Doug,

I understand the method now. Regardless of what Declude might say, it is very simple to test. Just add IPBYPASS 127.0.0.1 and send an E-mail from an off-server account and see if Declude is showing the proper source IP. Right now Declude is showing the source IP as 127.0.0.1.

    X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]

Unfortunately if Declude does handle this properly, you might well end up leaking more spam than without FrontBridge. Some gateways will fix issues that would trip tests such as CMDSPACE, BADHEADERS and SPAMHEADERS. For the latter two, it wouldn't fix all issues, for instance this sample E-mail that you shared hit on both for something that originated in the spam and wasn't fixed by the forwarding situation. For instance, some gateways (such as IMail) will insert a Message-ID when none is found, and that would otherwise trip SPAMHEADERS in a default config. The possible loss of CMDSPACE will have a measurable detrimental effect on spam blocking if their gateways don't replicate the bad data that they receive (a space after the RCPT TO command and before the address during the SMTP session).

FrontBridge is pretty good as such services go, but they cost an arm and a leg, and a very well tuned Declude system can definitely outperform them. I would think that this would be hard to do without adding something like Sniffer to the mix however, and spending some time tweaking things including possibly custom filters. From my understanding, FrontBridge is no Postini, and they might be tops in the very large spam blocking companies, but they still can't lay a hand on some of us Declude users. I have no clue as to how effective your config might be, but it's not out of the realm of possibility that they wouldn't measurably outperform most Declude users' configs, especially if they lost the use of CMDSPACE and some BADHEADERS and SPAMHEADERS hits.

Matt



Doug Anderson wrote:
Matt,
Per your question on what I'm trying to do. New management feels that they want "more" and declude isn't cutting it. The idea was to insert an x-header in, that way frontbridge gets some numbers on spam/not spam without blocking and allow declude to do its thing which I get numbers from. We then compare them. Management feels we're missing 50% of the spam with declude. I disagree with them and was hoping this would show them that we're within only a few percent difference at a substantial price reduction (frontbridge+sprint=$$$$$$$)

Any declude people comment on Matt's email?..

----- Original Message -----
From: Matt
Sent: Tuesday, May 17, 2005 7:23 PM
Subject: Spam-Junk-Ad:Re: [Declude.JunkMail] example

Doug,

Sprint resells FrontBridge, and bigfish.com is one of FrontBridge's servers. The problem is that there are two hops within their network, and while you are IPBYPASSing the connecting server, they have another hop in there with an address of 127.0.0.1 and that needs to be bypassed as well. Even though this is the loopback address, Declude is currently seeing this as the source IP because it is in the first non IPBYPASSed header.

I'm not sure if Declude will handle this the way that you want it to despite the above modification because FrontBridge is also inserting their own headers before the original received header that contains the IP that you are after. I'm not sure if Declude will stop looking for IP's after finding non-Received headers or if it will continue. That all depends on how they handle the parsing and it may or may not be compatible. The following header is the connecting header when it reaches FrontBridge (note that Postfix splits it into a "by" and "from" part):

Received: by mail39-res.bigfish.com (MessageSwitch) id
 1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:23 +0000 (UTC)

Regardless of the above, I'm curious why you aren't filtering for their headers. This message contained a header that seems to indicate that they detected it as spam.

x-sprint-detected-spam: This message appears to be spam.
X-SpamScore: 45
X-CustomSpam: This message was filtered by custom spam filter option - Image
links to remote sites

You would need Declude Pro to set up a filter for the HEADERS, or also an external test could be created for this purpose, but it doesn't seem to make much sense to not block it. Maybe you can clarify what you are trying to do here and why you aren't tagging these headers as spam.

Matt



Doug Anderson wrote:
Anything's possible with sprint.

Below is a header. It seems to be the common theme. BADHEADERS, MAILFROM,
SPAMHEADERS, and HELOBOGUS. Nothing more, nothing less. I've scanned my
declude logs for the last 2 days. No IP4r or rhsbl tests have run.

I put a >>>> at the mark where sprint's headers end and what I want checked.
Shouldn't IPBYPASS look at the 63.161.60.61 and say ignore this part? My
understanding is IPBYPASS should say that's one of mine - don't check it,
check the next hop.



Received: from mail39-res-R.bigfish.com [63.161.60.61] by
mail.ameripride.org with ESMTP
  (SMTPD32-8.15) id A16C43E01AE; Tue, 17 May 2005 17:34:20 -0500
Received: from mail39-res.bigfish.com (localhost.localdomain [127.0.0.1])
 by mail39-res-R.bigfish.com (Postfix) with ESMTP id 1DDC75A8670
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:24 +0000 (UTC)
X-BigFish: vpcs45(z7b5iqca0ilzzzzzz2dh)
x-sprint-detected-spam: This message appears to be spam.
X-SpamScore: 45
X-CustomSpam: This message was filtered by custom spam filter option - Image
links to remote sites
Received: by mail39-res.bigfish.com (MessageSwitch) id
1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
  
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:23 +0000 (UTC)
Date:Tue, 17 May 2005 18:31:23 -0700
From:Approval Department<[EMAIL PROTECTED]>
To:<[EMAIL PROTECTED]>
Subject:NEED FUNDS NOW? Get a 1000USD Cash Advance today
X-ID:4285425
Mime-Version:1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[c010140e].
X-RBL-Warning: HELOBOGUS: Domain mail39-res.bigfish.com has no MX or A
records [0001].
X-RBL-Warning: MAILFROM: Domain OUTGOING58.emailfriendlyhoster.com has no MX
or A records [0001].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[c010140e].
X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
X-Declude-Spoolname: D716C043E01AE0738.SMD
X-Declude-Note: Scanned by Declude 2.0.6 (http://www.declude.com/x-note.htm)
for spam.
X-Declude-Scan: Score [26] at 17:34:22 on 17 May 2005
X-Declude-Tests: BADHEADERS, HELOBOGUS, MAILFROM, SPAMHEADERS, WEIGHT25PLUS
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 374011979


----- Original Message ----- 
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, May 17, 2005 5:24 PM
Subject: Spam-Junk-Ad:Re: [Declude.JunkMail] example


  
Doug,

Is it possible that the spam service you are using may send your message
through multiple servers on their end?

Darrell

 ------------------------------------------------------------------------
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus.  Try it
today - http://www.invariantsystems.com

Doug Anderson writes:

Does anyone have an example of a declude junkmail config file they can
share which has a inbound from a gateway server?

We have an external service scanning the emails for virus and spam
(adding x-header only). So our mx record points to them. They then
send the email via smtp to us.

What I'm hearing from the users is more spam coming through and what I'm
seeing in the headers makes me wonder if we're really checking with
completely.

In my global I have IPBYPASS for all the spam service IP's

Does any other settings need to be set?
      
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail scanned for viruses by Declude Virus]


    



  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
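
Added example (not part of the original thread, and not Declude's actual code): a small Python model of the source-IP selection discussed above, walking the Received headers from the top and skipping IPBYPASS addresses. The function names, the stop_at_foreign_header switch and the fallback when every hop is bypassed are assumptions, used only to show the two parsing behaviours Matt describes.

```python
import re

# Constructed sample: Received chain abridged from the headers quoted in this thread.
SAMPLE = """\
Received: from mail39-res-R.bigfish.com [63.161.60.61] by
 mail.ameripride.org with ESMTP (SMTPD32-8.15) id A16C43E01AE
Received: from mail39-res.bigfish.com (localhost.localdomain [127.0.0.1])
 by mail39-res-R.bigfish.com (Postfix) with ESMTP id 1DDC75A8670
X-BigFish: vpcs45(z7b5iqca0ilzzzzzz2dh)
X-SpamScore: 45
Received: by mail39-res.bigfish.com (MessageSwitch) id
 1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join folded continuation lines into [name, value] pairs, top to bottom."""
    headers = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and headers:
            headers[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip().lower(), value.strip()])
    return headers

def source_ip(raw, bypass, stop_at_foreign_header=False):
    """First bracketed Received IP not in `bypass` (hypothetical model).

    stop_at_foreign_header=True models a parser that stops walking once a
    non-Received header follows a Received header. If every hop seen is
    bypassed, the last bypassed address is returned (an assumption).
    """
    last_seen, seen_received = None, False
    for name, value in unfold(raw):
        if name != "received":
            if seen_received and stop_at_foreign_header:
                break
            continue
        seen_received = True
        match = IP_RE.search(value)
        if match is None:
            continue  # "Received: by ..." hop records no client address
        last_seen = match.group(1)
        if last_seen not in bypass:
            return last_seen
    return last_seen
```

With only 63.161.60.61 bypassed the model returns 127.0.0.1, matching the X-Declude-Sender line in the thread. Adding 127.0.0.1 to the bypass set returns 69.1.199.58, unless the walk stops at the X-BigFish header, in which case it still ends on 127.0.0.1.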
