Scott, sorry, but something IS wrong with the log and the weighting. No matter how you twist and turn <G>. Fortunately, with 1.29 it finally is apparent, even to the naked eye:
Look at this Imail SMTP conversation: 12:07 11:26 SMTPD(061103F8) [63.107.174.78] connect 128.121.122.40 port 3699 12:07 11:26 SMTPD(061103F8) [128.121.122.40] EHLO s0234.pm0.net 12:07 11:26 SMTPD(061103F8) [128.121.122.40] MAIL From:<[EMAIL PROTECTED]> 12:07 11:26 SMTPD(061103F8) [128.121.122.40] RCPT To:<[EMAIL PROTECTED]> NOTIFY=FAILURE 12:07 11:26 SMTPD(061103F8) [128.121.122.40] D:\IMAIL\spool\Deda33f8.SMD 3464 Now look at the Declude log for Qeda33f8: 12/07/2001 11:26:01 Qed8e31e . Total weight = 0 12/07/2001 11:26:24 Qeda33f8 OSSRC:7 SPAMCOP:7 . Total weight = 14 12/07/2001 11:26:43 Qedb73c4 OSRELAY:6 . Total weight = 6 12/07/2001 11:26:43 Qedb73c4 Msg failed OSRELAY (This E-mail came from 207.108.144.243, a potential spam source.). 12/07/2001 11:26:43 Qedb73c4 Subject: Dr. appt. 12/07/2001 11:26:43 Qedb73c4 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] There is NO reason why the mail had a total weight of 14, triggered OSSRC and SPAMCOP, came from an unknown third-party SMTP server and domain that is NOT whitelisted, is directed to a domain that does not have its own junkmail settings, and we do NOT use ignore, yet - it does NOT contain a lot entry detailing/proving the OSSRC/SPAMCOP, NOR does it apparently REJECT fail that mail. At a weight of 14, it should have definitely triggered WEIGHT10. To prove my point, here is the same SPAM sent to another one of our virtual domains (no per-domain settings EITHER) just 26 minutes prior. It's obviously failing the EXACT same tests - and look how nicely Declude CAN log and act: 12/07/2001 11:00:51 Qe7a6194 OSSRC:7 SPAMCOP:7 . Total weight = 14 12/07/2001 11:00:51 Qe7a6194 Msg failed OSSRC (pm0.net http://groups.google.com/groups?q=pm0.net&hl=en&meta=group%3Dnews.admin.net- abuse.*). 12/07/2001 11:00:51 Qe7a6194 Msg failed SPAMCOP (Blocked - see http://spamcop.net/bl.shtml?161.58.202.113). 12/07/2001 11:00:51 Qe7a6194 Msg failed SPAMCOPHDR (Blocked - see http://spamcop.net/bl.shtml?161.58.202.113). 12/07/2001 11:00:51 Qe7a6194 Msg failed WEIGHT10 (Weight of 14 exceeds the limit of 10.). 12/07/2001 11:00:51 Qe7a6194 Msg failed WEIGHT8 (Weight of 14 exceeds the limit of 8.). 12/07/2001 11:00:51 Qe7a6194 Subject: INVESTIGATE YOUR NEIGHBOR 12/07/2001 11:00:51 Qe7a6194 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Why would Declude act differently for the SAME tests! Best Regards Andy Schmidt H&M Systems Software, Inc. 600 East Crescent Avenue Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 http://www.hm-software.com/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry Sent: Friday, December 07, 2001 10:03 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude v1.29 beta - Errors >1. Many messages with WEIGHT=0 or other weights are logged with single line >entries!? No from/to/subject information > >12/07/2001 01:05:22 Q5bfc2fa . Total weight = 0 At LOGLEVEL MID or higher, Declude will log the total weight for every E-mail, spam or not. >12/07/2001 01:06:11 Q5c32194 HEUR10:4 . Total weight = 4 >12/07/2001 01:06:16 Q5c503aa HEUR9:4 . Total weight = 4 >12/07/2001 01:06:27 Q5c5b2fa HEUR8:3 . Total weight = 3 >12/07/2001 01:06:29 Q5c603aa HEUR8:3 . Total weight = 3 These failed the HEUR10/HEUR9/HEUR8 tests, with the appropriate weight. >2. Declude Crashed (DECLUDE.GP* file are attached) Thank you for pointing that out. We're investigating this. >3. Here is the problem with invalid arithmetic that carried over from 1.28. >Notice how it lists all kind of failed tests in the first log entry - but >then does NOT list any of these tests (other than SPAMROUTING) in the >subsequent lines. > >12/07/2001 01:11:15 Q5d582f0 OSRELAY:6 SPAMCOP:7 SPAMROUTING:4 HEUR8:3 . >Total weight = 20 I'm not a mathematician, but when I add 6+7+4+3, I get the same answer (20) as Declude. >12/07/2001 01:11:15 Q5d582f0 Msg failed SPAMROUTING (This E-mail was routed >in a poor manner consistent with spam [20000103].). >12/07/2001 01:11:15 Q5d582f0 Subject: Prescriptions Without Doctors >Appointment..... >12/07/2001 01:11:15 Q5d582f0 From: [EMAIL PROTECTED] To: >[EMAIL PROTECTED] If you have the action for OSRELAY, SPAMCOP, and HEUR8 set to IGNORE, then you may not see a log file entry when E-mail fails those tests. However, they will still be used towards the weighting. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
