A couple of weeks ago I post a strange anomaly where log entries show up in
the JunkMail log but the no Declude headers show up in the actual message.
Now I have the opposite effect where Declude headers will show up in the
message but nothing is entered into the JunkMail log.
Here is the scenario. Cron notification message is delivered from one of my
gateway servers to IMail/Declude. No whitelist entry in Global.cfg file for
this message:
=====
Received: from gw2.pointshare.com [204.189.38.3] by
intramail01.pointshare.net with ESMTP
(SMTPD32-8.02) id A42F2A580054; Sun, 21 Sep 2003 17:37:03 -0700
Received: by gw2.pointshare.com (Mail Gateway)
id 34FCCADDF3; Sun, 21 Sep 2003 17:37:04 -0700 (PDT)
Delivered-To: [EMAIL PROTECTED]
From: root (Cron Daemon)
To: root
Subject: Cron <[EMAIL PROTECTED]> run-parts /etc/cron.hourly
Message-Id: <[EMAIL PROTECTED]>
Date: Sun, 21 Sep 2003 17:37:03 -0700 (PDT)
X-Alligate-In: IGNORED - WhiteListed IP Address: (204.189.38.3)
X-Alligate-Tracking: D86E20E437BEB0B2
X-Alligate-Signature: 0
X-Alligate-SpoolFile: D442f2a5800548e2f.SMD
X-Alligate-Sender: root [204.189.38.3]
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail
detected.
X-RBL-Warning: HEADERS-FILTER: Message failed HEADERS-FILTER test (58)
X-RBL-Warning: SUBJECT-FILTER: Message failed SUBJECT-FILTER test (70)
X-Declude-Sender: root []
X-Queue-File: D442f2a5800548e2f.SMD - outgoing
X-Note: Total spam test weight: -6
---
Log file entry:
M:\IMail\Declude\Unix-Tools>grep "Q442f2a5800548e2f"
m:\imail\spool\spam\log\dec0921.log
09/21/2003 17:37:06 Q442f2a5800548e2f HEADERS-FILTER:9 SUBJECT-FILTER:-15 .
Total weight = -6
09/21/2003 17:37:06 Q442f2a5800548e2f Msg failed IPNOTINMX (). Action=WARN.
09/21/2003 17:37:06 Q442f2a5800548e2f Msg failed NOLEGITCONTENT (No content
unique to legitimate E-mail detected.). Action=WARN.
09/21/2003 17:37:06 Q442f2a5800548e2f Msg failed SUBJECT-FILTER (Message
failed SUBJECT-FILTER test (70)). Action=WARN.
09/21/2003 17:37:06 Q442f2a5800548e2f L1 Message OK
09/21/2003 17:37:06 Q442f2a5800548e2f Subject: Cron <[EMAIL PROTECTED]> run-parts
/etc/cron.hourly
09/21/2003 17:37:06 Q442f2a5800548e2f From: root To: [EMAIL PROTECTED]
IP: ID:
=====
Note that Declude is not able to determine the IP address of the sending
server in the message above, probably due to the first received header,
which does not contain one.
So I decided to whitelist the message using:
WHITELIST FROM root
in the Global.cfg file. When the next cron message got delivered:
=====
Received: from gw2.pointshare.com [204.189.38.3] by
intramail01.pointshare.net with ESMTP
(SMTPD32-8.02) id A23F36750056; Sun, 21 Sep 2003 18:37:03 -0700
Received: by gw2.pointshare.com (Mail Gateway)
id 4E37EADDF3; Sun, 21 Sep 2003 18:37:04 -0700 (PDT)
Delivered-To: [EMAIL PROTECTED]
From: root (Cron Daemon)
To: root
Subject: Cron <[EMAIL PROTECTED]> run-parts /etc/cron.hourly
Message-Id: <[EMAIL PROTECTED]>
Date: Sun, 21 Sep 2003 18:37:03 -0700 (PDT)
X-Declude-Sender: root [204.189.38.3]
X-Queue-File: D523f367500567d1d.SMD - outgoing
X-Note: Total spam test weight: 0
---
Log file entry:
M:\IMail\Declude\Unix-Tools>grep "Q523f367500567d1d"
m:\imail\spool\spam\log\dec0921.log
NO LOG ENTRY FOUND
=====
Note that Declude was now able to determine the IP address of the sending
server (strange). But when the whitelist is enabled, there is an even
stranger side effect in that nothing for the message shows up in the
JunkMail log file. Remove the whitelist entry, and Declude again cannot
determine the sending servers IP address, but the message once again shows
up in the logs.
I am running:
=====
Diagnostics ON (Declude v1.76i1).
Declude JunkMail: Config file found (m:\imail\Declude\global.CFG).
Declude Virus: Config file found (m:\imail\Declude\Virus.CFG).
Declude JunkMail Status: PRO version registered.
Declude Virus Status: Pro Version Registered.
=====
The reason I want to whitelist these servers is so that no specific test
entries will show up in the logs which could skew my reports. Thoughts?
Bill
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
