Or, simply fixing the one test to have pass/fail weights assignable with
each test (in the .txt file, rather than the weights defined once in the
global.cfg, where in this case, they would be set to zero, zero -- thus
unknown domains are ignored)
something like:
.yahoo.co .yahoo. 5 -5
voila - a
From: Dan Geiser
On a separate topic, I'm curious to know how everyone handles the spam
which
makes it into the imail\spool\spam directory.
We're small. I still scan now and then, but have found VERY few items to
keep. I can scan 500 messages in about 2-3 minutes tops (I sort by domain
from
We haven't had a single email fail the percent test in 6 months (actually,
since 9/2002 when we started monitoring).
OSSMART had a bunch fail in March, the only month it ever detected any.
-Original Message-
From: Glenn
I don't use the HOLD action, except for one test (Percent). I
most likely, the problem is compuserve mail coming from bellsouth.net
(should be compuserve or aol.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Serge
Sent: Friday, June 13, 2003 3:37 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] spam domains
Scott,
I received a spam msg tonight that had no declude headers on it at all. The
message was received last night just before the server was brought down for
maintenance and virus scanned just before that time as well. However, before
Junkmail got a chance to process it, down went the server.
Note, that for internal email, the IP address used in SPAMDOMAINS is the
email address of the sender. So, for us, that gets translated to our ISP's
name, as only the mail server has rDNS set up (we trap on our own mail
server address in spamdomains, as that was being faked by quite a bit of
email
But, this would also subtract weight from emails that didn't fail
spamdomains. FWIW, we ADD a small amount of weight to most of these, rather
than subtract.
Karen
-Original Message-
From: Bill Landry
A better way to do this is to set up an RDNS Filter and add a
negative weight
for
use spamdomains. Works great.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Doug McKee
Sent: Sunday, June 22, 2003 5:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Another new test
This morning I received three spam from my own email
We quit whitelisting the postmaster for this reason several weeks ago.
Our (unstated) policy: if you get no reply, try some other email program
that isn't known as a spammer (Hey, it works for AOL! -- and no, please
don't start on that again).
Mail that is legit seems to get thru ok, spam to the
These are very old compuserve-style ID's. The two numbers represent the
person's User ID to log into Compuserve (actually, there is a comma in their
ID, but for internet access it becomes a period). I still use mine as a
backup (and get spam there, under both the number and name/alias assigned,
I just received a junk mail (coffee offer) with the following header
snippet:
X-Declude-Sender:
[EMAIL PROTECTED] [69.24.239.48]
X-Declude: Failed FIVETEN-SRC, IPNOTINMX, NOLEGITCONTENT [2]
X-Note: This E-mail was sent from out028.tpcper.com ([69.24.239.48]).
X-Countries: [IANA
Scott,
I never saw any comment on the country code problem I was having. Is there
an updated list that would have properly identified this email? Is there a
way to detect reserved countries?
Karen
-- original msg --
I just received a junk mail (coffee offer) with the following header
Could he not copy the messages to a special user, then use the command
line to move all the *.SMD to the SPAM directory from that user's mailbox?
Set up a batch file and schedule the task to move them every few minutes?
-Original Message-
From: R. Scott Perry
It sounds like you're
Make sure you DO NOT whitelist your own domain, ip address, the postmaster
or abuse email addresses. Most of our ignore results for spam came when
one or more of these was whitelisted (especially postmaster or abuse -- real
mails never seem to have problems going there, but any spam that cc's the
Can someone take a look at the headers on this email and tell me why it
failed badheaders? I'd like to hold on that test (since it is supposed to
be such a small % of FP), but the first (and today only) message that failed
the test after starting the hold is from CBS Marketwatch. They have
I just hope you don't include either of the below (since that range includes
our very valid email server and probably a few more).
Use the single address of your own server (since the problem is people
pretending to be YOU, not ME (I hope)).
Karen
-Original Message-
From: Glenn Brooks
I've seen connects that used our IP address as their HELO/EHLO strings.
Same for using our domain name (none were able to deliver their mail, most
were relay attempts).
Interesting list. I may add it, after reviewing some of the mailfrom
characters (I see more and more bad mailfroms, most so they
used by
spammers (usually cable or dial-up).
Karen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Karen D. Oland
Sent: Friday, July 11, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Lost One Account - Help Please
I just hope you
Sorry, I didn't mean to imply that whitelisting my IP had anything to do
with the HELO. And, yes, we do block spoofing at the router. At least one or
two people in the past, however, have seemed to have problems with spam
attacks that were resolved by removing their own IP's from whitelists.
Glenn,
I look up the HELO strings in the LOG*.TXT files. Most of the time you can
match on IS for the IP address, instead of CONTAINS, but it does depend on
the string. Some of the ones trying to relay thru us recently are
http://monoin.com, another is www.xyz34.uk.co.sg. So, it depends on what
Thanks Scott. We'll just have to program around their problems here, they
obviously aren't interested in fixing anything there.
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Friday, July 11, 2003 3:35 PM
To: [EMAIL PROTECTED]
HELO/EHLO depends solely on the mail server, not
internal vs external users addresses (unless they are running their own mail
server on their desktops).
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Levitsky
Sent: Sunday, July 13, 2003
add your own domain to spamdomains -- their ip will fail the revdns compare.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rifat Levis
Sent: Monday, July 14, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Any suggestion for this ?
The two lines
WHITELIST TO abuse@
WHITELIST TO postmaster@
will cause an extremely large amount of spam to bypass your filters (or
would, if they were correct). We saw close to 60% or better that CC'd the
postmaster to take advantage of declude's inability to separate messages
into multiple
A fairly large number of large companies have email systems that fail
badheaders -- holding on it brought daily FPs here. We use a weight on
BADHEADERS instead and then a negative weight (WHITELST filter below) on
known mail servers with problems.
From today's samples:
Received: from
Although that is possible, it is also (MORE) likely he has someone in the
recipient list whitelisted (like postmaster@) (or the email is from a
whitelisted sender, but not as likely as the recipient).
Karen
-Original Message-
From: R. Scott Perry
Why two different action results?
So, your internal users are sending out spam with a score of over 150?
-Original Message-
From: Robert Forsyth
guess would be that this is for outgoing E-mail, in the
\IMail\Declude\global.cfg file.
Found it...forgot to check the Outbound rules in the GLOBAL.
sorry for
Have you checked the entries in the file to make sure there are no following
spaces after the domain names?
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Scott MacLean
Sent: Tuesday, July 29, 2003 12:09 PM
To: [EMAIL PROTECTED]
Subject: Re:
I agree. We have the same problem here when sending from offsite. If/when
declude lets us test for SMTP AUTH, then our issue (and most likely yours)
will be resolved. For mailing lists that are expected (or getting caught
using spamdomains), we add negative weight (enough to offset either
Is that somehow different from resigning down? Or just resigning?
And by definition, if you resigned from the list, would that not mean you
left?
-Original Message-
From: Kevin Bilbee
I did get tossed from the list and had to resign up.
---
[This E-mail scanned for viruses by
Doesn't this announcement mean that as of Aug 11, SPAMHAUS will have to be
checked directly and will NO LONGER provide info to osirusoft? That
appeared to be the gist of the announcement.
From: Colbeck, Andrew
Keith, you don't need to do anything. The RBL providers will do the work.
What
We are not that big yet, but are getting there on the filters. On the other
hand, our server is not as robust as the big guys (and our mail volume
would not justify upgrading).
I moved most of the blacklists (fromfile) entries into the kill list for
IMAIL, just because these seemed to catch about
quarantine, quick scan once a month and have only rescued one -- rest to the
bit bucket. Most don't even have correctly spelled subject lines.
-Original Message-
From: paul
What about the rest on the list? Do you delete vulnerabilities?
change all weight rules under weight50 to weightrange and add the upper
end of the range as the last parameter:
WEIGHT10 weightrange x x 10 19
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent:
Have you tried content blocking on the URLs in the body?
Or checked the from or RDNS ranges to see if they have anything in common?
Usually, when I've seen this, it is one new spammer, shoving out as many as
possible before their new IP is known and blocked.
K
-Original Message-
There are a few people who are receiving over 30 spams a day and that is
just unacceptable considering we are running antispam software.
Also, what do you have whitelisted?
Why do you update definitions so seldom? FProt updated the same day that
SoBig.F started being circulated, from the experience of those on this list.
-Original Message-
From: Matthew Bramble
I would have been letting Sobig.F through Declude plus F-Prot from Monday
all the way through
[1] Dialup accounts where the ISP blocks outgoing SMTP E-mail. This is
very, very common, and has been done for years. To handle this, E-mail
must be sent through the ISP's mailserver.
Unfortunately, for many telecommuters, they cannot send business mail thru
the ISP, but must have it
Greg,
Did you add any replacements for OSIRUSOFT? Or just comment them out?
Karen
-Original Message-
From: Greg Foulks
Correct, I have not added/removed any gateways or backup
mailservers, changed
any IPs for DNS or changed a DNS responsibility.
Delete the nobody alias. Then, only valid email in his domain will be
accepted. Delete all old employees not on the list of valid names you just
received from the domain.
-Original Message-
From: Keith Johnson
The problem with using the CONTAINS is that I would have to have
a
100 pts if it fails?
Karen
-Original Message-
From: Keith Johnson
Karen,
My bad, I failed to mention this is a Store and Forward
domain...
Keith
-Original Message-
From: Karen D. Oland
Delete the nobody alias. Then, only valid email in his domain
Scott,
This feature would be of GREAT use. Many simply haven't thought out the
implications of allowing the ability to combine tests.
One example: the gentleman that wants to filter for specific names, but only
on one domain -- this should allow setting that up.
Adding the ability to combine
Actually, it could be a minor change to the processing -- at the
$default$.junkmaillevel, rather than global.cfg -- as this is not a
test, but a handling of the test results. It would mean order dependence,
usually (or the processing of combining tests done first, then other
handling done).
You actually
reminded me of how complex this would be. Both the Global.cfg and
appropriate .junkmail file would have to be loaded into memory, some tests
run, consult the files, other tests run, consult the files, final
tests run, consult the files and so forth.
You are trying to make this
Just that we get a lot of that type of REVDNS or forged HELO/EHLO on spam.
So, we started blocking them. There are no doubt a few exceptions, but I
can't remember any. We also add -100 to a number of companies' email, as
they fail numerous tests -- including NOABUSE, IPNOTINMX, etc. -- and get
WHITELIST FROM @bbc.reply.tm0.com
WHITELIST FROM @bbs.co.uk
WHITELIST FROM @bbcdailyemail.reply.tm0.com
WHITELIST FROM @bounce.lodo.exactis.com
yet it still tagged it as spam.
X-Declude-Sender: [EMAIL PROTECTED]
[64.210.92.56]
The WHITELIST FROM @bounce.lodo.exactis.com
Which is why you subtract points for true IPs of your own servers (to
compensate for the other lines catching the domain name)!
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Thursday, September 25, 2003 3:21 PM
To: [EMAIL
Do you have any lines in wordfilter that use negative weight? Only the last
one that failed is usually shown in the header (could be more that failed).
Karen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Scott MacLean
Sent: Thursday, September 25, 2003
conversely, I have lots of legit mail that fails it.
K
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Thursday, September 25, 2003 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MPCM?
Scott MacLean wrote:
*sigh*
I'll go you one better. I got one in the real mail (from Spain, I am in the
US). Says I won 650,000 in a lottery, all I need to do is fill in the
official looking page of personal info, bank acct and emergency contacts so
they can deposit it for me. Of course, I have to act fast or it all goes
If the group is improperly set up (allowing open posting to anyone that
subscribes, with no checking of the email address or first posts by the
moderator), then spammers have a field day on those groups (they can join and
post within seconds, then move to the next group). Most that do this are
We've been getting one with the link
http://[EMAIL PROTECTED]:%31%35%37/,
covered with a gif that makes it look like the link is on ebay.com.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andy Schmidt
not to speak of trademark and or copyright
try adding:
Sorry about the blank post.
Try adding:
REVDNS -20 ENDSWITH .AOL.COM
in a filter file (with an appropriate weight to let your legit AOL mail pass
(or to offset what you add for spamcop)).
Karen
Your logs would be much easier to read (and your rules more clear) if you
used weightrange instead of weight for your tests (unless you are adding
labels and not doing some type of route/hold/delete action. Even with
labels, the users' rules could get confused trying to deal with mail that
failed
This is actually a virus:
FROM: Microsoft Network Security Section [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
SUBJECT: New Internet Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=gkxrxour
Message-Id: [EMAIL PROTECTED]
Date: Mon, 6 Oct 2003 08:33:57 +1300
This
Also, make sure you scan ZIP files (many people don't)
-Original Message-
From: Robert Grosshandler
John provided a great filter, since fprot and Norton didn't see
the probably corrupt virus.
Blacklisted meaning I've created a blacklist file of known spamming return
addresses that if found adds a weight of 50 which would exceed the delete
action of 40.
Which this email did not fail (since its name was not in the list of failed
tests)
Not sure what you mean by weightrange... My
I think you mean..
REVDNS -20 ENDSWITH MX.AOL.COM
Then you have to add one for each MX number (the ones I've seen are
formatted with mx5.aol.com, etc.)
Most spam I get from *.ptr.aol.com fails so many other tests that they don't
get thru anyway.
Karen
We get those too -- they test clean and pass thru the A/V portion. We
catch them with rules similar to yours. Along with the undeliverable mail
reject messages and "you have a virus" messages from other postmasters
(which is why I think it forges addresses quite a bit, since we do not have
any
How will this filter deal with this header.
Received: from scmp-m01.mail.aol.com (scmp-m01.mail.aol.com
[172.20.75.169]) by omr-m01.mx.aol.com (v95.1) with ESMTP id RELAYIN6-
Received: from imo-r04.mx.aol.com (imo-r04.mail.aol.com
[172.31.37.4]) by scmp-m01.mail.aol.com (v92.16) with ESMTP
Not to mention that spamdomains should catch it as well.
-Original Message-
From: John Tolmachoff
Samantha, if you look at the Declude Sender header, you will see
this is not
from Microsoft, but rather a virus. (Or corrupt version of.)
There have been some posts here and on the
Does SKIPIFWEIGHT also work in FROMFILE or SPAMDOMAINS test files?
Karen
Does SKIPIFWEIGHT also work in FROMFILE or SPAMDOMAINS test files?
No, it only applies to the filter files.
-Scott
Can you please add to the wish list? Again, this would help cut down on
running more tests when an email is already over the
because you didn't tell declude the name of the file:
SPAMDOMAINS spamdomains C:\IMail\Declude\spamdomains.txtx 6 0
-Original Message-
From:David Daniels
Can anybody give me a clue as to why my spamdomains test doesn't work? I
have this in
I've seen this twice in the last month. IMAIL 7.15, declude 1.76. No
real-time scanning of email directories. May be related to hard disk
traffic, but not specific to IMAIL 8.x
-Original Message-
From: R. Scott Perry
Sent: Wednesday, December 03, 2003 1:01 PM
To: [EMAIL PROTECTED]