Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread IMail Admin
That’s a good idea, so I looked at what I have in the config file:

<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<!-- BitValue_8 = comes from red.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />

I’m not an expert, but this seems to say that showing up in the black, grey, or 
red lists gets you scores of 7, 0, and 2, corresponding to bitmask results of 
127.0.0.2, 127.0.0.4, and 127.0.0.8.  So then I went to the uribl.com web site 
to look up the definitions of these lists:

■ black.uribl.com
- This list contains domain names belonging to and used by spammers, including 
but not restricted to those that appear in URIs found in Unsolicited Bulk 
and/or Commercial Email (UBE/UCE). This list has a goal of zero False 
Positives. This zone rebuilds frequently as new data is added.
■ grey.uribl.com
- This list contains domains found in UBE/UCE, and possibly honour opt-out 
requests. It may include ESPs which allow customers to import their recipient 
lists and may have no control over the subscription methods. This list can and 
probably will cause False Positives depending on your definition of UBE/UCE. 
This zone rebuilds several times a day as necessary.
■ red.uribl.com
- This list contains domains that actively show up in mail flow, are not listed 
on URIBL black, and are either: being monitored, very young (domain age via 
whois), or use whois privacy features to protect their identity. This list is 
automated in nature, so please use at your own risk.

From this, I don’t understand why red would rate a score of 2 and grey a score 
of 0.  It seems to me that grey is in between black and red, and should 
probably have a score of 3 or 4.  In my system, that kind of score wouldn’t be 
enough to cause the message to be treated as spam (my Declude threshold for 
“ordinary email” is 5), but it would if combined with other failed tests.

Any thoughts on this?

Thanks,

Ben




From: Nick Hayer
Sent: Tuesday, April 05, 2011 5:52 PM
To: Declude.JunkMail@declude.com
Subject: re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

maybe it scores bitmask results and 127.0.0.4 response is not tagged?

-Nick


MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
https://www.skywaves.com/content/secure/support_ticket.htm





From: Imail Admin imailad...@bcwebhost.net
Sent: Tuesday, April 05, 2011 8:36 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file?


So I'm still looking at ways to make Inv-Uribl more effective.  I'm getting a 
lot of spam that gets through my system with relatively marginal score so I'm 
looking at the Inv-Uribl log.  Here are the lines for a message that I would 
consider to be obviously spam, yet came through Inv-Uribl as Clean:

2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0]

Did I miss something here that should have triggered a score (additional spam 
weight in Declude)?

Thanks,

Ben


--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type unsubscribe 
Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
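
How the [4] and [Total Weight=0] in the log entry above follow from the bitmask settings, as an added example that is not part of the original thread and is not Inv-Uribl's own code. It assumes the last octet of the multi.uribl.com answer is a bitmask and that the weights of all set bits are summed; the regex and the function names are hypothetical.

```python
import re

# Per-bit weights copied from the URIBL_List2 settings quoted in the thread
# (URI_Bitmask_BitValue_<n>_Weight_URIBL_List2).
WEIGHTS = {1: 0, 2: 7, 4: 0, 8: 2, 16: 0, 32: 0, 64: 0, 128: 0}

# Bit meanings as given in the config comments and the uribl.com descriptions.
LISTS = {2: "black", 4: "grey", 8: "red"}

# Hypothetical pattern for the "found in" log entry shown in the thread.
HIT = re.compile(
    r"(?P<spool>\S+\.smd)\s+(?P<domain>\S+)\s+(?P<answer>127\.0\.0\.\d{1,3})\s+"
    r"URI from message body found in (?P<zone>\S+) \[(?P<mask>\d+)\]"
    r" \[Total Weight=(?P<total>-?\d+)\]"
)

def decode_answer(answer):
    """Split the last octet of a 127.0.0.x answer into its set bits."""
    octet = int(answer.rsplit(".", 1)[1])
    return [bit for bit in sorted(WEIGHTS) if octet & bit]

def score(answer, weights=WEIGHTS):
    """Assumed scoring rule: sum the weight of every set bit."""
    return sum(weights.get(bit, 0) for bit in decode_answer(answer))

def explain(line, weights=WEIGHTS):
    m = HIT.search(line)
    if m is None:
        return None  # e.g. the "Resolved ... to ..." entries
    bits = decode_answer(m["answer"])
    return {
        "domain": m["domain"],
        "zone": m["zone"],
        "lists": [LISTS.get(b, f"bit {b}") for b in bits],
        "computed": score(m["answer"], weights),
        "logged": int(m["total"]),
    }

# Log entry from the thread, joined onto one line.
SAMPLE = (r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 "
          r"D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 "
          r"URI from message body found in multi.uribl.com [4] [Total Weight=0]")

if __name__ == "__main__":
    print(explain(SAMPLE))
    # Same entry if grey were given a weight of 3, as considered in the thread.
    print(explain(SAMPLE, {**WEIGHTS, 4: 3}))
```

With the quoted weights the grey hit is recorded but contributes nothing; changing only the weight for bit 4 is what would make this entry add to the Declude score.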

RE: [Declude.JunkMail] email being delivered with blank body. What happened to body?

2011-04-06 Thread Bonno Bloksma
Hi,



Time to call Declude on the line or (Linda) via Skype and ask them.

I am using “regular” Declude on an Imail system, not the interceptor version.



Kind regards,
Bonno Bloksma
senior systems administrator

tio
hogeschool hospitality en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20

b.blok...@tio.nl  /  http://www.tio.nl
Follow us on Twitter (http://twitter.com/#!/hogeschooltio) /
Facebook (http://www.facebook.com/pages/TIO-Hogeschool-Hospitality-en-Toerisme/103881882987989#!/pages/Hogeschool-Tio/417375345610) /
Hyves (http://cognatio.hyves.nl/) /
YouTube (http://www.youtube.com/user/hogeschooltio)



From: Rick Davidson [mailto:rdavid...@nat.com]
Sent: Tuesday, April 5, 2011 20:52
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with blank body. What 
happened to body?



So running the 3.4.10.59 (or .49 whatever it is supposed to be) resulted in a 
bit of chaos for me



So there were no more blank email bodies but instead it randomly started mixing 
up the Q and D files and delivering message bodies to unintended recipients 
(yea no kidding)



The headers look normal, exactly like they are supposed to be, however the 
message is delivered to the wrong recipient

Received: from nateet1.nat.com (64.143.180.230) by mail.nat.com
 (10.101.226.10) with Microsoft SMTP Server (TLS) id 8.3.137.0; Tue, 5 Apr
 2011 11:53:48 -0500
Received: from mx1.nat.com (64.143.180.231) by nateet1.nat.com
 (64.143.180.231) with Microsoft SMTP Server id 8.3.137.0; Tue, 5 Apr 2011
 11:53:42 -0500
Received: from fnbtc.net [209.149.254.11]   by mx1.nat.com (Alligate(TM) SMTP
 Gateway v3.11.1.27)  with ESMPT id
 b5ebbfc2087eab34.8d3a4a8f6d574...@mx1.nat.com for some...@nat.com; Tue,
 05 Apr 2011 11:53:23 -0500
Received: from ([192.168.3.1])   by mail.fnbtc.net with ESMTP  id
 J3NF5H1.30523111;Tue, 05 Apr 2011 12:16:50 -0400
Received: by fnb_tc_02.fnb_tc with Internet Mail Service (5.5.2657.72) id
 2KAZYZJ7; Tue, 5 Apr 2011 12:37:54 -0400
Message-ID: 4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc
From: Mrs Someone some...@seacoastnational.com
To: 'Mr Someone' some...@nat.com
Subject: chairs
Date: Tue, 5 Apr 2011 12:37:53 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: multipart/alternative;
 boundary=_=_NextPart_001_01CBF3AF.CF9AC848
X-MXRate-Prob: 0
X-MXRate-Country: US
X-MXRate-Action: NONE
X-Alligate-ReceivingIP: [64.143.180.230]
X-Alligate-Country-Chain: United States-Destination
X-Alligate-Tarpit: NOSUBD;GREY (20secs)
X-Alligate-Grey: Passed
X-Alligate-REVDNS: mail.fnbtc.net
X-Alligate-HELO: fnbtc.net
X-Alligate-Spam: NOSUBD;TARPIT;
X-Alligate-MsgScan: (10) NOTGOODSNDR[10];
X-Alligate-ID: 245564
X-Originating-IP: 209.149.254.11
X-Alligate-RcptTo: some...@nat.com
Return-Path: some...@seacoastnational.com
X-RBL-Warning: WEIGHTER: Message failed WEIGHTER test (line 29, weight 1)
X-Declude-Sender: some...@seacoastnational.com [209.149.254.11]
X-Declude-Spoolname: D005433486.smd
X-Declude-RefID: str=0001.0A020202.4D9B4913.0045:SCFSTAT2058654,ss=1,fgs=0
X-SendingHost: seacoastnational.com
X-Country-Chain: UNITED STATES-destination
X-Recipients: some...@nat.com
X-Declude-Fail: BACKSCATTER [4], COMMENTS [7], WEIGHTER [1]
X-Declude-Score: 12





Alligate

11:53:07.578 - (245564) Cmd recd: MAIL FROM:some...@seacoastnational.com size=5349

11:53:07.734 - (245564) Cmd recd: RCPT TO:some...@nat.com



Declude Junkmail

04/05/2011 11:53:39.156 Q005433486.smd From: some...@seacoastnational.com To: some...@nat.com  IP: 209.xxx.xxx.xx ID: J3NF5H1.30523111



Here is where it goes bad, the handoff from Declude to Exchange, there are two 
new recipients and an additional sender address



2011-04-05T16:53:42.453Z,64.143.180.231,,64.143.180.231,mx1,08CDBFF5751E827C;2011-04-05T16:53:42.296Z;0,mx1\Inbound From Internet,SMTP,RECEIVE,31471,4C6283FBCA6604418688004ED2B8EC6C24ED23EB@fnb_tc_02.fnb_tc,someo...@nat.com;someo...@nat.com,,9626,2,,,chairs,some...@seacoastnational.com,some...@msn.com,10I:



the message above was delivered to someo...@nat.com and someo...@nat.com from 
some...@msn.com instead of what was contained in the headers





Rolled back to previous version…



--

Rick



From: Rick Davidson
Sent: Tuesday, April 05, 2011 8:37 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with blank body. What 
happened to body?



Login to the interim area

Go to interceptor

There is a dir called 3.4.10.59



Swap out the decludeproc.exe files



I am running it this morning and indeed that issue does not exist, however the 
diags.txt says it is 3.4.10.49



--

rick



From: Harry Vanderzand [mailto:ha...@intown.net]
Sent: Tuesday, April 05, 2011 8:05 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] email being delivered with 

RE: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread Scott Fisher
The 127.0.0.4 is a gray listing for the uribl.   I personally don't score
the gray result because of too many false positives.



<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="75" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />







Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

2011-04-06 Thread IMail Admin
Hi Scott,

It looks to me like you only score the black and not the grey or red listings.  
The config I have, which would have come from someone else or the default 
because I’ve never tried tweaking inv-uribl, scores black and red but not grey. 
 I’m thinking of scoring grey with a small score but I was waiting to see 
response on the list such as yours.

Thanks,

Ben
