Hi Fred and Matt, The received headers showed that the mail went through the following hosts:
ads.tcbinc.net mail.tcbinc.net dns2.tcbinc.net bks.tcbinc.com It seems like two of those hosts were running Imail/declude (or one was a multi-homed machine running Imail/declude that was given the email twice). Fred probably isn't explaining his setup because it works well in all other cases and he doesn't think the configuration is relevant to this problem - but it is confusing for the outsider who is analyzing the problem. It also looks to me like the email routing may be relevant to the problem. If the problem is reproducible in an environment without the extra routing, then it should be investigated and fixed. I'm not able to test this at the moment however. Even if it occurs only in a set up with the extra routing it should still be investigated to determine if it is a bug in declude or in something else - but only those with multiple decludes would be able to test that. Sorry I can't help more. Best Regards Mike Higgins H&M Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x14 (Business) Fax: +1 201 934-9206 http://www.HM-Software.com/ ________________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Wednesday, April 13, 2005 2:32 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The line that you commented out looked fine to me, so that is strange. What concerns me is that the message is being processed twice by Declude. I would hate to see this happen with other things as that is a waste of resources. As long as we're still guessing and thinking out loud, maybe 2.0.5 wasn't double-processing the E-mail and now 2.0.6 is, and that might have uncovered a bug with the XINHEADER insertion that may have existed before...or maybe a new %TESTSFAILEDWITHWEIGHTS% bug. I recall in a more recent version of IMail that the behavior in IMail had changed and Scott had to code a fix into Declude so that it wouldn't double process forwarded messages. Maybe that code is broken or lost due to recent tweaking. I would imagine that over the years there were a lot of small things that Scott programmed into the product that resolved quirks with IMail but could be overlooked or lost in recoding for new features and fixes. Another very strange thing is that the following headers I don't believe get added to an E-mail until it lands in an account, but they appeared before the second set of Declude headers in the message: X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 411698213 I can't tell however if IMail inserted them after the first time through or after the second time through. If they were added the first time through that might be odd behavior that Declude wasn't expecting to see...but then again it may be equally plausible that space aliens have hijacked your server and are just having their laughs :) I guess that's it for my speculation. Matt Frederick Samarelli wrote: We have incoming email scanned by Symantec Gateway Antivirus then have to sent to the imail server. For some of my tests I bypassed the Symantec server and the problem remained. Only removing the line listed fixed the problem. ----- Original Message ----- From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 1:43 PM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, The example that you sent earlier was being processed twice and it was passing through IMail to Symantec and back to IMail with some other forwarding mechanism as well, and the headers were written 30 seconds apart. I think that understanding what is happening there might be beneficial to uncovering the issue at hand, and maybe there are steps in that chain that are unnecessary or out of place. I don't doubt that 2.0.6 might have introduced a bug that is reacting to this condition, but the path the E-mail is taking doesn't seem normal and that could be affecting it, and probably is why others aren't reporting this. Knowing what is going on within your system might also help Declude diagnose the issue better also. Your config looks just fine, but the path the E-mail is taking looks abnormal to me. Matt Frederick Samarelli wrote: This is not the case. I sent a test from my Yahoo account to my imail account. If I look at it in Imail it is ok. If I do the test again having a forward in on my imail account to an AOL account the header info get placed in the top of the BODY when I received it at my AOL account. See below from the TEXT of the BODY. X-Spam-Tests-Failed Weight: SNIFFERZERO [0] X-Spam-Time:12:53:55 X-Note: Total spam weight of this E-mail is 0 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO X-Weight: 0 X-Mailfrom: samarelli.yahoo.com X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: web51803.mail.yahoo.com ([206.190.38.234]) X-Hello: web51803.mail.yahoo.com X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination X-AOL-IP: 64.124.116.40 X-AOL-SCOLL-SCORE:0:0:0: X-AOL-SCOLL-URL_COUNT:0 ----- Original Message ----- From: Matt To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 11:49 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 Fred, It looks like two full sets of Declude's XINHEADER's, and something caused a double line break in it. I am also having a problem understanding the path that this E-mail took, and maybe that will give you some clues. There is something forwarding the message and that might partially explain why it has two sets of headers, but the double line break shouldn't appear there. Maybe you could explain the path that this took: 64.124.116.10 (IMail) -> SMTP32-FWD (Probably also IMail) -> 64.124.116.40 (SMSSMTP, Symantec???) -> 64.124.116.30 (IMail again). I am going to guess that it is possible that Declude is getting confused based on the body being in a format similar to a header where there is a word followed by a colon, and in the process, it might be inserting the headers in the wrong location when it is adding them the second time. Total guess there of course. I suspect that the path is causing some form of double-processing, possibly the Symantec SMSSMTP piece, and that if you could resolve that, the problem might go away. Also note that the headers show a 30 second difference between the headers, so it's going somewhere. So to summarize, it looks like it's being double-processed due to some mechanism involving SMSSMTP, and Declude is maybe parsing the message incorrectly for where to insert the second set of headers, and if you could get it to only process it once (remove forwarding/looping possible issue), the symptom might go away. If so, Declude might also want to look at the parsing code for where to insert the headers and account for the condition in future releases as I'm sure that isn't intentional. Matt Frederick Samarelli wrote: See attached config. The problem only started after the update from 2.0.5 to 2.0.6 ----- Original Message ----- From: Darin Cox To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:39 AM Subject: Re: [Declude.JunkMail] Something new with v 2.0.6 I think we're going to have to see the Global.CFG to figure out if there's a misconfiguration. I certainly looks like your entire XINHEADER config is duplicated. Darin. ----- Original Message ----- From: Frederick Samarelli To: Declude.JunkMail@declude.com Sent: Wednesday, April 13, 2005 10:34 AM Subject: [Declude.JunkMail] Something new with v 2.0.6 HEADER Received: from dns2.tcbinc.net [64.124.116.30] by bks.tcbinc.com (SMTPD32-8.15) id A5E13540470; Wed, 13 Apr 2005 03:10:25 -0400 Received: from mail.tcbinc.net ([64.124.116.40]) by dns2.tcbinc.net (SMSSMTP 4.1.0.19) with SMTP id M2005041303105928414 for <[EMAIL PROTECTED]>; Wed, 13 Apr 2005 03:10:59 -0400 Received: from SMTP32-FWD by mail.tcbinc.net (SMTP32) id AC601002507EA4CF6; Wed, 13 Apr 2005 03:10:59 -0400 Received: from ADS [64.124.116.10] by mail.tcbinc.net (SMTPD32-8.15) id A6012507EA; Wed, 13 Apr 2005 03:10:57 -0400 SUBJECT: Virus Found Message-Id: <[EMAIL PROTECTED]> X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200000]. X-RBL-Warning: WEIGHT10: Total weight between 10 and 14. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC601002507EA4CF6.SMD X-RBL-Warning: SNIFFERZERO: Message failed SNIFFERZERO: 0. X-RBL-Warning: SPFPASS: SPF returned PASS for this E-mail. X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c200000]. X-RBL-Warning: HELOBOGUS: Domain ADS has no MX or A records [0301]. X-Declude-Sender: [EMAIL PROTECTED] [64.124.116.10] X-Declude-Spoolname: DC5E1035404704CAF.SMD X-Note: Total spam weight of this E-mail is 3. X-RBL-Warning: Total weight: 3 X-Note: This E-mail was scanned & filtered by TCB [2.0.6] for SPAM & virus. X-Spam-Tests-Failed: SNIFFERZERO, SPFPASS, BADHEADERS, HELOBOGUS X-Spam-Tests-Failed Weight: SNIFFERZERO [0], SPFPASS [0], BADHEADERS [2], HELOBOGUS [1] X-Spam-Time:03:10:29 X-Weight: 3 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination From: [EMAIL PROTECTED] Date: Wed, 13 Apr 2005 03:10:29 -0400 X-RCPT-TO: <[EMAIL PROTECTED]> Status: U X-UIDL: 411698213 BODY: X-Spam-Tests-Failed Weight: SNIFFERZERO [0], CMDSPACE [8], SPFPASS [0], BADHEADERS [2], WEIGHT10 [10] X-Spam-Time:03:10:59 X-Note: Total spam weight of this E-mail is 10 X-Note: This E-mail was scanned & filtered by Declude [2.0.6] for SPAM & virus X-Spam-Tests-Failed: SNIFFERZERO, CMDSPACE, SPFPASS, BADHEADERS, WEIGHT10 X-Weight: 10 X-Mailfrom: fred.tcbinc.net X-Note: Sent from: [EMAIL PROTECTED] X-Note: Sent from Reverse DNS: ads.tcbinc.net ([64.124.116.10]) X-Hello: ADS X-Note: Recipient(s): [EMAIL PROTECTED] X-Country-Chain: UNITED STATES->destination Date: Wed, 13 Apr 2005 03:10:59 -0400 Virus:[EMAIL PROTECTED] Alert: Virus Found Computer: DNS2 Date: 04/13/2005 Time: 03:10:54 AM Severity: Critical Source: Norton AntiVirus Corporate Edition -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ ===================================================== --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.