In a filter file: HEADERS (weight) CONTAINS X-IMAIL-SPAM-INVALIDFROM
Imail is checking to see if the sender exists and places that into the header. (If you have Imail configured to add headers.) HOWEVER, this does not work for @yahoo.com addresses. John Tolmachoff Engineer/Consultant/Owner eServices For You > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela > Sent: Thursday, December 04, 2003 10:45 PM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] MAILFROM like Imail Test.. > > Here are the headers... How this can be caught with Declude ?? > > 12:05 00:32 SMTPD(06E400CC) [00000640] <mail.fanosa.com> VALIDATION: (MAIL > FROM) mail.fanosa.com FAILED to validate MAIL FROM address > [EMAIL PROTECTED] > 12:05 00:32 SMTPD(06E400CC) [00000640] <mail.fanosa.com> VALIDATION: (MAIL > FROM) <[EMAIL PROTECTED]> user does not exist on remote system > 12:05 00:33 SMTPD(06E500CC) [00002292] <mail.fanosa.com> VALIDATION: (MAIL > FROM) mail.fanosa.com FAILED to validate MAIL FROM address > [EMAIL PROTECTED] > 12:05 00:33 SMTPD(06E500CC) [00002292] <mail.fanosa.com> VALIDATION: (MAIL > FROM) <[EMAIL PROTECTED]> user does not exist on remote system > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Alejandro > Valenzuela > Sent: Thursday, December 04, 2003 11:40 PM > To: [EMAIL PROTECTED] > Subject: [Declude.JunkMail] MAILFROM like Imail Test.. > > > Declude MAILFROM test check only the domain on the MAILFROM address > But we recive a lot of SPAM with mailfrom like this. > <[EMAIL PROTECTED]> > since hotmail.com is a valid Domain, then the message pass the test > > Is there a test like the "Mailfrom" of Imail that test that the > user really exists on the remote server ?? > > <[EMAIL PROTECTED]> (In Imail this will fail...) > > Thanks.. > > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry > Sent: Thursday, December 04, 2003 5:21 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] sniffer > > > FYI, I believe the demo consolidates everything into two separate tests: > General & Malware. However, it will still give you a very good idea of > the > overall effectiveness of running Sniffer with Declude. > > Bill > ----- Original Message ----- > From: "T. Bradley Dean" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Thursday, December 04, 2003 4:02 PM > Subject: RE: [Declude.JunkMail] sniffer > > > >Declude is optimized to run the external test only once > > That was going to be my next question, it looked terribly in-efficient at > first! > > Thanks for the responses guys. I just installed the demo. > > ~Brad > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil > Sent: Wednesday, December 03, 2003 8:10 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.JunkMail] sniffer > > > Brad, > > That's right. > :-) > > Heuristics for patterns are grouped by the spam that prompts us to > generate > them, or by how we created them. Most of the time they are at least close > to classifying the type of spam. Each system that uses Message Sniffer is > encouraged to specify adjustable weights for each rule group so that the > results from the pattern matching tests can be "tuned" for the greatest > accuracy on that system and according to it's unique mix of incoming spam > and the users being served. > > Declude is optimized to run the external test only once and allow the > result code to be evaluated for all of the tests that define that external > test... so in the example shown below sniffer would be called once and > it's > result code would be evaluated many times. > > Message Sniffer will typically match many patterns in a given spam. > Currently the voting system that decides the winning pattern match uses > the > following rule: Chose the first pattern match found with the lowest > symbol. > > Within the standard rulebase, rule groups are loosely grouped so that the > least specific patterns have the largest symbols. The combination of these > arrangements tends toward selecting the most specific pattern match > available for a given message. > > If anyone has other questions that are specific to sniffer then please > feel > free to contact us off list at our support@ sortmonster.com address. > > Thanks, > > _M > > At 10:20 PM 12/3/2003, you wrote: > >Brad, Sniffer does message based pattern matching (Pete, correct me if > >I am wrong). If you opt to separate the 20 or so tests that Sniffer > >currently supports, then you can set whatever weight you want to each > >individual test. Here is how I currently have the individual Sniffer > >tests defined in my global.cfg (License ID and Authentication Code > >obscured): > > > >SNIFFER-WHITELIST external 000 > >"M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" -5 0 > >SNIFFER-TRAVEL external 047 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 07 0 > >SNIFFER-INSURANCE external 048 > "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-AV-PUSH external 049 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 07 0 > >SNIFFER-WAREZ external 050 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-SPAMWARE external 051 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-SNAKEOIL external 052 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-SCAMS external 053 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-PORN external 054 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 12 0 > >SNIFFER-MALWARE external 055 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 12 0 > >SNIFFER-ADVERTISING external 056 > "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-SCHEMES external 057 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-CREDIT external 058 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-GAMBLING external 059 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 10 0 > >SNIFFER-GREYMAIL external 060 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 07 0 > >SNIFFER-OBFUSCATION external 061 > "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 12 0 > >SNIFFER-SPAM external 062 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 07 0 > >SNIFFER-GENERAL external 063 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe > >AuthenticationCode" 12 0 > > > >You would need to adjust the weights to fit your own needs. However, > >this will at least give you a starting point. > > > >Bill > > > >----- Original Message ----- > >From: "T. Bradley Dean" <[EMAIL PROTECTED]> > >To: <[EMAIL PROTECTED]> > >Sent: Wednesday, December 03, 2003 6:43 PM > >Subject: RE: [Declude.JunkMail] sniffer > > > > > >How does Sniffer work? > > > >Their web page says: > > > >"In the best implementations allow you to assign a weight to each > >possible result code. Declude, mxGuard, and SpamAssassin are all good > >examples of systems that allow weights to be assigned to the result > >codes from Message Sniffer." > > > >So if Sniffer says an email is porn spam then it gets a weight of 10, > >but if it's web hosting spam then it's 8? Does the weight differ > >depending on how confident Sniffer is? > > > >What do these rules look like in Global.cfg on $Default$.junkmail? > > > >~Brad > > > >-----Original Message----- > >From: [EMAIL PROTECTED] > >[mailto:[EMAIL PROTECTED] On Behalf Of Mark Smith > >Sent: Tuesday, December 02, 2003 7:54 AM > >To: [EMAIL PROTECTED] > >Subject: RE: [Declude.JunkMail] sniffer > > > > > >Sniffer's well worth the $300.00 per year. > >That breaks down to less than $1.00 per day. > > > >It catches content that some RBLs don't catch. > > > >Mark > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Keith > > > Anderson > > > Sent: Tuesday, December 02, 2003 10:28 AM > > > To: [EMAIL PROTECTED] > > > Subject: RE: [Declude.JunkMail] sniffer > > > > > > > > > It's not worth paying the subscription fee, in my opinion. I have a > > > client that's paying for it, and it doesn't catch very much that > > > isn't already caught somewhere else. > > > > > > > I am considering Maps too. But it's $1500/yr. Anyone using them? > > > > > > > > > > > > --- > > > [This E-mail was scanned for viruses by Declude Virus > > > (http://www.declude.com)] > > > > > > --- > > > This E-mail came from the Declude.JunkMail mailing list. To > > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > > > "unsubscribe Declude.JunkMail". The archives can be found at > > > http://www.mail-archive.com. > > > > > > > > >--- > >[This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > >--- > >This E-mail came from the Declude.JunkMail mailing list. To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > >"unsubscribe Declude.JunkMail". The archives can be found at > >http://www.mail-archive.com. > > > >--- > >[This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > >--- > >This E-mail came from the Declude.JunkMail mailing list. To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > >"unsubscribe Declude.JunkMail". The archives can be found at > >http://www.mail-archive.com. > > > >--- > >[This E-mail was scanned for viruses by Declude Virus > >(http://www.declude.com)] > > > >--- > >This E-mail came from the Declude.JunkMail mailing list. To > >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type > >"unsubscribe Declude.JunkMail". The archives can be found at > >http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, > just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe > Declude.JunkMail". The archives can be found at > http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. > > --- > [This E-mail was scanned for viruses by Declude Virus > (http://www.declude.com)] > > --- > This E-mail came from the Declude.JunkMail mailing list. To > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and > type "unsubscribe Declude.JunkMail". The archives can be found > at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.