[Declude.JunkMail] SPAMDOMAINS workaround question
Is there a way to use this test on domains that receive forwarded email? Ex someone from AOL sends an email to a server that automatically forwards the email to the server that is running DJM. Since the sending server DJM sees is not aol.com/netscape.net in this example the email incorrectly fails the SPAMDOMAINS test. It would seem WHITELISTING a server wouldn't work because you have no idea in advance from which server a good email may be forwarded from. Thanks! --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude JunkMail v1.75 (release version) released
Great! Question though regarding previous beta tests, will they be added to the manual or are they abandonded? Thanks -Nick Hayer Date sent: Tue, 22 Jul 2003 13:46:54 -0400 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:[Declude.JunkMail] Declude JunkMail v1.75 (release version) released Send reply to: [EMAIL PROTECTED] We have just released Declude JunkMail v1.75 (release version). See http://www.declude.com/junkmail/manual.htm . Notable changes since the last beta include: o A number of minor fixes Other additions and fixes can be found in the release notes, at http://www.declude.com/relnotes.htm . Anyone with an up-to-date Service Agreement is entitled to free upgrades (see http://www.declude.com/agree.htm for information on the Declude Service Agreement). --- Quick Resource Reference: Tech Support: [EMAIL PROTECTED] Mailing List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.junkmail your name in the body New Releases List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.releases your name in the body Troubleshooting: See manual URL above; look at Troubleshooting section Emergency Uninstall: See manual URL above; look at Emergency Uninstall section Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only) Declude Addons/Tools URL: http://www.declude.com/tools Manual: http://www.declude.com/junkmail/manual.htm --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] A good SD.TXT File?
I give it a much lower rate because it will fail legitimate forwarded email. This is the only issue I have discovered - -Nick Hayer Giving it a weight of 20 but be careful that this is not the only test it will fail as it can be dangerous to block from the large domains. -Original Message- From: Danny Klopfer [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] A good SD.TXT File? The SPAMDOMAINS with an sd.txt file sounds interesting? Is this working well for you? What weight are you giving it? -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] Behalf Of Mark Gordon Sent: Tuesday, July 22, 2003 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] A good SD.TXT File? amazon.com aol.com netscape.net att.net attbi.com bellatlantic.net verizon.net bellsouth.net bellsouth.com charter.net china.com comcast.net compuserve.com aol.com cs.com aol.com concentric. .cnchost.com cox.net earthlink. email.it webmessenger.it excite.com excitenetwork.com @gmx. .gmx. gte.net verizon.net hotmail.com msn.com juno.com untd.com lycos.com lycos.at spray.net mac.com apple.com mailcity.com lycos.com mindspring. earthlink. msn.com hotmail.com netscape.net aol.com netzero.com untd.com prodigy.net qwest.net .rr.com sympatico.ca bellnexxia.net usa.net mx.net @yahoo. .yahoo. zzn.com mailcentro.com t-online.de t-online.com wanadoo.fr @cs.com .aol.com -Original Message- From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2003 3:29 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] A good SD.TXT File? Anyone have one handy that might assist me? Hahaha Thanks.. Jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OSRELAY question.
Actually, http://www.declude.com/junkmail/support/ip4r.htm shows that there are plenty of spam databases left. :) -Scott You are correct - BUT - besides the default ones listed in the *old* manual how can we know which to use that give the most accurate results and are not duplicates of each other? Would it be possible for you to make a new recommended list? -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Test based on results of other tests
Folks, Is there a test that can be based on the results of 2 or more other specific tests? ex: an email that fails both HELOBOGUS and BADHEADERS would fail HELOHEAD and have x number of points added/deducted to it? Thanks Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Junkmail Tests and Configs
Jonathan, Here is my setup - hopefully it will help. Anyone feel free to tell me what I have messed up... -Nick #GLOBAL.CFG edited # #SETTINGS CONSOLE ON HOP 0 #HOPHIGH1 IPBYPASS127.0.0.1 LOOSENSPAMHEADERS OFF LOGFILE spool\dec.log LOGLEVELMID PREWHITELISTON WHITELIST AUTH XSENDER ON XSPOOLNAME ON #HEADERS XINHEADER X-Country-Chain: %COUNTRYCHAIN% XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADER X-Note: Spam tests: %TESTSFAILED%. XINHEADER X-Note: Reverse DNS: %REVDNS%. XINHEADER X-Note: Header code: %HEADERCODE% XINHEADER X-Note: Queue name: %QUEUENAME% XOUTHEADER X-Note: Total spam weight of this e-mail is %WEIGHT%. XOUTHEADER X-Note: Reverse DNS %REVDNS% . #FROMFILE ## BADSENDERS fromfilee:\IMail\Declude\badaddresses.txt x 5 0 KillListGen fromfilee:\IMail\Declude\Destination.txt x 10 0 #IPFILE ## ipblacklist ipfile e:\IMail\Declude\filters\ipfile.txt x 5 0 #FILTERS ## ADULTPHRASE filter e:\IMail\Declude\filters\adultphrase.txt x 3 0 ANTI-GIBBERISHSUB filter e:\IMail\Declude\filters\Anti-GibberishSub.txt x -4 0 ANTI-Y!DIRECTED filter e:\IMail\Declude\filters\Anti-Y!Directed.txt x -11 0 BODYCURSE filter e:\IMail\Declude\filters\bodycurse.txt x 3 0 BODYSEX filter e:\IMail\Declude\filters\bodysex.txt x 3 0 COUNTRY filter e:\imail\declude\filters\country.txt x 6 0 DBL filter e:\IMail\Declude\filters\dbl.txt x 0 0 DNS_TESTS filter e:\IMail\Declude\filters\dns_tests.txt x 0 0 DYNAMIC filter e:\IMail\Declude\filters\Dynamic.txt x 3 0 FOREIGN filter e:\IMail\Declude\Filters\Foreign.txt x 3 0 GIBBERISH filter e:\IMail\Declude\filters\Gibberish.txt x 4 0 GIBBERISHSUBfilter e:\IMail\Declude\filters\GibberishSub.txt x 4 0 GMA_SENTfilter e:\imail\declude\filters\gma.txt x 0 0 MALICIOUS filter e:\IMail\Declude\filters\viri.txt x 6 0 OBFUSCATION filter e:\IMail\Declude\filters\Obfuscation.txt x 7 0 REVDNSCKfilter e:\IMail\Declude\filters\revdns.txt x 0 0 SUBJCURSE filter e:\IMail\Declude\filters\subjcurse.txt x 3 0 SUBJSEX filter e:\IMail\Declude\filters\subjsex.txt x 3 0 TLD-AFRICAN filter e:\IMail\Declude\Filters\TLD-African.txt x 3 0 TLD-ASIAN filter e:\IMail\Declude\Filters\TLD-Asian.txt x 3 0 TLD-CARIBBEAN filter e:\IMail\Declude\Filters\TLD-Caribbean.txt x 3 0 TLD-CENTRALAMERICAN filter e:\IMail\Declude\Filters\TLD-CentralAmerican.txt x 3 0 TLD-EASTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-EasternEuropean.txt x 3 0 TLD-MIDDLEEASTERN filter e:\IMail\Declude\Filters\TLD-MiddleEastern.txt x 3 0 TLD-OCEANIC filter e:\IMail\Declude\Filters\TLD-Oceanic.txt x 3 0 TLD-SOUTHAMERICAN filter e:\IMail\Declude\Filters\TLD-SouthAmerican.txt x 3 0 TLD-WESTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-WesternEuropean.txt x 3 0 TLD-TRUSTED-HELOfilter e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt x 0 0 TLD-TRUSTED-MAILFROMfilter e:\IMail\Declude\Filters\TLD-Trusted-MAILFROM.txt x 0 0 TLD-TRUSTED-REVDNS filter e:\IMail\Declude\Filters\TLD-Trusted-REVDNS.txt x 0 0 VIRUSBLKfilter e:\IMail\Declude\filters\virusblk.txt x 50 0 WORDFILTER filter
Re: [Declude.JunkMail] Junkmail Tests and Configs
x70 SPAMHEADERSspamheadersxx50 NOLEGITCONTENTnolegitcontentxx0-1 BASE64base64xx30 COMMMENTScomments5x70 NONENGLISHnonenglishxx20 BCC-3bcc3x10 BCC-5bcc5x10 SUBSPACE-15subjectspaces15x10 SUBSPACE-25subjectspaces25x20 SUBSPACE-40subjectspaces40x30 Matt Nick Hayer wrote: Jonathan, Here is my setup - hopefully it will help. Anyone feel free to tell me what I have messed up... -Nick #GLOBAL.CFG edited # #SETTINGS ## CONSOLE ON HOP 0 #HOPHIGH 1 IPBYPASS 127.0.0.1 LOOSENSPAMHEADERSOFF LOGFILE spool\dec.log LOGLEVEL MID PREWHITELIST ON WHITELISTAUTH XSENDER ON XSPOOLNAME ON #HEADERS ## XINHEADER X-Country-Chain: %COUNTRYCHAIN% XINHEADER X-Note: Total spam weight of this E-mail is %WEIGHT%. XINHEADER X-Note: Spam tests: %TESTSFAILED%. XINHEADERX-Note: Reverse DNS: %REVDNS%. XINHEADER X-Note: Header code: %HEADERCODE% XINHEADERX-Note: Queue name: %QUEUENAME% XOUTHEADER X-Note: Total spam weight of this e-mail is %WEIGHT%. XOUTHEADER X-Note: Reverse DNS %REVDNS% . #FROMFILE ## BADSENDERS fromfilee:\IMail\Declude\badaddresses.txt x 5 0 KillListGen fromfilee:\IMail\Declude\Destination.txt x 10 0 #IPFILE ## ipblacklist ipfile e:\IMail\Declude\filters\ipfile.txt x 5 0 #FILTERS ## ADULTPHRASE filter e:\IMail\Declude\filters\adultphrase.txt x 3 0 ANTI-GIBBERISHSUBfilter e:\IMail\Declude\filters\Anti-GibberishSub.t xt x -4 0 ANTI-Y!DIRECTED filter e:\IMail\Declude\filters\Anti-Y!Directed.txt x -11 0 BODYCURSE filter e:\IMail\Declude\filters\bodycurse.txt x 3 0 BODYSEX filter e:\IMail\Declude\filters\bodysex.txt x 3 0 COUNTRY filter e:\imail\declude\filters\country.txtx 6 0 DBL filter e:\IMail\Declude\filters\dbl.txt x 0 0 DNS_TESTSfilter e:\IMail\Declude\filters\dns_tests.txt x 0 0 DYNAMIC filter e:\IMail\Declude\filters\Dynamic.txt x 3 0 FOREIGN filter e:\IMail\Declude\Filters\Foreign.txt x 3 0 GIBBERISHfilter e:\IMail\Declude\filters\Gibberish.txt x 4 0 GIBBERISHSUB filter e:\IMail\Declude\filters\GibberishSub.txt x 4 0 GMA_SENTfilter e:\imail\declude\filters\gma.txt x 0 0 MALICIOUSfilter e:\IMail\Declude\filters\viri.txt x 6 0 OBFUSCATION filter e:\IMail\Declude\filters\Obfuscation.txt x 7 0 REVDNSCK filter e:\IMail\Declude\filters\revdns.txt x 0 0 SUBJCURSEfilter e:\IMail\Declude\filters\subjcurse.txt x 3 0 SUBJSEX filter e:\IMail\Declude\filters\subjsex.txt x 3 0 TLD-AFRICAN filter e:\IMail\Declude\Filters\TLD-African.txt x 3 0 TLD-ASIANfilter e:\IMail\Declude\Filters\TLD-Asian.txt x 3 0 TLD-CARIBBEANfilter e:\IMail\Declude\Filters\TLD-Caribbean.txt x 3 0 TLD-CENTRALAMERICAN filter e:\IMail\Declude\Filters\TLD-CentralAmeric an.txt x 3 0 TLD-EASTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-EasternEurope an.txt x 3 0 TLD-MIDDLEEASTERNfilter e:\IMail\Declude\Filters\TLD-MiddleEastern.t xt x 3 0 TLD-OCEANIC filter e:\IMail\Declude\Filters\TLD-Oceanic.txt x 3 0 TLD-SOUTHAMERICANfilter e:\IMail\Declude\Filters\TLD-SouthAmerican.t xt x 3 0 TLD-WESTERNEUROPEAN filter e:\IMail\Declude\Filters\TLD-WesternEurope an.txt x 3 0 TLD-TRUSTED-HELO filter e:\IMail\Declude\Filters\TLD-Trusted-HELO.txt x 0 0 TLD
Re: [Declude.JunkMail] dns blacklist
Scott, I have over 5000 ip's that I have blocked with Imails ACL -now over time I am worried that some my need to be removed. Since I cannot think of a way to check them all at once I am considering a filter file with thousands of lines or is a dns blacklist the better choice? Or? Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamAssassin SPAMC/SPAMD and Declude working for me...I think!
Sandy, I am definitely interested! -Nick Hayer All, I believe I've gotten one of our sites up and running with SPAMD under Cygwin (server implementation of SpamAssassin that's much, much faster than native Win32/ActivePerl SA, even running under Cygwin shell) and a customized SPAMC (SPAMD client) for Win32 plugged in to Declude. Since I'm far from a Cygwin expert, I leave setting that part up to you, but if anyone's interested in the Declude-compatible client EXE, post back and let me know. -Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT DNS question unable to receive mail
[I post to this list from my day job address] Have a new host called jrny.tv At http://www.dnsstuff.com/tools/lookup.ch?name=jrny.tvtype=MX all looks kool - it points to my servers vtbass.com But the servers never get the mail... At http://www.dnsreport.com/tools/mail.ch?domain=jrny.tv I get: Getting MX record for JRNY.TV... Got it! Host Preference IP(s) [Country] mail.jmy.tv. 20 65.201.175.144 [US] mail2.jmy.tv. 50 65.201.175.144 [US] So it seems jrny.tv gets switched to jmy.tv and this guy's mail gets sent to jmy.tv? Thanks -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT DNS question unable to receive mail
I just saw that. No question my fault. Date sent: Thu, 20 Nov 2003 17:29:21 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] OT DNS question unable to receive mail Send reply to: [EMAIL PROTECTED] At http://www.dnsreport.com/tools/mail.ch?domain=jrny.tv I get: Getting MX record for JRNY.TV... Got it! Host Preference IP(s) [Country] mail.jmy.tv. 20 65.201.175.144 [US] mail2.jmy.tv. 50 65.201.175.144 [US] So it seems jrny.tv gets switched to jmy.tv and this guy's mail gets sent to jmy.tv? That is correct. The problem is that the MX record for jrny.tv points to mail.jmy.tv and mail2.jmy.tv -- when it should be pointing to mail.jrny.tv and mail2.jrny.tv. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] This one eBay fraud.. came right through..
Kami,
Would you care to share your FILTER-BODYURL filter? I'm
interested in seeing what you filter on -
Thanks!
-Nick Hayer
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:[Declude.JunkMail] This one eBay fraud.. came right through..
Date sent: Thu, 20 Nov 2003 17:52:27 -0500
Organization: ClickandPledge.com
Send reply to: [EMAIL PROTECTED]
Hi..
This just came in.. definitely NOT eBay not caught as SPAM.. filters
are in order.
HEADER
=
Received: from rainer.bnt.com [12.4.218.18] by foroosh.com with ESMTP
(SMTPD32-8.04) id A2D2B700C2; Thu, 20 Nov 2003 17:40:18 -0500
Received: from adsl-068-016-167-035.sip.jan.bellsouth.net
(adsl-068-016-167-035.sip.jan.bellsouth.net [68.16.167.35])
by rainer.bnt.com (8.12.8p2/8.12.8) with SMTP id hAKMiesG012219
for [EMAIL PROTECTED]; Thu, 20 Nov 2003 17:44:43 -0500 (EST)
(envelope-from [EMAIL PROTECTED])
Received: from [134.150.44.174] by
adsl-068-016-167-035.sip.jan.bellsouth.net id 08pT0M675jj3; Thu, 20
Nov 2003 23:38:43 +0100 Message-ID: [EMAIL PROTECTED] From:
[EMAIL PROTECTED] [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: eBay Fraud
Verification Process Date: Thu, 20 Nov 2003 23:38:43 +0100 X-Mailer:
Microsoft Outlook, Build 10.0.2616 MIME-Version: 1.0 Content-Type:
multipart/alternative;
boundary=E5BEC_9EF7B6C21F_C4D68
X-Priority: 3
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected. X-RBL-Warning: FILTER-BODYURL: Message failed FILTER-BODYURL
test (158) X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed
FILTER-BODY-GIBBERISH test (110) X-RBL-Warning:
FILTER-BODY-ANTIGIBBERISH: Message failed FILTER-BODY-ANTIGIBBERISH
test (73) X-RBL-Warning: COUNTRY: Message failed COUNTRY test (36)
X-Declude-Sender: [EMAIL PROTECTED] [68.16.167.35] X-Declude-Spoolname:
D42d200b700c29886.SMD X-Note: This E-mail was scanned filtered by
Declude [1.76i26] for SPAM virus. X-Weight: 10 X-Note: Sent from
Reverse DNS: adsl-068-016-167-035.sip.jan.bellsouth.net X-Hello:
adsl-068-016-167-035.sip.jan.bellsouth.net X-Spam-Tests-Failed:
NOABUSE, IPNOTINMX, NOLEGITCONTENT, FILTER-BODYURL,
FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, COUNTRY X-Note:
Recipient(s): [EMAIL PROTECTED] X-Country-Chain: CANADA-UNITED
STATES-destination X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL:
360625165 == !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0
Transitional//EN
html
head
titleUntitled/title
/head
bodyBR
DIV id=message
TABLE cellSpacing=0 cellPadding=0 width=100% border=0 ?
TR
TD
STYLE#message {
FONT-FAMILY: arial
}
/STYLE
XBODY
DIV
DIV/DIV
TABLE cellSpacing=0 cellPadding=0 width=600 border=0
TR
TD width=150A href=http://www.ebay.com/;
target=_blankIMG
height=80 alt=eBay logo hspace=0
src=http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102
.gif width=173 border=0/A /TD
TD vAlign=top align=right width=450MAP
name=home_myebay_map_hasJSAREA shape=RECT
target=_blank
alt=Home
coords=209,0,256,15
href=http://pages.ebay.com/index.html;
http://pages.ebay.com/index.html AREA
shape=RECT target=_blank alt=My#10;eBay
coords=257,0,318,15
href=http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?MyEbayLo
gin
http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?MyEbayLogin AREA
shape=RECT target=_blank alt=Site Map
coords=319,0,383,15
href=http://pages.ebay.com/sitemap.html;
http://pages.ebay.com/sitemap.html AREA shape=RECT
target=_blank alt=Sign In/Out coords=384,0,447,15
href=http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn;
http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn /MAPBR
clear=all/TD/TR/TABLE
P align=leftDear eBay user, BRAs part of our continuing
commitment
to
protect your account and to reduce the instance of fraud on our
website,
we are undertaking a period review of our member accounts.
BRYou are
requested to visit our site by following the link given below
BRA
href=http://www.cgi5-update.com/ebay-verify-account-57435-5645-3765/d
irDllS
Sl856-4756-JkkLEbay-547864/newUseBay485-5754-575Hq35-56-SSL/Verify.htm
target=_blankhttp://www.ebay.com/aw-cgi/eBayISAPI.dll?verification/%?
708808 0019/A/
P
A
href=http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnte
rInfo
http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfoamp;s
iteid= [EMAIL PROTECTED]/cgi_39ny5bay/
amp;[EMAIL PROTECTED]/cgi_39ny5bay
RE: [Declude.JunkMail] BODY STARTSWITH
Wow! Very kool. Thanks Scott! -Nick Date sent: Tue, 25 Nov 2003 15:11:33 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] BODY STARTSWITH Send reply to: [EMAIL PROTECTED] Are all those features recently talked about included in this release? Skip Max weight? Yes. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] BODY STARTSWITH
Scott, Is there an order to which tests are executed in the global config? Are filterfiles read/executed last? Is there any way to determine the order that each filterfile is run ? Thanks -Nick Hayer Date sent: Tue, 25 Nov 2003 15:11:33 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] BODY STARTSWITH Send reply to: [EMAIL PROTECTED] Are all those features recently talked about included in this release? Skip Max weight? Yes. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] BODY STARTSWITH
Thanks Scott! Another question: Very kool addition but I'm having trouble with MAXWEIGHT Gotta be simple but I just don't get it: DJMPro v1.76i27 I created a filter called testfilter.txt it contains SKIPIFWEIGHT 40 MAXWEIGHT 20 HEADERS 1 CONTAINSfrom I sent myself an email. Total weight of the email was -5 The above filter did not kick off 11/25/2003 17:40:54 Qda65016600ce1c4c Last action = DELETE. 11/25/2003 17:40:58 Qda67016700ce27c6 nIPNOTINMX:-3 nNOLEGITCONTENT:- 3 REVDNS:1 . Total weight = -5. 11/25/2003 17:40:58 Qda67016700ce27c6 NOT bypassing whitelisting of E- mail with weight =35 (-5) and at least 2 recipients (1). 11/25/2003 17:40:58 Qda67016700ce27c6 Using [incoming] CFG file e:\IMail\Declude\$default$.junkmail. 11/25/2003 17:40:58 Qda67016700ce27c6 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 170.222.200.91 with no reverse DNS entry.). Action=IGNORE. 11/25/2003 17:40:58 Qda67016700ce27c6 L1 Message OK 11/25/2003 17:40:58 Qda67016700ce27c6 Subject: test2 11/25/2003 17:40:58 Qda67016700ce27c6 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 170.222.200.91 ID: AA5F2720038 11/25/2003 17:40:58 Qda67016700ce27c6 Last action = IGNORE. *BUT* if I changed the SKIPIFWEIGHT to 400 the filter did execute. 11/25/2003 17:59:05 Qdeb405260116f421 TESTFILTER:-1 nIPNOTINMX:-3 nNOLEGITCONTENT:-3 REVDNS:1 . Total weight = -6. 11/25/2003 17:59:05 Qdeb405260116f421 NOT bypassing whitelisting of E- mail with weight =35 (-6) and at least 2 recipients (1). 11/25/2003 17:59:05 Qdeb405260116f421 Using [incoming] CFG file e:\IMail\Declude\$default$.junkmail. 11/25/2003 17:59:05 Qdeb405260116f421 Msg failed TESTFILTER (Message failed TESTFILTER test (line 3, weight -1)). Action=IGNORE. 11/25/2003 17:59:05 Qdeb405260116f421 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 170.222.200.91 with no reverse DNS entry.). Action=IGNORE. 11/25/2003 17:59:05 Qdeb405260116f421 L1 Message OK 11/25/2003 17:59:05 Qdeb405260116f421 Subject: test3 Do I need a different setting? -Nick Date sent: Tue, 25 Nov 2003 17:13:49 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] BODY STARTSWITH Send reply to: [EMAIL PROTECTED] Are filterfiles read/executed last? They are close to the last tests run. Is there any way to determine the order that each filterfile is run ? They will be run in the order they are defined in the global.cfg file. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Clarification..needed
Scott, Sure seems to work like a charm. Again - very kool! -Nick There is a new interim release (1.76i28) at http://www.declude.com/release/176i/declude.exe that changes the way that the weight is calculated (in i27 it would count negative weights, but no longer will), and adds logging at LOGLEVEL HIGH that should help determine if there are other issues. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] improved performance using ramdrive?
Frederick - I suggest you try the new feature in the latest intrim release that has these commands avail: SKIPIFWEIGHT and MAXWEIGHT Place your compensatory filters [ones that reduce scoring] in the global config ahead of the other filter files. For me frankly most of my filters do not even now run - the dns tests take care of the load so cpu use is way down -Nick From: Frederick Samarelli [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] improved performance using ramdrive? Date sent: Wed, 26 Nov 2003 09:44:37 -0500 Send reply to: [EMAIL PROTECTED] I have some big filters and see very little disk access. I don't think it would help. What Delcude uses is CPU CPU CPU CPU ... - Original Message - From: Gufler Markus [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 9:21 AM Subject: [Declude.JunkMail] improved performance using ramdrive? Hi all, Anyone has experiences using a ramdrive for all declude exe, config and filter files? Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spamchk fine tuning?
Matt - What I did was in the beta version set a max weight and a min weight to be returned. [I have it set now at 8 and -2 respectivly.] Then let it run and check the log file to see what is failing - adjust accordingly. I ended up reducing the scores for failures in the ini by ~50+% since I hold on 15 and delete on 30. -Nick From: Matt Robertson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:[Declude.JunkMail] Spamchk fine tuning? Date sent: Tue, 2 Dec 2003 09:03:18 -0800 Send reply to: [EMAIL PROTECTED] I just set up spamchk and was wondering if anyone can share some fine-tuning info with me? Updated keyword lists and such? I tried subscribing to their list but all I get back is an Invalid Syntax email from their mail server. Cheers, Matt Robertson [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] F-prot updates
Markus, The last f-prot update is from 12/01/2003 Our F-Prot Updater runs every hour at xx:20 o clock. Mail processing stopped at 11:43 pm. I set up a program alias that the F-Prot notifications email to. That in turn kicks off update.exe [the f-prot update program]. Nothing wrong for sure with scheduling the updates but this alias is kinda neat and it hopefully gets me the updates right off. -Nick Hayer Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] MAILFROM vs FROMFILE
Is MAILFROM in a filterfile equivalent to an entry in a FROMFILE? Is there an advantage to use one over the other? Thanks! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SPF BIND OT question
Scott - If you would a little help please w/my Bind to impliment SPF: In a zone file I would add: example.com. IN TXT v=spf1 mx ptr ip4:63.170.56.4 -all mail.example.com. IN TXT v=spf1 a -all mail2.example.com. IN TXT v=spf1 a -all Is this correct - one line for the domain and one line for each mailserver? Thanks! -Nick Hayer Date sent: Thu, 18 Dec 2003 14:33:38 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] SPF support to be added to next beta Send reply to: [EMAIL PROTECTED] We will be adding support for SPF (Sender Permitted From, at http://spf.pobox.com ) to the next beta of Declude JunkMail. This is a system that lets owners of domains publish information on what mailservers people can use to send mail from the domain. We expect that this can be very useful in blocking spam (similar to the SPAMDOMAINS test), as well as helping ensure that legitimate mail gets through. For those that are interested, we now have an interim release with SPF support in it. It can be downloaded from http://www.declude.com/interim (a new URL that we are going to be using for interim releases, that explains a bit more about them). To use the new SPF test, you can add lines such as: SPFPASS spf passx -5 0 SPFFAIL spf failx 8 0 to your global.cfg file. SPF returns PASS for E-mail that passes SPF (that comes from an IP that is acceptable to the owner of the domani that it claims to be coming from), FAIL for E-mail that fails SPF (that does not come from an acceptable IP for the domain), or UNKNOWN (for E-mail from domains that do not use SPF yet, or for some other reason should return UNKNOWN). This will help reduce false positives (for domains that have SPF support), and help capture more spam (as spam comes in from domains that have SPF support, but the spammer isn't using an acceptable IP). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] PREWHITELIST ON Question
Scott - I have PREWHITELIST ON however all tests seem to be run on an email regardless - then when tests are completed the email is whitelisted. Is this broke or am I misunderstanding PREWHITELIST eg: if switched ON then testing will be done? - Thanks! -Nick Hayer snip 12/18/2003 17:50:09 Q2f1b03d9014aebb8 Filter FREEEMAIL-BODYREMOVE: Not skipping E-mail due to current weight of 9. 12/18/2003 17:50:09 Q2f1b03d9014aebb8 Filter: Set max weight to 6. 12/18/2003 17:50:09 Q2f1b03d9014aebb8 HELOBOGUS:4 SNIFFER:3 SPAMCHK:2 . Total weight = 9. 12/18/2003 17:50:09 Q2f1b03d9014aebb8 NOT bypassing whitelisting of E- mail with weight =29 (9) and at least 2 recipients (1). 12/18/2003 17:50:09 Q2f1b03d9014aebb8 E-mail whitelisted - automatically passing all spam tests [EMAIL PROTECTED] 12/18/2003 17:50:09 Q2f1b03d9014aebb8 Using [incoming] CFG file e:\IMail\Declude\$default$.junkmail. 12/18/2003 17:50:09 Q2f1b03d9014aebb8 L1 Message OK 12/18/2003 17:50:09 Q2f1b03d9014aebb8 Subject: Meredith's computer snip --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Overflow
Hi Matt, Is anyone getting dictionary attacked for long periods of time on a domain with a nobody alias or something that is gatewayed? Thanks, Yes. I get hammered everyday..; I got rid of the nobody alias, filter the log files for the ip's that connected - and add them to my Imail Access control list. Currently that list contains nearly 10,000 ip's... -Nick Hayer Matt Fritz Squib wrote: Hey guys, this sounds like same problem that I have been experiencing, however it has been a bunch of spam with c.c. 's to non-existant mail addresses on my server (dictionary attack style) ..My DNS is working fine. I spent the weekend returning mail from the old spool to a new spool that I had to create. I had around 67,000 of these buggers to deal with...no fun. All of the mail seems to be originating from dsl and cable modems with forged return addresses. My server is swamped again today - started again about 2-3 hours ago. Fritz Frederick P. Squib, Jr. Network Operations/Mail Administrator Citizens Telephone Company of Kecksburg http://www.wpa.net () ascii ribbon campaign - against html mail /\- against microsoft attachments --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Additional IP4R RHSBL tests
Bill, Thanks for this additl list. I too agree to run lots of tests scored low sooo here are two more: PSBLip4rpsbl.surriel.com* 1 0 DNSBL-T1ip4rt1.dnsbl.net.au * 2 0 -Nick Hayer From: Bill Landry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:[Declude.JunkMail] Additional IP4R RHSBL tests Date sent: Tue, 23 Dec 2003 11:21:45 -0800 Send reply to: [EMAIL PROTECTED] I have been running these tests for a while (as well as other that were producing little or not results), and they have been producing good results for me. However, my philosophy is different from some others on this list in that I like to test lots of IP4R and RHSBL databases and apply relatively low weights to many tests. I feel that you get a better balance and fewer FPs this way. The more tests that flag the source the more likely it is to be spam and the higher weight that gets applied to the message. Also, since all DNS based tests get spanned simultaneously (rather than consecutively), there is no performance nor latency hit (unless one of the test sites is not responding - Scott, are you still planning to add a configurable time-out setting for the DNS based tests?). Anyway, here are the additional DNS based tests I've been using, in case you are interested in trying any of them out: * These IP4R test sites are listed on Scott's spam databases site, but without the test info: BORDERWORLD ip4r bl.borderworlds.dk * 2 0 BRAINERD ip4r blackholes.brainerd.net * 2 0 * These IP4R test sites are not yet listed on Scott's spam databases site: COMPLETEWHOIS ip4r bogons.dnsiplists.completewhois.com * 2 0 INTRUDERS ip4r intruders.docs.uu.se * 2 0 NJABL-DYNA ip4r dynablock.njabl.org * 2 0 REDHAWK ip4r access.redhawk.org * 2 0 SNARK ip4r rbl.snark.net* 2 0 SOLID ip4r dnsbl.solid.net * 2 0 SPAMRBL ip4r map.spam-rbl.com * 2 0 SPAMSOURCES ip4r spamsources.dnsbl.info * 2 0 * These RHSBL test sites are not yet listed on Scott's spam databases site: ISOC-RHSBL rhsbl dnsbl.isoc.bg* 2 0 ZONEEDIT rhsbl zebl.zoneedit.com * 2 0 Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Comments test
Omar, I get tons of this stuff too - but it is easy to filter on for example in your bodyfilter have lines like: BODY2 CONTAINSMedicatio/ BODY2 CONTAINSOverni/ in your bodydomains filter: BODY10 CONTAINS.p1x.jpg.com Just a suggestion - -Nick Hayer From: Omar K. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:[Declude.JunkMail] Comments test Date sent: Wed, 24 Dec 2003 21:21:17 +0200 Send reply to: [EMAIL PROTECTED] Maybe im not quite familiar with the workings of the COMMENTS test, but shouldn't the included text trigger that test? If not, what suggestions do you have? I see so much spam slip by that has this charectristscs. Thanks, --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Comments test **Answered
Kami, The filters do work with the embeded html. I just sent myself a test email with the Medicat/ and it was snagged. Go home. Merry xmas! -Nick Hayer From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] Comments test Date sent: Wed, 24 Dec 2003 15:55:50 -0500 Organization: ClickandPledge.com Send reply to: [EMAIL PROTECTED] Hi; Actually I am now curious... Based on Scott Declude will take away the / before checking the email. So.. Does Medicat/ion work as a filter? If Declude takes off the ... then we should just use Medication since really Medicat/... can not be detected. True? False? Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Wednesday, December 24, 2003 3:45 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Comments test Omar, I get tons of this stuff too - but it is easy to filter on for example in your bodyfilter have lines like: BODY 2 CONTAINSMedicatio/ BODY2 CONTAINS Overni/ in your bodydomains filter: BODY 10 CONTAINS.p1x.jpg.com Just a suggestion - -Nick Hayer From: Omar K. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Comments test Date sent:Wed, 24 Dec 2003 21:21:17 +0200 Send reply to:[EMAIL PROTECTED] Maybe im not quite familiar with the workings of the COMMENTS test, but shouldn't the included text trigger that test? If not, what suggestions do you have? I see so much spam slip by that has this charectristscs. Thanks, --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Adult phrase filter
Gene -
Does anyone have an adult phrase filter they could share? I've been
Mine is attached. [I hope its ok to send an attachment to the list.
If not pls let me know - ]
Its a compilation of others [mostly Kami] and my own.
trying to create a filter but keep running into keywords being caught
in other words, like document and analog
Try IS rather than CONTAINS?
-Nick Hayer
I'm using 2 filters, one
filter adds weight based on keywords the other removes weight based on
keywords.
Thanks
Gene Head
ACCRAM Inc.
MCP,Net+,A+,CCNA,CCDA
[EMAIL PROTECTED]
[EMAIL PROTECTED]
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
The following section of this message contains a file attachment
prepared for transmission using the Internet MIME message format.
If you are using Pegasus Mail, or any other MIME-compliant system,
you should be able to save it or view it from within your mailer.
If you cannot, please ask your system administrator for assistance.
File information ---
File: adultphrase.zip
Date: 26 Dec 2003, 9:07
Size: 4897 bytes.
Type: ZIP-archive
adultphrase.zip
Description: Zip archive
Re: [Declude.JunkMail] Adult phrase filter
FYI, that will rarely work. For example, SUBJECT 10 IS evilword will only catch a subject of evilword, not a subject of This subject contains an evilword. BODY 10 IS ... will almost never catch anything. Rarity is good :) Its is the only way I see to trap certain words which rarely occur in regular email but are often in spam eg: ANYWHERE IS semen semen =basement -Nick Hayer -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Sorting log another question
Scott - Do you have a handy dandy way of finding all the messages that were delivered Message OK *and* failed a certain test? Like all the messages that were successfully delivered that failed SPAMDOMAINS. Even a count would be nice - Thanks -Nick Hayer If you are just looking for all lines for a message, you can use: FIND afe0021101d68bb7 dec.log /i -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamD/SpamC for Declude
Hi Russ, I have it set for 8. I hold on 10 delete on 30. It runs on my mailserver. In local.cf I have required_hits 3.00 -Nick Hayer Date sent: Mon, 12 Jan 2004 10:55:47 -0500 To: [EMAIL PROTECTED] From: Russ Uhte \(Lists\) [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] SpamD/SpamC for Declude Send reply to: [EMAIL PROTECTED] At 10:02 AM 1/12/2004, Russ Uhte \(Lists\) wrote: I'm trying to get this set up on a couple of test machines. It appears as if I have spamd up and running successfully. I can telnet to the ip address of the spamd server on port 783, and I see the message logged by spamd on the console. However, when I go to run spamc from a machine, it never connects. It just shows Loading... and then nothing. Any ideas. Okay... forget this question... RTFM... Now the important question... for those of you using this, what percentage of your hold weight are you giving this test? Do most of you install SpamD on your mail server, or do you use the TCP/IP feature of SpamC? Thanks, Russ --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] SpamD/SpamC for Declude
Awesome!! When you installed all the CPAN stuff, did you also install the HTML::parser? It told me when I went to make the spamassassin package, that it was missing. Yes - That was missing with me as well. I just installed it, and all seems okay... kool. So its workn? What do you think of its results? -Nick Hayer -Russ --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released
I tried this without success. Sandy's port for me is *much* slicker - -Nick Hayer From: Rick Klinge [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released Date sent: Tue, 13 Jan 2004 10:04:08 -0600 Send reply to: [EMAIL PROTECTED] http://www.openhandhome.com/howtosa.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Russ Uhte (Lists) Sent: Tuesday, January 13, 2004 10:00 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.55 released At 03:57 AM 1/13/2004, Sanford Whiteman wrote: SPAMC32 0.5.55 is available for download at http://www.mailmage.com/download/software/freeutils/spamc32/release Users anticipating the big RegEx rollout will have to wait a little longer, but there are some very powerful new features and performance improvements in this release: - You can add a SKIPIFWEIGHT-type threshold to ensure that no SpamAssassin tests will be run if the message is already over a certain weight: SPAMC32 will pass (0) such messages immediately. See the -cw/-sw combo. Well, this did help considerably... but not quite enough. I moved the SpamD server onto a server that currently does nothing but DNS. It is a dual PIII 1GHz machine that usually runs between 0 and 5 % utilization. With SpamD running on it, it averaged about 70% utilization. Now my mailserver wasn't noticeably affected by the SpamC process. That was using a -sw entry of 20 (my hold weight) So, I think if I want to utilize SA, I'm going to have to do something drastic... I'm open to suggestions if anyone has any!! :) -Russ --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. ___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System. ___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] *OT* Web dns management console
Can anyone recommend a web interfaced dns management console for end users? Want end users to be able to manage their own domains eg: adding, deleting, edits. Thanks much! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] *OT* Web dns management console
I'm using bind 8x but I would switch no problem to have the user interface... -Nick From: Kevin Bilbee [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] *OT* Web dns management console Date sent: Tue, 13 Jan 2004 11:56:12 -0800 Send reply to: [EMAIL PROTECTED] You did not mention the DNS server being used. like BIND, Simple DNS, MS DNS??? Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nick Hayer Sent: Tuesday, January 13, 2004 11:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] *OT* Web dns management console Can anyone recommend a web interfaced dns management console for end users? Want end users to be able to manage their own domains eg: adding, deleting, edits. Thanks much! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Interesting concept..
Marc, Would you share your filter? Save me some efforts! Thanks -Nick From: Marc Hilliker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] Interesting concept.. Date sent: Tue, 20 Jan 2004 11:42:21 -0500 Organization: CQ Services, Inc. Organization: CQ Services, Inc. Send reply to: [EMAIL PROTECTED] Kami, Maybe you already know this but just in case you or others don't, mailserveruser.com is a domain that belongs to Green Horse Corporation (aka atriks.com). There is quite a list of domains (60+?) that this group of scum own. I made a filter looking for those domains in the body of the email and it catches a good number daily. For more info see: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495 - Marc - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 7:19 AM Subject: [Declude.JunkMail] Interesting concept.. I guess this qualifies as things that make you go h... http://www.mailserveruser.com/email_deployment.html Regards, Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Whitelist filter
Scott - Performance wise would one be better off maxing out the global config [200 entries] with WHITELISTS and then use WHITELIST in a filter file? OR the filter file exclusively? Thanks -Nick Hayer Date sent: Thu, 22 Jan 2004 12:59:49 -0500 To: [EMAIL PROTECTED] From: R. Scott Perry [EMAIL PROTECTED] Subject:Re: [Declude.JunkMail] Whitelist filter Send reply to: [EMAIL PROTECTED] With the new release- are these valid lines? BodyWhitelistContainssome text REVDNSWhitelistEndswith.domain.com subjectwhiteliststartswith[Whitelist] I guess if this is the case the new whitelist just replaces the weight and all other filter syntax hold. That is correct. With the latest interim release, you can use any of the above lines. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Manual
Scott, A better manual would be nice. I grumble when I see you changed it and cannot find where *BUT* if creating a new one takes away from your literal instant tech support, advice on OT subjects, I can live with the system. From my perspective isn't fair for folks that want new features daily like me to also ask for a spiffy manual. I feel it has to be one or the other and for that reason no complaints at all on my end. Great job! -Nick Hayer Subject:Re: [Declude.JunkMail] Manual From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Keep it up guys and you'll be forced to wait for a full release to get some of these new features that add such extreme functionality to this product. If you don't like the way Scott does this, only use the latest full release with features covered in the manual. My $.02. N. Mathews [EMAIL PROTECTED] wrote: - To: [EMAIL PROTECTED] From: Mike K [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 01/23/2004 02:50PM Subject: Re: [Declude.JunkMail] Manual I have not renewed my Junkmail SA due to the lack of an updated manual. If Scott would spend the same amount of time updating the manul as he does explaining to the list how features work, the manual would be current. Monitoring and researching list archives is fine for free or diy software but for a paid product with stable features it's unacceptable. Mike --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Best Test for SPAM from AOL, Yahoo
Would you mind posting your global.cfg? Redact whatever you want private. With that maybe some good suggestions can be made -Nick Hayer From: TC Online Support [EMAIL PROTECTED] To: Declude.JunkMail [EMAIL PROTECTED] Subject:[Declude.JunkMail] Best Test for SPAM from AOL, Yahoo Date sent: Wed, 28 Jan 2004 15:20:42 -0600 Send reply to: [EMAIL PROTECTED] What are the best test weights to use for scanning e-mails from AOL and Yahoo. We are catching many valid e-mails and many SPAM e-mails are going through. We have been getting many complaints from customers about blocking valid e-mails that we have been temporarily whitelisted the domains. Also are there any other tests that can be done to stop the amount of SPAM sent to our uses. 80%-90% of our network traffic is incoming SPAM and much is going through. Thanks, Isaias Hernandez TC Online Internet Tech Support [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Best Test for SPAM from AOL, Yahoo
Isaias, I suggest you start with a fresh global cfg.. many tests you have listed are now dead. http://www.declude.com/Release/177/GLOBAL.CFG [I am assuming you are running the latest beta] Add in your filters that you had created and I believe you will see a great improvement. -Nick Hayer From: TC Online Support [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] Best Test for SPAM from AOL, Yahoo Date sent: Wed, 28 Jan 2004 15:55:08 -0600 Send reply to: [EMAIL PROTECTED] This is our global.cfg file. Isaias Hernandez -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Wednesday, January 28, 2004 3:41 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Best Test for SPAM from AOL, Yahoo Would you mind posting your global.cfg? Redact whatever you want private. With that maybe some good suggestions can be made -Nick Hayer From: TC Online Support [EMAIL PROTECTED] To: Declude.JunkMail [EMAIL PROTECTED] Subject: [Declude.JunkMail] Best Test for SPAM from AOL, Yahoo Date sent:Wed, 28 Jan 2004 15:20:42 -0600 Send reply to:[EMAIL PROTECTED] What are the best test weights to use for scanning e-mails from AOL and Yahoo. We are catching many valid e-mails and many SPAM e-mails are going through. We have been getting many complaints from customers about blocking valid e-mails that we have been temporarily whitelisted the domains. Also are there any other tests that can be done to stop the amount of SPAM sent to our uses. 80%-90% of our network traffic is incoming SPAM and much is going through. Thanks, Isaias Hernandez TC Online Internet Tech Support [EMAIL PROTECTED] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates?
thread originally from imal list Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not, per-domain can sometimes be acceptable. Server-wide statistical databases fare worse. I have baynesian filtering enabled on Sandy's implimentation of SpamAssassin server wide. Am I just wasting cpu cycles/decreasing SA effectiveness by including this? Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filte r updates?
Thanks Andrew - Nick From: Colbeck, Andrew [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject:RE: [Declude.JunkMail] [IMail Forum] Continuous statistical filte r updates? Date sent: Wed, 4 Feb 2004 09:21:04 -0800 Send reply to: [EMAIL PROTECTED] It is more precise to say that Bayesian filters are best suited to individual mailboxes, and on the opposite scale they are not effective when the message base is random. Bayesian filters need to be trained, and for that you need a corpus of messages that is spam and another that is ham. The better the training, the better the result, and the reverse is true: garbage in, garbage out. Likewise, you need something or someone to keep feeding the algorithm: what were the false positives and what were the false negatives. This makes Bayes ideal for a single user yet makes it poorly suited to an ISP. If you want to implement Bayes for a corporation, you will do better, because more messages will be on topic and more and more we are all receiving similar spam. The catch is in training. You may find that Bayes is not worth using, but that the filters in SpamAssassin are worth keeping. Andrew 8) -Original Message- From: Nick Hayer [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 04, 2004 8:05 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] [IMail Forum] Continuous statistical filter updates? thread originally from imal list Scott - others regarding SpamAssassin In your opinion: Correct. That's why for statistical filtering to be effective, you need to have very small groups that receive similar E-mails. Ideally, each user will have their own statistical database. If not, per-domain can sometimes be acceptable. Server-wide statistical databases fare worse. I have baynesian filtering enabled on Sandy's implimentation of SpamAssassin server wide. Am I just wasting cpu cycles/decreasing SA effectiveness by including this? Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Not really a white list..
Darin, As you may be aware but in case not: If you are using interim releases you can whitelist in a filter file so there is no 200 cap; another thing is if you use filters instead of fromfiles you can use the SKIPIFWEIGHT/MAXWEIGHT/MINWEIGHT processor saving switches.[The latter feature I believe is in the current beta] Not sure I should bring up features that are not in the manual. Do not want to start a documentation thread - however these tools are handy and info to config is 100% in the archives. -Nick Hayer That's what we do and it works well. I believe it's the recommended means of whitelisting, by negative weighting instead of explicit whitelisting. It also addresses the 200-limit for whitelisting. Darin. - Original Message - From: Bud Durland [EMAIL PROTECTED] To: Declude List [EMAIL PROTECTED] Sent: Wednesday, February 11, 2004 9:33 AM Subject: [Declude.JunkMail] Not really a white list.. The number of white list address entries in my GLOBAL.CFG file is growing; many customers using broken clients, or automated responses that look like spam. I have this entry in my GLOBAL.CFG: MRPBADADDR fromfileC:\IMail\Declude\BADADDRESS.TXT x 20 0 Is there any reason I couldn't put the addresses I'm white listing now into a file, and do something like this: MRPGOODADDR fromfileC:\IMail\Declude\GOODADDRESS.TXT x -15 0 -- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com --- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. _ [This E-mail virus scanned by 4C Web] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HOP HIGH / Spam Tests
Matt - hop testing (I test the last 4 hops since my server can handle it currently and that helps with forwarding). I've only seen a few FP's Does this mean you have a HOPHIGH 4 setting in your global.cfg? Or (3) considering HOP 0 or none of this applies..? Thanks! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude version
type declude at the \imail prompt more info is declude -diag -Nick Hayer Date sent: Wed, 03 Mar 2004 16:45:20 -0500 From: Bud Durland [EMAIL PROTECTED] To: Declude List [EMAIL PROTECTED] Subject:[Declude.JunkMail] Declude version Send reply to: [EMAIL PROTECTED] I downloaded and installed the interim version of Delcude, and added 'banext ezip' to the virus.cfg file, but an encryptedzip file still got through. 'banext zip' wroks OK, though. I want to confirm that I've got the right declude executable, but am having cranial flatulence trying to remember the command to have delcude display version information. Help, please? -- --- illigitimi non carborundum --- Bud Durland, CNE Mold-Rite Plastics Network Administrator http://www.mrpcap.com --- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] declude virus - additional info
Doug, Should post these to the declude virus list... virus with it - but got some questions 1. which version of mcafee should I use? scan.exe I think it comes with all of them but not sure. based 4.3.20, does anyone have a good automated update routine for it? If you say 7.1.0 then updating is not a problem, I'm just not sure of the command line needed. I do - email me off list and I will send you my batch file. I run it every 4 hrs. [There are others on the Declude website as well.] -Nick Hayer We're at a point were I've convinced Mgmnt that if they want zips to go through they need Declude Virus to get rid of the encrypted zips. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] e-commerce counter weights
On 29 Mar 2004 at 14:35, Technical Support wrote: What sort of counter weighting do you guys use to balance out these types of messages? I can't decide on anything to identify these types of messages with that spammers don't already try to fake. Any help would be much appreciated. As Darin responded you should use a negative weighted filter. I call mine compensatory.txt In it include REVDNS, CONTAINS, MAILFROM, etc. from the false positives that will counter weight the spam scores. As far a phrase that you could add for a BODY tag kinda hard. But they may work for you like 'Order shipped' , etc. I make compensatory.txt the first filter in global.cfg also; to be sure SKIPIFWEIGHT feature is used in the other filter files. -Nick Hayer Thank you for making YourNET Connection your connection to the world Jim O'Keefe Technical Support @YourNET Connection, Inc. mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] [AUTOMATED NOTE: Your mail server [170.222.200.91] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Internet Usage Monitoring
On 30 Mar 2004 at 12:43, Kevin Bilbee wrote: Here we *used* a product called LittleBrother. It would produce complete tracking reports for every user. Very complete. Simple to use. Not sure if it is still avail. We stopped using it because of privacy/union concerns. -Nick Hayer Management wants to do web usage mainitoring. They do not at this time want to do blocking. We have a pix firewall that does what Cisco calls URL logging but in relaity it does not log the url but the ip address of the server and the path on the server to the document being viewed. What they want is a log of client ip and url including the host name. They also do not want to abandon the PIX. Any one have any suggestions? Kevin Bilbee --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [AUTOMATED NOTE: Your mail server [170.222.200.91] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Passing weight to Externalplus test
On 7 Apr 2004 at 17:20, R. Scott Perry wrote: There is now an interim 1.79i3 at http://www.declude.com/interim that changes the %WEIGHT% variable so that it will include the current weight if it is used before the total weight is calculated. Scott, For me this is what makes me so loyal to your products. You listen to your customers.. -Nick Hayer -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [AUTOMATED NOTE: Your mail server [170.222.200.91] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Notification to customers of change of ownership
On 12 Apr 2004 at 14:44, R. Scott Perry wrote: Don't worry, I will continue answering questions here (and on the IMail Forum). :) If Chucky Barry don't work you promise you won't leave us correct? -Nick Hayer -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [AUTOMATED NOTE: Your mail server [170.222.200.91] is missing a reverse DNS entry. All Internet hosts are required to have a reverse DNS entry. The missing reverse DNS entry will cause your mail to be treated as spam on some servers, such as AOL.] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Log analysis and test check scripts
On 21 Apr 2004 at 21:24, Roger Eriksson wrote: *very* nice job Roger - Thanks! -Nick Hayer Hi, My log analysis and test check scripts are available for download at: http://www.botany.gu.se/download/decludescript/LOG_analysis.zip http://www.botany.gu.se/download/decludescript/TEST_check.zip The first script creates a list with the number of hits for each test, number of messages that are OK or whitelisted, and a spam summary (incoming messages, deleted spam, held spam, marked spam, non-spam). The second script does a pairwise comparison between a specific test and all other tests regarding number of individual hits and number of shared hits (i.e. messages that fail both tests). Both scripts have two modes, one where the analysis is based on all message hits and another where it is based on unique messages only (i.e. a message hit is only counted once irrespective of the number of recipients). The first mode is much faster, but they can give some interesting results when compared. The scripts run under both Windows NT 4 and Windows 2000. They are pure Windows command scripts and therefore not as fast as some of the other log analysis tools. The analyses below took about one minute each in all mode. /Roger == Output from the log analysis script == Declude test results -- dec0420.log --- Total number of hits -- AHBL-PROXY 4197 AHBL-RHSBL 1296 AHBL-SOURCE 362 BADHEADERS 2523 BASE64-PLUS 381 BASE64 762 CBL 16295 COMMENTS 64 DSBL 14287 DSN 2837 FORGEDLOCAL 685 GREYLIST 6 HELOBOGUS 5812 MAILFROM 1233 MAILPOLICE 902 MESSAGE OK 2672 NETBL 563 OPM 1945 ORDB 48 REVDNS 5752 RSL 1815 SBL 877 SNIFFER-ADULT 2860 SNIFFER-CASINO 44 SNIFFER-CREDIT 685 SNIFFER-EMAIL 87 SNIFFER-EXP 1494 SNIFFER-GEN 1374 SNIFFER-GREY 5 SNIFFER-INSUR 661 SNIFFER-MAL 2 SNIFFER-MEDIA 2437 SNIFFER-OBFUSC 555 SNIFFER-PHARM 5964 SNIFFER-PRINT 10 SNIFFER-RICH 889 SNIFFER-SCAM 107 SNIFFER-TOOLS 1 SNIFFER-TRAVEL 19 SNIFFER 17194 SORBS-DUHL 10199 SPAMCOP 17652 SPAMDOMAINS 3895 SPAMHEADERS 184 SPAMTRAP 150 SPFFAIL 405 SURBL 2761 URLDBL 152 WEIGHT15-19 553 WEIGHT20 18482 WHITELISTED 530 - Total number of messages Incoming: 21154 Held spam: 18482 (87%) Marked spam: 553 (2%) Non-spam: 2119 (10%) == Output from the test check script == Test check results -- dec0420.log --- Test: SBL Total number of hits: 877 --- Shared with AHBL-PROXY (4197 hits): 58 (6%) Shared with AHBL-RHSBL (1296 hits): 137 (15%) Shared with AHBL-SOURCE (362 hits): 314 (35%) Shared with BADHEADERS (2523 hits): 172 (19%) Shared with BASE64-PLUS (381 hits): 13 (1%) Shared with BASE64 (762 hits): 15 (1%) Shared with CBL (16295 hits): 355 (40%) Shared with COMMENTS (64 hits): 6 (0%) Shared with DSBL (14287 hits): 165 (18%) Shared with DSN (2837 hits): 94 (10%) Shared with FORGEDLOCAL (685 hits): 23 (2%) Shared with GREYLIST (6 hits): 0 (0%) Shared with HELOBOGUS (5812 hits): 317 (36%) Shared with MAILFROM (1233 hits): 21 (2%) Shared with MAILPOLICE (902 hits): 371 (42%) Shared with NETBL (563 hits): 15 (1%) Shared with OPM (1945 hits): 2 (0%) Shared with ORDB (48 hits): 0 (0%) Shared with REVDNS (5752 hits): 445 (50%) Shared with RSL (1815 hits): 2 (0%) Shared with SNIFFER-ADULT (2860 hits): 219 (24%) Shared with SNIFFER-CASINO (44 hits): 7 (0%) Shared with SNIFFER-CREDIT (685 hits): 99 (11%) Shared with SNIFFER-EMAIL (87 hits): 82 (9%) Shared with SNIFFER-EXP (1494 hits): 77 (8%) Shared with SNIFFER-GEN (1374 hits): 33 (3%) Shared with SNIFFER-GREY (5 hits): 0 (0%) Shared with SNIFFER-INSUR (661 hits): 39 (4%) Shared with SNIFFER-MAL (2 hits): 0 (0%) Shared with SNIFFER-MEDIA (2437 hits): 32 (3%) Shared with SNIFFER-OBFUSC (555 hits): 30 (3%) Shared with SNIFFER-PHARM (5964 hits): 156 (17%) Shared with SNIFFER-PRINT (10 hits): 9 (1%) Shared with SNIFFER-RICH (889 hits): 84 (9%) Shared with SNIFFER-SCAM (107 hits): 1 (0%) Shared with SNIFFER-TOOLS (1 hits): 1 (0%) Shared with SNIFFER-TRAVEL (19 hits): 2 (0%) Shared with SNIFFER (17194 hits): 871 (99%) Shared with SORBS-DUHL (10199 hits): 197 (22%) Shared with SPAMCOP (17652 hits): 659 (75%) Shared with SPAMDOMAINS (3895 hits): 94 (10%) Shared with SPAMHEADERS (184 hits): 34 (3%) Shared with SPAMTRAP (150 hits): 0 (0%) Shared with SPFFAIL (405 hits): 0 (0%) Shared with SURBL (2761 hits): 20 (2%) Shared with URLDBL (152 hits): 57 (6%) Shared with WEIGHT15-19 (553 hits): 17 (1%) Shared with WEIGHT20 (18482 hits): 860 (98%) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [AUTOMATED NOTE: Your mail server
Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries
On 13 May 2004 at 16:57, R. Scott Perry wrote: Scott, For the test type below you have dnsbl ; I have only been using rhsbl and ip4r - are these just names to flag the type of test in global.cfg or are different actions taken on each? [Hope I am somewhat clear on this..] -Nick Hayer Is there any shot of you enabling a different type of test built to do RHS lookups from the reverse DNS value? Actually, you can use something like: BULK-REVDNS dnsbl %REVDNS%.bulk.rhs.mailpolice.com* x 0 -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Using RHSBL's for reverse DNS entries
On 13 May 2004 at 17:16, R. Scott Perry wrote: kool - thanks! -Nick For the test type below you have dnsbl ; I have only been using rhsbl and ip4r - are these just names to flag the type of test in global.cfg or are different actions taken on each? [Hope I am somewhat clear on this..] That is correct. ip4r will take the IP address that the E-mail came from, reverse it, and add it to the zone that you supply. So an E-mail coming from 192.0.2.25 using the zone bl.example.net would use 25.2.0.192.bl.example.net. rhsbl will take the domain in the return address and add it to the zone that you supply. So an E-mail coming from [EMAIL PROTECTED] using the zone bl.example.net would use example.com.bl.spamcop.net. dnsbl will just use the zone that you supply. So if you use %REVDNS%.bl.example.net, an E-mail coming from the IP 192.0.2.25 that has a reverse DNS entry of mail.example.com would use the zone mail.example.com.bl.spamcop.net. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Latest interim
On 11 May 2004 at 14:38, Darin Cox wrote: Boys, Scott is very knowledgeable, helpful, and quick to assist. He is also as stuborn as an old dog. He is not going to change the way he tags his releases, or writes his manual. No biggie. I suggest the good outweighs the bad... -Nick Hayer I agree...this would be an immense help. Darin. - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 11, 2004 2:26 PM Subject: RE: [Declude.JunkMail] Latest interim :) This definitely will not happen -- that's one of the more time-consuming parts of the interims. Scott... All I asked for was the inclusion of this in your emails.. ... This is added in our latest interim (1.76i6) Blah blah blah That is it.. :) I know we have 1.79i6- so I won't be downloading it- right now when I see your emails I say Oh.. May be I should download it- so I go to the site and put a load on your server and download it- then I see that it is the same version that I had. I am sure others do the same... This requires no change in what you do and how you do it.. But every so often let us know what is the latest interim number.. Thanks Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] f-prot
On 17 May 2004 at 9:13, Goran Jovanovic wrote: For the folks using multiple scanners, do you have any stats on how often the secondary scanner found a virus that the first one missed? Hi Goran, Here are my latest stats: Virus Totals: 441 F-Prot 412 AVG 446 McAfee - Vunerabilities: 349 - I update the defs for all every 4 hrs on a staggered schedule. Because of possible false positives I have found it hard to rank one particular scanner over another. For me the advantage to have more than one is one [varies] company will always come out with protection for a new outbreak before another. The downside is cost and cpu overhead. For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. -Nick Hayer I realize that the cost of F-Prot (which I am using) is quite low and others might be as well, so it is not a cost issue but rather a Do I really need it?. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot I find the Mcafee is the best at detecting viruses within encrupted zips. Otherwise they are pretty even. I'd recommend using F-Prot and Mcafee. Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can find my price tomorrow. [EMAIL PROTECTED] 5/15 12:29p Can anyone tell me how f-prot compares to mcafee or symantec when it comes to keeping their database up with new viruses? That just seems pretty cheap but hey that's exactly what I'm looking for as long as it works well :) thanks, Larry Craddock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] f-prot
On 17 May 2004 at 20:56, Aaron J. Caviglia wrote: Where can we purchase the command line scanner? Aaron - If you are referring to the Mcafee one for $11 - Scott mentioned My 1 year McAfee VirusScan Command Line license was $11 through CDW. We paid the same thing off of State contract from Insight. -Nick Hayer Thanks, Aaron Caviglia On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote: For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. So right now if you use multiple scanners when you scan with ScannerA and it finds a virus Declude will still call ScannerB and have it scan as well? Scott pointed out that his McAfee was only $11.00 for the year so the price barrier is non-existant and I see from your and Scott's responses that there are indeed reasons to have more than one scanner. Thank you all Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, May 17, 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] f-prot On 17 May 2004 at 9:13, Goran Jovanovic wrote: For the folks using multiple scanners, do you have any stats on how often the secondary scanner found a virus that the first one missed? Hi Goran, Here are my latest stats: Virus Totals: 441F-Prot 412AVG 446McAfee - Vunerabilities: 349 - I update the defs for all every 4 hrs on a staggered schedule. Because of possible false positives I have found it hard to rank one particular scanner over another. For me the advantage to have more than one is one [varies] company will always come out with protection for a new outbreak before another. The downside is cost and cpu overhead. For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. -Nick Hayer I realize that the cost of F-Prot (which I am using) is quite low and others might be as well, so it is not a cost issue but rather a Do I really need it?. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot I find the Mcafee is the best at detecting viruses within encrupted zips. Otherwise they are pretty even. I'd recommend using F-Prot and Mcafee. Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can find my price tomorrow. [EMAIL PROTECTED] 5/15 12:29p Can anyone tell me how f-prot compares to mcafee or symantec when it comes to keeping their database up with new viruses? That just seems pretty cheap but hey that's exactly what I'm looking for as long as it works well :) thanks, Larry Craddock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list
RE: [Declude.JunkMail] f-prot
On 17 May 2004 at 23:23, Goran Jovanovic wrote: So right now if you use multiple scanners when you scan with ScannerA and it finds a virus Declude will still call ScannerB and have it scan as well? Correct. Scott has said this is on his todo list.. -Nick Hayer Scott pointed out that his McAfee was only $11.00 for the year so the price barrier is non-existant and I see from your and Scott's responses that there are indeed reasons to have more than one scanner. Thank you all Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, May 17, 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] f-prot On 17 May 2004 at 9:13, Goran Jovanovic wrote: For the folks using multiple scanners, do you have any stats on how often the secondary scanner found a virus that the first one missed? Hi Goran, Here are my latest stats: Virus Totals: 441 F-Prot 412 AVG 446 McAfee - Vunerabilities: 349 - I update the defs for all every 4 hrs on a staggered schedule. Because of possible false positives I have found it hard to rank one particular scanner over another. For me the advantage to have more than one is one [varies] company will always come out with protection for a new outbreak before another. The downside is cost and cpu overhead. For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. -Nick Hayer I realize that the cost of F-Prot (which I am using) is quite low and others might be as well, so it is not a cost issue but rather a Do I really need it?. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot I find the Mcafee is the best at detecting viruses within encrupted zips. Otherwise they are pretty even. I'd recommend using F-Prot and Mcafee. Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can find my price tomorrow. [EMAIL PROTECTED] 5/15 12:29p Can anyone tell me how f-prot compares to mcafee or symantec when it comes to keeping their database up with new viruses? That just seems pretty cheap but hey that's exactly what I'm looking for as long as it works well :) thanks, Larry Craddock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Tips for handling dictionary attacks
On 18 May 2004 at 12:45, Matt wrote: Very slick Matt great idea! -Nick Hayer One other thing. Unless you have a ton of traffic (~100,000/day) or have people doing BCC blasts from your server to hundreds of addresses, there is a setting in IMail 8.x that can slow down the dictionary attack so that it doesn't threaten your server's ability to process E-mail. On the SMTP Advanced tab, there is a setting for Delay between recipients, typically 0 by default. This is a time in milliseconds and it can be increased without obvious effect for normal operation to a value of 500 or even 1000. If your server can handle about 3 messages a second over a prolonged period outside of Declude, you might set the value at 500 (allowing for a little extra processing power to handle legitimate E-mail). This would mean that any local or external sender that tried to To, CC or BCC a message to say 100 addresses on your server, would take 50 seconds just to have your server respond to all of the RCPT TO commands. I had mine set to 1000 for the longest time without any reports of problems except for one person that mailed out messages to just under 100 addresses (which would take almost 2 minutes for his E-mail program to report that the message was delivered). I dropped it down a little while ago, but I'm going to pump it back up to 500 again. Matt Matt wrote: Keith, I've been seeing a sharp uptick in this sort of activity as well. Typically they include about 200 generic E-mail addresses, but some are now throwing thousands of addresses for a fuller attack. If the E-mail is going to a locally hosted domain, the best defense is to remove the nobody alias as this will stop the attempts dead at the envelope and save lots of processing power. If this is gatewayed E-mail, a solution becomes much more involved as you will need to install a different product that can do address verification for non-IMail addresses and reject at the envelope (and maintain a database of such addresses). Regarding blocking the IP's, while I'm sure you could parse them out of your logs, they tend to attack from zombies, and typically use many at the same time. Each attack seems to use different sets of zombies as well. My feeling is to just simply let it go on because I don't want to waste too much time blocking IP's at the router or SMTP envelope that change constantly. Matt Keith Purtell wrote: I'm having a new experience with our mail server. Suddenly I'm getting numerous dictionary attacks from different IP addresses. At first I blocked the IP addresses in IMail SMTP Security, but after adding a dozen I got tired. I'd rather detect the pattern and automatically stop it that way. Any tips? Keith Purtell, Web/Network Administrator VantageMed Corporation (Kansas City office) Voice: (816) 801-5200 Fax: (816) 880-4776 (800) 525-1101 CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] f-prot
On 18 May 2004 at 13:56, Imail Admin wrote: I'd like to second this question. I remember seeing a couple of discussions here where people couldn't agree on which McAfee product to use as the command line scanner with Declude. And, of course, the online stores always emphasize the Windows-based products. So exactly which product is it that's needed? scan.exe - Mcafee's commandline scanner. Here is a link that I just found that has what appears to be a free copy: http://vil.nai.com/vil/virus-4d.asp DAILYSCAN.ZIP contains the scan.exe file. ] [We purchased ours but now maybe its a freebe..] -Nick Hayer Thanks, Ben - Original Message - From: John Carter [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, May 18, 2004 12:56 PM Subject: RE: [Declude.JunkMail] f-prot Do you have a CDW product number on this? Called and they took forever to come back with $20+ Thanks, John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Tuesday, May 18, 2004 9:55 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot On 17 May 2004 at 20:56, Aaron J. Caviglia wrote: Where can we purchase the command line scanner? Aaron - If you are referring to the Mcafee one for $11 - Scott mentioned My 1 year McAfee VirusScan Command Line license was $11 through CDW. We paid the same thing off of State contract from Insight. -Nick Hayer Thanks, Aaron Caviglia On May 17, 2004, at 8:23 PM, Goran Jovanovic wrote: For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. So right now if you use multiple scanners when you scan with ScannerA and it finds a virus Declude will still call ScannerB and have it scan as well? Scott pointed out that his McAfee was only $11.00 for the year so the price barrier is non-existant and I see from your and Scott's responses that there are indeed reasons to have more than one scanner. Thank you all Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, May 17, 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] f-prot On 17 May 2004 at 9:13, Goran Jovanovic wrote: For the folks using multiple scanners, do you have any stats on how often the secondary scanner found a virus that the first one missed? Hi Goran, Here are my latest stats: Virus Totals: 441 F-Prot 412 AVG 446 McAfee - Vunerabilities: 349 - I update the defs for all every 4 hrs on a staggered schedule. Because of possible false positives I have found it hard to rank one particular scanner over another. For me the advantage to have more than one is one [varies] company will always come out with protection for a new outbreak before another. The downside is cost and cpu overhead. For the latter there is an outstanding request to Scott to kill additional scanning once a scanner detects a virus.. -Nick Hayer I realize that the cost of F-Prot (which I am using) is quite low and others might be as well, so it is not a cost issue but rather a Do I really need it?. Thanx Goran Jovanovic The LAN Shoppe -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott Fisher Sent: Monday, May 17, 2004 12:49 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] f-prot I find the Mcafee is the best at detecting viruses within encrupted zips. Otherwise they are pretty even. I'd recommend using F-Prot and Mcafee. Mcafee for the DOS command line scanner is dirt cheap. I'll see if I can find my price tomorrow. [EMAIL PROTECTED] 5/15 12:29p Can anyone tell me how f-prot compares to mcafee or symantec when it comes to keeping their database up with new viruses? That just seems pretty cheap but hey that's exactly what I'm looking for as long as it works well :) thanks, Larry Craddock --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http
Re: [Declude.JunkMail] Whitelisted- getting thru
On 19 May 2004 at 9:04, Richard Farris wrote: Kinda - there is a test called BYPASSWHITELIST http://www.mail- archive.com/[EMAIL PROTECTED]/msg17561.html Hope this helps! -Nick Hayer I have noticed that some of the spam getting thru is because a I have several in my whitelist and even though it is not addressed to them it sends it on because the whitelisted email is in the CC or BCC... Isn't there any way to whitelist only if it is addressed to that person in the To: box? Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Feature request: COMBO tests
Hi Darin - On 19 May 2004 at 15:10, Darin Cox wrote: I would like to be able to group tests together and give a weight to the group rather than the individual tests. That way if one or multiple tests fail, only one weight is added. The answer is: I realize others have found a workaround for the multiple DUL issue by using custom filters [In the archives you will find exactly this example provided by Matt] This works well - a feature request for NOTCONTAINS has been made and will improve the method -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Feature request: COMBO tests
On 19 May 2004 at 16:59, Darin Cox wrote: Yes, but only for Pro licenses and custom filtering. Using weighting groups could allow Standard licenses to do this, as well as being much faster than text processing. Darin. Gotcha. Did not know of the standard ver limits -Nick - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Darin Cox [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 4:48 PM Subject: Re: [Declude.JunkMail] Feature request: COMBO tests Hi Darin - On 19 May 2004 at 15:10, Darin Cox wrote: I would like to be able to group tests together and give a weight to the group rather than the individual tests. That way if one or multiple tests fail, only one weight is added. The answer is: I realize others have found a workaround for the multiple DUL issue by using custom filters [In the archives you will find exactly this example provided by Matt] This works well - a feature request for NOTCONTAINS has been made and will improve the method -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] DNSstuff Website
My best guess is - Chuck Berry - whoever now own Declude can't fix it. Scott is on a cruise. No internet. No phone. When Scott returns he will reboot the box - for now we just have to make do.. -Nick Hayer On 20 May 2004 at 11:45, Matt Robertson wrote: I have been using the backup.dnsstuff.com But is it gone and they just forgot to whack the backup? dnsreport.com was (is?) the best dns report on the planet. -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Are tests executed?
On 20 May 2004 at 14:46, Goran Jovanovic GJovanovic wrote: Goran, Since this has not been answered someone lower on the food chain [me] will give it a try On 20 May 2004 at 13:57, Goran Jovanovic wrote: OK if I have a test defined in the GLOBAL.CFG and I have per-domain configs and if I only add the line TESTNAME WARN (or whatever) In only one domain's $default$.junkmail file 1) Will the test be executed for each e-mail for every domain or only the tests listed in that domains .junkmail file? The test will always execute - it is defined in the global.cfg. The ACTIONS of the test will execute are defines in that domains .junkmail file 2) If the test is executed for all domains then will the score of the test be added to e-mails for all domains? Nope. the ACTION of the test - WARN, etc execution is controlled by the .junkmail where the test is listed. 3) If 2 is true then doI have to add TESTNAME IGNORE to all other domain's config files to not count the score? nope. Hope this confused ya... Bottom line the way I see it - tests are executed in the global.cfg. IF that test is defined in a particular .junkmail file that junkmail file will define the action to take. Cheers - -Nick Hayer Thanx Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Are tests executed?
On 20 May 2004 at 13:34, John Tolmachoff (Lists) wrote: Incorrect. While it is true of the action, the weight will still be added. Yup - I was thinking about 0 [zero] scoring and taking an action in the applicable junkmail file. Sorry about the misinformation.. -Nick Hayer . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] trip
Welcome back Scott - how was your trip? Any details? Were you looking for property in the islands now that you are flush with cash? -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack OT Windows IP question
Scott, I have a colo that I gateway to. The colo box is Windows 2000 running Exchange ; Hijack monitors his traffic which runs on my server. All had been fine now however they are running on their server a moderated list(s). List software is SVList. The largest list has ~ 300 members. So when the list sends out Hijack will hold the email. Hijack settings are : RELAYTHRESHOLD1 10 20 RELAYTHRESHOLD2 30 80 So now I have whitelisted their ip [ALLOWIP setting] to allow everything to function. Is there *any* way to allow a different HIJACK setting based on IP and or MAILFROM? [ A colos email traffic - since we are looking at all the traffic from a mailserver from a particular ip - is different than monitoring ip's from individual users. The MAILFROM piece would work well here since I could WHITELIST the list] Any thoughts on how I can make this work without whitelisting? I also have DJMPro. OT Question: SVList does not have a setting to work off a particular IP. Is there a way to make an IP on a windows box 'primary' or 'default' in the sense programs such as SVList will *always* use it? If so this would solve my problem Thanks as always -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack question
Scott - Is it possible to get Hijack to run after DJMP? This would help me to better manage my backup mailserver - Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack question
On 17 Jun 2004 at 17:47, R. Scott Perry wrote: Perfect. Thanks! -Nick Is it possible to get Hijack to run after DJMP? This would help me to better manage my backup mailserver - The only way to do that would be if you are also running Declude Virus, you could use the AVAFTERJM ON option to force Declude Virus to run after Declude JunkMail, which also forces Declude Hijack to run last (since Declude Hijack always runs after Declude Virus). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Hijack Not working on internal customers
On 22 Jun 2004 at 7:07, Jeffrey M Donley wrote: Hi Jeff, So in your hijack.cfg file you have ALLOWIP xxx.xxx.xxx.xxx and in the HOLDx dir hijack is retaining emails from the allowip addresses? If that is the case I suggest stopping and restarting declude console to reset hijack; if that doesn't help review your hijack logs and email Scott... -Nick Hayer I have had a continuing problem with Hijack. I have several business customers with 25 plus work stations, these customers are getting caught in hijack on outgoing mails. I have added ALLOWIP entries for all the customers with no success. It seems as though declude reads hijack cfg for a certain number of ALLOWIP entries then gives up on the last few entries. I am using 1.75 with IMail 7.15. Any suggestions? -jeff --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is this unique?
Scott - We are getting a lot of spam with this text in the email: x-mac-type=4A504547; x-mac-creator=4A565752 Question - can I filter on this or is this a common MAC string? Thanks -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Is this unique?
On 25 Aug 2004 at 15:18, E. Ballerini wrote:
Hi Erminio -
I saw this explanation on a google search - my question is are the
id's unique to this mac client eg ok to filter on?
Thanks
-Nick Hayer
These are file attachments that have come from a Mac email client,
probably Outlook Express.
The mac doesn't use file extensions to determine the type of a file
(for example a JPEG), instead it uses a type ID and a creator ID which
are part of the files info (including the created date, modified date,
etc). The ID's a are 32 bit longs and are normally ASCII coded for
readability. In your case all the creator ID's are 4A565752, which is
'JVWR' and if memory serves that is the code for JPEG Viewer a
shareware image viewer, and the file types are 47494666 ('GIFf') and
4A504547 ('JPEG'), which makes sense as all the file names say .gif
and .jpg
Erminio
---
[This E-mail has been scanned for viruses by Declude Virus]
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] Question
On 15 Oct 2004 at 12:49, Alejandro Valenzuela wrote: Alex - I would like to have a test that checks if a message has been found on 3 or more black lists Then if that is the case, assign more points to it... Is this posible ?? Well I do not know how to count the number of failed tests but if you were willing to list them something along these lines will work in a filter: combo_blacklists.txt SKIPIFWEIGHT36 TESTSFAILED END NOTCONTAINS test1 TESTSFAILED END NOTCONTAINS test2 TESTSFAILED END NOTCONTAINS test3 REMOTEIP0 CONTAINS . in Gconfig: combo_blacklists.txtfilter \IMail\Declude\Filters\combo_blacklists.txt x 10 0 -Nick Thanks... Alex Valenzuela --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] E-Mail to download v1.8
On 28 Sep 2004 at 10:33, Jeff Maze wrote: Hi Jeff, Hello, Just wanted to know if there's a place to download the latest .cfg files to handle the v1.8 additions. Or even an updated declude manual? http://www.declude.com/Articles.asp?ID=116 -Nick Thanks.. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
On 28 Sep 2004 at 11:44, Richard Farris wrote: Hi Richard, You need to whitelist your ip, regretfully there is no way to config by domain - -Nick Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
Scott - wow. Now when did that occur? I see no reference of this anywhere. Are there any other switches? Thanks -Nick Hayer On 28 Sep 2004 at 14:37, Glenn \ WCNet wrote: The current version of HiJack supports 'whitelisting' by sending address in hijack.cfg. ALLOWADDR [EMAIL PROTECTED] - Original Message - From: Mike Wiegers [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 28, 2004 11:57 AM Subject: RE: [Declude.JunkMail] HiJack In the hijack.cfg file add: # An ALLOWIP line will let an IP address send unlimited E-mail. ALLOWIP x.x.x.x -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris Sent: Tuesday, September 28, 2004 11:45 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] HiJack Now that I have HiJack, I found out yesterday when sending a mass email to all my customers that they were held...how do I take myself out of HiJack...just turn it off while I send out messages or is there another way.. Richard Farris Ethixs Online 1.270.247. Office 1.800.548.3877 Tech Support Crossroads to a Cleaner Internet --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HiJack
On 28 Sep 2004 at 16:15, R. Scott Perry wrote: That was added to v1.69, per http://www.declude.com/relnotes.htm . Thanks. It may make a nice addition to the manual as well. :) -Nick -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 1.80 and e-mail notifications
On 28 Sep 2004 at 16:58, R. Scott Perry wrote: Scott - Thanks for pointing that out -- it should be fixed now. Does this mean we need to do something on our end or retreive an interim? Thanks -Nick The format used for the forging virus lookups was changed, and we had to also make a change on our end to reflect that (which was just made). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.JunkMail] Filter file maintenance suggestion
On 6 Oct 2004 at 18:52, Sanford Whiteman wrote: [ Don't worry, I'll cool off the cheerleading the moment a lot of SPAMC32 support posts come in. :) ] Cheers and more cheers from me. Simply Excellent! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] HIDETESTS
Scott - Is there a limit to how many tests that can be hidden? Do all the tests that are listed have to be on a single line? Thanks! -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] *very* much off topic
For those that follow baseball... the RedSox gave the Yankees an 'ATOMIC' WEDGIE' :) -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPSwitch ICS
On 25 Oct 2004 at 11:22, Kevin Bilbee wrote: Scott, What other products are you preparing Declude to function with??? If you are not I sugest you do! Because your customer base of Imail will not be increasing or so it seems - if it is Collaborate or not it seems most folks will NOT - I am for sure looking elsewhere - -Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] External Test for Obfuscated Subjects / update for Subject Case External Test
On 26 Oct 2004 at 10:43, Scott Fisher wrote: Nice job! Business as usual - back to spam busting.. -Nick I have created an external test that checks the subject for obfuscated subjects based on a filter file. It is available at: http://it.farmprogress.com/declude/declude.htm I have also updated my external test for Subject Case to better decode the subject and to handle skip if weight processing. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.56 released
On 1 Nov 2004 at 19:08, Sanford Whiteman wrote: Sandy, Dunno what I did but in moving to SA 3x from 2.61 I cannot get spamd to run. Any ideas? The error is can't execute /user/bin/spamd.. THanks! -Nick Hayer All, SPAMC32 has been updated to more easily function as a weight test in addition to the other command-line threshold options. See the release notes below and download from the traditional /release folder. --Sandy -- SPAMC32 Release 0.5.56 11/1/2004 * Release notes for this version: [ + Added feature] [ * Improved/changed feature ] [ - Bug fix ] [ ^ Cosmetic/naming change ] [+] Added switch '-e' to allow more granular management of SPAMD weights from a calling application. With -e enabled, SPAMC32 sets its exit code to the rounded weight received from SPAMD, regardless of client- or server- based spam thresholds. Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download /release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases /download/release/ http://www.mailmage.com/products/software/freeutils/ldap2aliases/dow nload/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] ANN: SPAMC32 (SpamAssassin SPAMC for Declude) 0.5.56 released
On 1 Nov 2004 at 19:08, Sanford Whiteman wrote: Sandy, I have this working with SA 3.01 very nice..! Question - with your new 'e' switch - can the weight returned be capped eg a max return value? -Nick All, SPAMC32 has been updated to more easily function as a weight test in addition to the other command-line threshold options. See the release notes below and download from the traditional /release folder. --Sandy -- SPAMC32 Release 0.5.56 11/1/2004 * Release notes for this version: [ + Added feature] [ * Improved/changed feature ] [ - Bug fix ] [ ^ Cosmetic/naming change ] [+] Added switch '-e' to allow more granular management of SPAMD weights from a calling application. With -e enabled, SPAMC32 sets its exit code to the rounded weight received from SPAMD, regardless of client- or server- based spam thresholds. Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/products/software/freeutils/SPAMC32/download /release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.mailmage.com/products/software/freeutils/exchange2aliases /download/release/ http://www.mailmage.com/products/software/freeutils/ldap2aliases/dow nload/release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] anyone know how to stop this? topic change
On 9 Nov 2004 at 11:27, Bill Landry wrote:
Thanks!! Bill [I do have 3.0.1]
-Nick
I should have clarified, the example I give below is for SA 3.0.1,
since they changed the action from header to the more appropriate
body setting between SA 3.0.0 3.0.1. So, you have it correct if
you are using anything before 3.0.1.
Bill
- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 09, 2004 11:12 AM
Subject: Re: [Declude.JunkMail] anyone know how to stop this? topic
change
- Original Message -
From: Nick [EMAIL PROTECTED]
A little SpamAssassin help please -
It does, but it can also be used with Declude as an RHSBL now:
MAILPOLICE-FRAUDfraud.rhs.mailpolice.com 127.0.0.23
0
to see if I have this correct for SA 3x
In my local.cf
urirhsbl URIBL_MP fraud.rhs.mailpolice.com. A
# A reecord lookup
header URIBL_MP eval:check_uridnsbl('URIBL_MP')
describe URIBL_MP Contains a URL listed in the MP SURBL blocklist
tflags URIBL_MP net score URIBL_MP 2.0
#value returned to SA
I can use and RHSBL I like - correct?
Not quite. Here's a sample of how to setup URIRHSBL support in SA:
urirhsbl URIBL_MP_RHSBL block.rhs.mailpolice.com. A
body URIBL_MP_RHSBL eval:check_uridnsbl('URIBL_MP_RHSBL')
describe URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL
blocklist tflagsURIBL_MP_RHSBL net score URIBL_MP_RHSBL 2.0
This is for the MailPolice block list, which also incorporate the
fraud
list. If you want to use fraud only, change the hostname above
from block to fraud.
Bill
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found at
http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] SA help -
On 9 Nov 2004 at 22:54, Bill Landry wrote:
Nick, I cannot think of any RHSBLs that would be candidates for
urirhssub, other than the SURBLs that currently use bitmasked
responses.
I did not have any in mind but I was looking over the setups and this
scenerio came to mind..
Thanks for you excellent help - I am beginning to come around to see
how this latest SA can compete w/Declude; I just need more work on
my learning curve.
-Nick
However, if there were an RHSBL that supported multi-quad
responses (like DNSBLs do), I would try setting it up like: =
urirhssub URIBL_EX1 multiple.example.com. A 127.0.0.1 body URIBL_EX1
eval:check_uridnsbl('URIBL_EX1') describe URIBL_EX1 Contains a URL
listed in the EX1 blocklist tflags URIBL_EX1 net score URIBL_EX1 1.0
urirhssub URIBL_EX2 multiple.example.com. A 127.0.0.2
body URIBL_EX2 eval:check_uridnsbl('URIBL_EX2')
describe URIBL_EX2 Contains a URL listed in the EX2 blocklist
tflags URIBL_EX2 net
score URIBL_EX2 1.0
urirhssub URIBL_EX3 multiple.example.com. A 127.0.0.3
body URIBL_EX3 eval:check_uridnsbl('URIBL_EX3')
describe URIBL_EX3 Contains a URL listed in the EX3 blocklist
tflags URIBL_EX3 net
score URIBL_EX3 1.0
=
This checks out fine with spamassassin --lint, so I would think that
it should work fine.
Bill
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
[Declude.JunkMail] AOL header tags
Hello - I am seeing these tags in AOL bounces - X-AOL-IP: 213.226.82.229 X-AOL-SCOLL-SCORE: 0:2:169167590:15837691 X-AOL-SCOLL-URL_COUNT: 0 Does anyone know what they represent? The first I believe is the original sender ip; since these are coming to me mainly as a result of joejobs I'm looking for a way to penalize these type bounces - Thanks -Nick --- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude 2 and DELETE continued
On 1 Mar 2005 at 12:07, Andy Schmidt wrote: I have noticed from day one, that suddenly really obvious Spam that had failed countless tests and should have been deleted (with REALLY high weights) was actually being delivered. I have seen the same thing with v2.05, sent log snippits TWICE and have not had ANY response from Declude support. For me the bigger troubling issue is not that these spams are being passed its that Declude is not sharing its obvious bugs on the list - so like in this example there is no 'me too' when we encounter a problem - its like we are the lone ranger when we encounter a problem with the tech support folks telling us 'run debug'... Software has bugs - oh well - but not sharing these bugs with us is a much bigger problem Hopefully these are just growing pains with the new administration and not the way it will remain. For now any requests to tech support cc'd to the list? -Nick Hayer I had mentioned it on the list twice right after I was finally able to upgrade to 2.04 (after the crashes were fixed). I thought I was dreaming and have not yet found the time to debug it. Thanks for the pointer. If letting through high-weight Spam is low priority on the to be fixed list, then I guess I just have different priorities G? Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fritz Squib Sent: Tuesday, March 01, 2005 08:42 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Declude 2 and DELETE Apparently I missing something bloody obvious, but with 2.0 running it seems like my delete action doesn't work as expected any more. Running the latest 2.x release downloaded last night. --Global Config-- WEIGHT20 weight x x 20 0 WEIGHT30 weight x x 32 0 --Default.junkmail-- WEIGHT20 HOLD WEIGHT30 DELETE In a brief conversation with Declude the response I got was: The problem is probably the change in the way the DELETE action works. In the past, it would delete the E-mail for all recipients. Now, it only deletes the E-mail for recipients that use the DELETE action. It still seems like the HOLD action is taking precedence over the DELETE action since mail with weight over my WEIGHT30 test winds up in the hold folder even though the log file says: 02/01/2005 12:25:06 Qbb6c48770128853b Msg failed WEIGHT30 (Weight of 44 reaches or exceeds the limit of 32.). Action=DELETE. I has sent Scott debug log files but I still haven't figure out what I'm missing. Yes there are a *few* per user .junkmail files, with an action of WARN, but most of the held mail is either not for them (nor are they CC'd or BCC'd as far as I can tell) and/or (may or may not be related) in the spam review application there is no To: field reported. I have also tried changing 'weight' to 'weightrange' with the appropriate scores, and still see the same results Anyone else ? Fritz --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 2.0 Issues
On 2 Mar 2005 at 18:07, Darin Cox wrote: Hi Darin, 2.05 will pass email that should have been deleted. The total weight may be 3 times your delete weight and the email will still be delivered. Declude tech support is aware of the problem - and as far as I know it is unresolved. I am back to 1.82 -Nick Repost. Just to clarify: Other than the logging issue you referred to, are there any known issues with 2.05? If so, is there a list I can review to determine if we're ready to upgrade? - Original Message - From: Darin Cox [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 01, 2005 1:51 PM Subject: Re: [Declude.JunkMail] Declude 2.0 Issues Great response to the concerns, David. Much appreciated. Just to clarify: Other than the logging issue you referred to, are there any known issues with 2.05? If so, is there a list I can review to determine if we're ready to upgrade? Thanks, Darin. - Original Message - From: David Franco-Rocha [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, March 01, 2005 1:43 PM Subject: [Declude.JunkMail] Declude 2.0 Issues No issue reported to us regarding Declude software will ever be considered trivial or unimportant. It is essential that all issues be reported to Declude Support. A number of comments made recently on these lists refer to issues never reported to Declude. It should also be understood that the Declude forums are very informative for finding out from others whether they have experienced similar issues with the software. They are not, however, intended to be a mechanism for reporting problems to us. We have been monitoring the list messages regarding the DELETE action when there is a COPYALL account and we are concerned as to perceptions that there is a problem or issue with the software. There is a difference of opinion on how a COPYALL account should actually function: (a) to receive a copy of every message processed by the mail server, whether legitimate or not; (b) to receive a copy of only those messages for which there is at least one valid delivery. Aside from differing opinions on how the COPYALL account should function, our tests show that individual recipients whose per-user configurations specified DELETE were in fact being deleted from the recipient list and were not receiving the messages. At the same time, however, we discovered that there was information in the log file that would lead one to believe that the recipient was not being deleted. If the last recipient did not have DELETE as the action to take, the last action in the log file would not read DELETE, even if the previous recipient had been deleted. We are making the appropriate changes to the log file to ensure that all actions taken will be accurately recorded. In addition, we are implementing a configurable parameter to allow or disallow actions to apply to the COPYALL account. This release will be available after user testing and acceptance. It is important to know that we respond to each and every issue raised through our support system and also that when making a quote as to what 'Declude' may have said that the correct words are used within the appropriate context. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 2.x
On 3 Mar 2005 at 15:06, David Franco-Rocha wrote: Hi David, I am having problem with the DELETE action as well; have sent 2 support requests - would this issue be related to what you describe below as well? Thanks -Nick Hayer We wish to let everyone know that through our own testing, support emails and forum responses, we understand that there is some confusion over Version 2.x actions with regard to per-user setting code changes. We are analyzing and evaluating various options and will soon release procedures to deal with this issue. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 2.x
On 3 Mar 2005 at 16:18, David Franco-Rocha wrote: Prior to 2.0, the DELETE action had the highest priority and affected all recipients of a message. Even with per-user settings, if one user triggered the DELETE action, the email was deleted for everyone. Oh. I do not use ROUTETO anywhere so at least in my case that is not a cause - Please keep us informed - in the meantime I'm back to 1.82 -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 2.x
On 3 Mar 2005 at 16:57, David Franco-Rocha wrote: Excellent David. Good idea Kevin.. This will help us all - Thanks -Nick Kevin, When was the last time someone granted you a request simply because you asked? :-) We are currently making changes to the log whereby the debug mode will show all actions for all users, so that it will be much easier to see exactly what happened to any particular email. David - Original Message - From: Kevin Bilbee [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, March 03, 2005 4:51 PM Subject: RE: [Declude.JunkMail] Declude 2.x Would it be possible to change the logging to reflect the final action for each user. This would make since and make it easier to know the final disposition of the email. We use a catchall account on Imail and a message that should have been delete the final disposition showed Last action = IGNORE When it should have been deleted. If the message was processed differently for different accounts then I would expect to see Last action = DELETE - [EMAIL PROTECTED] Last action = IGNORE - [EMAIL PROTECTED] Because in all actuality there were multiple final actions. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David Franco-Rocha Sent: Thursday, March 03, 2005 1:19 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Declude 2.x Nick, Prior to 2.0, the DELETE action had the highest priority and affected all recipients of a message. Even with per-user settings, if one user triggered the DELETE action, the email was deleted for everyone. A change was made in 2.0 to allow for deletions to be made on a per-user level: If there are three recipients A, B and C, and at least one of the recipients (B, for example) triggers the DELETE action, the envelope is modified and the new recipients are A and C. That seems to be working fine. The problem arises with DELETE which has been preceded by another action that has already modified the recipient. If my per-user cfg indicates that: WEIGHT10 ROUTETO [EMAIL PROTECTED] WEIGHT15 DELETE I expect to re-route email that fails WEIGHT10 but to simply delete email when it fails the higher weight because the probability of spam there is much higher and I do not want to waste my time checking it. The problem is that the WEIGHT10 ROUTETO action removes me as a recipient and replaces me with [EMAIL PROTECTED]; when the DELETE action is triggered, it tries to delete me as a recipient, but I have already been replaced, so the deletion does not occur. There are several combinations and scenarios that can occur with multiple recipients and multiple actions, and we are studying and testing this very carefully. There may be other facets of your issue that do not apply here, and I will take a very careful look at it. David - Original Message - From: Nick Hayer [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Thursday, March 03, 2005 3:51 PM Subject: Re: [Declude.JunkMail] Declude 2.x On 3 Mar 2005 at 15:06, David Franco-Rocha wrote: Hi David, I am having problem with the DELETE action as well; have sent 2 support requests - would this issue be related to what you describe below as well? Thanks -Nick Hayer We wish to let everyone know that through our own testing, support emails and forum responses, we understand that there is some confusion over Version 2.x actions with regard to per-user setting code changes. We are analyzing and evaluating various options and will soon release procedures to deal with this issue. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED
RE: [Declude.JunkMail] Declude 2.x
On 4 Mar 2005 at 12:51, Andy Schmidt wrote: Hi Nick, John, Eric, Fritz, Kevin, Dan, NCL Admin, et al: I recommendyou sit tight just a little longer. Done!. I'm chilled. No problem. Really. Honest! :) The only thing that slightly ticked me off was lack of communication about this bug. Now that has been addressed in detail I have no issues. No question it will get resolved now. Time to move on. -Nick --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Header Filter
I do not think this will work. The imail headers are added after declude sees the email -Nick Spaminator wrote: Hi all, I have a need to use Declude to filter mail to a user's spambox based on X-IMAIL-SPAM in the headers (we're still using an imail filter that we don't want to give up). I created a custom filter file with the following: HEADERS 10 CONTAINSX-IMAIL-SPAM (separated by tabs) And created the corresponding rules in the declude config files: BANHEADER filter D:\IMail\Declude\CustomFilters\Headers.txt x 5 0 BANHEADER WARN The idea is that the imail rules run, add the X-IMAIL-SPAM header, then declude runs and matches this test against the imail-modified headers. I have the Weight10 test set to send to the user's spambox. The problem is, it doesn't seem to work. With declude logging set to debug, I see the test being called, but the test is always NOT triggered. Processing order problem? Any tips would be greatly appreciated (new Declude user). --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Header Filter
Bill Landry wrote: Actually, some IMail spam tests run before being passed to Declude and some after. The JunkMail archives will contain the gory details. Bill correct William - but the headers are after. I already tried to do this awhile ago without success.. Key here is though - awhile ago - maybe the order has been reshuffled in these later revs. Best, -Nick Spaminator wrote: Hi all, I have a need to use Declude to filter mail to a user's spambox based on X-IMAIL-SPAM in the headers (we're still using an imail filter that we don't want to give up). I created a custom filter file with the following: HEADERS 10 CONTAINS X-IMAIL-SPAM (separated by tabs) And created the corresponding rules in the declude config files: BANHEADER filter D:\IMail\Declude\CustomFilters\Headers.txt x 5 0 BANHEADER WARN The idea is that the imail rules run, add the X-IMAIL-SPAM header, then declude runs and matches this test against the imail-modified headers. I have the Weight10 test set to send to the user's spambox. The problem is, it doesn't seem to work. With declude logging set to debug, I see the test being called, but the test is always NOT triggered. Processing order problem? Any tips would be greatly appreciated (new Declude user). --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IMail Server Vulnerabilities...
8.1x has the patch out - I would suggest posting to the Imail list for info on earlier versions? Regards, -Nick Darrell ([EMAIL PROTECTED]) wrote: It looks like it will be 4 IMAP Vulnerabilties and 1 Web Calendering vulnerability. Darrell --- invURIBL - Intelligent URI Filtering. Stops 85%+ SPAM with the default configuration. Download a copy today - http://www.invariantsystems.com - Original Message - From: "Darin Cox" [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, May 24, 2005 5:33 PM Subject: Re: [Declude.JunkMail] IMail Server Vulnerabilities... Well, I was _trying_ to take the high road...grin Hopefully, as Kevin is suggesting, the webmail vulnerability is only with calendaring. Darin. - Original Message - From: "Matt Robertson" [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Tuesday, May 24, 2005 5:26 PM Subject: Re: [Declude.JunkMail] IMail Server Vulnerabilities... So, question is... will Ipswitch create hotfixes or workarounds for versions before 8.2? Or is everyone forced to upgrade to 8.2? Wanna make a bet on which? :-) -- --mattRobertson-- Janitor, MSB Web Systems mysecretbase.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Update
[EMAIL PROTECTED] wrote: Hi Barry - A new incremental release (2.0.6.16) is now available for customers with a current service agreement. This release includes: . Virus scanner rules change option (EXITSCANONVIRUS) Excellent! Scott will be mad! He liked all those scanners running for no reason :) . Bitmasked External Test Results - JunkMail enhancement Very kool. Thanks Barry - for the enhancements, the beta program revived, and keeping us informed. Best, -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] legit newsletter services
Does anyone have a list of newsletter [revdns?] senders that are trusting to not send spam that they would be willing to share? I send quite a bit of time trying to figure out if some emails are actuall valid - for example stuff from roving.com, etc. Thanks! -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] legit newsletter services
Thanks Matt! What about Jaguar Technologies? http://www.senderbase.org/search?searchBy=organizationsearchString=Jaguar%20Technologies%20LLC Are they part of Topica? -Nick Matt wrote: Nick, Any list service of moderate or large size will leak spam, some more, some less, but it's fairly bad wherever you go because the spammers tend to have the larger lists, but probably only represent the minority of their customers. Roving.com (ConstantContact), bCentral, some of Topica, etc. all experience these issues. There is no magic bullet to solving this issue. You either block some legitimate E-mail or you allow through some spam. Since my first priority is to deliver the good E-mail, I choose to leak a bit of the spam. Content based filters are best for this type of thing. Sniffer will tag some payload domains that are separate from the provider (but you might have to remove some of the provider rules in your rule base if they false positive), and tools that do SURBL type lookups can be useful in separating the wheat from the chaff, though they also tend to false positive on the provider's domains on occasion. Using IP-based RBL's to differentiate between the good and the bad here is a losing battle, and the results are inconsistent because of things like SpamCop. This was a huge issue for me along with legitimate bulk-mail because there is hardly a resource out there that doesn't have false positive issues on this content. My solution was to identify all such companies by way of IP space and reverse DNS entries so that I could disable the IP4R tests (by giving credit back), and then just simply relying on content/payload filtering to take care of the spam that might come from them. This was a ton of work and there are new additions to my lists all the time, but it has paid off for me. Matt NIck Hayer wrote: Does anyone have a list of newsletter [revdns?] senders that are trusting to not send spam that they would be willing to share? I send quite a bit of time trying to figure out if some emails are actuall valid - for example stuff from roving.com, etc. Thanks! -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Message not scanned
Hi Dan, Here are some thoughts - I still don't know why Hijack decided to flag my gateway and hold its messages (ALL messages in HOLD2 were verified to be destined for local users). Hijack cares about the senders - not the recipients I do believe I still don't know why it only held SOME messages (around 2500 messages were held out of a total volume of around 10,000 that went through the gateway yesterday). What do hijack the logs say? [They may explain just what happened. If not run on high so next time more info may be avail] Were all the held mail prefaced with the gateway ip? [Just to be sure they all came from the gateway] Do you have the line in hijack.cfg "ALLOWIP gateway ip ? ["An ALLOWIP line will let an IP address send unlimited E-mail"] Best, -Nick I still don't know why these messages were delivered without being scanned by Declude (unless that is a "feature" of Hijack, that it runs before AV or JM and doesn't rescan re-queued email; and if so it should be changed to at least run after AV). I have added an ALLOWIP for my gateway, since I don't want to turn Hijack off. BTW, I worked with Ralph Krausse at Declude and with Eric Shanbrom at Ipswitch and both were extremely helpful in diagnosing this problem. Thank you both very much. Dan Horne -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Wednesday, June 01, 2005 2:53 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Message not scanned Did you not see my response to your earlier post? John T eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Dan Horne Sent: Wednesday, June 01, 2005 10:53 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Message not scanned I have received a couple of messages in the last two days in my inbox that were NOT scanned by Declude. I thought the headers below were strange, since they seem to have MIME segments in them. However, another message in my inbox that was spam (below my hold weight) also has similar MIME segments, but was scanned by Declude, evidenced by the Declude headers. The Declude headers are not present (I add several headers with Declude) in the email below. The line "X-Virus-Scanned: amavisd-new 2.3.0 (20050424) at taisweb.net" was added by my gateway postfix box that scans messages with clamav. When searching the Declude logs, the queue number 9F3B01A60A71 does not appear. Neither does a07e06888a82, though I wouldn't expect it to as that is the forward message, which should appear after Declude scans. Version info: Imail v8.2 HF2, Declude Junkmail Pro/Virus Standard/Hijack v2.0.6.10. For reference, I have attached a file with the headers of the other spam message I mentioned, so you can see what kind of headers I add that are missing below. IMAIL LOG SMTPD (9f3b01a60a71) [172.20.5.2] connect 68.118.154.7 port 60324 SMTPD (9f3b01a60a71) [68.118.154.7] EHLO mx2.rmslink.net SMTPD (9f3b01a60a71) [68.118.154.7] MAIL FROM:[EMAIL PROTECTED] SMTPD (9f3b01a60a71) [68.118.154.7] RCPT TO:[EMAIL PROTECTED] SMTPD (9f3b01a60a71) [x] looking up taisweb.net in HOSTS SMTPD (9f3b01a60a71) [68.118.154.7] DATA SMTPD (9f3b01a60a71) [68.118.154.7] S:\imail\spool\D9f3b01a60a71.SMD 4808 SMTP () Info - Adding Queue file S:\imail\spool\Q9F3B01A60A71.SMD SMTP (9f3b01a60a71) processing S:\imail\spool\Q9F3B01A60A71.SMD SMTP (9f3b01a60a71) ldeliver mail.taisweb.net copyall-main (1) [EMAIL PROTECTED] 4808 SMTP (9f3b01a60a71) forwarded message to [EMAIL PROTECTED] using new file: a07e06888a82 SMTP (9f3b01a60a71) finished S:\imail\spool\Q9F3B01A60A71.SMD status=1 HEADERS-- Microsoft Mail Internet Headers Version 2.0 Received: from mail.taisweb.net ([68.118.153.2]) by ex1.wilcoxent.net with Microsoft SMTPSVC(6.0.3790.211); Wed, 1 Jun 2005 07:48:14 -0400 Received: from SMTP32-FWD by mail.taisweb.net (SMTP32) id A9F3B01A60A71; Wed, 1 Jun 2005 07:48:14 Received: from mx2.rmslink.net [68.118.154.7] by mail.taisweb.net with ESMTP (SMTPD-8.20) id AF3C0298; Wed, 01 Jun 2005 07:42:52 -0400 Received: from localhost (localhost [127.0.0.1]) by mx2.rmslink.net (Postfix) with ESMTP id 2F58139863 for [EMAIL PROTECTED]; Wed, 1 Jun 2005 07:20:47 -0400 (EDT) Received: from gatesalbert.com (81-202-101-107.user.ono.com [81.202.101.107]) by mx2.rmslink.net (Postfix) with SMTP id 46D5B39845 for [EMAIL PROTECTED]; Wed, 1 Jun 2005 07:20:40 -0400 (EDT) From: "Feli Ridgeway" [EMAIL PROTECTED] To: "Napier Kincaid" [EMAIL PROTECTED] Subject: Re: Really Works GGood Date: Wed, 1 Jun 2005 06:42:20 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative;
