr FAIL
  2 altavista.co.uk FAIL
106 altavista.com FAIL
 12 altavista.com FAIL
  2 altavista.de FAIL
  3 altavista.fr FAIL
  2 altavista.fr FAIL
  2 altavista.net FAIL
  2 altavista.net FAIL
  4 altavista.nl FAIL
 14 altavista.se FAIL
  2 altavista.se FAIL
136 aol.com FAIL
618 aol.com PASS
203 aol.com UNKNOWN
  9 arcada.fi UNKNOWN
  4 b1.mx0.net PASS
 14 b2.mx0.net PASS
 28 baschny.de FAIL
  7 baschny.de FAIL
  1 bayol.com FAIL
  2 catchamail.com FAIL
  2 celt.dias.ie FAIL
  1 chinabytemail.com FAIL
  7 citlink.net FAIL
 12 citlink.net PASS
  2 citlink.net PASS
  2 cmc.net PASS
  2 columbiamemorial.org PASS
205 declude.com PASS
 40 email.cooking.com PASS
  5 email.cooking.com UNKNOWN
  5 email.cooking.com UNKNOWN
  1 eml.coastal.com PASS
  1 firstlink.com PASS
  4 frontiernet.net FAIL
 13 frontiernet.net PASS
  3 frontiernet.net PASS
  1 globalsite.net FAIL
  4 grendelnet.com FAIL
  2 guay.com FAIL
  4 heifong.phase.org PASS
  2 heifong.phase.org PASS
  3 HM-Software.com PASS
  1 imaginet.co.uk FAIL
  2 india-11.com FAIL
  1 info.de FAIL
  3 inlandnet.com FAIL
  1 ipns.com FAIL
  2 ipns.com PASS
  4 isleuthmail.com FAIL
  1 it.uq.edu.au FAIL
  1 jauns.com FAIL
  1 jbi.hio.no FAIL
  2 jbi.hio.no FAIL
  1 jmason.org PASS
  2 kluge.net PASS
  1 kundenserver.de PASS
  1 linuxfreemail.com FAIL
 10 list.thomsonmedia.com FAIL
 19 lists.smarterliving.com PASS
  3 lists.smarterliving.com PASS
  1 livesafe.com FAIL
  1 lu.net FAIL
  2 mail.pt UNKNOWN
  2 meer.net FAIL
  5 mills.gr UNKNOWN
  2 mini-mail.com FAIL
  5 mx.plaxo.com PASS
  1 mx07.roc.ny.frontiernet.net PASS
  2 nekodojo.org FAIL
  2 netins.net UNKNOWN
  1 netradiomail.com FAIL
  1 newnorth.net FAIL
  3 olesky.com PASS
  1 ox.ac.uk UNKNOWN
  1 parallax.ws PASS
  1 phase.org PASS
  1 phase.org PASS
 16 pobox.com PASS
  6 pobox.com UNKNOWN
 35 pointshare.com FAIL
 39 Pointshare.com FAIL
 10 pointshare.com FAIL
 17 pointshare.com PASS
  1 pointshare.com UNKNOWN
  2 power.net FAIL
  2 purpleturtle.com FAIL
 16 rambler.ru UNKNOWN
  1 rambler.ru UNKNOWN
  3 roadrunnernf.net FAIL
 16 softhome.net FAIL
  1 softhome.net FAIL
  2 SoftHome.net PASS
  5 speed.net UNKNOWN
  4 subdimension.com FAIL
  2 symantec.com PASS
  1 topmail.de FAIL
  3 tvnet.lv FAIL
504 v2.listbox.com PASS
 73 v2.listbox.com PASS
 32 worldonline.de FAIL
==

Looks like SPF is starting to catch on.

Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SFP is catching on...

2004-01-13 Thread Colbeck, Andrew 
Thanks for sharing, Bill.

Can you also shed some light on these for us?

 35 pointshare.com FAIL
 39 Pointshare.com FAIL
 10 pointshare.com FAIL
 17 pointshare.com PASS
  1 pointshare.com UNKNOWN

Andrew 8)

-Original Message-
From: Bill Landry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 13, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SFP is catching on...


SPF counts for the past couple of weeks:
==
  1 1st.net PASS
  1 accesscomm.ca FAIL
  8 alta-vista.com FAIL
  1 alta-vista.com FAIL
  3 altavista.co.kr FAIL
snip
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SFP is catching on...

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]


 Thanks for sharing, Bill.

 Can you also shed some light on these for us?

  35 pointshare.com FAIL
  39 Pointshare.com FAIL
  10 pointshare.com FAIL
  17 pointshare.com PASS
   1 pointshare.com UNKNOWN

The passes are from a system that sends notification messages to customer
e-mail domains that we host, and since these ip address are include in our
SPF record, they pass.  The fails are from incoming mail that attempted to
forge the from address to look like they were coming from
[EMAIL PROTECTED]  The unknown is due to a message that came in after
I made an error in our SPF record which include a ?all instead of -all.

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] SPF unknown

2004-01-13 Thread Bill Landry 
Scott, is there currently any way to distinguish between the following
unknown records:

- unknown (record exists)
- unknown (record does not exist)

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SFP is catching on...

2004-01-13 Thread Colbeck, Andrew 
I appreciate the explanation Bill.  I won't be implementing SPF until it's
aged a little and I am confident that I understand it aright.

The score of 35 and 10 look like the same domain; were they to mail hosts
with different MX records?  I assume that the 39 score is separate because
of case-sensitivity in your reporting.

And now to go into SPF for Dummies territory, the mailfroms were
definitely spoofed, or in the normal course of events could have been
mailing list or greeting card invitations that unwisely put in the
sender's address in the mailfrom instead of their own?

Andrew.

-Original Message-
From: Bill Landry [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 13, 2004 4:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SFP is catching on...


- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]


 Thanks for sharing, Bill.

 Can you also shed some light on these for us?

  35 pointshare.com FAIL
  39 Pointshare.com FAIL
  10 pointshare.com FAIL
  17 pointshare.com PASS
   1 pointshare.com UNKNOWN

The passes are from a system that sends notification messages to customer
e-mail domains that we host, and since these ip address are include in our
SPF record, they pass.  The fails are from incoming mail that attempted to
forge the from address to look like they were coming from
[EMAIL PROTECTED]  The unknown is due to a message that came in after
I made an error in our SPF record which include a ?all instead of -all.

Bill

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] safe way to whitelist this

2004-01-13 Thread David Dodell 
I get email from the susd.org domain on a regular basic, but they are
poorly setup.  The headers appear as such:
X-Declude-Sender: [EMAIL PROTECTED] [204.228.60.250]
X-Spam-Tests-Failed: BASE64, HELOBOGUS, REVDNS, WEIGHT10 [10]
X-Country-Chain: UNITED STATES-destination
X-Note: This E-mail was sent from [No Reverse DNS] ([204.228.60.250]).
X-Hello: pyle.susd.org
X-Declude-Date: 01/13/2004 13:46:08 [0]
I have the domain setup in a reverse domain test, but that doesn't
negative weigh because they don't have a valid reverse DNS.
How can I whitelist this domain safely?

David

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SPF unknown

2004-01-13 Thread R. Scott Perry 

Scott, is there currently any way to distinguish between the following
unknown records:
- unknown (record exists)
- unknown (record does not exist)
Not currently (per the specs for SPF).  However, there have been people 
using SPF on other platforms that have been requesting a distinction, so 
this is something that we may incorporate.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SFP is catching on...

2004-01-13 Thread R. Scott Perry 

And now to go into SPF for Dummies territory, the mailfroms were
definitely spoofed, or in the normal course of events could have been
mailing list or greeting card invitations that unwisely put in the
sender's address in the mailfrom instead of their own?
It could be either.  However, the burden now lies on the greeting card 
sites (and in rare cases mailing lists) to fix their 
problem.  Specifically, the sites that have a problem are ones that let a 
web site user enter an E-mail address, and they use that address in the 
SMTP envelope.  Instead, they should be using their own address (which 
ensures that any bounce messages will go back to them).  If it is set up 
properly, it will work with SPF.  But, of course, there are some greeting 
card sites and similar sites (such as news sites) that aren't properly set 
up yet.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] safe way to whitelist this

2004-01-13 Thread Matt 




Don't whitelist, negative weight if you are the administrator. There
are two things to go after, the MAILFROM, or the REMOTEIP. It appears
that the school district has only one mail server, in which case you
could create a filter file called PSEUDO-WHITE and add in the following
line:

REMOTEIP -10 IS 204.228.60.250

Alternatively if you are running the standard version, you can create
an ipfile with the following entry and weight it negatively in your
Global.cfg:

204.228.60.250/32

If you get susd.org E-mail from various sources, you can try a filter
file with MAILFROM, or a fromfile in JunkMail Standard. Choose IP over
the mail from address because it is never spoofed from what I can tell
(but you should never say never of course).

One other thing would be to review your weighting settings because
that's a little tight to be holding on IMO. I weight BASE64 at 3 and
HELOBOGUS as 4, though that is just one piece of the entire picture of
course. I suspect that this message came from Exchange Web mail, and
there are 3 Microsoft X-mail headers that you might want to be
counterweighting for failing BASE64 because Microsoft will base64
attach plain text in Web mail. Search the archives for "microsoft
exchange", I'd rather not post it again. When Scott comes out with
some "not" tests, you can help to protect from spammers exploiting such
negative weighting by adding some END statements to the filter file
since all of these have other required header elements that need be
present.

Matt


David Dodell (by way of R. Scott Perry )
wrote:
I get
email from the susd.org domain on a regular basic, but they are
  
poorly setup. The headers appear as such:
  
  
X-Declude-Sender: [EMAIL PROTECTED] [204.228.60.250]
  
X-Spam-Tests-Failed: BASE64, HELOBOGUS, REVDNS, WEIGHT10 [10]
  
X-Country-Chain: UNITED STATES-destination
  
X-Note: This E-mail was sent from [No Reverse DNS] ([204.228.60.250]).
  
X-Hello: pyle.susd.org
  
X-Declude-Date: 01/13/2004 13:46:08 [0]
  
  
  
I have the domain setup in a reverse domain test, but that doesn't
  
negative weigh because they don't have a valid reverse DNS.
  
  
How can I whitelist this domain safely?
  
  
David
  
  
---
  
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
  
  
---
  
This E-mail came from the Declude.JunkMail mailing list. To
  
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  
type "unsubscribe Declude.JunkMail". The archives can be found
  
at http://www.mail-archive.com.
  
  
  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.JunkMail] SFP is catching on...

2004-01-13 Thread DLAnalyzer Support 
Has there been any real stance on what people are actually doing with this 
test?  negative weight is it returns PASS, adding weight if it fails? 

Darrell 

Bill Landry writes: 

SPF counts for the past couple of weeks:
==
  1 1st.net PASS
  1 accesscomm.ca FAIL
  8 alta-vista.com FAIL
  1 alta-vista.com FAIL
  3 altavista.co.kr FAIL
  2 altavista.co.uk FAIL
106 altavista.com FAIL
 12 altavista.com FAIL
  2 altavista.de FAIL
  3 altavista.fr FAIL
  2 altavista.fr FAIL
  2 altavista.net FAIL
  2 altavista.net FAIL
  4 altavista.nl FAIL
 14 altavista.se FAIL
  2 altavista.se FAIL
136 aol.com FAIL
618 aol.com PASS
203 aol.com UNKNOWN
  9 arcada.fi UNKNOWN
  4 b1.mx0.net PASS
 14 b2.mx0.net PASS
 28 baschny.de FAIL
  7 baschny.de FAIL
  1 bayol.com FAIL
  2 catchamail.com FAIL
  2 celt.dias.ie FAIL
  1 chinabytemail.com FAIL
  7 citlink.net FAIL
 12 citlink.net PASS
  2 citlink.net PASS
  2 cmc.net PASS
  2 columbiamemorial.org PASS
205 declude.com PASS
 40 email.cooking.com PASS
  5 email.cooking.com UNKNOWN
  5 email.cooking.com UNKNOWN
  1 eml.coastal.com PASS
  1 firstlink.com PASS
  4 frontiernet.net FAIL
 13 frontiernet.net PASS
  3 frontiernet.net PASS
  1 globalsite.net FAIL
  4 grendelnet.com FAIL
  2 guay.com FAIL
  4 heifong.phase.org PASS
  2 heifong.phase.org PASS
  3 HM-Software.com PASS
  1 imaginet.co.uk FAIL
  2 india-11.com FAIL
  1 info.de FAIL
  3 inlandnet.com FAIL
  1 ipns.com FAIL
  2 ipns.com PASS
  4 isleuthmail.com FAIL
  1 it.uq.edu.au FAIL
  1 jauns.com FAIL
  1 jbi.hio.no FAIL
  2 jbi.hio.no FAIL
  1 jmason.org PASS
  2 kluge.net PASS
  1 kundenserver.de PASS
  1 linuxfreemail.com FAIL
 10 list.thomsonmedia.com FAIL
 19 lists.smarterliving.com PASS
  3 lists.smarterliving.com PASS
  1 livesafe.com FAIL
  1 lu.net FAIL
  2 mail.pt UNKNOWN
  2 meer.net FAIL
  5 mills.gr UNKNOWN
  2 mini-mail.com FAIL
  5 mx.plaxo.com PASS
  1 mx07.roc.ny.frontiernet.net PASS
  2 nekodojo.org FAIL
  2 netins.net UNKNOWN
  1 netradiomail.com FAIL
  1 newnorth.net FAIL
  3 olesky.com PASS
  1 ox.ac.uk UNKNOWN
  1 parallax.ws PASS
  1 phase.org PASS
  1 phase.org PASS
 16 pobox.com PASS
  6 pobox.com UNKNOWN
 35 pointshare.com FAIL
 39 Pointshare.com FAIL
 10 pointshare.com FAIL
 17 pointshare.com PASS
  1 pointshare.com UNKNOWN
  2 power.net FAIL
  2 purpleturtle.com FAIL
 16 rambler.ru UNKNOWN
  1 rambler.ru UNKNOWN
  3 roadrunnernf.net FAIL
 16 softhome.net FAIL
  1 softhome.net FAIL
  2 SoftHome.net PASS
  5 speed.net UNKNOWN
  4 subdimension.com FAIL
  2 symantec.com PASS
  1 topmail.de FAIL
  3 tvnet.lv FAIL
504 v2.listbox.com PASS
 73 v2.listbox.com PASS
 32 worldonline.de FAIL
== 

Looks like SPF is starting to catch on. 

Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] safe way to whitelist this

2004-01-13 Thread DLAnalyzer Support 
Personally I try not to whitelist.  If the mail comes from a few servers 
than you can setup a reverse weight IPFILE for there specific IP addresses.  
Whitelisting is very suspectible to forging.  I learned the hardway by 
whitelisting @dell.com and a spammer took me to town with that.  Now I only 
reverse weight on DNS or lower weight through an IPFILE. 

Darrell 

David Dodell writes: 

I get email from the susd.org domain on a regular basic, but they are
poorly setup.  The headers appear as such: 

X-Declude-Sender: [EMAIL PROTECTED] [204.228.60.250]
X-Spam-Tests-Failed: BASE64, HELOBOGUS, REVDNS, WEIGHT10 [10]
X-Country-Chain: UNITED STATES-destination
X-Note: This E-mail was sent from [No Reverse DNS] ([204.228.60.250]).
X-Hello: pyle.susd.org
X-Declude-Date: 01/13/2004 13:46:08 [0] 

I have the domain setup in a reverse domain test, but that doesn't
negative weigh because they don't have a valid reverse DNS. 

How can I whitelist this domain safely? 

David 

---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)] 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



Check Out DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Another ip4r paid service site

2004-01-13 Thread Bill Landry 
http://www.the-carrot-and-the-stick.com

http://www.the-carrot-and-the-stick.com/How_To/index.php?VIEW=direct_query

ip4raccept.the-carrot-and-the-stick.com127.0.0.5
ip4rreject.the-carrot-and-the-stick.com127.0.0.10

Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Another ip4r paid service site

2004-01-13 Thread Rick Klinge 
That looks like a joke to me? A company that actually thinks email marketing
is legit? I don't believe any email marketing company. Period.  That site
looks so phony they don't even have a email point of contact.. At least none
that I could easily find.  All I could discern is that they have a web site
via Canada and maybe a legit business address in California.

Thanks for the info Bill,

~Rick

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
 Sent: Tuesday, January 13, 2004 9:27 PM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Another ip4r paid service site
 
 
 http://www.the-carrot-and-the-stick.com
 
 http://www.the-carrot-and-the-stick.com/How_To/index.php?VIEW=
 direct_query
 
 ip4raccept.the-carrot-and-the-stick.com127.0.0.5
 ip4rreject.the-carrot-and-the-stick.com127.0.0.10
 
 Bill

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] explanation of errors, where to find?

2004-01-13 Thread Roland Braun 
Hi all,

bad headers, broken mail clients and so on ar logged together with error numbers like 804e.

Where can we review explanations of these error codes?

Thanks!
Roland 

--
Dr. Roland Braun  
Max Planck Institute for Comparative Public Law
and International Law
Im Neuenheimer Feld 535; D-69120 Heidelberg
Phone: +49 6221 482 608; Fax: +49 6221 482 278	

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] explanation of errors, where to find?

2004-01-13 Thread Bill Landry 
- Original Message - 
From: Roland Braun [EMAIL PROTECTED]

 bad headers, broken mail clients and so on ar logged together with error
numbers like 804e.

 Where can we review explanations of these error codes?

There is a code look-up page at http://www.declude.com/tools/header.php

Bill

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.