RE: [Declude.JunkMail] No one at Declude?
Hi David, Would you mind explaining your hosts trick? Not how a host file works but why this will circumvent licensing Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: David Barker david.bar...@mailsbestfriend.com Sent: Thursday, April 18, 2013 1:11 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? If internal SNF is still ON then it can conflict with external Message Sniffer by grabbing the port which SNF uses. By using our fix will ensure internal SNF is turned OFF. If using the bypass key has everything OFF then that is fine too. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? So - is there any advantage of using the hosts file trick (to invalidate the license server IP address) http://mailsbestfriend.com/declude-fix vs. using the special bypass license code? Does one enable more functions that the other? -Original Message- From: David Barker [mailto:david.bar...@mailsbestfriend.com] Sent: Thursday, April 18, 2013 12:31 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Yes Internal Sniffer is no longer a valid option. Need to switch to external. -Original Message- From: Andy Schmidt [mailto:andy_schm...@hm-software.com] Sent: Thursday, April 18, 2013 12:06 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Uh - but with that code, the internal SNF is turned off? So one has to configure Sniffer has an external test with a separate Sniffer license code? 
-Original Message- From: Stephan Chayer [mailto:scha...@intrasoft.net] Sent: Wednesday, April 17, 2013 5:37 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Use this key: CODE 28607230-BF21-4CDE-A59B-A451CC7C9CA0 -Message d'origine- De : SM Admin [mailto:imailad...@bcwebhost.net] Envoyé : 17 avril, 2013 2:43 À : Declude.JunkMail@declude.com Objet : Re: [Declude.JunkMail] No one at Declude? Apparently I was too quick on the draw as this line has since been added to the diag file: 04/16/2013 22:24:21.947[BB86F9-606322-C04138-958B5A-AB7343-94F75B] IS INVALID KEY Did someone say something about new keys? -Original Message- From: SM Admin Sent: Tuesday, April 16, 2013 10:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? I noticed today that Declude wasn't processing. I checked the diag file and it has the usual entries at the top plus an entry at the bottom saying that the Sniffer license is invalid. How is that? So then I restarted the Declud service and now the diag file only shows this: Declude 4.12.02 Diagnostics Compilation Platform: SmarterMail Copyright (c) 2000-2013 Declude, Inc. Host Name mail1.bcwebhost.net Declude Key redacted So I have no idea what's going on. Anyone? -Original Message- From: Brian Baker Sent: Tuesday, April 16, 2013 7:09 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? Looks like tonight we better figure out a new approach. My declude diag file is now reading declude lic as invalid. Anyone else? - Original Message - From: Todd Richards to...@nnepa.com To: Declude.JunkMail@declude.com Sent: Monday, April 15, 2013 9:34 AM Subject: RE: [Declude.JunkMail] No one at Declude? What system is that? Our users are getting hammered with spam. Reminds me of the days, many years ago, before I happened upon Declude... Todd -Original Message- On Sunday, April 14, 2013 10:24 PM, John Doyle wrote: I have reverted to a system that works. 
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] No one at Declude?
Thanks David for the vote of confidence. Who do we contact at Declude for customer support? They seem to be radio silent for now - at least on this list. Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 11:35 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Just my 2c - users do not need to abandon the Declude product. Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer. David Barker Mail's Best Friend Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 11:11, John Doyle wrote: You also should go to message sniffer and email them for help on getting message sniffer to run standalone. Message Sniffer can run standalone on both IMail and SmarterMail. On IMail, use the MINIMI (minimal IMail Shim) plugin: http://www.armresearch.com/support/articles/installation/minimiImail.jsp On Smarter Mail run SNFClient as a command line scanner: http://www.armresearch.com/support/qa/integration/smarterMail.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
RE: [Declude.JunkMail] No one at Declude?
Well the only thing that has not gone away is this list for some reason. Even the site went dark for awhile. Why have the the site up, phones on, list work but kill the license server?David - do you have any insight? Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: Todd t...@smart-mail.net Sent: Wednesday, April 17, 2013 12:26 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Ours went down as well this morning. Declude stopped processing with a licensing error. I have left several phone messages. Todd From: Nick Hayer n...@madriveraccess.com Sent: Wednesday, April 17, 2013 10:47 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Thanks David for the vote of confidence. Who do we contact at Declude for customer support? They seem to be radio silent for now - at least on this list. Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: David Barker david.bar...@mailsbestfriend.com Sent: Wednesday, April 17, 2013 11:35 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] No one at Declude? Just my 2c - users do not need to abandon the Declude product. Declude still has tremendous value, hijack, routing email, rules etc all you need is a way to keep Declude running and support which MBF can help you do. The solution to this tragedy is Declude+Message Sniffer. 
David Barker Mail's Best Friend Email : david.bar...@mailsbestfriend.com Web : www.mailsbestfriend.com -Original Message- From: Pete McNeil [mailto:madscient...@microneil.com] Sent: Wednesday, April 17, 2013 11:24 AM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 11:11, John Doyle wrote: You also should go to message sniffer and email them for help on getting message sniffer to run standalone. Message Sniffer can run standalone on both IMail and SmarterMail. On IMail, use the MINIMI (minimal IMail Shim) plugin: http://www.armresearch.com/support/articles/installation/minimiImail.jsp On Smarter Mail run SNFClient as a command line scanner: http://www.armresearch.com/support/qa/integration/smarterMail.jsp _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
Re: [Declude.JunkMail] No one at Declude? topic change - gbudb
Pete, Is the data in truncate.gbudb.net duplicated in Sniffer? Thank you -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: Pete McNeil madscient...@microneil.com Sent: Wednesday, April 17, 2013 1:26 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] No one at Declude? On 2013-04-17 13:06, Katie La Salle-Lowery wrote: X-MessageSniffer-Scan-Result: 20 X-MessageSniffer-Rules: 20-0-0--1-f By the way: We have seen a LOT of this lately. For some reason there appear to be many Declude configurations out there that do not account for the truncate result code from SNF. I highly recommend that if you are using Declude, and especially if you have seen an increase in spam leakage, you should check your configuration and make sure that you weight result code 20 higher than other nonzero Message Sniffer result codes. On most systems that use SNF + Declude, not counting for the truncate result code can result in leaking more than 10% of spam/malware that would have been caught. Best, _M -- Pete McNeil, President MicroNeil Research Corporation www.microneil.com 703.779.4909 x7010 twitter/codedweller
RE: [Declude.JunkMail] why have spam scores jumped?
Thank you Andrew. Every time you write something its an education. Much appreciated. -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: http://www.skywaves.net/content/secure/support_ticket.htm From: Colbeck, Andrew acolb...@bentallkennedy.com Sent: Monday, March 11, 2013 9:11 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] why have spam scores jumped? Per point 3. Once URIBL starts rejected the requests then every request gets scored as bad Read the URIBL.com site News, and Implementation sections. This is because a rejection isn't quiet, it returns the value 127.0.0.1, so I'll assume that SM is triggering on a result of * instead of 127.0.0.2 and you'll want to go back to SmarterMail to figure out how to be specific about that acceptable response. Perhaps you'll want to use specific tests like the Black test or the Red test instead of the Multi test. Per point 5. I'm not really sure how URIBL even knows which DNS server I use ...last year, I had my SM server configured to use the Comcast national DNS servers Well, that's pretty clear, a lot of people use ComCast, so ComCast has been flagged as a heavy hitter and queries through their servers to URIBL will cause URIBL to respond to Comcast with the 127.0.0.1 value. URIBL doesn't care about your-server-asking-via-Comcast, they care about which server asked URIBL, which was ComCast. Per point 6. I was told that I need to turn off recursion on the DNS server to be considered acceptable to URIBL. Again, I don't know why. Ok, it's plausible that URIBL tests your DNS server to see if it can be abused by bad guys, but I actually doubt that they do this, and it's a red herring. You know that your mail volume is small enough to not be a heavy hitter but you are diagnosed as a heavy hitter anyway. 
Therefore, someone gave you this advice while trying to diagnose why you are getting heavy hitter results, i.e. that your DNS server is being abused. The big idea here is that your mail server needs to ask a DNS server to resolve stuff for it, including URIBL. However, random people on the Internet should not be able to use your DNS server, because they will certainly abuse it to throw bandwidth at someone they don't like. That's called an open resolver, see here for why that's bad http://dns.measurement-factory.com/surveys/openresolvers.html It's extremely common to use a DNS server right on your email server, and point your antispam queries at that DNS server. Some DNS servers allow you to specify the IP/subnet of allowed clients; Windows 2008 does not, it happily resolves for anyone. So instead of using client ACLs on the DNS server, make sure you're not telling your firewall to allow inbound DNS as a service on that particular IP address; because of course have a wonderful stateful firewall, it will happily allow outbound DNS and the corresponding inbound replies. For your email server to resolve DNS, you don't want to use forwarders, and you do want to use recursion. Per point 7. I tried writing to the URIBL abuse administrator but got no response Your case is pretty straightforward; perhaps they think you want too much help while they've provided what's necessary on their website already. Perhaps they're busy working on their golf swing and not reading email. If you can't reach them from your own domain, write to them from a freemail account instead of the domain that is in trouble, and cite your IP/domain. Be concise. Be polite. Don't use HTML formatting if you can help it. And don't use a legal disclaimer in your footer, because antispam/security admins are notoriously allergic to what they interpret as your attempt to legally bind their communication, and as a result they simply ignore such email. Andrew. 
From: SM Admin [mailto:imailad...@bcwebhost.net] Sent: Thursday, March 07, 2013 4:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] why have spam scores jumped? Hi Andrew and thanks! The problem isn't Declude but it is spam related so I'd be interested to see if anyone else has ideas. I spent some time on the SmarterMail forums and this is what it looks like: 1. SM uses a series of built-in tests as well as external tests such as Declude. Among these are a pair of URIBL tests that are based on links embedded in the messages. 2. SM scores a hit for each bad link reported by URIBL and applies the weight score to each hit. With the default weight of 4, a message with five links rejected by URIBL would give a total score of 4 x 5 = 20. 3. Starting some time late 2012, URIBL started rejected some requests based on high volume of calls from a particular server. Various people have experienced this problem at various
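The scoring problem discussed in this thread, as an added example that is not part of any list member's post: a per-link scorer that treats the 127.0.0.1 "query refused" answer as a resolver problem instead of a listing, next to the naive "any answer is a hit" behaviour. The function names and sample domains are constructed; the black/grey/red bit values are those URIBL documents for its multi zone and are an assumption here, since the thread itself only names 127.0.0.1 and 127.0.0.2.

```python
import ipaddress

# Last-octet bit flags in answers from URIBL's multi zone. 0x01 is the
# "query refused" answer (127.0.0.1) discussed in the thread; the other
# bits are real listings (values assumed from URIBL's documentation).
REFUSED = 0x01
LISTS = {"black": 0x02, "grey": 0x04, "red": 0x08}
RETURN_CODES = ipaddress.IPv4Network("127.0.0.0/24")


def classify(answer):
    """Map one lookup result to (status, lists).

    answer is the A record as a string, or None for NXDOMAIN (not listed).
    """
    if answer is None:
        return "clean", set()
    try:
        ip = ipaddress.IPv4Address(answer)
    except ValueError:
        return "invalid", set()
    if ip not in RETURN_CODES:
        # A routable address here means wildcarded or rewritten DNS, not a listing.
        return "invalid", set()
    octet = int(ip) & 0xFF
    if octet & REFUSED:
        return "refused", set()
    lists = {name for name, bit in LISTS.items() if octet & bit}
    return ("listed" if lists else "invalid"), lists


def score_links(answers, weight=4, wanted=("black",), naive=False):
    """Score a message from {domain: answer} lookups of its embedded links.

    naive=True reproduces "any answer is a hit"; otherwise only listings on
    the wanted lists score, and refused queries are reported separately.
    """
    hits, refused = [], []
    for domain, answer in answers.items():
        if naive:
            if answer is not None:
                hits.append(domain)
            continue
        status, lists = classify(answer)
        if status == "refused":
            refused.append(domain)
        elif status == "listed" and lists & set(wanted):
            hits.append(domain)
    return {"score": weight * len(hits), "hits": hits, "refused": refused}


# Constructed sample: five links looked up through a resolver URIBL has blocked.
BLOCKED_RESOLVER = {f"link{i}.example": "127.0.0.1" for i in range(1, 6)}

# Constructed sample: a mix of clean, listed and refused answers.
MIXED = {
    "a.example": "127.0.0.2",    # black
    "b.example": None,           # NXDOMAIN, not listed
    "c.example": "127.0.0.8",    # red only
    "d.example": "127.0.0.14",   # black + grey + red
    "e.example": "127.0.0.1",    # query refused
}

if __name__ == "__main__":
    print("naive, blocked resolver :", score_links(BLOCKED_RESOLVER, naive=True))
    print("strict, blocked resolver:", score_links(BLOCKED_RESOLVER))
    print("strict, mixed answers   :", score_links(MIXED))
```

A non-empty `refused` list is the signal to alert on: it means the lookups are going through a resolver URIBL is rate-limiting, so the test is contributing nothing until DNS is fixed.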
RE: [Declude.JunkMail] invisible attachments? - change topic
Hi Linda, What are the plans for newer versions of Declude? -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Linda Pagillo lpagi...@declude.com Sent: Tuesday, March 13, 2012 7:40 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invisible attachments? Hi Ben. I do not believe this is a Declude issue because I have never seen Declude actually strip an attachment. However, you may want to test to be sure by disabling Declude for a minute and having someone send a test through. Linda Pagillo Declude Technical Support Engineer 866-332-5833 Ext. 2 lpagi...@declude.com From: Imail Admin [mailto:imailad...@bcwebhost.net] Sent: Monday, March 12, 2012 10:05 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] invisible attachments? Thanks Steve. That's the kind of solution I'd already found which doesn't help. In fact, in the discussion on that link there are some whose problems were apparently not resolved and others where they were solved. Ben - Original Message - From: Steve Cirivello To: Declude.JunkMail@declude.com Sent: Monday, March 12, 2012 6:44 PM Subject: Re: [Declude.JunkMail] invisible attachments? Perhaps this issue: http://www.tomshardware.com/forum/236687-49-outlook-express-attachments along with Microsoft Support Article ID 197066 Steve - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Monday, March 12, 2012 6:10 PM Subject: [Declude.JunkMail] invisible attachments? Hi, I have a problem with invisible attachments and I'm wondering if it's an IMail problem, a Declude problem, or something else. A law firm that I've dealt with for a long time recently has a problem that messages send to us with attachments sometimes don't display the attachments. 
They leave the sender with an attachment, but they arrive with no clue that there is an attachment. If I forward them on to a gmail account I use for testing, then the attachments are visible there. I've tested this with both Outlook Express and Mail Live on the receiving end and see nothing about the attachments. I check on an Android phone using K-9 and it doesn't show the attachments but does show the mail.dat file usually associated with Outlook and the formatting of messages (and these senders are using Outlook with MS Exchange). However, the usual fix (use Plain Text Only) doesn't seem to help. My first thought was that the attachments were getting stripped (by Declude?) at our server. But since they still seem to be there once I forward to the gmail account, that excludes that idea. I haven't had any problems receiving test JPG files as attachments and sometimes their PDF files get through just fine. So any idea what's going on here? Thanks, Ben
RE: [Declude.JunkMail] invisible attachments? - change topic
Thanks David, -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: David Barker dbar...@declude.com Sent: Tuesday, March 13, 2012 11:13 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invisible attachments? - change topic Besides minor releases and fixes the next major release will be Declude 5.0 which will have improved performance, less disk i/o and automated updates for the Decludeproc engine, all_list.dat, filters etc. What gets updated will be decided by the mail admin. David Barker VP Operations Declude Your Email security is our business 978.499.2933 office 978.988.1311 fax dbar...@declude.com From: Nick Hayer [mailto:n...@madriveraccess.com] Sent: Tuesday, March 13, 2012 8:46 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invisible attachments? - change topic Hi Linda, What are the plans for newer versions of Declude? -Nick MadRiverAccess.com|Skywaves.net Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Linda Pagillo lpagi...@declude.com Sent: Tuesday, March 13, 2012 7:40 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] invisible attachments? Hi Ben. I do not believe this is a Declude issue because I have never seen Declude actually strip an attachment. However, you may want to test to be sure by disabling Declude for a minute and having someone send a test through. Linda Pagillo Declude Technical Support Engineer 866-332-5833 Ext. 
2 lpagi...@declude.com From: Imail Admin [mailto:imailad...@bcwebhost.net] Sent: Monday, March 12, 2012 10:05 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] invisible attachments? Thanks Steve. That's the kind of solution I'd already found which doesn't help. In fact, in the discussion on that link there are some whose problems were apparently not resolved and others where they were solved. Ben - Original Message - From: Steve Cirivello To: Declude.JunkMail@declude.com Sent: Monday, March 12, 2012 6:44 PM Subject: Re: [Declude.JunkMail] invisible attachments? Perhaps this issue: http://www.tomshardware.com/forum/236687-49-outlook-express-attachments along with Microsoft Support Article ID 197066 Steve - Original Message - From: Imail Admin To: Declude.JunkMail@declude.com Sent: Monday, March 12, 2012 6:10 PM Subject: [Declude.JunkMail] invisible attachments? Hi, I have a problem with invisible attachments and I'm wondering if it's an IMail problem, a Declude problem, or something else. A law firm that I've dealt with for a long time recently has a problem that messages send to us with attachments sometimes don't display the attachments. They leave the sender with an attachment, but they arrive with no clue that there is an attachment. If I forward them on to a gmail account I use for testing, then the attachments are visible there. I've tested this with both Outlook Express and Mail Live on the receiving end and see nothing about the attachments. I check on an Android phone using K-9 and it doesn't show the attachments but does show the mail.dat file usually associated with Outlook and the formatting of messages (and these senders are using Outlook with MS Exchange). However, the usual fix (use Plain Text Only) doesn't seem to help. My first thought was that the attachments were getting stripped (by Declude?) at our server. But since they still seem to be there once I forward to the gmail account, that excludes that idea. 
I haven't had any problems receiving test JPG files as attachments and sometimes their PDF files get through just fine. So any idea what's going on here? Thanks, Ben
Re: [Declude.JunkMail] Performance issues with SM 8.2 w Declude
I have it on a VM - vmware 4.1 - no issues at all. Why not just PTV it now - give it more ram and processors in the migration and see what happens? -Nick MadRiverAccess.com|Skywaves.com Tech Support US/Canada 877-873-6482 or International +1-802-229-6574 Emergency Support 24/7: supp...@skywaves.net General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm From: Scott Fosseen [Prairie Lakes AEA] sfoss...@aea8.k12.ia.us Sent: Monday, September 26, 2011 3:08 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Performance issues with SM 8.2 w Declude Running Win 2003 Standard on 32 bit hardware. I am going to bump the RAM up to 4 Gb tonight to see if that helps. I should say what I am seeing is that the SM Web interface becomes unresponsive at times. I have been unable to correlate the unresponsive interface with specific high CPU or Memory use though. I have been planning on installing a new Win 2K8 64 bit OS to migrate SM to. Is there any issues or suggestions on setting this up as a Virtual machine in a VMware environment? -- From: Randy A ra...@globalweb.us Sent: Monday, September 26, 2011 1:47 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Performance issues with SM 8.2 w Declude Which version of Windows server are you running? That will be important also as, for example, WIN Server 2003 Standard only allows a max of 4GB RAM, while WIN Server 2003 Enterprise has a 64GB limit -Original Message- From: Scott Fosseen [Prairie Lakes AEA] [mailto:sfoss...@aea8.k12.ia.us] Sent: Monday, September 26, 2011 11:44 AM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Performance issues with SM 8.2 w Declude I am starting to have some serious performance issues since I upgraded to SM 8.2. Although I can not be for sure that is it due to the upgrade as usage has also increased with added clients and the start of school. 
The big issue is that the web interface becomes unresponsive for up to about 5 minutes. The machine has 2 Gig of RAM, and a swap file of 5.5 Gig. In Windows task manager I see my peak memory usage is now 10 gig. Right now I am not sure if the performance issues are being caused by RAM, too much traffic, Smartermail, or Declude.
Re: [Declude.JunkMail] regular expressions and IS
BODY. CONTAINS. Bla bla Is that what you are looking for? -Nick On Aug 9, 2011, at 3:26 PM, David Barker dbar...@declude.com wrote: The expression is the IS Can you post a few examples of what you trying to catch ? -Original Message- From: Rick Davidson [mailto:rdavid...@nat.com] Sent: Tuesday, August 09, 2011 2:34 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] regular expressions and IS I am working on a combo filter to catch the aol/hotmail/yahoo url spam is there a way to use a regular expression with IS body 0 IS/PCRE (?i:^http\:\/\/.*\.(html|htm|php)$) any suggestions welcome -- Rick
Re: [Declude.JunkMail] white list or positive weight for a specific To address?
An easy way to whitelist these in your global.cfg:

WHITELIST FROM @declude.com

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: IMail Admin imailad...@bcwebhost.net
Sent: Saturday, June 18, 2011 1:36 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address?

Can you give me the line you used in the config file?

From: Randy A
Sent: Saturday, June 18, 2011 12:18 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address?

On my declude config, I set up a GoodMailList test text file, added a negative point value to this test, and then I add any of my customer's email lists that were getting flagged by declude.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
Office: 804.442.5300 option 1
Toll Free: 877.800.4562
24/7 Tech Support! Your Internet Source. Since 1996! NEW GlobalSync Remote-BackUp Solutions! Web Hosting - E-Mail - Spam/Virus Gateway Services Hi-Speed DSL and Wireless Internet - T-1/T-3's PC Support - Networking - Virus/MalWare Removal 25% discount on most services for Non-Profits! Call us today!

From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Friday, June 17, 2011 6:31 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] white list or positive weight for a specific To address?

Hi,

The emails I receive from this list have various From lines but always have one To line: Declude.JunkMail@declude.com. I would like to white list or, better yet, add a positive weight for emails I receive addressed to Declude.JunkMail@declude.com. How do I do this?

Thanks,
Ben
RE: [Declude.JunkMail] white list or positive weight for a specific To address?
yup there is some sort of cap in global.cfg

the way around that is with a whitelist file that would contain entries like:

MAILFROM WHITELIST CONTAINS @declude.com

and clearly implementation technique is a personal thing :) We use compensatory filters to add/subtract weights as needed, and whitelist filters for whitelisting - which I am not suggesting is a better way. It's just our way..

-Nick

From: Randy A ra...@globalweb.us
Sent: Saturday, June 18, 2011 2:23 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address?

Yes but if I remember correctly there is a limit on the number of whitelist entries you can have in the cfg file (200 I think - please correct me if I am wrong) so depending on the number of domains you are hosting email for, this could fill up at some point. We use the whitelist technique for our company needs, and the text file format for customer needs so everything is in one location for easier management.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.

From: Nick Hayer [mailto:n...@madriveraccess.com]
Sent: Saturday, June 18, 2011 2:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address?

An easy way to whitelist these in your global.cfg:

WHITELIST FROM @declude.com

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Saturday, June 18, 2011 1:36 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] white list or positive weight for a specific To address?

Can you give me the line you used in the config file?

From: Randy A
Sent: Saturday, June 18, 2011 12:18 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] white list or positive weight for a specific To address?

On my declude config, I set up a GoodMailList test text file, added a negative point value to this test, and then I add any of my customer's email lists that were getting flagged by declude.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.

From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Friday, June 17, 2011 6:31 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] white list or positive weight for a specific To address?

Hi,

The emails I receive from this list have various From lines but always have one To line: Declude.JunkMail@declude.com. I would like to white list or, better yet, add a positive weight for emails I receive addressed to Declude.JunkMail@declude.com. How do I do this?

Thanks,
Ben
re: [Declude.JunkMail] Time to upgrade and to what?
I have the latest versions of both; I bought SM to dump Imail but found that some customers are simply resistant to change. So rather than risk losing them I am keeping Imail up to date. Privately Imail may be receptive to price matching SM [give them a call?] - so that is a 3rd option.

-Nick

From: Imail Admin imailad...@bcwebhost.net
Sent: Wednesday, June 01, 2011 10:10 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Time to upgrade and to what?

I've been musing over whether it's time to upgrade or replace my mail system. I've got IMail (unlimited users) v 2006.23 on an old server running Win2k Advanced Server with Declude v.?? (not current, whatever it is). On the one hand, I only have a small number of domains and mail boxes any more and on the other hand, my old server is looking pretty long in the tooth.

I started out looking at boxes to build a new server, but they're not that expensive any more. Then I got caught up in the software. Ipswitch wants $2300 or some such for a software upgrade (unlimited users). That's way more than I can justify spending. I don't really need unlimited users any more, but I hate to give it up. On the other hand, I recall a few years ago when people were switching en masse to SmarterMail so I looked at them and their prices are a lot nicer.

Anyone care to say how the current versions of either software compared with my old IMail? I assume that I'll have to upgrade to the current version of Declude, but otherwise that will work the same as before? Any suggestions or pointers would be appreciated.

Thanks,
Ben
re: [Declude.JunkMail] FROMNOMATCH returning high scores
I haven't seen it on FROMNOMATCH but have seen it elsewhere; specifically when an external app throws an exception. Bottom line somewhere declude or some other app threw an exception - the wacko score is the result.

-Nick

From: Jim Comerford jcomerf...@sbsnet.com
Sent: Wednesday, May 18, 2011 1:13 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] FROMNOMATCH returning high scores

Has anyone else seen the FROMNOMATCH test returning ridiculously high scores (like 1027774676) even though it's not configured to do so... and yet Declude does not act on the cumulative score, so for example a message with score 1027774676 would not get deleted like it is configured to at a score of 30?

Curious if anyone else is seeing this and if they know the cause.

-Jim
Re: [Declude.JunkMail] error 0xC0000142 smtp.exe
With declude.cfg you can allocate the # of threads - but what do your logs show? Are you sending out a lot of email? Maybe there are other issues like the box needs more physical ram/processing power - does task mgr say all is kool? Dunno the answer here - just giving you some ideas for things to check..

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Thursday, May 05, 2011 2:24 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe

Hi Pete,

Thanks for the links. After reading all of those, and everything they link to, I have a better idea of what's happening. What Declude originally called the mystery heap is apparently the desktop heap, which had a system wide limit of 48 mb (Win2k and Win2k3), allocated between interactive and non-interactive desktops. Presumably, too many processes are launched, exhausting this heap. Setting a smaller value for the per-process allocation (512 kb by default) should allow more processes to run.

So all of this makes sense but doesn't explain why my server should have this problem. My business is so small any more that I could imagine using my smart phone to run the mail server. If it's the smtp32.exe process causing the crash, then that would imply to me that I've got a lot of outbound messages all at once. I just don't see how this could happen. I'm guessing that we've got no more than a couple hundred mailboxes spread over 30 domains, and no lists larger than 200.

So how do I find out where all this outbound stuff is coming from? And is there a setting I could use to limit the number of outbound messages sent (or processed) at one time? Any suggestions are appreciated.

Thanks,
Ben

P.S. I wonder what would happen if I moved my software (Imail 2006.23) to a Win 7 PC or a Windows 2010 server? Just thinking out loud.

From: Pete McNeil
Sent: Wednesday, May 04, 2011 8:34 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] error 0xC142 smtp.exe

On 5/4/2011 11:08 PM, Imail Admin wrote:

Hi, I recall a while back about errors where you get Error #0xC142 (The application failed to initialize) for smtp32.exe, somehow related to Declude. We started getting these recently for no particular reason that I can think of. Is there a setting in Declude that helps with this?

IIRC, this is the mystery heap problem and solving it will mostly have to do with the setting you're using.

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=686

There is a particular chunk of memory that runs out if too many applications/processes are started at once as children of other processes. In your case, for example, too many concurrent instances of SMTP32.exe along with a number of other factors.

If I'm guessing correctly, you could suddenly experience this problem due to allowing enough SMTP32 processes (usually controlled by the number of processing threads you allow) and also having enough mail running through your system to exhaust the mystery heap.

This search might help you find what you're looking for in previous discussions.

Hope this helps,
_M

-- Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com 703.779.4909 x7010
re: [Declude.JunkMail] OT: Web analytics
This will do what you want, does not require any code on the pages, and it's free: http://www.mrunix.net/webalizer/

You just set up a config file and run the app with Windows scheduler.

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Monday, April 11, 2011 3:45 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] OT: Web analytics

I know this is way off topic, but I'd love to hear if anybody wants to throw out an opinion. We've been using HitList Commerce 4.0 since, I don't know, maybe 2000? to generate web statistics reports for our clients' domains. It was a simple system that produced decent reports emails in a single .RTF file. Recently, however, it broke and I can't seem to repair it. The makers of HitList, Marketwave, have undergone many changes of ownership over the years and focus now only on very expensive products and services (it was a few hundred dollars when we bought it).

So I'm looking at getting something modern. The truth is that I only have a handful of domains who care about this, so I'm looking for something free or very cheap. I'd prefer it to read our IIS logs and then send out emails, but I guess we could adapt to something that just displays a web page.

The question is: what's cheap or free, suitable for hosters (as opposed to end-users) and simple? I'm looking right now at something called JawStats (open source) and also Google Analytics, but I don't know what's involved. Any old-timers here with suggestions?

Thanks,
Ben
Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?
It crashed - threw an exception and either Declude was unsure of what to do with it or that was the score it returned. I have seen this happen when I was developing my own app.

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, April 08, 2011 1:23 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

I added in a weight for the grey listings, but it hasn't had much impact. A review of the log files shows only a few messages failing due to grey and since I give it a small weight, I'm not worried about false positives.

In the meanwhile, something Very Strange happened this morning. An extreme spam (high score under Declude) showed up in my inbox today. It got there thanks to inv-uribl. Here are the relevant lines from the header:

X-RBL-Warning: INV-URIBL: Message failed INV-URIBL: -1066598274.
X-Declude-Sender: neomaanastaci...@keci.com [201.50.140.132]
X-Declude-Spoolname: D1c67025c4807.smd
X-Declude-Note: Scanned by Declude 4.2.20 for spam. http://www.declude.com/x-note.htm;
X-Declude-Scan: Incoming Score [-1066598201] at 07:33:30 on 08 Apr 2011
X-Declude-Fail-WithWeight: NOLEGITCONTENT [0], IPNOTINMX [0], CBL [6], FIVETEN-SRC [7], ZEN [7], SORBS-DUHL [6], SPAMCOP [8], UCEPROTECT-1 [6], UCEPROTECT-2 [5], UCEPROTECT-3 [2], BARRACUDA [4], CMDSPACE [8], SPFUNKNOWN [1], SUBSPACE-12 [1], SUBSPACE-15 [1], SUBCHARS-50 [1], SUBCHARS-55 [1], SUBCHARS-60 [1], SNIFFER [8], INV-URIBL [-1066598274], ZEROHOUR [0]

This result was also confirmed by the line in the Declude log file:

04/08/2011 07:33:30.046 q1c67025c4807.smd Tests failed [weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] UCEPROTECT-2=WARN[5] UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] SUBSPACE-12=WARN[1] SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]

Now how the heck did inv-uribl generate a score of -1 billion??? I checked and there's nothing like that in the config file. So then I checked the inv-uribl log file and this message does not show up in the log file. Inv-uribl apparently didn't process this message but did manage to give it an outrageous score.

Has anyone seen something like this and is it cause for concern?

Thanks,
Ben

From: IMail Admin
Sent: Wednesday, April 06, 2011 10:23 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you read the Inv-Uribl log file?

Hi Scott,

It looks to me like you only score the black and not the grey or red listings. The config I have, which would have come from someone else or the default because I've never tried tweaking inv-uribl, scores black and red but not grey. I'm thinking of scoring grey with a small score but I was waiting to see response on the list such as yours.

Thanks,
Ben

From: Scott Fisher
Sent: Wednesday, April 06, 2011 6:50 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] How do you read the Inv-Uribl log file?

The 127.0.0.4 is a gray listing for the uribl. I personally don't score the gray result because of too many false positives.

<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="75" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />

-Original Message-
From: Imail Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, April 05, 2011 7:34 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file?

So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as Clean:

2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd
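An added example, not part of the original thread and not Declude's own code: a Python check that parses the "Tests failed" log line quoted earlier in this thread, flags any per-test weight outside a sane range, and recomputes the score without it. The anomalous line is copied from the thread; the second sample line, the limit of 1000 and all function names are assumptions of this sketch.

```python
import re

# The Declude log line quoted in the thread above, joined onto one line.
LOG_LINE = (
    "04/08/2011 07:33:30.046 q1c67025c4807.smd Tests failed "
    "[weight=-1066598201]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=WARN[0] "
    "IPNOTINMX=WARN[0] CBL=WARN[6] FIVETEN-SRC=WARN[7] ZEN=IGNORE[7] "
    "SORBS-DUHL=WARN[6] SPAMCOP=WARN[8] UCEPROTECT-1=WARN[6] "
    "UCEPROTECT-2=WARN[5] UCEPROTECT-3=WARN[2] BARRACUDA=IGNORE[4] "
    "CMDSPACE=WARN[8] SPFUNKNOWN=WARN[1] SUBSPACE-12=WARN[1] "
    "SUBSPACE-15=WARN[1] SUBCHARS-50=WARN[1] SUBCHARS-55=WARN[1] "
    "SUBCHARS-60=WARN[1] SNIFFER=WARN[8] INV-URIBL=WARN[-1066598274]"
)

# Constructed sample of an ordinary line, for contrast (not from the thread).
NORMAL_LINE = (
    "04/08/2011 07:40:02.113 q0000000000aa.smd Tests failed "
    "[weight=14]: CBL=WARN[6] SNIFFER=WARN[8]"
)

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<spool>\S+) Tests failed "
    r"\[weight=(?P<total>-?\d+)\]: (?P<tests>.+)$"
)
TEST_RE = re.compile(
    r"(?P<name>[\w.\-]+)=(?P<action>[A-Z]+)\[(?P<weight>-?\d+)\]"
)

# Assumption: no single test is ever configured with a weight beyond this.
MAX_SANE_WEIGHT = 1000


def parse_tests_failed(line):
    """Split one 'Tests failed' line into spool name, total and test list."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    tests = [(t["name"], t["action"], int(t["weight"]))
             for t in TEST_RE.finditer(m["tests"])]
    return {"spool": m["spool"], "logged_total": int(m["total"]),
            "tests": tests}


def audit_line(line, limit=MAX_SANE_WEIGHT):
    """Report out-of-range test weights and the score without them."""
    rec = parse_tests_failed(line)
    if rec is None:
        return None
    suspects = []
    for name, _action, weight in rec["tests"]:
        if abs(weight) > limit:
            # The unsigned 32-bit view makes process exit codes recognisable.
            suspects.append({"test": name, "weight": weight,
                             "as_u32": "0x%08X" % (weight & 0xFFFFFFFF)})
    bad = {s["test"] for s in suspects}
    computed = sum(w for _, _, w in rec["tests"])
    return {
        "spool": rec["spool"],
        "logged_total": rec["logged_total"],
        "sum_matches_log": computed == rec["logged_total"],
        "suspects": suspects,
        "score_without_suspects": sum(
            w for n, _, w in rec["tests"] if n not in bad),
    }


def audit_log(lines, limit=MAX_SANE_WEIGHT):
    """Return reports only for lines that carry an out-of-range weight."""
    reports = (audit_line(line, limit) for line in lines)
    return [r for r in reports if r and r["suspects"]]


if __name__ == "__main__":
    for report in audit_log([NORMAL_LINE, LOG_LINE]):
        print(report["spool"], report["suspects"],
              "score without suspect tests:",
              report["score_without_suspects"])
```

For the quoted line the only flagged test is INV-URIBL, whose weight reads 0xC06D007E as an unsigned 32-bit value; the 0xC high bits are the error-severity pattern of Windows exception and NTSTATUS codes, which fits the reply that the external test crashed and its exit value was taken as the score. Without that value the remaining tests sum to 73.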
re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
the defs are in the junkmail manual https://www.declude.com/searchresults.asp?Cat=109

IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to detect spam! It will be triggered when an email is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mail server than they use to receive mail).

NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered when Declude JunkMail does not detect any legitimate content in an email. NOTE: Some legitimate email will fail this test, but almost all spam will fail it.

The best 'test' is a 'combo' test where it takes several unrelated tests to fail before you wack the email w/a penalty.

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, April 08, 2011 1:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX

In all this work on inv-uribl, I realized that my system scores 0 for NOLEGITCONTENT and IPNOTINMX. I would just be following the default, so that leads to the question: what is the purpose of these tests and do other people assign them scores?
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
I would suggest combo-ing sniffer with other tests - and make the penalty very small at first until you gain confidence in the results.

-Nick

Here is an old sample combo-sniffer.txt file - use it as a guide - not in production..

SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.SNIFFER
TESTSFAILED 2 CONTAINS F5SPAMMONKEY
TESTSFAILED 2 CONTAINS 10SPAMMONKEY
HEADERS 5 CONTAINS X-Alligate-AddrSpace: Failed
TESTSFAILED 2 CONTAINS FILTER.ALLIGATE
TESTSFAILED 4 CONTAINS FILTER.STATICSPAMMER_MAILFROM
COUNTRIES 6 CONTAINS CN
COUNTRIES 6 CONTAINS KR
COUNTRIES 6 CONTAINS CH
TESTSFAILED 6 CONTAINS FILTER.BADCOUNTRYNORVDNS
TESTSFAILED 2 CONTAINS FILTER.COMBO.SUSPECIOUS
TESTSFAILED 5 CONTAINS FILTER.DYNA
TESTSFAILED 8 CONTAINS FILTER.INVESTMENT
TESTSFAILED 5 CONTAINS FILTER.LOTTERY
TESTSFAILED 3 CONTAINS FILTER.MORTGAGE
TESTSFAILED 5 CONTAINS FILTER.HEALTH_INS
TESTSFAILED 5 CONTAINS FILTER.NIGERIAN.SCAM
TESTSFAILED 2 CONTAINS FILTER.REV_DNS
TESTSFAILED 3 CONTAINS IP4R.SBL
TESTSFAILED 2 CONTAINS IP4R.SPAMCOP
TESTSFAILED 2 CONTAINS IP4R.XBL
TESTSFAILED 3 CONTAINS IPFILE.HOSTS
TESTSFAILED 9 CONTAINS IPFILE.KILL
TESTSFAILED 3 CONTAINS IPFILE.NETWORKS
TESTSFAILED 6 CONTAINS IPFILE.SUSPICIOUS.HOST
TESTSFAILED 2 CONTAINS IPFILE.SUSPICIOUS.NETWRK
TESTSFAILED 3 CONTAINS XBL(
TESTSFAILED 3 CONTAINS TEST.DYNHELO
TESTSFAILED 3 CONTAINS TEST.ROUTING
TESTSFAILED 1 CONTAINS TEST.SPAMHEADERS
TESTSFAILED 3 CONTAINS TEST.BADHEADERS
TESTSFAILED 3 CONTAINS TEST.REVDNS
TESTSFAILED 3 CONTAINS IP4R.ZENSPAMHAUS

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, April 08, 2011 3:51 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX

Thanks. Now that you've posted this I have to apologize because I recall reading this years ago.

The problem I'm struggling with is that I get a lot of spam that fail many tests and ends up being deleted, but I also get a lot of true spam that fails only one test, usually Sniffer, and I'd like to find test(s) that would incrementally confirm the spam and push it to the next threshold. For example, I weight Sniffer at 8, so I get a lot of spam that score 8. They're true spam, but the other tests don't confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams).

Any suggestions welcome.

Thanks,
Ben

From: Nick Hayer
Sent: Friday, April 08, 2011 12:23 PM
To: Declude.JunkMail@declude.com
Subject: re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX

the defs are in the junkmail manual https://www.declude.com/searchresults.asp?Cat=109

IPNOTINMX - The IPNOTINMX test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The IPNOTINMX should NOT be used to detect spam! It will be triggered when an email is sent from an IP address that is not in its MX record. Although this test will catch a lot of spam (perhaps 80%), it will also catch a lot of legitimate mail (as quite a few larger mailers will send their mail through a different mail server than they use to receive mail).

NOLEGITCONTENT - Like the IPNOTINMX test, the NOLEGITCONTENT test is good for helping reduce false positives. By default, Declude JunkMail will subtract several points from the weighting system when an email does not fail this test (which is very different from the way a spam test normally works). WARNING: The NOLEGITCONTENT test should NOT be used to detect spam! It will be triggered when Declude JunkMail does not detect any legitimate content in an email. NOTE: Some legitimate email will fail this test, but almost all spam will fail it.

The best 'test' is a 'combo' test where it takes several unrelated tests to fail before you wack the email w/a penalty.

-Nick

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, April 08, 2011 1:38 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX
try jackie99

MadRiverAccess.com|Skywaves.com Tech Support

From: Pete McNeil madscient...@microneil.com
Sent: Friday, April 08, 2011 5:26 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How do you use NOLEGITCONTENT and IPNOTINMX

On 4/8/2011 3:49 PM, IMail Admin wrote:

They're true spam, but the other tests don't confirm it and my delete threshold is 12 (although I would be happy to get just to 10 on these spams).

If you're not already using truncate.gbudb.net DNSBL then that might also allow you to add some weight.

http://www.gbudb.com/truncate/index.jsp

_M

-- Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com 703.779.4909 x7010
re: [Declude.JunkMail] How do you read the Inv-Uribl log file?
maybe it scores bitmask results and 127.0.0.4 response is not tagged?

-Nick

From: Imail Admin imailad...@bcwebhost.net
Sent: Tuesday, April 05, 2011 8:36 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How do you read the Inv-Uribl log file?

So I'm still looking at ways to make Inv-Uribl more effective. I'm getting a lot of spam that gets through my system with relatively marginal score so I'm looking at the Inv-Uribl log. Here are the lines for a message that I would consider to be obviously spam, yet came through Inv-Uribl as Clean:

2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 URI from message body found in multi.uribl.com [4] [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved avantresources.com to 216.139.251.42 [Total Weight=0]
2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 D:\IMail\spool\proc\work\D5d0b028c100f.smd Resolved bcwebhost.net to 173.164.65.196 [Total Weight=0]

Did I miss something here that should have triggered a score (additional spam weight in Declude)?

Thanks,
Ben
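An added example, not part of the original thread and not Inv-Uribl's own code: it parses the first log line quoted above and applies per-bit weights, assuming the weight is the sum of the weights of the bits set in the last octet of the 127.0.0.x answer. The POSTED_WEIGHTS values are the URI_Bitmask_BitValue_N_Weight_URIBL_List2 settings another list member posted in this thread; the "grey = 5" variant and all function names are hypothetical.

```python
import ipaddress
import re

# First Inv-Uribl log line quoted in the message above, on one line.
LOG_LINE = (
    "2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 "
    "D:\\IMail\\spool\\proc\\work\\D5d0b028c100f.smd netcontentinc.com "
    "127.0.0.4 URI from message body found in multi.uribl.com [4] "
    "[Total Weight=0]"
)

HIT_RE = re.compile(
    r"(?P<spool>\S+\.smd) (?P<domain>\S+) (?P<answer>127\.\d+\.\d+\.\d+) "
    r"URI from message body found in (?P<zone>\S+) \[(?P<code>\d+)\] "
    r"\[Total Weight=(?P<total>-?\d+)\]"
)

# Bit names as given in the config comments posted in this thread.
BIT_NAMES = {2: "black", 4: "grey"}

# Per-bit weights as posted in this thread (only the black bit is scored).
POSTED_WEIGHTS = {1: 0, 2: 75, 4: 0, 8: 0, 16: 0, 32: 0, 64: 0, 128: 0}

# Hypothetical variant: the same table with a small weight on the grey bit.
GREY_SCORED = {**POSTED_WEIGHTS, 4: 5}


def set_bits(answer):
    """Return the bit values set in the last octet of a 127.x.x.x answer."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("not a DNSBL return code: %s" % answer)
    last_octet = int(addr) & 0xFF
    return [1 << i for i in range(8) if last_octet & (1 << i)]


def weight_for(answer, weights):
    """Sum the configured weight of every bit set in the answer."""
    return sum(weights.get(bit, 0) for bit in set_bits(answer))


def explain(line, weights):
    """Decode one 'found in' log line and show which bits earn no weight."""
    m = HIT_RE.search(line)
    if m is None:
        return None
    bits = set_bits(m["answer"])
    return {
        "domain": m["domain"],
        "zone": m["zone"],
        "lists": [BIT_NAMES.get(b, "bit %d" % b) for b in bits],
        "logged_weight": int(m["total"]),
        "weight": weight_for(m["answer"], weights),
        "unscored_bits": [b for b in bits if weights.get(b, 0) == 0],
    }


if __name__ == "__main__":
    for label, table in (("posted", POSTED_WEIGHTS), ("grey=5", GREY_SCORED)):
        print(label, explain(LOG_LINE, table))
    # An answer with both the black and grey bits set, for comparison.
    print("127.0.0.6:", weight_for("127.0.0.6", POSTED_WEIGHTS),
          weight_for("127.0.0.6", GREY_SCORED))
```

With the posted weights the 127.0.0.4 answer decodes to the grey bit only, which carries weight 0, so the listed domain is logged as a hit but adds nothing to the total.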
re: [Declude.JunkMail] How effective should Inv-Uribl be?
What uribl tests are you using and are you getting hits on them - check your logs.. I'm suggesting you may need different tests - the one you are using may have blacklisted you or are dead even...

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, March 18, 2011 2:13 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] How effective should Inv-Uribl be?

I'm still having trouble with more spam seepage, so I've been looking at my various tests. I noticed that in the past, the Inv-uribl test caught 63-70% of messages, but recently it's only catching 56%. When I look at a lot of the low value spam (messages that barely get classified as spam), they always have an Inv-uribl result of score 0 range clean. Is it just that this test is less effective now? Or have I somehow messed up my configuration?

As an aside: I use DL Analyzer to check these results. One thing it always does is give the average weight/message and average weight/failed message. Typically, these are scores such as 45 and 46. Just lately I started getting results like -131,000 and -136,000. I don't know if this is another sign of something broken in my configuration or if the analyzer program has somehow broken.

Thanks.
Re: [Declude.JunkMail] How effective should Inv-Uribl be?
Well this all looks good. if this invuribl app makes a log check it to see if you are getting hits; if you aren't that is a problem... Additionally add dbl.spamhaus.org as an additional uribl test

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: IMail Admin imailad...@bcwebhost.net
Sent: Friday, March 18, 2011 2:46 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] How effective should Inv-Uribl be?

I'm not quite sure what you mean. In the Declude global.cfg file the only reference to inv-uribl is

INV-URIBL external weight D:\imail\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP% 0 0

In the invUribl.exe.config file there is (in part):

***
<!-- This is the URI Blacklist That The URI Will Be Checked Against -->
<add key="URIBL_List1" value="multi.surbl.org" />
<!-- Weight added to the result code or custom bitmask total. -->
<add key="URIBL_Weight_List1" value="0" />
<!--Allows you to override the normal values for bitmasks for a custom return weight-->
<add key="Enable_Custom_Bitmask_Values_URIBL_List1" value="true" />
<!--If using multi.surbl.org see http://www.surbl.org/lists.html#multi for which lists correspond -->
<!--to which bitmask values -->
<!-- BitValue_2 = comes from sc.surbl.org -->
<!-- BitValue_4 = comes from ws.surbl.org -->
<!-- BitValue_8 = comes from phishing data source (labelled as [ph] in multi) -->
<!-- BitValue_16 = comes from ob.surbl.org -->
<!-- BitValue_32 = comes from ab.surbl.org -->
<!-- BitValue_64 = comes from jp data source (labelled as [jp] in multi) -->
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List1" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List1" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List1" value="2" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List1" value="5" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List1" value="3" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List1" value="7" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List1" value="10" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List1" value="0" />
<!--URI LIST 2-->
<add key="URIBL_List2" value="multi.uribl.com" />
<add key="URIBL_Weight_List2" value="0" />
<!-- BitValue_2 = comes from black.uribl.org -->
<!-- BitValue_4 = comes from grey.uribl.org -->
<!-- BitValue_8 = comes from red.uribl.org -->
<add key="Enable_Custom_Bitmask_Values_URIBL_List2" value="true" />
<add key="URI_Bitmask_BitValue_1_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_2_Weight_URIBL_List2" value="7" />
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List2" value="2" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List2" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List2" value="0" />
<!--Enables the checking of the URI's name servers against an RBL. -->
<!--If the name servers are listed in the RBL the defined weight will be added-->
<!--Max_Name_servers_To_Check - Sets the number of name servers to check. -->
<!--If set to zero all name servers returned from the DNS query will be checked-->
<!--Bitmask_Skip_Options_Name_Server_RBLx - Bitmask value that allows you to skip -->
<!--the associated Namerserver check if the URI is listed in the URI list. -->
<!--Values: 0 - no skipping will occur. 1 - Skip Nameserver check if URI was listed-->
<!--in a URI list. 2 - Skip if the URI's name server was already found in he given -->
<!--blacklist. This prevents double scoring. These are bitmask values and would -->
<!--be added together based on the options you want.-->
<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Max_Name_Servers_To_Check" value="3" />
<add key="Name_Server_RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_Name_Server_RBL1" value="2" />
<add key="Name_Server_Return_Code_RBL1" value="*" />
<add key="Name_Server_Weight_RBL1" value="5" />
***

In the inv-uribl log file I find references to multi.surbl.org, sbl.spamhaus.org, multi.uribl.com, and xx.countries.nerd.dk (where xx is a country code such as ru). All the lines that end in Total Weight = 0 don't list any tests at all - they just resolve the IP.

Thanks.

From: Nick Hayer
Sent: Friday, March 18, 2011 11:21 AM
To: Declude.JunkMail@declude.com
Subject: re: [Declude.JunkMail] How effective should Inv-Uribl be?

What uribl tests are you using and are you getting hits on them - check your logs.. I'm suggesting you may need different tests - the one you are using may have blacklisted you or are dead even...

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
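Added example (not from the list posts and not INVURIBL's own code): a Python check that decodes the 127.0.0.x answer in an INVURIBL "found in" log line and scores it with the per-bit weights from the invUribl.exe.config excerpt above, reporting listings that add no weight. It assumes the tool adds the list weight to the weight of every set bit; the function names are hypothetical, and the bit-1 "query refused" label for multi.uribl.com comes from URIBL's published return codes, not from this page.

```python
import re

# Per-bit weights and source labels copied from the invUribl.exe.config
# excerpt quoted in the thread (List1 = multi.surbl.org, List2 = multi.uribl.com).
CONFIG = {
    "multi.surbl.org": {
        "list_weight": 0,
        "weights": {1: 0, 2: 7, 4: 2, 8: 5, 16: 3, 32: 7, 64: 10, 128: 0},
        "sources": {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"},
    },
    "multi.uribl.com": {
        "list_weight": 0,
        "weights": {1: 0, 2: 7, 4: 0, 8: 2, 16: 0, 32: 0, 64: 0, 128: 0},
        # Bit 1 is URIBL's "query refused" answer (URIBL documentation, not this page).
        "sources": {1: "query-refused", 2: "black", 4: "grey", 8: "red"},
    },
}

# Shape of the "found in" log line shown in the log-file thread on this page.
HIT = re.compile(
    r"(?P<domain>\S+) (?P<answer>127\.\d{1,3}\.\d{1,3}\.\d{1,3}) "
    r"URI from message body found in (?P<zone>\S+) "
    r"\[(?P<mask>\d+)\] \[Total Weight=(?P<total>-?\d+)\]\s*$"
)


def set_bits(answer):
    """Return the bit values set in the last octet of a 127.x.x.x answer."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a DNSBL answer: {answer!r}")
    return [1 << i for i in range(8) if octets[3] & (1 << i)]


def score(zone, answer):
    """ASSUMED scoring rule: list weight plus the weight of every set bit."""
    cfg = CONFIG[zone]
    rows = [(b, cfg["sources"].get(b, "?"), cfg["weights"].get(b, 0))
            for b in set_bits(answer)]
    return cfg["list_weight"] + sum(w for _, _, w in rows), rows


def audit(line):
    """Parse one log line; None for lines that are not blacklist hits."""
    m = HIT.search(line)
    if m is None:
        return None
    total, rows = score(m["zone"], m["answer"])
    return {
        "domain": m["domain"],
        "zone": m["zone"],
        "expected": total,
        "logged": int(m["total"]),
        # Sources that listed the domain but are configured with weight 0.
        "unscored": [src for _, src, w in rows if w == 0],
    }


# First two lines are quoted on this page; the last two are constructed samples.
PAGE_HIT = (r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.484 "
            r"D:\IMail\spool\proc\work\D5d0b028c100f.smd netcontentinc.com 127.0.0.4 "
            r"URI from message body found in multi.uribl.com [4] [Total Weight=0]")
PAGE_RESOLVED = (r"2011-03-31 02:53:09.343 2011-03-31 02:53:12.953 "
                 r"D:\IMail\spool\proc\work\D5d0b028c100f.smd "
                 r"Resolved netcontentinc.com to 207.65.119.238 [Total Weight=0]")
CONSTRUCTED = [
    r"2011-03-31 03:00:00.000 2011-03-31 03:00:01.000 D:\spool\Dconstructed1.smd "
    r"pills.example 127.0.0.2 URI from message body found in multi.uribl.com [2] [Total Weight=7]",
    r"2011-03-31 03:00:00.000 2011-03-31 03:00:01.000 D:\spool\Dconstructed2.smd "
    r"login.example 127.0.0.68 URI from message body found in multi.surbl.org [68] [Total Weight=12]",
]


def unscored_listings(lines):
    """Collect (domain, zone, sources) for hits that contributed nothing."""
    found = []
    for line in lines:
        result = audit(line)
        if result and result["unscored"]:
            found.append((result["domain"], result["zone"], result["unscored"]))
    return found


if __name__ == "__main__":
    for row in unscored_listings([PAGE_HIT, PAGE_RESOLVED] + CONSTRUCTED):
        print(row)
```

With the weights quoted above, a grey listing on multi.uribl.com (bit 4) contributes 0, which is consistent with the Total Weight=0 on the 127.0.0.4 log line quoted earlier on this page.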
re: [Declude.JunkMail] Sniffer settings
I suggest monitoring the sniffer hits and increase/decrease the scoring accordingly depending on the false positives you see. Ideally you should be combo'ing a sniffer hit w/other tests to maximize sniffer's effectiveness.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: David Dodell da...@stat.com
Sent: Friday, March 18, 2011 4:05 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Sniffer settings

I am using the built-in version of Sniffer and the recommended Declude setting. However, lately I'm seeing lots of spam get through that is failing some of the sniffer tests. I'd like to increase the weight on some of these failures. Recommendations?
re: [Declude.JunkMail] SSD vs HDD
Dunno what you are using for a controller but if you couple these drives as a controller cache with an adaptec 5805 for example the system will be wicked fast almost regardless of the hdd drives used - as long as they are enterprise class..

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Stephan Chayer scha...@intrasoft.net
Sent: Friday, March 04, 2011 10:44 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] SSD vs HDD

Hello Everyone,

I think the question may have been already discussed but I would like to receive some advice for my spool directory. My hard disk access is suffering. Should we use SSD drives or regular HDD. I have heard numerous reliability problems with SSD and I am not sure if we should do it. We have 2 Intel X25-M series handy, should we use them or something else? (SSDSA2MH080G2C1 and G2K5)

Thanks
Stephan
IntraSoft
Re: [Declude.JunkMail] weird processing of lists
Ben,

No idea how to fix it - all I can suggest though is to run your log in debug mode and duplicate the problem. Then the logs may give you a clue as to what is going on.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Imail Admin imailad...@bcwebhost.net
Sent: Wednesday, December 29, 2010 5:26 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] weird processing of lists

What surprises me is that I haven't found anywhere where this problem has been discussed before. Granted that IMail's list server is primitive and that serious list services use a separate list server, still a lot of IMail admins use the built-in list service for basic list services. So I would assume that all of these users would have the same problem with JM and the IMail list service. For that matter, I don't really understand why I'm having this problem just now, after using of using both products.

Ben

- Original Message -
From: Dean Lawrence
To: declude.junkmail@declude.com
Sent: Wednesday, December 29, 2010 12:52 PM
Subject: Re: [Declude.JunkMail] weird processing of lists

Ben,

Maybe you could write a rule that evaluates the sender and originating IP. So that if the email is from listn...@domain.com and the IP matches the server's IP (since it is being generated from your server), that it assigns a negative weight to the message?

Dean

P.S. This is off the top of my head without looking at the docs, so I may be off base.

On Wed, Dec 29, 2010 at 3:07 PM, IMail Admin imailad...@bcwebhost.net wrote:

But you're the man who knows everything about Declude. Surely you know the answer to my original question?

Ben

-Original Message-
From: David Barker
Sent: Wednesday, December 29, 2010 5:21 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] weird processing of lists

Most likely ;)

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of IMail Admin
Sent: Tuesday, December 28, 2010 3:24 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] weird processing of lists

Everyone gone on vacation?

-Original Message-
From: IMail Admin
Sent: Friday, December 24, 2010 11:23 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] weird processing of lists

Hi,

I've run into a small problem between Declude and lists. I have a domain with a list on it such as listn...@domain.com. You have to be on the posters' list to send messages to that list. One of the posters sends messages to the list and is authorized for the list, but gets this error message:

Invalid final delivery userid: listname-spam...@domain.com.

SpamLow is the folder into which messages are normally dropped when their score is between 5 and 10. It appears that Declude is assigning this message a score between 5 and 10 and then trying to put the message into the SpamLow folder for this user. Except that it's not a user, it's a list. So why does this happen and how do I handle it?

Thanks,
Ben

P.S. We've been using Declude JM/AV with Imail for a long time. The current versions are Imail 2006.23 and Declude 1.63.

---
[This E-mail was scanned by Declude]

--
---
Dean M. Lawrence
INTERNET DATA TECHNOLOGY
p // 888.438.4381 ext. 701
w // www.idatatech.com
f // www.facebook.com/idatatech
t // www.twitter.com/idatatech
Social Marketing | SEO | Design | Internet Development
---
RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers
fyi - the 'X-Originating-IP' as well as 'X-AOL-IP' are the sender's ip - they have no relation to yahoo or aol. What you can do with these ip's - which is what I do - is look 'em up in blacklists..

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Colbeck, Andrew acolb...@bentallkennedy.com
Sent: Wednesday, December 08, 2010 5:52 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

Thanks, Pete and Scott.

As always, Pete, that change worked as advertised. I've put in a slight tweak as well as Scott's AOL suggestion, I pre-pended a period to qualify the domains tighter (I also left in the examples, that's my own practice for self-documentation)

<source>
<!-- <header name='X-Use-This-Source:' received='mixedsource.com [' ordinal='0' /> -->
<!-- <header name='X-Originating-IP:' received='hotmail.com [' ordinal='0' /> -->
<header name='X-Originating-IP:' received='.hotmail.com [' ordinal='0' />
<header name='X-AOL-IP:' received='.aol.com [' ordinal='0' />
</source>

I sent myself three messages from my own Hotmail account, and then checked my own firewall's IP address in my local GBU:

CD \messagesniffer
SNFClient.exe -test 1.2.3.4

GBUdb Record for 1.2.3.4
Type Flag: ugly
Bad Count: 0
Good Count: 3
Probability: -1
Confidence: 0.113212
Range: normal
Code: 0

Hopefully, others will choose to also pay in to the system, and regardless, I'll see less Hotmail and AOL spam from known zombie IP addresses!

Andrew 8)

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Monday, December 06, 2010 1:18 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

I made this change immediately. Like Andrew I've always wondered why the Hotmail header hasn't been targeted by someone.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Monday, December 06, 2010 2:31 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Large amount of hotmail, msn, aol, yahoo and other free account blacklisted servers

On 12/6/2010 2:47 PM, Colbeck, Andrew wrote:

I have the same position as Scott. I find that the MessageSniffer product from ARM Research is the most reliable test

<snip/>

Hotmail in particular would be less effective for the bad guys if I had an antispam tool that would determine from the headers that the sender was from Hotmail (or others) and then check the X-Originating-IP: [111.222.333.444]

<snip/>

I've suggested it before but vendors are, quite reasonably, leery of building into their product a feature that is specific to a few providers while being prone to false positives.

Actually, if I may, Message Sniffer has precisely that feature built into GBUdb training. Specifically, you can tell Message Sniffer to identify the source IP for the message based on the presence of a specific header. This feature was designed specifically for hotmail and other systems that provide a source IP for one reason or another -- (perhaps complex internal routing).

For configuration information see:

http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source.jsp
http://www.armresearch.com/support/articles/software/snfServer/config/node/gbudb/training/source-header.jsp

If you configure this training mechanism for GBUdb in your Message Sniffer engine then GBUdb will become much more accurate for messages coming through that source.

Best,
_M

--
Pete McNeil, President
MicroNeil Research Corporation
www.microneil.com
703.779.4909 x7010
re: [Declude.JunkMail] Good filter?
Post a few of his/her base domains - just to be sure we will be talking about the same guy..

Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Hi David,

I think it will FP though - Here is an example:

http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif

with some tweaking I think it could be very effective though

We have been whacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger on these

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about the same guy..

Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
RE: [Declude.JunkMail] Good filter?
Dunno - I just grepped my logs to find the FP. You will have to get some complete examples to test on. Maybe do a COPYTO on any emails that fail your regex and then fine tune out the false positives.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 12:05 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Does the source have a space or different character after the end of the string ? we could look for a space. or a or

(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|[]))

David

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 11:50 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Hi David,

I think it will FP though - Here is an example:

http://eimages.ratepoint.com/7cb5f36dd6464c05d417963e3efc4386/2010-06/02b120ed17cc24cd3567fd4396424914.gif

with some tweaking I think it could be very effective though

We have been whacking the guy w/sniffer General and dnsbl tests. I cannot tell you which ones of the latter as they are not shown in my logs.

-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: David Barker dbar...@declude.com
Sent: Monday, October 18, 2010 10:17 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

Provided the prefix to these is either www or http:// the regex will trigger on these

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom
Sent: Monday, October 18, 2010 10:02 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Good filter?

ude23.protectionist.info/687beaa6678a69ca344212a6ed48f80ba6bca1
cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Monday, October 18, 2010 8:53 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] Good filter?

Post a few of his/her base domains - just to be sure we will be talking about the same guy..

Thanks
-Nick
MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Dave Beckstrom db...@atving.com
Sent: Monday, October 18, 2010 9:38 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Good filter?

There is a pervasive spammer whose uri pattern for the linked spam site is pretty consistent. They all have a / followed by some kind of home-grown obfuscation which his server recognizes:

http://cja244.larickcoppas.com/6878d778dcffdc763118115082cc190a3c0343

Anyone come up with a clever filter for this?

Also, these spammers are using domainsite.com as their registrar for their spamvertized domains. Has anyone worked on a solution where the URI can be checked against the registrar and if it's registered with domainsite.com then weight can be added or it can be blocked?
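Added example (not from any poster in this thread and not Declude's own code): a Python comparison of the hex-token URI filter discussed above, run against the URLs quoted in the thread. The unanchored pattern is the quoted regex without its final group, the terminator set in the anchored pattern is an assumption because that character class did not survive on the page, and the structural check and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# The regex quoted in the thread, minus its final group. ASSUMPTION: this
# unanchored form is what produced the false positive that was reported.
UNANCHORED = re.compile(r"(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40})")

# Same pattern with a terminator after the hex token. ASSUMPTION: whitespace,
# a quote, an angle bracket or end of text; the original class is not on the page.
ANCHORED = re.compile(
    r"""(?i:(http://|www).+\.(com|info|net)/[a-f0-9]{30,40}(\s|["'<>]|$))"""
)

# Structural alternative: pull out each URL, then inspect its parsed path.
URL_TOKEN = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s"'<>]+""")
HEX_TOKEN = re.compile(r"(?i)[a-f0-9]{30,40}")


def structural_hits(body):
    """Hosts of URLs whose entire path is one 30-40 character hex token."""
    hosts = []
    for raw in URL_TOKEN.findall(body):
        raw = raw.rstrip(".,;:)!?")  # sentence punctuation glued to the URL
        parts = urlsplit(raw if "://" in raw else "http://" + raw)
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) == 1 and HEX_TOKEN.fullmatch(segments[0]) and not parts.query:
            hosts.append(parts.hostname)
    return hosts


def classify(body):
    """Run all three detectors over one message body."""
    return {
        "unanchored": bool(UNANCHORED.search(body)),
        "anchored": bool(ANCHORED.search(body)),
        "structural": structural_hits(body),
    }


# URLs are the ones quoted in the thread; the surrounding markup is constructed.
SPAM_HTML = ('<a href="http://cja244.larickcoppas.com/'
             '6878d778dcffdc763118115082cc190a3c0343">Unsubscribe</a>')
# The post lists this host and path without a scheme; "http://" is added here.
SPAM_TEXT = ("Visit http://ude23.protectionist.info/"
             "687beaa6678a69ca344212a6ed48f80ba6bca1\n")
# The legitimate image URL reported as a false positive.
LEGIT_IMG = ('<img src="http://eimages.ratepoint.com/'
             '7cb5f36dd6464c05d417963e3efc4386/2010-06/'
             '02b120ed17cc24cd3567fd4396424914.gif">')

if __name__ == "__main__":
    for name, body in (("spam html", SPAM_HTML), ("spam text", SPAM_TEXT),
                       ("legit image", LEGIT_IMG)):
        print(name, classify(body))
```

Both stricter variants still match any legitimate URL whose whole path is a single hex token, so the result is better used to add weight, tuned against copies of the messages that trip it, than to block outright.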
re: [Declude.JunkMail] Declude queue alert
Hi Harry,

Below is a script I copied from the list long ago - edit as applicable for your setup, save it as a .vbs file and run it every 15 min or so

-Nick

' Spool folders to watch
fHold1 = "\\192.168.254.23\goofy\imail\spool"
fHold2 = "\\192.168.254.23\goofy\imail\spool\proc"
' IMail command-line mailer and its sender/recipient switches
aMail = "e:\imail\imail1.exe"
mFrom = " -u 'spamstar2.moni...@madriveraccess.com'"
mTo = " -t 'n...@madriveraccess.com'"

' Send a notice when a folder holds more than 300 files
If GetFileCount(fHold1) > 300 Then
    MailNotice "Imail Spool", GetFileCount(fHold1), mTo
End If
If GetFileCount(fHold2) > 300 Then
    MailNotice "Imail\spool\proc", GetFileCount(fHold2), mTo
End If

' Number of files directly inside folderspec
Function GetFileCount(folderspec)
    Dim fso, f, f1, fc
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.GetFolder(folderspec)
    Set fc = f.Files
    GetFileCount = fc.Count
End Function

' Build the mailer command line and run it, waiting for it to finish
Function MailNotice(fname, fcount, mTo)
    Dim mCmd, mSubj, WshShell
    Set WshShell = WScript.CreateObject("WScript.Shell")
    mSubj = " -s 'SPAMSTAR2(192.168.254.23) Mail held in " & fname & " : " & fcount & "'"
    mCmd = aMail & mFrom & mTo & mSubj & " -f"
    Return = WshShell.Run(mCmd, 1, True)
End Function

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Harry Vanderzand ha...@intown.net
Sent: Wednesday, August 25, 2010 9:52 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude queue alert

Is there any way that the system can give me an alert when the Declude queue fills up past a certain point?

There have been a couple of cases recently that have caused Declude to stop processing. The mail backs up in the queue and I only realize it when someone complains or I notice that no mail has come in for a while. I then restart the service and processing starts up again.

If I were to get an alert that say, 500 items were in the queue then I would know there is a problem.

Thank you

Please note our new Address
Harry Vanderzand
Intown Internet
740 Erbsville Road
Waterloo, On, N2J 3Z4
519-741-1222

---
[This E-mail was checked by Declude]
RE: [Declude.JunkMail] Fine tuning Declude
Hi Michael,

I guess this is best said - let it go... Alligate is the way to go in front of Declude - contact them again - they probably will be glad to set you up with a trial even of some sort.

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Michael Cummins mich...@i-magery.com
Sent: Wednesday, May 12, 2010 10:25 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Fine tuning Declude

I actually paid for Alligate a couple of years ago, but then had to repurpose the hardware for a casualty before I could install it and trial it. I never got around to putting it together after that (I'm not a big company, and I don't have a huge budget). It expired, and now every year Alligate contacts me asking me if I want to renew, and I write them back asking them if I simply lost my money, and they never respond again until the following year. It's like a bad game now. I don't have a lot of confidence in them. Which is sad. I hear it's a fine product.

-- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Scott Fisher
Sent: Wednesday, May 12, 2010 9:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Fine tuning Declude

I put an alligate server in front of Declude. It kills about 95% of incoming connections. Declude Interceptor incorporates this.

Sent via BlackBerry by ATT

From: Michael Cummins mich...@i-magery.com
Date: Wed, 12 May 2010 09:25:57 -0400
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Fine tuning Declude

So this past week has been fairly hellish for me, buried in the thick of Botnet Spam storms.
(Quite a number of people seem to be experiencing them, at least as reported over on the [SNIFFER] list)

My implementation of Declude seems to be pressed to its limits to handle the volume.

1) Dedicated SmarterMail 6.8
2) Declude, Invaluement RBLs added, running off a SimpleDNSPlus install on another local machine
3) INVURIBL with Invaluement and SpamEatingMonkey added
4) SNIFFER, integrated with Declude

This is the root of my volume issues: this box is a dedicated Incoming Gateway for several dozen Exchange servers for SMBs, which means it accepts ALL mail for those domains. It's not like my other mail server that rejects bad addresses right off the bat.

When the spam storms hit, it's like a hurricane. My usual Sniffer-measured rate of about 150-200k messages per day kicks up as high as 850k. I don't really handle that much mail, but that's the rate when it storms. My regular SmarterMail server that dishes out POP/IMAP handles a more appropriate level of 50k messages per day.

1) If I keep WAITBETWEENTHREADS too low, DecludeProc will race up to the top of THREADS and crash when the storms hit. I currently find that 45 is the bleeding edge of sanity (for my config) with INVURIBL and SNIFFER running, but in a bad storm, even that is too low, and sometimes I have to drop it back to 60 or 65; but then it's just keeping up with things, and it's difficult to reduce the backlog that swelled during the crash.
2) If I keep WAITBETWEENTHREADS too high, like around 100, Declude is stable as a rock, but can't keep up with the mail load when times get tough.
3) When things get bad, I go into GLOBAL.CFG and comment out INVURIBL and/or the many SNIFFER tests.

Does anyone have any useful advice for beefing up or streamlining this process? What hardware choices have the biggest impact on Declude?

As an aside, I imagine that you could prevent a lot of Declude crashes if WAITBETWEENTHREADS was a dynamic setting, derived from the mail rate. Yes? No?
On a related note, I've been building a Declude Management interface in ColdFusion that makes excellent use of Mark Russinovich's Sysinternals suite of tools, most specifically PsList and PsKill, so I can keep a careful eye on DecludeProc on my two machines, and using the Microsoft FSO to keep an eye on file counts.

Sysinternals http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
FSO http://msdn.microsoft.com/en-us/library/z9ty6h50(VS.85).aspx

I really recommend those tools. FSO is really responsive when inspecting large file counts, for keeping an eye on /spool/ /proc/ and /review/. You can parse the results of PsList to keep an eye on the number of Threads that Declude is spawning, and even detect a crash.

Oh, and I have to compliment Linda and David for their relentless and professional service. They are a fantastic and responsive team. BZ!

-- Michael Cummins
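The PsList check described in the message above, as an added example (not code from the thread): it parses PsList output, reports DecludeProc as down when its row is missing, and flags a thread count close to a limit. The sample output is constructed, the column order (Name Pid Pri Thd Hnd Priv ...) is assumed from PsList's default listing, and `thread_limit` is a hypothetical stand-in for the configured THREADS value.

```python
import re

# Constructed sample in PsList's default column layout (assumption).
SAMPLE = """\
Process information for MAIL1:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  95  613      0     0:00:45.328    71:05:10.437
MailService        1840   8  64 1502 210344     1:12:03.114    71:04:58.002
decludeproc        2212   8  38  410  48212     0:41:17.551     3:12:44.870
"""

# A data row is a name followed by five integer columns; banner and header
# lines fail this pattern and are skipped.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<pri>\d+)\s+(?P<thd>\d+)"
    r"\s+(?P<hnd>\d+)\s+(?P<priv>\d+)\s"
)


def parse_pslist(text):
    """Return one dict per process row found in PsList output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m["name"], "pid": int(m["pid"]),
                         "threads": int(m["thd"])})
    return rows


def declude_state(text, process="decludeproc", thread_limit=50, margin=0.8):
    """Classify the process as down, near-limit or ok from its thread count.

    thread_limit is hypothetical: set it to the THREADS value in use.
    margin is the fraction of the limit at which to raise the alarm.
    """
    procs = [r for r in parse_pslist(text)
             if r["name"].lower() == process.lower()]
    if not procs:
        return ("down", 0)              # no row at all: crashed or stopped
    threads = sum(p["threads"] for p in procs)
    if threads >= thread_limit * margin:
        return ("near-limit", threads)  # racing toward the top of THREADS
    return ("ok", threads)


if __name__ == "__main__":
    print(declude_state(SAMPLE))
    print(declude_state(SAMPLE, thread_limit=40))
```

Run on a schedule, the "down" and "near-limit" states are the two conditions worth alerting on before the spool backs up.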
RE: [Declude.JunkMail] We have opened up truncate.gbudb.net
here ya go

IP4R.GBUBD ip4r truncate.gbudb.net 127.0.0.1 9 0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Michael Cummins mich...@i-magery.com
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

I don't think I set it up properly as an ip4r test in Declude. What would the line look like, if written properly? Thanks for your time and effort.

-- Michael Cummins

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 5:06 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average. Please keep us all posted about how it's working for you.

Thanks,
_M
RE: [Declude.JunkMail] We have opened up truncate.gbudb.net
You can test the bl directly with nslookup; to see what Declude is doing, turn on debug log level.

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Michael Cummins mich...@i-magery.com
Sent: Friday, April 30, 2010 11:20 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

That's odd. This is what I already configured it for on my first guess:

TRUNCATE-GBUDB IP4R truncate.gbudb.net127.0.0.120

But I haven't gotten any hits yet. Is there any way to test this from a command prompt, like you can with the invaluement RBLs and nslookup?

- Michael Cummins

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Nick Hayer
Sent: Friday, April 30, 2010 11:00 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

here ya go

IP4R.GBUBD ip4r truncate.gbudb.net 127.0.0.1 9 0

Above scores a 9 on a hit..

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Michael Cummins mich...@i-magery.com
Sent: Friday, April 30, 2010 9:36 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] We have opened up truncate.gbudb.net

I don't think I set it up properly as an ip4r test in Declude. What would the line look like, if written properly? Thanks for your time and effort.
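The nslookup check suggested in the thread above, as an added example (not code from the thread or from Declude): it builds the name an ip4r test resolves for truncate.gbudb.net, classifies the answer against 127.0.0.1, and validates a test line's field layout, which rejects a line whose fields have run together as in the archived copy of the first attempt. The six-field layout is taken from the working line in the thread; the names `check_ip4r`, `parse_ip4r_line` and `weight2` and the documentation addresses are assumptions, and the demo uses constructed answers so it runs offline.

```python
import ipaddress
import socket

ZONE = "truncate.gbudb.net"   # zone named in the thread
LISTED = "127.0.0.1"          # answer the announcement gives for a listed IP


def ip4r_query_name(ip, zone=ZONE):
    """Name an ip4r test resolves: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name via the OS resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_ip4r(ip, zone=ZONE, expected=LISTED, resolve=system_resolver):
    """Classify one IP the way the test line would: a hit only on the expected answer."""
    name = ip4r_query_name(ip, zone)
    answers = resolve(name)
    if not answers:
        status = "not listed"
    elif expected in answers:
        status = "listed"
    else:
        # The zone answered, but not with the configured result, so the test
        # would never fire (wrong result field, or a resolver rewriting NXDOMAIN).
        status = "unexpected answer"
    return {"query": name, "answers": answers, "status": status}


def parse_ip4r_line(line):
    """Split a test line into six whitespace-separated fields and validate them."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields, got %d: %r" % (len(fields), fields))
    name, kind, zone, result, weight, weight2 = fields
    if kind.lower() != "ip4r":
        raise ValueError("not an ip4r test: %r" % kind)
    ipaddress.IPv4Address(result)          # result must be a bare IPv4 address
    return {"name": name, "zone": zone, "result": result,
            "weight": int(weight), "weight2": int(weight2)}


if __name__ == "__main__":
    # Constructed answers standing in for DNS; 192.0.2.10 and 198.51.100.7
    # are documentation addresses, not real listings.
    fake_zone = {"10.2.0.192.truncate.gbudb.net": ["127.0.0.1"]}
    cfg = parse_ip4r_line("IP4R.GBUBD ip4r truncate.gbudb.net 127.0.0.1 9 0")
    for ip in ("192.0.2.10", "198.51.100.7"):
        r = check_ip4r(ip, cfg["zone"], cfg["result"],
                       resolve=lambda n: fake_zone.get(n, []))
        print(ip, "->", r["query"], r["status"])
    # Live check: check_ip4r("<connecting IP>"), or nslookup on r["query"].
```

An "unexpected answer" status from a live lookup is worth checking before trusting rejections, since the test only fires on the exact configured result.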
re: [Declude.JunkMail] We have opened up truncate.gbudb.net
Hi Pete,

Question - is this blacklist info already contained within any Sniffer test? I am wondering about double dipping so to speak - if the info is within Sniffer, which rulebase?

-Nick

MadRiverAccess.com|Skywaves.com Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket: https://www.skywaves.com/content/secure/support_ticket.htm

From: Pete McNeil madscient...@microneil.com
Sent: Thursday, April 29, 2010 5:15 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] We have opened up truncate.gbudb.net

Hi Declude folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average. Please keep us all posted about how it's working for you.

Thanks,
_M
re: [Declude.JunkMail] Missing Messages
maybe hijack is grabbing them? Look in the /spam2 dir

-Nick

From: Scott Fosseen [Prairie Lakes AEA] sfoss...@aea8.k12.ia.us
Sent: Wednesday, August 26, 2009 2:46 PM
To: decludejunkmail declude.junkmail@declude.com
Subject: [Declude.JunkMail] Missing Messages

I am running SmarterMail 5 with declude. My mail server has been a little odd for the last few days. I have people complaining about not getting mail, but yet some mail is getting through.

One particular problem. I can send an email from outside the problem mail server. I see the message in the SMTP log file, but it never shows in the Virus or Junkmail log. I don't seem to have any folders that are growing in size, I just don't see where the message went, or why it was not processed by Declude. I am running a tail on the log files, and there are messages going through just fine as well.

Scott Fosseen - Systems Engineer - Prairie Lakes AEA - http://www.aea8.k12.ia.us/tech
RE: [Declude.JunkMail] Imail 11
SmarterMail. It's the way to go. Ver 6 will support ActiveSync [as an addon] and the web interface is excellent. I have one remaining Imail server - 9x version - to convert..

-Nick

From: Chuck Schick cha...@warp8.com
Sent: Tuesday, August 11, 2009 1:07 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11

Sorry William, I did not catch your sarcasm. I don't see those problems with Imail and we have people with 1000s of messages in their inbox, but that is version 8.22. I know they had a lot of web mail problems with later versions.. I think roundcube is better than squirrel mail but I don't know if it will work on a windows machine - have never tried to do that.

That being said, I am still looking for recommendations on a Mail Server... anyone have thoughts.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of William Stillwell
Sent: Tuesday, August 11, 2009 10:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Imail 11

You didn't understand my sarcasm did you? I gave up w/Imail on fixing my imail webmail issues. On my servers, if there are more than 1000 messages in a mail box, users get Access Denied when going to different pages in their preview window. If they have less than 500 messages it works fine for them.. It's by no means OWA.

William Stillwell
re: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX
Was it not working? yawn. Never noticed. On my end AVG is superfluous behind Alligate. We just do not see a virii leakage. We run ClamD for phishing and I do not see in its logs any virus captures.

-Nick

From: David Barker dbar...@declude.com
Sent: Monday, June 01, 2009 3:50 PM
To: declude.junkmail@declude.com, declude.vi...@declude.com
Subject: [Declude.JunkMail] Upgrade 4.6.35 AVG not scanning - FIX

If your AVG is not scanning emails, please upgrade immediately to 4.6.35 which is available from the Declude website. If you are unsure whether this means you, we suggest you upgrade. If you need any assistance in this matter please contact supp...@declude.com

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.JunkMail] BackScatter
Todd - I will second David on this - Alligate is the best gateway - no question about it - and it does integrate perfectly with Declude.

-Nick

David Barker wrote:

Hi Todd,

Alligate has way better greylisting capabilities than SmarterMail. SmarterMail's implementation is somewhat dangerous. You need to be able to accurately qualify which messages should be greylisted. Alligate is the only greylisting implementation that does this. I don't believe you would have this problem if you were running Interceptor or the Alligate/Declude combination, and I am sure other Alligate/Declude users would agree with me. If you are interested, I can work with you to give you an upgrade path to Declude Interceptor from your current license.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Todd Richards
Sent: Saturday, May 16, 2009 6:11 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] BackScatter

Thanks Craig. From all indications our server is tightened down pretty good right now. We moved from Imail to SM at the start of April, and I implemented grey listing at the start of May. So we did have a fair amount of backscatter in between until I really understood what greylisting could do.

Unfortunately, I can't talk the bosses into dropping another $800 or so to try and fix the problem. I know others have used ASSP with success, so I might look at that. SmarterMail's greylisting seems to be a lot better than what the rules in Declude offer. I might look at implementing ASSP in front of SM. I've heard a lot of people talk about the advantages of running something in front of your mail server. So it might be time.
Todd

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Craig Edmonds
Sent: Saturday, May 16, 2009 1:53 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] BackScatter

Hi Todd,

I think grey listing prevents backscatter coming INTO your mail server, it does not prevent you getting on blacklists. If you are on a blacklist then I think you need to figure out how your smtp server is configured because it would indicate an issue somewhere.

Since using Alligate (http://www.alligate.com) as the first line of defence in front of declude, we have had zero black listings and all the backscatter has disappeared. The backscatter rules in declude really blow which is why I would highly recommend looking at Alligate as your smtp gateway.

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: http://www.123marbella.com/
E: cr...@123marbella.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Michael Graveen
Sent: 16 May 2009 13:54
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] BackScatter

I think Greylisting reduces backscatter. Greylisting stops the majority of the SPAM from ever reaching our mail server, so it never has a chance to get bounced back because of a non existent user, etc.

Mike

Hi Everyone -

We've been having a few issues with mail servers refusing our mail. Today I ran a test on DNSStuff and found that our IP is on BackScatter.org. They are referencing an event on 4/27, and supposedly we will be removed after 4 weeks if they haven't had any other issues. Of course we can pay to have it removed sooner. I'm not sure if being listed in their DB is the main culprit to the server refusals that I've seen?

We switched over to SmarterMail in mid-April. Since 4/27, we have implemented grey listing. Is grey listing a good first line of defense? Is there anything else I should be doing to prevent back scatter?
Thanks for your thoughts on this.

Todd
Re: [Declude.JunkMail] Blacklist Based on TO Address?
Not sure if this is what you are asking - you could do something like this for a particular recip subject pairing:

ALLRECIPS END NOTCONTAINS x
SUBJECT END NOTCONTAINS xx
REVDNS delete weight CONTAINS .

-Nick

David Barker wrote:

No there is not. If you want to blacklist I would suggest using your mail server functionality to do this as the earlier you can stop a message the better. Secondly if you really want Declude to do this you can see the section Your own sender blacklists in the online manual http://www.declude.com/searchresults.asp?Cat=109

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Stillwell
Sent: Thursday, October 30, 2008 8:45 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Blacklist Based on TO Address?

Is there a way to Blacklist based on TO/SUBJECT (Just like WHITELIST)

William Stillwell
Systems Architect
Re: [Declude.JunkMail] country chain
Hi David,

David Barker wrote:

We may want to create a new test which would trigger if multiple countries are in the routing. Any thoughts would be welcome.

I do not think it would add much value. For example I have a Russian company that sends all their email via Hong Kong. I suspect there are many other instances where it is normal for email to pass through multiple countries..

-Nick

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry vanderzand
Sent: Wednesday, October 08, 2008 7:03 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

Anybody have any idea why the ROUTING test is not adding to my weight. Here is another sample of where the ROUTING test should have added to the score:

X-Country-Chain: UNITED STATES-EL SALVADOR-CANADA-destination
X-Spam-Tests-Failed: UCEPROTECT-LEVEL2-, NOABUSE, NOPOSTMASTER, FILTER-COUNTRY [6]

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry vanderzand
Sent: Monday, October 06, 2008 11:24 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] country chain

I am still trying to figure this out. I have the following command in my global.cfg:

ROUTING spamrouting x x 6 0

Yet the following sample did not trigger it:

X-Country-Chain: NIGERIA-UNITED STATES-CANADA-destination
X-Spam-Tests-Failed: FILTER-COUNTRY, WEIGHT10, WEIGHT11 [11]

Should there not have been another 6 points added for the path the mail took?
Thank you

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Steiner
Sent: Thursday, October 02, 2008 11:21 AM
To: declude.junkmail@declude.com
Subject: re: [Declude.JunkMail] country chain

The ROUTING test was meant for this. It checks for spam that was sent through multiple countries.

Another way is to add weight to individual countries using a filter and the COUNTRIES test which will fail based on a country code:

COUNTRIES 10 CONTAINS CN

If you wanted to get really complicated, you could create an IP4R test for each country using the blacklist at http://countries.nerd.dk/

Original Message
From: Harry vanderzand [EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 11:35 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] country chain

When spam goes through several countries as in:

X-Country-Chain: UNITED ARAB EMIRATES-POLAND-CANADA-destination

Is there a way to add weight to mail that would have travelled this way?

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222
Re: [Declude.JunkMail] doprewhitelist
Hi David,

Are there any new features, etc for Declude, soon to be released or planned? If so would you elaborate?

-Nick

David Barker wrote:

Part of the interim release debug logging, it will be removed for the actual release.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 x 7007 office
978.988.1311 fax
[EMAIL PROTECTED]
-declude -dnsstuff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry vanderzand
Sent: Monday, October 06, 2008 1:11 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] doprewhitelist

I see the following in my logs for each e-mail. What is this about?

10/06/2008 13:10:14.390 q46710345f479.smd Start: doprewhitelist
10/06/2008 13:10:14.390 q46710345f479.smd END: doprewhitelist

Harry Vanderzand
NEW ADDRESS Effective Jan 24, 2008
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222
Re: [Declude.JunkMail] version 4.4.20
Thanks David! -Nick

David Barker wrote:
Actually having checked the file the notes for the changes are already there. But for your convenience here is the list of changes.

PRE-RELEASE NOTES
---
4.4.20 Fixed Declude leaving an open socket during avg update. Also fixed for possibility of an early terminating thread in the transfer file function.
4.4.19 Temporary fix for CATCHALLMAIL not holding the e-mail when the e-mail is whitelisted and when COPYFILEACTIONWITHHEADER = ON
4.4.18 WHITELIST TO Removed the restriction of abuse@, noc@, postmaster@ and updated ROUTING the foreign IP address list
4.4.17 In fullmsg the header part of the message was being stored and printed twice.
4.4.16 Changed critical section to when accessing the Address book for autowhitelisting to resolve a thread hanging issue with Imail.
4.4.14 Added critical section before opening the Imail MS Access Database to prevent crashes
4.4.13 Changed the CommTouch Temp Directory from the default (the machine default tempdir) to ...\Declude\scanners\commTouch\Temp
4.4.12 Updated GP1 files to be amended rather than overwritten. Information will be appended with the system Date and time. Fixed a crash issue, due to decoding of the subject line. Fixed issue of TXT files being left in the work directory. Requires replacement of the avgsdk.dll.
4.4.11 Update Declude encoding of winmail.data (TNEF) and storing the attachment file and its corresponding file name. Improved detection of the Invalid zip vulnerability.
4.4.10 Added error message in logs for additional information as to why txt file could not be moved back to virus directory
4.4.8 Invalid zip vulnerability; updated Declude to be compatible with '7z' file archived compressor
4.4.7 Updated Declude to report on ODBC access issues in Imail.
4.4.6 Updated PCRE to better handle pcre .dll exceptions
4.4.5 If ZEROHOUR weight value cannot be converted to an integer it will be ignored. This is a fix for a bug reported when ZEROHOUR test action was set, ZEROHOUR was scoring a value of zero.
4.4.4 Updated FROMNOMATCH test failing when e-mail is sent as an NDR
4.4.3 Updated FROMNOMATCH test failing. According to RFC-822 the angle bracket is not a requirement for FROM: in the header part of the email. Changed to handle the angle bracket and without.
4.4.2 Fixed CATCHALLMAIL to be triggered on whitelisted e-mail
4.4.1 Removed references to previous Versions (PRO/STD/LITE).
4.4.0 Release

David Barker VP Operations Declude Your Email security is our business 978.499.2933 x 7007 office 978.988.1311 fax [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Monday, September 29, 2008 11:49 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] version 4.4.20

The readme.txt which is available at the interim site provides the updates (release notes). As we have just put out the 4.4.20 I have not as of yet updated the .txt file, which I will do later today. David B

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Sunday, September 28, 2008 1:46 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] version 4.4.20

Hi - Are there any release notes as to how this version differs from 4.4.18? Are these release notes posted on the Declude site? Thanks -Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] version 4.4.20
Hi - Are there any release notes as to how this version differs from 4.4.18? Are these release notes posted on the Declude site? Thanks -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Re:Declude vs Perry
Hi David - Below was forwarded to me - as a long time Decluder I am very disappointed in seeing something like this - -Nick http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS (BOSTON) 1:08-cv-11072 FILED: 06/25/08 *The ownership of source code and the ownership of the code in general used to build a website is often an overlooked issue. Make sure that you have spelled out not only the ownership of the code but also the requirements relating to what code can be retrieved from the public domain. If you are using a web developer who retains ownership of source code then you risk having that developer use the code with future competitors at much lower costs and with the benefit of your intellectual capital in developing the architecture, engineering, and business processes. * Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking software in September, 2000, and sold the products as Declude Virus, Declude Junkmail, and Declude Hijack. The Defendant, R. Scott Perry, allegedly used the same source code in developing an additional product, and when the Plaintiff went to venture capitalists to raise capital, the detailed due diligence revealed that Defendant had retained a copy of the source code contrary to the provisions of the purchase agreement in 2000, and had again sold some of the same code to the Plaintiff in the new product he had launched. The Plaintiff has sued the individual Defendant for copyright infringement, breach of contract, fraud, conversion, unjust enrichment, and unfair and deceptive acts and practices. Dozier Internet Law Cross-Reference Number 1190. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Re:Declude vs Perry (ES)
Hi Craig, Craig Edmonds wrote: I am not a lawyer so dont understand 100%. So Scott Perry agreed to sell the code but kept a copy anyway and when the new owners of Declude went to raise capital they found out that Scott Perry had already developed an additional product with the code they had bought. I dont see the problem myself? My point was really that I am disappointed that this situation has developed between all parties. Period. Regarding the allegations of the suit - that is what they are. Simply one side of the story ala Roger Clemons [http://dickipedia.org/dick.php?title=Roger_Clemens] suit against Brian McNamee. If the Declude suit ever goes to trial the facts will be revealed. Problem is I would say getting to trial is expensive - which may or may not be part of the suit intention. -Nick The new owners of declude are just protecting their interests no? Kindest Regards Craig Edmonds 123 Marbella Internet Services W: www.123marbella.com http://www.123marbella.net/ E : [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Nick Hayer *Sent:* 09 September 2008 16:16 *To:* declude.junkmail@declude.com *Subject:* [Declude.JunkMail] Re:Declude vs Perry Hi David - Below was forwarded to me - as a long time Decluder I am very disappointed in seeing something like this - -Nick http://dozierinternetlawpc.cybertriallawyer.com/computer-lawyer DECLUDE, INC. AND DNSSTUFF, LLC. v. R. SCOTT PERRY DISTRICT OF MASSACHUSETTS (BOSTON) 1:08-cv-11072 FILED: 06/25/08 *The ownership of source code and the ownership of the code in general used to build a website is often an overlooked issue. Make sure that you have spelled out not only the ownership of the code but also the requirements relating to what code can be retrieved from the public domain. 
If you are using a web developer who retains ownership of source code then you risk having that developer use the code with future competitors at much lower costs and with the benefit of your intellectual capital in developing the architecture, engineering, and business processes. * Declude purchased the Defendant's anti-virus, anti-spam and anti-hijacking software in September, 2000, and sold the products as Declude Virus, Declude Junkmail, and Declude Hijack. The Defendant, R. Scott Perry, allegedly used the same source code in developing an additional product, and when the Plaintiff went to venture capitalists to raise capital, the detailed due diligence revealed that Defendant had retained a copy of the source code contrary to the provisions of the purchase agreement in 2000, and had again sold some of the same code to the Plaintiff in the new product he had launched. The Plaintiff has sued the individual Defendant for copyright infringement, breach of contract, fraud, conversion, unjust enrichment, and unfair and deceptive acts and practices. Dozier Internet Law Cross-Reference Number 1190. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Alligate Problems (ES)
fyi - Alligate has started its own maillist - to join: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] The mailing list address is [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] -Nick Dave Marchette wrote: Always copy and paste, and always don't allow a trailing space at the end of the domain name to also be pasted because if you do, Alligate will ignore it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Edmonds Sent: Friday, August 29, 2008 7:53 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] OT: Alligate Problems (ES) Yeah. Glad to hear that it all works for you. ALWAYS copy and paste domain names and email addresses!!! Kindest Regards Craig Edmonds 123 Marbella Internet Services W: www.123marbella.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fosseen Sent: 29 August 2008 16:03 To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] OT: Alligate Problems Thanks everyone for your input. It looks like my install is now working as it should be. The slow delivery times was caused by performance problems on a remote mail server and a MX record that should have been reconfigured. The simple story was that 5+ years ago I was running backup smtp servers for some of my clients. The problem was that I still had one of these clients setup with me running a backup to their mailserver. What looks to have happened is that the recent increase in mail caused their mail server beyond capacity which caused an assortment of problems from not responding, to starting to accept mail and then stall. So when their mail server was choking mail started to come into my Alligate server. When my Alligate tried to verify users it would contact the sick mail server which for all practical purposes tar-pitted the requests. Eventually Alligate was using all it's resources to establish connections to a mail server that could not complete requests, and email simply backed up. 
Once AGSupport reconfigured my AG box to not accept mail for the problem domain the problem went away (after it cleared its backlog). The 2nd issue was a new domain I added I misspelled the domain name. Even after I had checked the spelling on not less than 5 occasions I missed the typo each time. Once that was corrected AG worked as expected.

--
From: Scott Fosseen [EMAIL PROTECTED]
Sent: Monday, August 25, 2008 5:19 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] OT: Alligate Problems

| From the recommendations from this list I am currently evaling alligate. I
| have to say my installation has been plagued with problems. I installed on
| a fresh HP DL360 G3 with dual 2.8 Ghz Xeon processors, 4 gig of ram, and
| mirrored Ultra320 SCSI 72 Gig drives.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Alligate Problems
Hi Scott, Scott Fosseen wrote: I guess I am looking for a word of encouragement from the alligate supporters out there that I should stay diligent or if there are any tips you can share. Alligate is unbelievable with what it does and with what little resource it uses. It is the way to go - be patient and support at Alligate will assist. Regarding delays - where are the emails being queued? What do the logs say? -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Mail Pre-Processor recommendations
Colbeck, Andrew wrote: I use Alligate from Solid Oak Software, and I like it a lot. as do I. The really slick part is how it reduces bandwidth - it *very* accurately distinguishes spam etal before the DATA command thereby preventing the unwanted emails from ever being received.. Shameless plug - I have a small utility that will allow Declude (for Imail) to run on an Alligate box without Imail being present. If anyone is interested email me off list and I will send you a copy. -Nick On my primary gateway, I received just shy of 500,000 connections in the last 24 hours, and my Declude only had to see 4% of that traffic. Yes, 4%. I'm spending less time doing clever things in Declude, because Alligate is pre-filtering so well for me. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fosseen Sent: Wednesday, May 28, 2008 1:29 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Mail Pre-Processor recommendations I believe I have seen some replies to this already, but I though I would put this out again. I am hosting about 30 domains worth of email and filtering for an additional 10 domains. My current configuration is all mail is pre-filtered through a Barracuda 400 box, then forwarded to a Smartermail 4.x server running Declude with Sniffer, Zero Hour, invURIBL. The Smartermail/Declude box is a Dual Quad Core HP server with 2 Gig of RAM. I am currently receiving about 600k email messages a day on the Barracuda box, and it is seeing performance issues. Before I purchase a 2nd Barracuda box I though I would check to see if anyone has a better solution. Declude still catches 40-60% SPAM after the Barracuda box. Thanks _ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. 
You are asked to notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Prairie Lakes Area Education Agency. Prairie Lakes Area Education Agency accepts no liability for any damage caused by any virus transmitted by this email.

Scott Fosseen - Systems Engineer - Prairie Lakes AEA - http://www.aea8.k12.ia.us/tech

We live in a world today where lemonade is made from artificial flavors and furniture polish is made from real lemons. - Alfred E.Neumann MAD magazine

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Declude on Alligate
Fellow Declude users - . I have a small application that will allow Declude for Imail to run - without Imail - on an Alligate server. The result is Declude functionality on an Alligate gateway! The app is in production but before any formal release I am looking for a few folks to help me with testing. If anyone is interested kindly email me off list and I will send you a copy. Thanks -Nick ps. Sandy - please do not consider this spam :) I am only offering additional functionality for Declude... --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] 4.4.00 Released
Andre -

Colbeck, Andrew wrote:
David Barker said: DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed to the BLKLST log

I think it's the recording to the blklst.txt file that lives in the \spool dir. I have forgotten the file's purpose... -Nick

Dave, the what log? Andrew.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Thursday, March 27, 2008 7:30 AM
To: declude.junkmail@declude.com; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] 4.4.00 Released

4.4.00 Released we will be sending a notification to all customers.

EVA ADD Updated AVG (avgsdk.dll 1.3.511)
EVA ADD BANEXT EZIP for encrypted files .RAR can encrypt at the file name level requiring a password.
EVA ADD ALLOWVULNERABILITIESFROM example.com can be used with just domain
EVA FIX BANEZIPEXT ON blocking any encrypted file names
EVA FIX ALLOWVULNERABILITIESFROM error when non sender
EVA FIX Fix Header Vulnerability to accommodate Opera mail Client header format
JM ADD Updated PCRE (pcre3.dll 7.0)
JM ADD Updated CommTouch ZEROHOUR (asapskd.dll 5.05.8)
JM ADD Check the SmarterMail Domain Level for Trusted Sender in the domainconfig.xml
JM FIX PCRE on a match was writing additional information not pertaining to the match in the LOG
JM FIX PCRE found a match and the size of the match was than the buffer size.
JM FIX Declude produced an error when reading the envelope file (SM and IM), the HELO line can only be 512 according to RFC-821 we now truncate after 512 characters.
JM FIX HELO information was reported incorrectly when IPBYPASS is set
JM FIX Incoming and Outgoing messages being reported incorrectly
DEC ADD Can use for 4 digit year on log file names in the format ddmm
DEC ADD Added date, Time, Email, Spool name, Weight and Tests failed to the BLKLST log
DEC FIX SmarterMail CMDSPACE test. This test was not triggered in the SmarterMail envelope as token was changed from cmdspc instead of cmdspace we now check for both.

David Barker VP Operations Declude Your Email security is our business 978.499.2933 x 7007 office 978.988.1311 fax [EMAIL PROTECTED]

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list
Hi Rick, Having a bad day? -Nick Rick Klinge wrote: Will you morons please remove me from your spam list? *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *Sent:* Monday, February 04, 2008 10:33 PM *To:* declude.junkmail@declude.com *Subject:* [Declude.JunkMail] re: [384-0F3A4F35-96D8] You do not have permission to post to the declude.junkmail@declude.com list Thank you for submitting a ticket to support. Your ticket number is [384-0F3A4F35-96D8]. Please keep this ticket number for your records and include it in the subject (including brackets) of all future emails regarding this issue. The response time during business hours is usually within 24 hours, if you have had no response in this time please do not hesitate to call our support number 1-866-332-5833 Thank You. Declude Technical Support view this ticket online http://support.declude.com/customer/viewticket.aspx?email=declude.junkmail%40declude.comticketnum=384-0F3A4F35-96D8 --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE
David, Do not take all these suggestions personal. You are our pinata - remember? :) -Nick David Barker wrote: - Pulled out the bad package Did this. - Rolled a new package (with an incremented version number) with the missing DLL, tested the package successfully and posted it to the website for downloaded Did this although no need for an incremented version number as it was not related to declude but rather the installer and it effected only Imail users who had not upgraded to the last declude build - Checked my shopping cart or web logs and found out which customers had downloaded the bad version of the package Ok I could have done this. - Contacted only those customers by phone and email; when there is an email problem, email is a lousy communications channel So far it's only John and Dave I would have updated the Whats New web page. We had updated the Release notes. Where is the what's new page ? I *may* then also notify both support mailing lists. Anyone who was the JM list only should not have been effected as they were not notified of a release. I think Matt made a good point that Declude should start without the .dll and write an error message to the log, I have added this to the dev list. 
David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Tuesday, April 17, 2007 1:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE My only two cents on this: If I were David Barker I would have: - Pulled out the bad package - Rolled a new package (with an incremented version number) with the missing DLL, tested the package succesfully and posted it to the website for downloaded - Checked my shopping cart or web logs and found out which customers had downloaded the bad version of the package - Contacted only those customers by phone and email; when there is an email problem, email is a lousy communications channel I would have updated the Whats New web page. I *may* then also notify both support mailing lists. The rest is so much sturm und drang. Andrew. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Tuesday, April 17, 2007 9:02 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE So far this issue has effected 2 people. John and Dave. If there were 10's of others I can see your point however I am not emailing 4500 users when this is no longer an issue. It is because of people on these lists that provide us with good feedback, input and their 2 cents, that helps us provide a better service to the majority of users. In short thanks too John we did not have to send a second email. David From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy Armbrecht Sent: Tuesday, April 17, 2007 11:48 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE David, I normally do not put in my 2 cents worth to general discussions, but would like to this time just to help clarify the intent, as I see it, of the original request. Although I am a pretty avid (sp?) 
user of the forums/groups, I cannot imagine EVERYONE that is on the email distribition list is a frequent visitor to such. Those that are not will not learn of the mistakenly left out DLL file unless another email blast goes out. Randy Armbrecht Global Web Solutions, Inc. 804-442-5300 From: David Barker [EMAIL PROTECTED] Sent: Tuesday, April 17, 2007 10:33 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE The issue was corrected prior to notifying all customers, and therefore we did not need to send out a secondary email. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Tuesday, April 17, 2007 10:18 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Warning re: DECLUDE - CRITICAL VIRUS SCANNING UPDATE Hi David, Thank you for addressing the AVG problem as quickly as you did. I also think Declude is doing a good stuff on the Virus and Spam lists and I have no problem how yesterday's communication was handled on the virus list. However, I thought I had received a direct HTML formatted customer notice, with logos as such (not just via the regular virus list) urging the install of the new version (but I no longer have those emails). So I had understood Dave that he was expecting the warning - bad install email to be sent through that same distribution. I only hope that I don't remember wrong and wasn't looking at some older notice. Best Regards, Andy -Original
Re: [Declude.JunkMail] Spam gateway/proxy...
Hi Chuck, I use Alligate. It does some very fancy stuff prior to the 'data' command [among other things afterward] that on my system block 95% of incoming traffic prior to receiving the email. And this is not done with ip blacklists.. -Nick Chuck Schick wrote: Anyone using a spam gateway (Like IMGATE) or proxy (like ASSP) in front of declude. I am intrigued by the idea of using something that will reject the messages before accepting it for delivery and then scanning it. I would only want to use the gateway/proxy to perform graylisting, Sender Validation, tar pitting. According to Len Conrad this could result in a 70 to 90 percent reduction in spam. Ultimately I would like our spam filtering to be where we reject the message before the data command and messages that we do accept for delivery we scan with declude and if it is identified as spam it will be delivered to a junkmail folder in the users mailbox - which they can check via webmail or configure their mail clients to download it. I want to get out of the business of holding or deleting spam. Any thoughts, comments, ...? what have others done. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Image spam
Hi Scott,

Scott Fisher wrote:
Are there any end users who are using the VAMSOFT IMAGE SPAM AGENT that would like to comment on its effectiveness / processor utilization?

it seems to not use much cpu; its effectiveness is ok. In case you are unaware it does not ocr the email, it just works on probability - like a combo filter eg: It returns a value based on its confidence level and I score accordingly. Below is how I have it config'ed [I hold on 10 and delete on 30] -Nick

EXTERNAL.ORF.IMAGE_80 external 80 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_81 external 81 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_82 external 82 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_83 external 83 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_84 external 84 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_85 external 85 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_86 external 86 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_87 external 87 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_88 external 88 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_89 external 89 e:\IMail\declude\orf\imgspamagent.exe -check 10
EXTERNAL.ORF.IMAGE_90 external 90 e:\IMail\declude\orf\imgspamagent.exe -check 40
EXTERNAL.ORF.IMAGE_91 external 91 e:\IMail\declude\orf\imgspamagent.exe -check 40
EXTERNAL.ORF.IMAGE_92 external 92 e:\IMail\declude\orf\imgspamagent.exe -check 40
EXTERNAL.ORF.IMAGE_93 external 93 e:\IMail\declude\orf\imgspamagent.exe -check 40
EXTERNAL.ORF.IMAGE_94 external 94 e:\IMail\declude\orf\imgspamagent.exe -check 40
EXTERNAL.ORF.IMAGE_95 external 95 e:\IMail\declude\orf\imgspamagent.exe -check 50
EXTERNAL.ORF.IMAGE_96 external 96 e:\IMail\declude\orf\imgspamagent.exe -check 50
EXTERNAL.ORF.IMAGE_97 external 97 e:\IMail\declude\orf\imgspamagent.exe -check 50
EXTERNAL.ORF.IMAGE_98 external 98 e:\IMail\declude\orf\imgspamagent.exe -check 60
EXTERNAL.ORF.IMAGE_99 external 99 e:\IMail\declude\orf\imgspamagent.exe -check 70
EXTERNAL.ORF.IMAGE_100 external 100 e:\IMail\declude\orf\imgspamagent.exe -check 80

- Original Message -
From: David Barker mailto:[EMAIL PROTECTED]
To: declude.junkmail@declude.com mailto:declude.junkmail@declude.com
Sent: Wednesday, February 21, 2007 12:08 PM
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH
Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to exact-match recurrent patterns across similar but not-identical messages. However in the case of images, the minute the spammer makes even the smallest changes to an image, the image-encoded data appears completely different. Commtouch identified this trend in the earliest days of image-based spam, and made the necessary enhancements to its detection engine in order to defend against this new threat with a sophisticated protection shield. Commtouch invested significant resources into developing a method for decoding the images and then sampling them using the proven RPD approach. The result is a significantly improved spam detection rate, while maintaining the same low false-positive rate.

2. CLAMWIN
Using ClamAV as a virus scanner with Declude you can download the MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which contains signatures created from images contained within spam emails. http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID
Identifies emails which contain images, increasing the weight sufficiently on spam messages to reach the spam threshold.

#EXCEPTIONS
BODY END NOTCONTAINS cid:
BODY END NOTCONTAINS Content-Type: image/
#IMAGES
BODY 3 CONTAINS src=3Dcid:
BODY 3 CONTAINS src=cid:
BODY 3 CONTAINS src='cid:
BODY 3 CONTAINS img src=cid:
BODY 3 CONTAINS img src=3Dcid:
BODY 3 CONTAINS /cid:
#IMAGE TYPES
BODY 2 CONTAINS Content-Type: image/gif;
BODY 2 CONTAINS Content-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT
This tool is an External Agent for ORF 2.1 and newer versions that improves ORF by image spam detection capabilities, but can be used by Declude. http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE external nonzero [path]\Declude\VSIMAGE\imgspamagent.exe -check 40

David Barker
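The FILTER-CID lines from David Barker's message, run over constructed sample messages; this is an added example, not code from the post or from Declude. It assumes the lines are whitespace-separated as TEST WEIGHT OPERATOR STRING, that a matching END line stops the filter, that matching is case-insensitive and that BODY means the raw text after the message headers; `parse_filter`, `score` and the sample messages are hypothetical names.

```python
"""Added example: score raw message bodies with the FILTER-CID lines."""

# Filter lines from the post, spaced as TEST WEIGHT OPERATOR STRING (assumed layout).
FILTER_CID = """\
#EXCEPTIONS
BODY END NOTCONTAINS cid:
BODY END NOTCONTAINS Content-Type: image/
#IMAGES
BODY 3 CONTAINS src=3Dcid:
BODY 3 CONTAINS src=cid:
BODY 3 CONTAINS src='cid:
BODY 3 CONTAINS img src=cid:
BODY 3 CONTAINS img src=3Dcid:
BODY 3 CONTAINS /cid:
#IMAGE TYPES
BODY 2 CONTAINS Content-Type: image/gif;
BODY 2 CONTAINS Content-Type: image/jpeg;
"""


def parse_filter(text):
    """Return [(weight, operator, lowercased needle)]; weight is None for END."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and section comments carry no rule
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] != "BODY":
            raise ValueError("line %d: expected BODY WEIGHT OP STRING" % number)
        _, weight, op, needle = parts
        if op not in ("CONTAINS", "NOTCONTAINS"):
            raise ValueError("line %d: unsupported operator %s" % (number, op))
        rules.append((None if weight == "END" else int(weight), op, needle.lower()))
    return rules


def raw_body(message):
    """Everything after the first blank line, MIME part headers included."""
    _, sep, body = message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def score(message, rules):
    """Sum the weights of matching lines; a matching END line stops the filter."""
    body = raw_body(message).lower()  # assumption: case-insensitive matching
    total, fired = 0, []
    for weight, op, needle in rules:
        if (needle in body) != (op == "CONTAINS"):
            continue  # condition not met, try the next line
        if weight is None:
            fired.append("END " + needle)
            break
        total += weight
        fired.append(needle)
    return total, fired


def inline_image_mail(html, encoding, image_type):
    """Constructed multipart/related message with one image part."""
    return "\r\n".join([
        "From: sender@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/html; charset=us-ascii",
        "Content-Transfer-Encoding: " + encoding,
        "",
        html,
        "--b1",
        "Content-Type: %s; name=pixel" % image_type,
        "Content-Transfer-Encoding: base64",
        "Content-ID: <part1@example.com>",
        "",
        "R0lGODlhAQABAAAAACw=",
        "--b1--",
        "",
    ])


# Constructed samples: the same inline image referenced in encoded and plain HTML,
# an image part that nothing references, and a text-only message.
QP_MAIL = inline_image_mail("<img src=3Dcid:part1@example.com>", "quoted-printable", "image/gif")
PLAIN_HTML_MAIL = inline_image_mail("<img src=cid:part1@example.com>", "7bit", "image/jpeg")
NO_REFERENCE_MAIL = inline_image_mail("<p>See the attached photo.</p>", "7bit", "image/jpeg")
TEXT_MAIL = "From: a@example.com\r\nSubject: constructed\r\n\r\nMeeting moved to 3pm.\r\n"

if __name__ == "__main__":
    rules = parse_filter(FILTER_CID)
    for name, mail in [("quoted-printable", QP_MAIL), ("7bit", PLAIN_HTML_MAIL),
                       ("no cid reference", NO_REFERENCE_MAIL), ("text only", TEXT_MAIL)]:
        print(name, score(mail, rules))
```

Both inline-image samples score 8 and differ only in which lines fire, which shows why the filter lists `src=cid:` and `src=3Dcid:` separately when the body is matched before decoding.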
[Declude.JunkMail] dns attacks today
fyi - http://www.darkreading.com/document.asp?doc_id=116685WT.svl=news2_1 -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Interesting ORF stats
Hi John,

John T (Lists) wrote:
I have 3 gateway servers running IIS with ORF. These are my MX records for all my domains. ORF has identified and blocked 71% of incoming email on my primary gateway. ORF has identified and blocked 81% of incoming email on my secondary gateway.

I see the secondaries get more traffic as well - although I am not sure it's deliberate or it's the zombies do not know better -
[Regretfully I have abandoned ORF for the Alligate gateway. I am in the high nineties 96%+ with Brian's product...]
-Nick
Re: [Declude.JunkMail] New Reporting Tool
Thanks for sharing Karl, nice work!
-Nick

IS - Systems Eng. (Karl Drugge) wrote:
The newest PERL script. Slices, dices, etc ... Throw it in a directory, edit a few environment variables at the top of the script, dump in a few Declude logs, run it, enjoy. Requires PERL, of course.

Added two command line switches : 'day' and 'week' . Day does the previous day, week does the previous week. No command line switch, and you do all the logs in the directory.

This can be memory intensive... You have been warned ! My own server, with 11-13k log files, consumes 700+ megs of memory when doing an entire month. Folks with larger files might want to think about doing this many files at once.

Karl Drugge
Re: [Declude.JunkMail] Undocumented Directive 4.x
Any other undocumented's that you can share? :)
-Nick

David Barker wrote:
Just an FYI you may find it useful, in the global.cfg:

BLKLST ON

Writes a text file to the \spool\blklst.txt containing the IP and weight of emails eg.

1.1.1.1 23
2.2.2.2 7

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]
Re: [Declude.JunkMail] New pattern
- Return-Path: [EMAIL PROTECTED] Wed Nov 15 12:23:17 2006
Received: from MX1 [216.0.167.247] by mail4.skywaves.net with SMTP; Wed, 15 Nov 2006 12:23:17 -0500
Received: from gadreel-24.cablenet.com.ni [165.98.168.24] by mx1.skywaves.net (Alligate(TM) SMTP Gateway v2.6.10.15) with ESMPT id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Wed, 15 Nov 2006 12:22:10 -0500
Return-Path: [EMAIL PROTECTED]
Received: from 128.121.94.110 (HELO bodysage.com) by skywaves.com with esmtp (4HUN2,+)6A3 X6C4L+) id ,KX'C+--Z9RGC-6I for [EMAIL PROTECTED]; Thu, 16 Nov 2006 09:19:42 -0060
From: Ronald Valenzuela [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Ronald
Date: Thu, 16 Nov 2006 09:19:42 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Thread-Index: Aca6Q/37Q5RUM=L4E4H9)/GHI5/EX6==
X-Antivirus: avast! (VPS 0649-0, 15/11/2006), Outbound message
X-Antivirus-Status: Clean
X-MXRate-Prob: 0
X-MXRate-Country: NI
X-MXRate-Action: NONE
X-Alligate-ReceivingIP: [216.0.167.247]
X-Alligate-Grey: Skipped
X-Alligate-REVDNS: gadreel-24.cablenet.com.ni
X-Alligate-ID: 184997
Return-Path: [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [165.98.168.24]
X-Declude-Spoolname: 46087435.eml
X-Declude-Skywaves-Note: Inbound Scan by Declude v4.2.12 for spam. http://www.declude.com/x-note.htm;
X-Declude-Skywaves-Scan: Weight [0] at 12:23:46 on 15 Nov 2006
X-Declude-Skywaves-Fail: None
X-Declude-Skywaves-Country-Chain: UNITED STATES-NICARAGUA-UNITED STATES-destination
X-Declude-Skywaves-REVDNS: This message was sent from gadreel-24.cablenet.com.ni ([165.98.168.24])
X-Declude-Skywaves-Code: e
X-Declude-Skywaves-Recipcount: 1

-Dave Doherty
Skywaves, Inc.
97 Webster Street
Worcester, MA 01603
508-425-7176
[EMAIL PROTECTED]

- Original Message -
From: Nick Hayer [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, November 15, 2006 5:38 PM
Subject: Re: [Declude.JunkMail] New pattern

can you post the headers from samples that were delivered on different days? Then we can help I betcha
-Nick

Dave Doherty wrote:
Yes, it is similar. For some reason, sniffer doesn't seem to be getting all of them. I wonder if something like FROM 10 CONTAINS %SUBJECT% might work
-Dave Doherty
Skywaves, Inc.
97 Webster Street
Worcester, MA 01603
508-425-7176
[EMAIL PROTECTED]

- Original Message -
From: Herb Guenther [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, November 15, 2006 12:57 PM
Subject: Re: [Declude.JunkMail] New pattern

If this is the one you mean, we are getting lots but message sniffer is catching them all.

From: Clara Meier [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Probable SPAM:Clara
Date: Wed, 15 Nov 2006 14:36:18 +0180
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6Q783T3'TOP6*:T7V=0B3-U1(E9==
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.59.207.181;
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 57.
X-Declude-Sender: [EMAIL PROTECTED] [200.59.207.181]
X-Declude-Spoolname: -2041198825958.eml
X-Declude-RefID:
X-Declude-Scan: Incoming Score [20] at 08:36:30 on 15 Nov 2006
X-Declude-Fail: SPAMCOP [5], SNIFFER [15], WEIGHT10 [10], WEIGHT15 [15]
X-Country-Chain: ARGENTINA-destination
X-Declude-Code: f
X-Declude-Recipcount: 1
Re: [Declude.JunkMail] New pattern
can you post the headers from samples that were delivered on different days? Then we can help I betcha
-Nick

Dave Doherty wrote:
Yes, it is similar. For some reason, sniffer doesn't seem to be getting all of them. I wonder if something like FROM 10 CONTAINS %SUBJECT% might work
-Dave Doherty
Skywaves, Inc.
97 Webster Street
Worcester, MA 01603
508-425-7176
[EMAIL PROTECTED]

- Original Message -
From: Herb Guenther [EMAIL PROTECTED]
To: declude.junkmail@declude.com
Sent: Wednesday, November 15, 2006 12:57 PM
Subject: Re: [Declude.JunkMail] New pattern

If this is the one you mean, we are getting lots but message sniffer is catching them all.

From: Clara Meier [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Probable SPAM:Clara
Date: Wed, 15 Nov 2006 14:36:18 +0180
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6Q783T3'TOP6*:T7V=0B3-U1(E9==
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?200.59.207.181;
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 57.
X-Declude-Sender: [EMAIL PROTECTED] [200.59.207.181]
X-Declude-Spoolname: -2041198825958.eml
X-Declude-RefID:
X-Declude-Scan: Incoming Score [20] at 08:36:30 on 15 Nov 2006
X-Declude-Fail: SPAMCOP [5], SNIFFER [15], WEIGHT10 [10], WEIGHT15 [15]
X-Country-Chain: ARGENTINA-destination
X-Declude-Code: f
X-Declude-Recipcount: 1

Members, are you tired of your investments bringing you only a few percent return each year? Sick of those bloated blue chips? This week we are bringing you a company which is just the thing for an investor looking for big returns!

Dave Doherty wrote:
Hi, all-
The last day or two, I've been getting a lot of spam with a first name for the subject, and the same name in the from display address. Some of this is getting caught, but a lot is leaking through. Can anyone think of a way to check whether the subject is contained in the from address?
-Dave Doherty
Skywaves, Inc.
97 Webster Street
Worcester, MA 01603
508-425-7176
[EMAIL PROTECTED]

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct
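Dave's question above, whether the subject is contained in the From display name, can be tested outside Declude with a few lines of header parsing. This is an added example, not code from the thread or from Declude: the function names, test names and weights are hypothetical, and the sample messages are constructed from the From, Subject and Date values quoted in this thread. The time-zone check is an observation added here: the posted Date headers carry offsets of +0180 and -0060, whose minutes field is outside 00-59.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: From, Subject and Date values as quoted in the thread,
# with placeholder addresses (the archive redacts the real ones) and the
# "Probable SPAM:" tag removed, since the check runs before any tagging.
SAMPLES = {
    "clara": (
        "From: Clara Meier <sender1@example.invalid>\n"
        "Subject: Clara\n"
        "Date: Wed, 15 Nov 2006 14:36:18 +0180\n\nbody\n"
    ),
    "ronald": (
        "From: Ronald Valenzuela <sender2@example.invalid>\n"
        "Subject: Ronald\n"
        "Date: Thu, 16 Nov 2006 09:19:42 -0060\n\nbody\n"
    ),
    "list_reply": (
        "From: Nick Hayer <nick@example.invalid>\n"
        "Subject: Re: [Declude.JunkMail] New pattern\n"
        "Date: Wed, 15 Nov 2006 17:38:00 -0500\n\nbody\n"
    ),
}

WORD = re.compile(r"[A-Za-z]{3,}")          # ignore "Re", "It", stray letters
ZONE = re.compile(r"[+-]\d{2}(\d{2})\s*$")  # numeric offset at end of Date
MAX_SUBJECT_WORDS = 2                       # assumption: subject is a bare name

# Hypothetical test names and weights, in the spirit of a weighted filter.
WEIGHTS = {"SUBJ_IN_FROM": 10, "BAD_TZ": 5}


def subject_in_from(msg):
    """True when the subject consists only of words from the From display name."""
    display, _addr = parseaddr(msg.get("From", ""))
    name_words = {w.lower() for w in WORD.findall(display)}
    subj_words = [w.lower() for w in WORD.findall(msg.get("Subject", ""))]
    # A short subject made up entirely of name words; a normal reply whose
    # subject merely mentions the sender does not qualify.
    return (
        0 < len(subj_words) <= MAX_SUBJECT_WORDS
        and all(w in name_words for w in subj_words)
    )


def invalid_zone(msg):
    """True when the Date offset has a minutes field above 59 (e.g. +0180)."""
    match = ZONE.search(msg.get("Date", ""))
    return bool(match) and int(match.group(1)) > 59


def failed_tests(raw_message):
    """Return the names of the tests the raw message fails, in a fixed order."""
    msg = message_from_string(raw_message)
    failed = []
    if subject_in_from(msg):
        failed.append("SUBJ_IN_FROM")
    if invalid_zone(msg):
        failed.append("BAD_TZ")
    return failed


def weight(raw_message):
    """Total weight contributed by the two tests."""
    return sum(WEIGHTS[name] for name in failed_tests(raw_message))


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, failed_tests(raw), weight(raw))
```

Both signals are cheap to forge around, so they belong in a weighted score next to other tests rather than in a hard block.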
Re: [Declude.JunkMail] Spamhaus
nothing - Matt with his trickery is adding more weight to a last hop that fails the test...
-Nick

Darin Cox wrote:
Then what was wrong with my example?
Darin.

- Original Message -
*From:* Matt mailto:[EMAIL PROTECTED]
*To:* declude.junkmail@declude.com mailto:declude.junkmail@declude.com
*Sent:* Wednesday, November 15, 2006 7:19 PM
*Subject:* Re: [Declude.JunkMail] Spamhaus

Andy,
What you posted will work exactly the same way and there is no advantage either way except that your example is more normalized. I use the variables for a purpose that isn't necessary for most.
Matt

Andy Schmidt wrote:
Hi Matt:
Are you saying there is an advantage of the dnsbl syntax over using the standard ip4r syntax:

SPAMHAUS ip4r sbl-xbl.spamhaus.org 127.0.0.2 120
XBL ip4r sbl-xbl.spamhaus.org 127.0.0.4 60
BLITZEDALL ip4r sbl-xbl.spamhaus.org 127.0.0.6 50

As long as the test type and test subject is the same (e.g., ip4r sbl-xbl.spamhaus.org), it should do a single lookup and only evaluate the result several times!?

I've only used the DNSBL syntax when looking up Reverse DNS names, e.g.:

RDNSBL dnsbl %REVDNS%.rdns.mydomain.com * 20 0

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, November 15, 2006 05:35 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spamhaus

This is how to do it properly. Declude will do the lookup once when configured like this.

SPAMHAUS dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.2 120
XBL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.4 60
BLITZEDALL dnsbl %IP4R%.sbl-xbl.spamhaus.org 127.0.0.6 50

Matt

David Sullivan wrote:
Hello Darin,
Wednesday, November 15, 2006, 4:12:49 PM, you wrote:

DC SBL ip4r sbl.spamhaus.org * 55 0
DC XBL ip4r xbl.spamhaus.org * 55 0

I was using 127.0.0.2 for SBL and 127.0.0.4 for XBL but Spamhaus lists .2-4 for SBL and .2-6 for XBL but I guess * would work for each and capture all return codes. Right?

DC SBL-XBL ip4r sbl-xbl.spamhaus.org * 55 0

This doesn't discriminate between the two then, right? Thanks
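The behaviour discussed in this thread, one DNS query against the combined zone with the answer evaluated once per test line, sketched as an added example (not Declude's code). The resolver is passed in as a function so the block runs offline; the zone, test names and return codes are the ones quoted above, while the weights, the listed addresses and the fake zone data are constructed for illustration.

```python
import ipaddress

ZONE = "sbl-xbl.spamhaus.org"

# (test name, zone, expected answer, weight). "*" matches any answer, as in
# the wildcard line quoted in the thread. Weights are illustrative.
TESTS = [
    ("SPAMHAUS", ZONE, "127.0.0.2", 12),
    ("XBL", ZONE, "127.0.0.4", 6),
    ("BLITZEDALL", ZONE, "127.0.0.6", 5),
    ("SBL-XBL", ZONE, "*", 5),
]


def query_name(ip, zone):
    """Build the ip4r query name: 192.0.2.99 -> 99.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class CachingResolver:
    """Wraps a lookup function so each query name is resolved only once."""

    def __init__(self, lookup):
        self._lookup = lookup
        self._cache = {}
        self.queries = 0  # number of lookups actually sent

    def answers(self, name):
        if name not in self._cache:
            self.queries += 1
            # A combined list can return several A records for one address.
            self._cache[name] = frozenset(self._lookup(name))
        return self._cache[name]


def evaluate(ip, tests, resolver):
    """Return ([(test name, weight), ...], total weight) for one address."""
    hits = []
    for name, zone, expected, weight in tests:
        answers = resolver.answers(query_name(ip, zone))
        if (expected == "*" and answers) or expected in answers:
            hits.append((name, weight))
    return hits, sum(weight for _, weight in hits)


# Constructed zone data using documentation addresses (192.0.2.0/24).
FAKE_ZONE = {
    "99.2.0.192." + ZONE: ["127.0.0.4"],
    "100.2.0.192." + ZONE: ["127.0.0.2", "127.0.0.4"],
}


def fake_lookup(name):
    """Stand-in for a DNS A query; an empty list means NXDOMAIN (not listed)."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    resolver = CachingResolver(fake_lookup)
    for addr in ("192.0.2.99", "192.0.2.100", "192.0.2.1"):
        print(addr, evaluate(addr, TESTS, resolver), resolver.queries)
```

The wildcard line fires on any listing and adds its weight on top of the specific tests, which is why it cannot tell the SBL and XBL answers apart.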
Re: [Declude.JunkMail] declude not modifying subject line
Hi David F,

David Franco-Rocha [ Declude ] wrote:
The broken line terminators are not necessarily of the same type in a given message. In addition, they are not necessarily adjacent to each other (with leading whitespace or unprintable characters on a line). What may appear obvious to the eye is often not at all what exists behind the scene. You may look at a message and be certain where the headers end and the body begins (the separating blank line). However, that message may not necessarily contain two consecutive EOL sequences of any type anywhere.

Would it be possible for you to post to the list samples of emails that are problematic? Let's all have a look and maybe the solution will be found right off - Heck maybe even Scott who I just saw post may chime in on this one.

Regards,
-Nick
Re: [Declude.JunkMail] Spam not being caught
Hi Karl,
Post a sample with full headers so we can see what the scofflaw is sending you
-Nick

Karl Hentschel wrote:
Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Monday, November 06, 2006 11:27 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam not being caught

This filter will work for targeting CMDSPACE with a gif attachment. You might want to

SKIPIFWEIGHT 315
STOPATFIRSTHIT
BODY END NOTCONTAINS Content-Type: image/gif
TESTSFAILED END NOTCONTAINS CMDSPACE
BODY 100 CONTAINS img src=""
BODY 100 CONTAINS src="" class="moz-txt-link-rfc2396E" href="">"cid:
BODY 100 CONTAINS src=""moz-txt-link-rfc2396E" href="">"cid:
BODY 100 CONTAINS src="">= cid:

- Original Message -
From: "Karl Hentschel" [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, November 06, 2006 12:58 PM
Subject: [Declude.JunkMail] Spam not being caught

We have been getting quite a bit of SPAM, usually about stocks that is not being caught by Declude. I have the newest version of Declude, updated filter files from Imail, invURIBL, trial version of Sniffer. These emails are typically only failing cmdspace and helobogus, not enough to get blocked. Has anyone had any success blocking these recent floods of emails?
Re: [Declude.JunkMail] Spam not being caught
So far - and I have been hammered as well is they all contain 2 "$$" and end with @debora
I have a regex that hits these - [EMAIL PROTECTED]
-Nick

Karl Hentschel wrote:
Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job.

This one didn't fail any Declude tests.

from [EMAIL PROTECTED] Wed Nov 08 12:53:17 2006
Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800
Return-Path: [EMAIL PROTECTED]
Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360
From: "Mamie Cabrera" [EMAIL PROTECTED]
To: xxx@ourdomain.com
Subject: X-IMail-SPAM-Phrase Mamie wrote:
Date: Wed, 8 Nov 2006 20:52:49 +0360
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z==
X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74]
X-Declude-Spoolname: D43a700fb00e8c9be.smd
X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006
X-Declude-Fail: None
X-Country-Chain: UNITED STATES-destination
X-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing)
X-RCPT-TO: xxx@ourdomain.com
Status: U
X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WRO
X-UIDL: 463003429

This failed a few.

from [EMAIL PROTECTED] Thu Nov 09 12:03:16 2006
Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800
Return-Path: [EMAIL PROTECTED]
Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060
From: "Bud Mora" [EMAIL PROTECTED]
To: xxx@ourdomain.com
Subject: X-IMail-SPAM-Phrase It's Bud :)
Date: Thu, 9 Nov 2006 20:02:42 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09==
X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com.
X-RBL-Warning: DYNHELO: Dynamic HELO found.
X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68]
X-Declude-Spoolname: D8965064d00d0eb56.smd
X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006
X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5]
X-Country-Chain: CANADA-FRANCE-destination
X-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick)
X-RCPT-TO: xxx@ourdomain.com
Status: U
X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE IT'S BUD
X-UIDL: 463095290

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Thursday, November 09, 2006 11:31 AM
To: declude.junkmail@declude.com
Subject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caught

Hi Karl,
Post a sample with full headers so we can see what the scofflaw is sending you
-Nick

Karl Hentschel wrote:
Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed that they are coming from out of the country. How is everyone dealing with these?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Monday, November 06, 2006 11:27 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Spam not being caught

This filter will work for targeting CMDSPACE with a gif attachment. You might want to

SKIPIFWEIGHT 315
STOPATFIRSTHIT
BODY END NOTCONTAINS Content-Type: image/gif
TESTSFAILED END NOTCONTAINS CMDSPACE
BODY 100 CONTAINS img src=""
BODY 100 CONTAINS src="" class="moz-txt-link-rfc2396E" href="">"cid:
BODY 100 CONTAINS
Re: [Declude.JunkMail] Spam not being caught
Hi Scott
I know it will morph - but that is all I see for now. Do you have a pattern that will persist for this spammer?
-Nick

Scott Fisher wrote:
The @debora will change... I get over a 1000 spam a day from this spammer. I don't think you'll be able to target his zombies effectively with any IP4r list.

- Original Message -
From: Nick Hayer
To: declude.junkmail@declude.com
Sent: Thursday, November 09, 2006 4:51 PM
Subject: Re: [Declude.JunkMail] Spam not being caught

So far - and I have been hammered as well is they all contain 2 "$$" and end with @debora
I have a regex that hits these - [EMAIL PROTECTED]
-Nick

Karl Hentschel wrote:
Here are a headers from a few of the messages, with our email address removed, that we have been receiving. We have been receiving tons of these from different domains, IP's.. I have been using IMail filters to catch some of them because Declude hasn't been doing a very good job.

This one didn't fail any Declude tests.

from [EMAIL PROTECTED] Wed Nov 08 12:53:17 2006
Received: from host33-74.birch.net [216.212.33.74] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A3A7FB00E8; Wed, 08 Nov 2006 12:52:55 -0800
Return-Path: [EMAIL PROTECTED]
Received: from 208.65.145.2 (HELO buckeyenissan.com.inbound15.mxlogicmx.net) by pcfcu.org with esmtp (D70MB482Y 8LJH6) id IFLT4O-RHJVV5-3H for xxx@ourdomain.com; Wed, 8 Nov 2006 20:52:49 +0360
From: "Mamie Cabrera" [EMAIL PROTECTED]
To: xxx@ourdomain.com
Subject: X-IMail-SPAM-Phrase Mamie wrote:
Date: Wed, 8 Nov 2006 20:52:49 +0360
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Thread-Index: Aca6Q3OW2X20X4MXS950OD9TUPU55Z==
X-Declude-Sender: [EMAIL PROTECTED] [216.212.33.74]
X-Declude-Spoolname: D43a700fb00e8c9be.smd
X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [0] at 12:53:16 on 08 Nov 2006
X-Declude-Fail: None
X-Country-Chain: UNITED STATES-destination
X-IMAIL-SPAM-PHRASE: (43a700fb00e8c9be, whats the first rule of investing)
X-RCPT-TO: xxx@ourdomain.com
Status: U
X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE MAMIE WRO
X-UIDL: 463003429

This failed a few.

from [EMAIL PROTECTED] Thu Nov 09 12:03:16 2006
Received: from APuteaux-152-1-90-68.w86-205.abo.wanadoo.fr [86.205.87.68] by mail.pcfcu.org with ESMTP (SMTPD32-8.15) id A96664D00D0; Thu, 09 Nov 2006 12:02:46 -0800
Return-Path: [EMAIL PROTECTED]
Received: from 207.236.26.82 (HELO mail.cableteksystems.com) by pcfcu.org with esmtp (DEIL1D7SO3 S7E59) id V714O9-TFHDJZ-CD for xxx@ourdomain.com; Thu, 9 Nov 2006 20:02:42 -0060
From: "Bud Mora" [EMAIL PROTECTED]
To: xxx@ourdomain.com
Subject: X-IMail-SPAM-Phrase It's Bud :)
Date: Thu, 9 Nov 2006 20:02:42 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Thread-Index: Aca6QIH9S2BNQ98OSCRZRQUO3YHU09==
X-RBL-Warning: FIVETEN-SRC: 68.87.205.86.blackholes.five-ten-sg.com.
X-RBL-Warning: DYNHELO: Dynamic HELO found.
X-Declude-Sender: [EMAIL PROTECTED] [86.205.87.68]
X-Declude-Spoolname: D8965064d00d0eb56.smd
X-Declude-Note: Scanned by Declude 3.1.1 for spam. "http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [9] at 12:03:15 on 09 Nov 2006
X-Declude-Fail: FIVETEN-SRC [4], DYNHELO [5]
X-Country-Chain: CANADA-FRANCE-destination
X-IMAIL-SPAM-PHRASE: (8965064d00d0eb56, our hottest pick)
X-RCPT-TO: xxx@ourdomain.com
Status: U
X-IMail-Rule: H~x-imail-spam:xxx@ourdomain.comData- X-IMAIL-SPAM-PHRASE IT'S BUD
X-UIDL: 463095290

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Thursday, November 09, 2006 11:31 AM
To: declude.junkmail@declude.com
Subject: X-IMail-SPAM-Phrase Re: [Declude.JunkMail] Spam not being caught

Hi Karl,
Post a sample with full headers so we can see what the scofflaw is sending you
-Nick

Karl Hentschel wrote:
Thanks for the tip, but unfortunately I am not using the Pro version of Declude so I cannot create my own filters. Are others being slammed with stock spam recently? Declude is blocking several hundred of them a day, but many are still slipping through without failing any or very few tests. Is it possible to block with the country chain? I noticed
Re: [Declude.JunkMail] Spam not being caught
Scott Fisher wrote:
I get over a 1000 spam a day from this spammer.

If you don't have a pattern would you mind sending me off list a few of the ones you do receive from different days? I do not recognize this guy so I would like to see more of his product.
-Nick
Re: [Declude.JunkMail] Clam AV Updates
Hi Mark,
I just sent you off list my \share\clamav dir zipped up...
-Nick

Mark Reimer wrote:
My daily.inc folder is missing from the clam directory. Could anyone please help me?

Mark Reimer
IT System Admin
American CareSource
972-308-6887

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Reimer
Sent: Thursday, November 09, 2006 4:53 PM
To: Declude JunkMail
Subject: [Declude.JunkMail] Clam AV Updates

Today I noticed that my daily.inc folder was gone and when I ran freshclam it gave me a mirror is not synchronized error. Anyone else see this?

Mark Reimer
IT System Admin
American CareSource
972-308-6887
Re: [Declude.JunkMail] whitelisting based on rev dns
Craig Edmonds wrote:
How can I whitelist based on Reverse DNS?

REMOTEIP WHITELIST CIDR 64.4.240.0/20
REVDNS WHITELIST ENDSWITH .paypal.com
etc...
-Nick

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
Re: [Declude.JunkMail] Help with Configuration
Todd Richards wrote:
Thanks Kevin. This is what I was wondering about, so I will look into how to implement.

something like this:

WEIGHTRANGE.SPAM.LOW weightrange x x 10 12
triggered on a weight of 10 to 12 inclusive
WEIGHTRANGE.SPAM.MID weightrange x x 13 15
WEIGHTRANGE.SPAM.HIGH weightrange x x 16 18
WEIGHTRANGE.SPAM.VHIGH weightrange x x 19 26
etc

and then subject tag on the hits

WEIGHTRANGE.SPAM.LOW SUBJECT [Possible Spam(low)]-
WEIGHTRANGE.SPAM.MID SUBJECT [Possible Spam(mid)]-
WEIGHTRANGE.SPAM.HIGH SUBJECT [Possible Spam(high)]-
WEIGHTRANGE.SPAM.VHIGH SUBJECT [Possible Spam(vhigh)]-
WEIGHTRANGE.SPAM.XVHIGH SUBJECT [Possible Spam(Xvhigh)]-
etc
-Nick

Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Tuesday, November 07, 2006 2:58 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Help with Configuration

Look at using "weightrange" instead of weight to define your weighted tests. It simplifies the weighting and makes it clear on what will happen to the message.
Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Richards
Sent: Tuesday, November 07, 2006 11:19 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Help with Configuration

Hey Everyone -
We are just getting things tuned to the point where we are truly happy with the results we are seeing. What I am trying to do now is help myself monitor the "close calls". I was sending everything between "caught" and "delete" to a spam mailbox so that I could check for any false positives. However, with my new success, that is getting out of hand. So what I would like to do is set up a new account to help with the overflow and allow me to really monitor the close ones.

Here is my weights in my global.cfg file:

WEIGHT10 WARN
WEIGHT15 WARN
WEIGHT19 HOLD
WEIGHT32 HOLD
WEIGHT60 DELETE

Here is the corresponding actions that I have in my $default$.junkmail file:

WEIGHT10 WARN
WEIGHT15 SUBJECT **SPAM**
WEIGHT19 ROUTETO [EMAIL PROTECTED]
WEIGHT19a SUBJECT [%WEIGHT%]
WEIGHT32 ROUTETO [EMAIL PROTECTED]
WEIGHT32a SUBJECT [%WEIGHT%]
WEIGHT60 DELETE

My plan with the above is to send everything with a weight of 19-31 to [EMAIL PROTECTED], and everything from 32-59 to [EMAIL PROTECTED]. What I am hoping to accomplish by this is to keep a closer eye on those email that might accidentally be caught.

Right now, 95% of the messages are ending up in the [EMAIL PROTECTED] mailbox even if they are above the WEIGHT32 (which should then go to "spam2"). However, it does appear that everything over 60 is being deleted. I've checked all of the config files to make sure I have things set up right, and it does appear that way. Am I missing something, or is there something different that I should be doing?

Thanks!
Todd
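A small model of the difference between the threshold tests in Todd's configuration and the weightrange tests suggested in the replies, as an added example (not Declude's code or configuration). It assumes a WEIGHTnn test is failed by every message whose total is at or above nn, which matches the X-Declude-Fail headers elsewhere in this archive where WEIGHT10 and WEIGHT15 fire together; the range test names and the mailbox "spam1" are hypothetical, the bounds 19-31 and 32-59 come from Todd's description, and which of several matching ROUTETO actions Declude applies is not modelled.

```python
# Threshold tests from Todd's configuration: failed when weight >= value.
THRESHOLD_TESTS = {
    "WEIGHT10": 10, "WEIGHT15": 15, "WEIGHT19": 19, "WEIGHT32": 32, "WEIGHT60": 60,
}
ACTIONS = {
    "WEIGHT10": "WARN",
    "WEIGHT15": "SUBJECT",
    "WEIGHT19": "ROUTETO spam1",   # mailbox names are placeholders
    "WEIGHT32": "ROUTETO spam2",
    "WEIGHT60": "DELETE",
}

# Range tests (hypothetical names) with inclusive bounds, as in the
# "triggered on a weight of 10 to 12 inclusive" reply.
RANGE_TESTS = {
    "WEIGHTRANGE.SPAM1": (19, 31),
    "WEIGHTRANGE.SPAM2": (32, 59),
}


def failed_thresholds(weight):
    """Every threshold test at or below the message weight is failed."""
    return [name for name, limit in THRESHOLD_TESTS.items() if weight >= limit]


def routes_triggered(weight):
    """ROUTETO actions attached to the failed threshold tests."""
    return [
        ACTIONS[name]
        for name in failed_thresholds(weight)
        if ACTIONS[name].startswith("ROUTETO")
    ]


def failed_ranges(weight, ranges=RANGE_TESTS):
    """Range tests whose inclusive bounds contain the message weight."""
    return [name for name, (lo, hi) in ranges.items() if lo <= weight <= hi]


def check_ranges(ranges, first, last):
    """List gaps and overlaps when the ranges should tile first..last."""
    problems = []
    expected = first  # next weight that still needs to be covered
    for name, (lo, hi) in sorted(ranges.items(), key=lambda kv: kv[1]):
        if lo > hi:
            problems.append(f"{name}: lower bound above upper bound")
            continue
        if lo > expected:
            problems.append(f"gap {expected}-{lo - 1} before {name}")
        elif lo < expected:
            problems.append(
                f"{name} overlaps previous range at {lo}-{min(hi, expected - 1)}"
            )
        expected = max(expected, hi + 1)
    if expected <= last:
        problems.append(f"gap {expected}-{last} after last range")
    return problems


if __name__ == "__main__":
    for w in (25, 40, 75):
        print(w, failed_thresholds(w), routes_triggered(w), failed_ranges(w))
    print(check_ranges(RANGE_TESTS, 19, 59))
```

At weight 40 the threshold model yields two competing ROUTETO actions, while the range model selects exactly one test; `check_ranges` catches the off-by-one gaps that appear when range bounds are edited by hand.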
Re: [Declude.JunkMail] How long is each test taking?
Chris Anton wrote:

Hello... We are using declude 2.something... we are pegged at 100% processor usage and are wondering what is the best way to determine how long each test takes.

Do you have filter 'optimizers' in your filters, e.g. SKIPIFWEIGHT and STOPATFIRSTHIT, in your filter files?

-Nick

I am nervous to change the log level because we handle 100k per day. Please advise. Thanks!

-Chris

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] picture spam
Matt wrote:

Let me jump in here for a moment. You guys should have made a deal with Pete instead of CommTouch. Sniffer blows it out of the water and he has no licensing restrictions. IMO of course.

mine too! Sniffer does a very good job..

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7
Harry,

Please post to the list the details - Thanks

-Nick

chris wrote:

Harry

Contact me off the list if you can, I would like to help

Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833 toll free
978.499.2933 office
978.477.8930 e-fax
[EMAIL PROTECTED]
www.declude.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harry Vanderzand
Sent: Friday, September 29, 2006 9:15 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Crisis after upgrade to 4.3.14 from 4.3.7

Last night at 8:11PM I upgraded from 4.3.7 to 4.3.14

From that point on we stopped catching all spam for these clients that have their own mail server. We just filter their mail for spam and pass it on.

I just reverted back to 4.3.7 and now we are catching spam again for them

We catch over 4000 spam messages per day for one of these clients alone so you can imagine their complaint this morning.

Anyone know what would have caused this?

Thank you

Harry Vanderzand
inTown Internet Computer Services
11 Belmont Ave. W., Kitchener, ON, N2M 1L2
519-741-1222

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Newest version
This regex works

\b(PHA)+([a-zA-Z]+(RMA))\b

as well as this one for the other morph

\b(PHA)+([a-zA-Z]+(RMACY))\b

-Nick

Ferrell Ard wrote:

We are seeing a lot of email with the Subject line

Subject: X-IMail-SPAM PHAujyRMA

The KEY to the subject line is
(1) 1st 3 letters are always PHA
(2) letters 4-6 are random and lower case
(3) letters 7 - 9 are always RMA

Does anyone know of a way to TRASH these emails?

Thanks very much

Ferrell

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
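Before a subject filter is allowed to trash mail, it is worth scoring it against labelled samples. The following added Python example (not from the thread) runs the two posted patterns and a stricter pattern built only from the three rules in the question over constructed subjects; Python's `re` engine stands in for the filter's regex engine, which is an assumption, and the `STRICT` pattern and sample subjects are hypothetical.

```python
import re

# The two patterns from the reply, unchanged.
POSTED = [
    re.compile(r"\b(PHA)+([a-zA-Z]+(RMA))\b"),
    re.compile(r"\b(PHA)+([a-zA-Z]+(RMACY))\b"),
]

# Hypothetical stricter form: PHA, exactly three lower-case letters, RMA,
# plus the optional CY of the second morph mentioned in the reply.
STRICT = [re.compile(r"\bPHA[a-z]{3}RMA(?:CY)?\b")]

# Constructed subjects, labelled True when they follow the spam pattern
# described in the question.
SAMPLES = [
    ("X-IMail-SPAM PHAujyRMA", True),
    ("PHAqkdRMACY", True),
    ("Re: PHAzzbRMA best prices", True),
    ("PHARMACY refill reminder", False),
    ("Your PHARMA newsletter", False),
    ("PHAlanxRMA conference notes", False),  # four letters in the middle
    ("ALPHAujyRMA", False),                  # no word boundary before PHA
]


def matches(patterns, subject):
    """True when any pattern in the set matches somewhere in the subject."""
    return any(p.search(subject) for p in patterns)


def evaluate(patterns, samples=SAMPLES):
    """Return (false_positives, false_negatives) as lists of subjects."""
    false_pos = [s for s, is_spam in samples if not is_spam and matches(patterns, s)]
    false_neg = [s for s, is_spam in samples if is_spam and not matches(patterns, s)]
    return false_pos, false_neg


if __name__ == "__main__":
    for name, patterns in (("posted", POSTED), ("strict", STRICT)):
        fp, fn = evaluate(patterns)
        print(f"{name}: false positives={fp} false negatives={fn}")
```

Both pattern sets catch every labelled sample and leave ordinary "PHARMACY" subjects alone; the posted ones also match any run of letters between PHA and RMA, which is the only false positive in this sample set.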
[Declude.JunkMail] IPBYPASS Broke?
To David at Declude - or anyone else...

I have these lines in my global config Declude 4.3.7:

IPBYPASS 12.152.254.14
XINHEADER X-Note: Sent from: [Revdns: %REVDNS%] [RemoteHostDomain: %REMOTEHOST%] [RemoteIP: %REMOTEIP%] [SenderHost: %SENDERHOST%]

I received this email below where it appears that the IPBYPASS directive was ignored:

Received: from mx2.madriveraccess.com [12.152.254.14] by mx1.vtbass.com with ESMTP (SMTPD32-8.15) id AE68A3F30188; Tue, 29 Aug 2006 19:31:52 -0400
Received: from 211.35.128.115 [211.35.128.115] by mx2.madriveraccess.com (Alligate(TM) SMTP Gateway v2.6.6.15) with ESMPT id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 29 Aug 2006 19:31:49 -0500
Received: from mailcluster.globat.com (port=3118 helo=s5ppf56pw4rf) by 211.35.128.115 with smtp id piM4-83K1bgYkp-6P for [EMAIL PROTECTED]; Wed, 30 Aug 2006 08:31:55 +0900
snip
X-Note: Sent from: [Revdns: ] [RemoteHostDomain: madriveraccess.com] [RemoteIP: 12.152.254.14] [SenderHost: madriveraccess.com]

Why does the RemoteIP point to 12.152.254.14 and SenderHost point madriveraccess.com?

Thanks

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
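The result the post expects from IPBYPASS can be reproduced offline from the quoted headers. This added Python example (not Declude code and not part of the original message) walks the Received chain newest-first and skips hops whose bracketed IP is on a bypass list; that this is what IPBYPASS should do is an assumption taken from the question, and the function names are hypothetical.

```python
import ipaddress
import re

# Received headers as quoted in the post, newest first, redactions kept.
RECEIVED = [
    "from mx2.madriveraccess.com [12.152.254.14] by mx1.vtbass.com with ESMTP "
    "(SMTPD32-8.15) id AE68A3F30188; Tue, 29 Aug 2006 19:31:52 -0400",
    "from 211.35.128.115 [211.35.128.115] by mx2.madriveraccess.com "
    "(Alligate(TM) SMTP Gateway v2.6.6.15) with ESMPT id [EMAIL PROTECTED] "
    "for [EMAIL PROTECTED]; Tue, 29 Aug 2006 19:31:49 -0500",
    "from mailcluster.globat.com (port=3118 helo=s5ppf56pw4rf) by 211.35.128.115 "
    "with smtp id piM4-83K1bgYkp-6P for [EMAIL PROTECTED]; "
    "Wed, 30 Aug 2006 08:31:55 +0900",
]

# "from <name> [<ip>] ... by <host>"; the bracketed IP is optional because the
# oldest hop in the post does not carry one.
HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)(?:\s+\[(?P<ip>[0-9.]+)\])?.*?\sby\s+(?P<by>\S+)"
)


def parse_hops(received):
    """Turn Received header values into dicts with 'from', 'ip' and 'by'."""
    hops = []
    for value in received:
        m = HOP_RE.match(value.strip())
        if not m:
            continue
        ip = None
        if m.group("ip"):
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                ip = None  # malformed address: treat as not recorded
        hops.append({"from": m.group("name"), "ip": ip, "by": m.group("by")})
    return hops


def effective_remote_ip(hops, bypass):
    """First connecting IP, newest hop first, that is not a bypassed relay.

    Only relays you operate belong on the bypass list: every Received line
    older than the first untrusted hop was written by the sending side.
    Returns None when the chain runs out of recorded IPs.
    """
    trusted = {ipaddress.ip_address(b) for b in bypass}
    for hop in hops:
        if hop["ip"] is None:
            return None
        if hop["ip"] not in trusted:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_hops(RECEIVED)
    print("no bypass:  ", effective_remote_ip(hops, []))
    print("with bypass:", effective_remote_ip(hops, ["12.152.254.14"]))
```

With the gateway address bypassed the function returns 211.35.128.115; without it, 12.152.254.14, which is the value the X-Note header in the post shows.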
Re: [Declude.JunkMail] IPBYPASS Broke?
Matt wrote:

Nick, Do you by any chance have this IP also covered by a whitelist entry of any type in your Global.cfg?

Nope. No where is it listed except on the IPBYPASS line -

-Nick

Matt

Nick Hayer wrote:

To David at Declude - or anyone else...

I have these lines in my global config Declude 4.3.7:

IPBYPASS 12.152.254.14
XINHEADER X-Note: Sent from: [Revdns: %REVDNS%] [RemoteHostDomain: %REMOTEHOST%] [RemoteIP: %REMOTEIP%] [SenderHost: %SENDERHOST%]

I received this email below where it appears that the IPBYPASS directive was ignored:

Received: from mx2.madriveraccess.com [12.152.254.14] by mx1.vtbass.com with ESMTP (SMTPD32-8.15) id AE68A3F30188; Tue, 29 Aug 2006 19:31:52 -0400
Received: from 211.35.128.115 [211.35.128.115] by mx2.madriveraccess.com (Alligate(TM) SMTP Gateway v2.6.6.15) with ESMPT id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 29 Aug 2006 19:31:49 -0500
Received: from mailcluster.globat.com (port=3118 helo=s5ppf56pw4rf) by 211.35.128.115 with smtp id piM4-83K1bgYkp-6P for [EMAIL PROTECTED]; Wed, 30 Aug 2006 08:31:55 +0900
snip
X-Note: Sent from: [Revdns: ] [RemoteHostDomain: madriveraccess.com] [RemoteIP: 12.152.254.14] [SenderHost: madriveraccess.com]

Why does the RemoteIP point to 12.152.254.14 and SenderHost point madriveraccess.com?

Thanks

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPBYPASS Broke?
Done! Thanks

-Nick

chris asaro wrote:

Nick,

Please contact me at the mail address below. Please run a quick debug and send me that log. I believe I understand what's happening here but I would like to verify this before I put my foot in my mouth...Thanks

Chris Asaro
Technical Support Engineer
Declude
Your Email security is our business
866.332.5833 office
978.499.2933 Alt office
978.477.8930 fax
[EMAIL PROTECTED]
www.declude.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, August 30, 2006 10:23 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] IPBYPASS Broke?

Nick, Do you by any chance have this IP also covered by a whitelist entry of any type in your Global.cfg?

Matt

Nick Hayer wrote:

To David at Declude - or anyone else...

I have these lines in my global config Declude 4.3.7:

IPBYPASS 12.152.254.14
XINHEADER X-Note: Sent from: [Revdns: %REVDNS%] [RemoteHostDomain: %REMOTEHOST%] [RemoteIP: %REMOTEIP%] [SenderHost: %SENDERHOST%]

I received this email below where it appears that the IPBYPASS directive was ignored:

Received: from mx2.madriveraccess.com [12.152.254.14] by mx1.vtbass.com with ESMTP (SMTPD32-8.15) id AE68A3F30188; Tue, 29 Aug 2006 19:31:52 -0400
Received: from 211.35.128.115 [211.35.128.115] by mx2.madriveraccess.com (Alligate(TM) SMTP Gateway v2.6.6.15) with ESMPT id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 29 Aug 2006 19:31:49 -0500
Received: from mailcluster.globat.com (port=3118 helo=s5ppf56pw4rf) by 211.35.128.115 with smtp id piM4-83K1bgYkp-6P for [EMAIL PROTECTED]; Wed, 30 Aug 2006 08:31:55 +0900
snip
X-Note: Sent from: [Revdns: ] [RemoteHostDomain: madriveraccess.com] [RemoteIP: 12.152.254.14] [SenderHost: madriveraccess.com]

Why does the RemoteIP point to 12.152.254.14 and SenderHost point madriveraccess.com?

Thanks

-Nick

--- This E-mail came from the Declude.JunkMail mailing list.
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] manual install of 4x
Is there a way to do this without the wizard? Thanks for any info -Nick --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fw: New ClamAV scam database
Thanks much Bill,

-Nick

Bill Landry wrote:

For anyone that is possibly running ClamAV for virus scanning, and is already taking advantage of the added phish detection provided by Steve Basford's phish.ndb, he has put together another database geared to tagging scam e-mails, including those pesky image spams. The new scam database is working great here, lots of catches so far and no FPs yet. If you want to give it a run, please do heed Steve's request at the end of this message about scripting the downloads for the new scam.ndb, at least for now...

Thanks,

Bill

- Original Message -
From: Steve Basford [EMAIL PROTECTED]
To: Bill Landry [EMAIL PROTECTED]
Sent: Monday, August 07, 2006 12:51 PM
Subject: Re: scam database

Hi Bill,

Just to let you know I've done a big update to the scam database, which isn't publicly known about yet but it's working a treat this end, with a lot of those image spams :)

If you want to give a manual trial run: http://www.sanesecurity.com/clamav/scam.ndb.gz

Cheers, Steve

Bill Landry wrote:

Wow, Steve, this is working very well! Nice work. Do you mind if I let others know about the availability of this new scam database?

That's great! It's working too, for me at work... and two other brave test sites :)

Yep, you can let people know but... Please could you ask people to only *manually* download the file for the time being, no scripts, it'll only get updated once a day at the moment, when I see a big new image spam run:

Main Site: http://www.sanesecurity.com/clamav/
Scam Database: http://www.sanesecurity.com/clamav/scam.ndb.gz
Phishing Database: http://www.sanesecurity.com/clamav/phish.ndb.gz

Glad it's helping :)

Cheers, Steve

--- This E-mail came from the Declude.JunkMail mailing list.
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT SNMP Monitor Program
we use http://www.jffnms.org/

-Nick

dfn Systems wrote:

Quiet times are good for off topic subjects Right?

I need a Monitoring program that will show me bandwidth utilization of my dsl customers to help track down compromised/infected machines. Regular sniffer programs won't work because the customers connect through ATM PVC and go out to the Internet through another PVC without ever leaving the router. Something that will read and graph from a cisco MIB on SNMP is what I'm seeking. It doesn't have to be robust or even incredibly stable. Cheap would be good. Free (Open Source) would be even better. Any leads would be greatly appreciated.

Bill Green
dfn Systems

--- [This E-mail scanned for viruses by Declude EVA]

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Commtouch, etc
David,

You have asked for some constructive feedback here regarding this new offering - I will not ask for a show of hands here :) but I bet a lot of folks are rolling their eyes simply because of the core Declude product and its outstanding bugs, inability to release a stable product, service contracts that cost $$ with no benefit, et al. cloud the issue so much.

I think once Declude gets back on track and provides what is promised new offerings will be generally better accepted within the community. Your participation within this list now is great - hopefully Declude JunkMail will get fixed and be an improved spam tool.

As for Commtouch - I am quite skeptical of it being anywhere near as good as you allude to. Competition is tough here especially from MessageSniffer where the product is very good and the support is even better...

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Commtouch, etc
Hi David,

David Barker wrote:

Nick, With regards to outstanding bugs I have a list which we are working on, and as you know I have committed to get these fixed as well

That you have, and your participation on this list is greatly appreciated. I was only trying to suggest that the past couple of years' issues are making it a little difficult to embrace a new offering at this time - at least in my camp. Not to say I will not change my mind in the future.

Regardless let's drop all this and move on - I do not want to lose my pinata!

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Speaking of Decludes AVG scanner
Chris Asaro wrote:

Try opening the diags.txt file in your \mailserver\declude directory. Check to see if you are receiving an invalid key code error.

When I went to 4.20 I had no such error code; however, evidently there was one, hence Declude ceased to function without warning.

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.3
David - at Declude -

Would you kindly comment on this? Also on what is Declude 4.3?

-Nick

John T (Lists) wrote:

I guess we all missed the following paragraph in the license agreement:

3.2.6 sub-license, rent, sell, lease, distribute, or otherwise transfer the Licensed Program save as provided under this End-User License Agreement unless You obtain a separate License from Declude, Inc. for such purposes (for example, You may not embed the Licensed Program into another application and then distribute such to third parties unless You first acquire an OEM License from Declude, Inc.). As of June 1, 2006, ISP's and other service providers are not permitted to use Declude software to clean and forward mail to customers unless a separate revenue share agreement has been established with Declude.

http://www.declude.com/Articles.asp?ID=121

Is Declude trying to put us out of business? We pay for the software and now have to pay them some of your meager profits?

John T
eServices For You
"Seek, and ye shall find!"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Steiner
Sent: Tuesday, July 18, 2006 11:24 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Declude 4.3

I guess someone is going to make an official announcement today about Declude 4.3? I see that its downloadable in my account, but it would be nice to know what I'm getting before I install it, especially the new Commtouch stuff.

The "Restrictions" listed next to the Add Commtouch section are especially confusing.

https://www.declude.com/articles.asp?ID=205

Who would use Declude and not fit the definitions of the restrictions? Based on my reading of the Restrictions, nobody who uses Declude will ever be able to use Commtouch. If I am misreading this, would someone please explain it to me?

Gary

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail".
The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude 4.3
Current Service Providers (ie. Before 1 June 06) are under no restrictions for using Declude; only the CommTouch add-in component.

Excellent! Thanks for the reply -

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] [Fwd: [0A6-0C4E22B9-4D5B] ZEROHOUR]
David of Declude -

Do you know how to remove ZEROHOUR from the headers? I obviously do not have this test in my config and HIDETESTS does not work.

-Nick

Original Message
Subject: [0A6-0C4E22B9-4D5B] ZEROHOUR
Date: Mon, 17 Jul 2006 10:37:02 -0500
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Nick:

Comment out the test in your global.cfg and default.junkmail file. Thanks!

If you have any further questions, please do not hesitate to contact me either by email or call Toll free 1-866-332-5833 Ext.7008

Linda Pagillo
Technical Support Engineer
Declude - Your Email security is our business
T 978.499.2933 office
978.477.8930 efax
[EMAIL PROTECTED]
www.declude.com

From: Nick Hayer [EMAIL PROTECTED]
Sent: Mon, 17 Jul 2006 10:28:09 -0500
To: [EMAIL PROTECTED]
Subject: ZEROHOUR

How can this be eliminated from the headers?

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] F-Prot Licensing
David Barker wrote:

Declude has this process and functionality built in to the Declude product which enables customers to use a command line scanners like ClamWin

snip

Brian Burns port called ClamAV supports clamd which is wicked fast [and free]. This is a different product from ClamWin.

I had done some comparison on the scanners - and had sent this to the Declude Virus list:

I just switched to 4x and noticed in the logs that scan times are recorded - here are some sample scan times against the same email -

2062ms Clamscan
468ms Mcafee scan.exe
171ms fprot

These relative scan time proportional differences appear to remain the same against other emails.

Switching from clamscan.exe to clamdscan.exe ClamAV averages 15ms against all emails it sees. That is like a factor of 10 faster than fprot its closest performance competitor. Since its free and w/Sanesecurity phish sigs I give it an editors choice :)

It would be nice to see [feature request?] the ms response time for AVG -

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] F-Prot Licensing
Don Brown wrote:

What is the URL to Brian Burns' port?

http://www.sosdg.org/clamav-win32/

-Nick

Monday, July 17, 2006, 2:05:34 PM, Nick Hayer [EMAIL PROTECTED] wrote:

NH David Barker wrote: Declude has this process and functionality built in to the Declude product which enables customers to use a command line scanners like ClamWin
NH snip
NH Brian Burns port called ClamAV supports clamd which is wicked fast [and
NH free]. This is a different product from ClamWin.
NH I had done some comparison on the scanners - and had sent this to the
NH Declude Virus list:
NH "I just switched to 4x and noticed in the logs that scan times are
NH recorded -
NH here are some sample scan times against the same email -
NH 2062ms Clamscan
NH 468ms Mcafee scan.exe
NH 171ms fprot
NH These relative scan time proportional differences appear to remain the
NH same against other emails.
NH Switching from clamscan.exe to clamdscan.exe ClamAV averages 15ms
NH against all emails it sees. That is like a factor of 10 faster than
NH fprot its closest performance competitor. Since its free and
NH w/Sanesecurity phish sigs I give it an editors choice :)
NH It would be nice to see [feature request?] the ms response time for AVG - "
NH -Nick
NH ---
NH This E-mail came from the Declude.JunkMail mailing list. To
NH unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
NH type "unsubscribe Declude.JunkMail". The archives can be found
NH at http://www.mail-archive.com.

Don Brown - Dallas, Texas USA
Internet Concepts, Inc.
[EMAIL PROTECTED]
http://www.inetconcepts.net
(972) 788-2364 Fax: (972) 788-5049

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail".
The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] F-Prot Licensing
Sorry but I have not been keeping up w/this thread - we no longer can use the desktop fpcmd.exe as we have been w/Declude without paying a lot more $$? Can we use the version we have and still get defs?

-Nick

Matt wrote:

F-Prot doesn't care. They don't do volume as a plug-in to mail servers, they do it through desktop software. F-Prot now has a software product for Exchange and their own spam and virus blocking gateway service offering. Considering how cheap the client is, losing those sales is insubstantial to them.

It is true that they could have charged something more reasonable, especially considering that none of us are getting rich doing this stuff and every extra penny spent comes out of our pockets and not that of our clients, but so be it. Most probably wouldn't have paid anything more than a couple of hundred dollars for their product regardless, so $500 or $5,000 is all the same in effect.

Matt

Dave Beckstrom wrote:

I think everyone on this list should email them telling them that you are not renewing. I don't think they have any idea of how much business they will lose. If 100 people email them it may wake them up. I wouldn't hold my breath on that, but it can't hurt to try.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GlobalWeb.net Webmaster
Sent: Monday, July 17, 2006 1:37 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot Licensing

we're looking into changing now also - there's no way we can afford to keep F-Prot at those rates.. I just do not understand why greed always has to set in when a product comes out that works great and is hassle free. We've never had to contact them in the 5-6 years of using them for any issues at all.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
804-346-5300 x112
877-800-GLOBAL (4562) x112
http://globalweb.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Beckstrom
Sent: Monday, July 17, 2006 2:22 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] F-Prot Licensing

I sent an email to F-Prot telling them that I am not renewing because of their price change. They replied back basically saying they didn't care and adios. They are going to lose a lot of customers. I guess they would rather not have a little money from a lot of customers instead of no money from a few customers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Fisher
Sent: Monday, July 17, 2006 9:25 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] F-Prot Licensing

Clamav with the runclamd service. Free. Fast. And the Sanesecurity anti-phish signatures.

- Original Message -
From: Markus Gufler
To: declude.junkmail@declude.com
Sent: Friday, July 14, 2006 5:33 PM
Subject: RE: [Declude.JunkMail] F-Prot Licensing

This pricing is just another way of saying "Go Away". Suggestions?

Markus

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Trying to install Declude 3.1.20 anew
Andy Schmidt wrote:

Hi Dave, Sorry everyone -- my mistake.

no biggie. That is what David, our pinata, is for. :)

-Nick

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Latest All_LIst.dat file
There is a much more recent avail you can download from 'my account' on the declude site. If you cannot find it let me know and I will send it to you.

-Nick

Darrell ([EMAIL PROTECTED]) wrote:

What is the latest all_list.dat file. Mine is dated 9/28/2005. I am seeing an issue with 67.111.134.133 which is in Reston, VA. However, Declude thinks it's in Korea.

Darrell

--- Check out http://www.invariantsystems.com for utilities for Declude, Imail, mxGuard, and ORF. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Country tests
Hi Mike,

Here is my understanding of the 2 tests:

If an email originates from a country it will fail the COUNTRY test
If an email passes through a country it will fail the COUNTRIES test

-Nick

Mike N wrote:

I looked in the 4.x Junkmail manual, and couldn't find an authoritative definition of the Country tests. I have found a number of archived messages, but it is tricky to know if the reason that things are documented is that they are being deprecated or whatever. Is there a Kbase article or Manual page on COUNTR*.* tests, variables, and filter options?

Thanks,

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] upgrade to 4x
Hi Sandy,

Sanford Whiteman wrote:

I have been running 2.0.16 however it has a bug that external tests will double-dip; eg fail the same external test multiple times... I reported it to tech support with no resolution - so my only recourse is to run the latest ver.

Is it established that this is fixed in 3.x or 4.x?

dunno. That would be a question for Declude -

I know you reported it to me vis-à-vis SPAMC32, and I wonder if you were able to discover whether the exe was being forked twice, or whether the result of one fork was being duped completely within Declude?

Of the several messages I tested running spamc32 from command line I saw no anomalies -

What kind of log data ended up showing up at DEBUG level?

I cannot run that log level for extended times - and since this is such an isolated occurrence that would be necessary to capture this event.

And did you isolate circumstances other than generic "high load" that trigger this behavior?

nope! No idea what would cause it. So the simplest solution for me is to try the latest ver and see if the issue re-occurs. If it does then maybe Declude will help. If they don't and the bug persists I will revert to 2x.

-Nick

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

--- This E-mail came from the Declude.JunkMail mailing list.
Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
[Declude.JunkMail] upgrade to 4x
I have been running 2.0.16 however it has a bug that external tests will double-dip; eg fail the same external test multiple times... I reported it to tech support with no resolution - so my only recourse is to run the latest ver. I am licensed for declude virus, hijack and JMPro - so I downloaded 4.2.20 (Is this the latest ver?). Do I have to run the install? And where is the 'key' that now needs to be in Declude.cfg? Any other advice appreciated - I have a bad feeling about doing this :) -Nick
Re: [Declude.JunkMail] compatibility question
Hi David [Barker], Is there a list, or would you kindly post one of the known issues with Declude? I'm still on 2x because of all the problems reported and what I perceive as them not being resolved. Thanks! -Nick John Doyle wrote: Robert I'm running 8.22 hf2 and Declude 4.1. I would not suggest going to 4.2 as I was getting some "leakage" of mail that seemingly had not been scanned by declude. I could not find any record in either the declude, or the virus log files. I found that the headers had no declude entries. That was version 4.2 Build 12. I reverted back to 4.09 and the problem resolved itself, I later moved back to 4.1 and things still are working well. I'd stay away from 4.2 until there is a fix. This was reported as not being an Imail problem, only smartermail, but I had the same thing happen with Ipswitch. (this is my opinion, I could be wrong) I have a firewall blocking "broken" and non compliant addresses, but still got maybe 4 or 5 per day out of 200 for my address. So I'm not sure of the root cause. I was most worried about no record of the email in the virus log. I still can't figure out how they got delivered if Declude didn't process the mail. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Shubert Sent: Monday, June 19, 2006 8:45 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] compatibility question Sorry if this is waste of time, but I want to be absolutely sure before I do anything to my server. Is Declude 4.2 fully compatible with iMail 8.22? Thanks, Robert
Re: [Declude.JunkMail] compatibility question
Thanks David! -Nick David Barker wrote: Nick, Here is a list of what the development team are currently working on. Remember in each case these issues have been experienced by a relatively small percentage of our customers and are NOT known issues, as one has to take into account the environment and how Declude is used and configured. SPAM Weights - (hold, delete actions not working under certain conditions) Decludeproc crashing/hanging (GP1 GP 2 errors) Broken Images (e-mail is not scanned) XOUTHEADER / XINHEADER incorrectly reported * ALLOWVULNERABILITIESFROM works with user only not domain (fixed) David B www.declude.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer Sent: Monday, June 19, 2006 1:04 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] compatibility question Hi David [Barker], Is there a list, or would you kindly post one of the known issues with Declude? I'm still on 2x because of all the problems reported and what I perceive as them not being resolved. Thanks! -Nick John Doyle wrote: Robert I'm running 8.22 hf2 and Declude 4.1. I would not suggest going to 4.2 as I was getting some leakage of mail that seemingly had not been scanned by declude. I could not find any record in either the declude, or the virus log files. I found that the headers had no declude entries. That was version 4.2 Build 12. I reverted back to 4.09 and the problem resolved itself, I later moved back to 4.1 and things still are working well. I'd stay away from 4.2 until there is a fix. This was reported as not being an Imail problem, only smartermail, but I had the same thing happen with Ipswitch. (this is my opinion, I could be wrong) I have a firewall blocking broken and non compliant addresses, but still got maybe 4 or 5 per day out of 200 for my address. So I'm not sure of the root cause. I was most worried about no record of the email in the virus log. I still can't figure out how they got delivered if Declude didn't process the mail. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Shubert Sent: Monday, June 19, 2006 8:45 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] compatibility question Sorry if this is waste of time, but I want to be absolutely sure before I do anything to my server. Is Declude 4.2 fully compatible with iMail 8.22? Thanks, Robert
Re: [Declude.JunkMail] Experience with 4.x
Hi Matt, So you see any substantive performance improvement over 2x? -Nick Matt wrote: Jay, It's not about moving along, it's about limiting the CPU to only 100%, or at least not piling it on when it gets there. I could be wrong in assuming that 1 thread = 1 message (hopefully I will be corrected if so), but 30 average messages being processed at once will most definitely peg my processors, and adding more threads when you are at 100% will actually slow down performance. Another note, not all systems are configured equally. A vanilla install of Declude would likely handle 4 times the number of messages that mine does since I run 4 external filters, two virus scanners, and something like 100 Declude filters (though they mostly get skipped with SKIPIFWEIGHT and END statements as they are targeted). Running a single virus scanner and RBL's is just a fraction of the load. With my pre-scanning gateways blocking more than 90% of all traffic (about half of that is dictionary attacks and most of the rest is done with 'selective greylisting'), I can scale one server to handle over 20,000 addresses, possibly as many as 40,000 (doesn't host the accounts though), so despite the heavy config, it is optimized. But back to the real topic...I'm just guessing that 30 messages/threads is the limit for my box, but I'm sure that it isn't as high as 80, though setting it at 80 would be of no consequence outside of a prolonged heavy load caused by something like a backup of my spool. It would be a bigger mistake to set it too low. Matt Jay Sudowski - Handy Networks LLC wrote: 30 threads seems awfully low. We set ours to 80 on a dual xeon box with a separate drive for spool/logging and we move right along without any issues. Thanks! 
- Jay Sudowski // Handy Networks LLC Director of Technical Operations Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX www.handynetworks.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Tuesday, May 23, 2006 3:25 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Experience with 4.x Andrew, Thanks for your notes and their history. I'm using the following settings right now: THREADS 30 WAITFORMAIL 500 WAITFORTHREADS 200 WAITBETWEENTHREADS 100 WINSOCKCLEANUP OFF INVITEFIX ON AUTOREVIEW ON There are a few reasons for trying these values. THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID can only handle 30 threads with average messages. In reality, one single message can spike the system to 100%, but these are uncommon. I figure that if I open this up too wide and I am dealing with a backup or something, launching more threads when at 100% CPU utilization will actually slow the system down. This was the same with 2.x and before. There is added overhead to managing threads and you don't want that to happen on top of 100% CPU utilization. I am going to back up my server later tonight to see if I can't find what the magic number is since I don't want to be below that magic number, and it would probably be best to be a little above it. WAITFORMAIL 500 - On my server, this never kicks in, but if it did, it wouldn't make sense to delay for too long because I could build up messages. A half second seems good. WAITFORTHREADS 200 - This apparently kicks in only when I reach my thread limit; sort of like a throttle. I don't want it to be too long because this should only happen when I am hammered, but it is wise not to keep hammering when you are at 100%. Sort of a mixed bag choice here. WAITBETWEENTHREADS 100 - I see this setting as being the biggest issue with sizing a server.
Setting it at 100 ms means that I can only handle 10 messages per second, and this establishes an upper limit for what the server can do. I currently average about 5 messages per second coming from my gateways at peak hours, so I figured that to be safe, I should double that value. INVITEFIX ON - I have it on because it comes on by default and I don't know any better. I know nothing about the cause for needing this outside of brief comments. It seems strange that my Declude setup could ruin an invitation unless I was using footers. If this is only triggered by footer use, I would like to know so that I could turn it off. I would imagine that this causes extra load to do the check. AUTOREVIEW ON - I have this on for the same reason that Andrew pointed out. When I restart Decludeproc, messages land in my review folder, and I don't wish to keep manually fishing things out. If there is an issue with looping, it would be wise for Declude to make this only trigger say every 15 minutes instead of more regularly. Feel free to add to this if you want. Matt Colbeck, Andrew wrote: I'd second that... on
Re: [Declude.JunkMail] What happened to the logging since 2.x????, it's HUGE
Hi Matt, Matt wrote: I'm trying an upgrade from the 2.x release for the first time, Why on earth would you want to do that? Was 2x too bug free and you need some excitement? -Nick
[Declude.JunkMail] ClamAV Sanesecurity phish files
fyi - Sanesecurity phish downloads have changed as of 5/10. The download file is gzip'ed and called phish.ndb.gz -Nick
Re: [Declude.JunkMail] image spam
Sanford Whiteman wrote: In keeping with the increased CPU demands of such tests, the new version of SPAMC32 will contain the ability to send the request to two (maybe more than two in future) tiered SPAMD daemons. The second daemon -- listening on a different port, or on a different machine -- will be consulted only if the results from the first daemon are within configured thresholds. great idea. tag team to distribute the load as needed. P.S. This gives me the idea of having different max-size switches for messages with and without image attachments. What do you think, SPAMC32 users? good idea again. Otherwise blatant spam is possibly bypassed.. -Nick
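The tiered-daemon idea and the separate max-size limits discussed in the message above, sketched as an added example (this is not SPAMC32 code or configuration). The two scorer functions stand in for the two SPAMD daemons, and every name, threshold and size limit here is an assumption chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Message:            # constructed stand-in for a spooled message
    size: int             # bytes
    has_image: bool       # any image attachment present
    text: str

@dataclass(frozen=True)
class Policy:             # hypothetical knobs, not SPAMC32 switch names
    max_size_plain: int = 256 * 1024
    max_size_image: int = 1024 * 1024
    band_low: float = 3.0     # tier-1 scores inside [band_low, band_high]
    band_high: float = 8.0    # are "unsure" and go to the second daemon

def scan(msg, tier1, tier2, policy=Policy()):
    """Return (score, path); score is None when the size limit skips the scan."""
    limit = policy.max_size_image if msg.has_image else policy.max_size_plain
    if msg.size > limit:
        return None, "skipped"
    score = tier1(msg)
    if policy.band_low <= score <= policy.band_high:
        return tier2(msg), "tier2"   # expensive daemon only for unsure mail
    return score, "tier1"

# Constructed scorers standing in for the cheap and the expensive daemon.
tier2_calls = []

def cheap(msg):
    return 15.0 if "cheap meds" in msg.text else (5.0 if msg.has_image else 0.5)

def expensive(msg):       # e.g. a daemon that also runs OCR on attachments
    tier2_calls.append(msg)
    return 11.0

def demo():
    ham = Message(4_000, False, "lunch at noon?")
    blatant = Message(6_000, False, "cheap meds here")
    image_spam = Message(400 * 1024, True, "")
    one_limit = Policy(max_size_image=256 * 1024)   # same limit for all mail
    return {
        "ham": scan(ham, cheap, expensive),
        "blatant": scan(blatant, cheap, expensive),
        "image, one limit": scan(image_spam, cheap, expensive, one_limit),
        "image, own limit": scan(image_spam, cheap, expensive),
    }

if __name__ == "__main__":
    print(demo())
```

With a single size limit the 400 KB image message is never scanned; with its own limit it is scanned, lands in the unsure band, and is the only message that reaches the second scorer.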
[Declude.JunkMail] image spam
fyi - I just found these 2 plugins for spamassassin http://wiki.apache.org/spamassassin/OcrPlugin http://antispam.imp.ch/patches/patch-ocrtext That will ocr the gifs, etc. These should help SA be even more effective within Declude.. -Nick