Hi Doug,
 
On the Declude isn't cutting it thread... Declude plus Message Sniffer catches well over 99.9% of spam for us, with spam being about 68% of traffic during the week and 90% over the weekend.  So, this combo can certainly be configured to catch almost everything coming in.
 
You might consider signing up for the MDLP beta from SortMonster.  If nothing else, it will give you some great statistics on the effectiveness of the tests you run.  Couple that with publishing an email address for users to forward any received spam to and you should get a fairly accurate picture of your capture rate, as well as have a mechanism for tuning your filters/weights.

Darin.
 
 
----- Original Message -----
Sent: Tuesday, May 17, 2005 11:02 PM
Subject: Re::Re: [Declude.JunkMail] example

Matt,
  Per your question on what I'm trying to do. New management feels that they want "more" and declude isn't cutting it. The idea was to insert an x-header in, that way frontbridge gets some numbers on spam/not spam without blocking and allow declude to do its thing which I get numbers from. We then compare them. Management feels we're missing 50% of the spam with declude. I disagree with them and was hoping this would show them that we're within only a few percent difference at a substantial price reduction (frontbridge+sprint=$$$$$$$)
 
Any declude people comment on Matt's email?..
 
----- Original Message -----
From: Matt
Sent: Tuesday, May 17, 2005 7:23 PM
Subject: Spam-Junk-Ad:Re: [Declude.JunkMail] example

Doug,

Sprint resells FrontBridge, and bigfish.com is one of FrontBridge's servers.  The problem is that there are two hops within their network, and while you are IPBYPASSing the connecting server, they have another hop in there with an address of 127.0.0.1 and that needs to be bypassed as well.  Even though this is the loopback address, Declude is currently seeing this as the source IP because it is in the first non IPBYPASSed header.

I'm not sure if Declude will handle this the way that you want it to despite the above modification because FrontBridge is also inserting their own headers before the original received header that contains the IP that you are after.  I'm not sure if Declude will stop looking for IP's after finding non-Received headers or if it will continue.  That all depends on how they handle the parsing and it may or may not be compatible.  The following header is the connecting header when it reaches FrontBridge (note that Postfix splits it into a "by" and "from" part):

Received: by mail39-res.bigfish.com (MessageSwitch) id
 1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:23 +0000 (UTC)

Regardless of the above, I'm curious why you aren't filtering for their headers.  This message contained a header that seems to indicate that they detected it as spam.

x-sprint-detected-spam: This message appears to be spam.
X-SpamScore: 45
X-CustomSpam: This message was filtered by custom spam filter option - Image
links to remote sites

You would need Declude Pro to set up a filter for the HEADERS, or also an external test could be created for this purpose, but it doesn't seem to make much sense to not block it.  Maybe you can clarify what you are trying to do here and why you aren't tagging these headers as spam.

Matt



Doug Anderson wrote:
Anything's possible with sprint.

Below is a header. It seems to be the common theme. BADHEADERS, MAILFROM:
SPAMHEADERS, and HELOBOGUS. Nothing more, nothing less. I've scanned my
declude logs for the last 2 days. No IP4r or rhsbl tests have run.

I put a >>>> at the mark where sprint's headers end and what I want checked.
Shouldn't IPBYPASS look at the 63.161.60.61 and say ignore this part? My
understanding is IPBYPASS should say that's one of mine - don't check it,
check the next hop.



Received: from mail39-res-R.bigfish.com [63.161.60.61] by
mail.ameripride.org with ESMTP
  (SMTPD32-8.15) id A16C43E01AE; Tue, 17 May 2005 17:34:20 -0500
Received: from mail39-res.bigfish.com (localhost.localdomain [127.0.0.1])
 by mail39-res-R.bigfish.com (Postfix) with ESMTP id 1DDC75A8670
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:24 +0000 (UTC)
X-BigFish: vpcs45(z7b5iqca0ilzzzzzz2dh)
x-sprint-detected-spam: This message appears to be spam.
X-SpamScore: 45
X-CustomSpam: This message was filtered by custom spam filter option - Image
links to remote sites
Received: by mail39-res.bigfish.com (MessageSwitch) id
1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
  
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1
 for <[EMAIL PROTECTED]>; Tue, 17 May 2005 22:31:23 +0000 (UTC)
Date:Tue, 17 May 2005 18:31:23 -0700
From:Approval Department<[EMAIL PROTECTED]>
To:<[EMAIL PROTECTED]>
Subject:NEED FUNDS NOW? Get a 1000USD Cash Advance today
X-ID:4285425
Mime-Version:1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[c010140e].
X-RBL-Warning: HELOBOGUS: Domain mail39-res.bigfish.com has no MX or A
records [0001].
X-RBL-Warning: MAILFROM: Domain OUTGOING58.emailfriendlyhoster.com has no MX
or A records [0001].
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[c010140e].
X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
X-Declude-Spoolname: D716C043E01AE0738.SMD
X-Declude-Note: Scanned by Declude 2.0.6 (http://www.declude.com/x-note.htm)
for spam.
X-Declude-Scan: Score [26] at 17:34:22 on 17 May 2005
X-Declude-Tests: BADHEADERS, HELOBOGUS, MAILFROM, SPAMHEADERS, WEIGHT25PLUS
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 374011979


----- Original Message ----- 
From: "Darrell ([EMAIL PROTECTED])" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, May 17, 2005 5:24 PM
Subject: Spam-Junk-Ad:Re: [Declude.JunkMail] example


  
Doug,

Is it possible that the spam service you are using may send your message
through multiple servers on their end?

Darrell

 ------------------------------------------------------------------------
DLAnalyzer - Comprehensive reporting for Declude Junkmail and Virus.  Try it
today - http://www.invariantsystems.com

Doug Anderson writes:

Does anyone have an example of a declude junkmail config file they can share which has an inbound from a gateway server?

We have an external service scanning the emails for virus and spam (adding x-header only). So our mx record points to them. They then send the email via smtp to us.

What I'm hearing from the users is more spam coming through and what I'm seeing in the headers makes me wonder if we're really checking with completely.

In my global I have IPBYPASS for all the spam service IP's

Do any other settings need to be set?

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail scanned for viruses by Declude Virus]


    



  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
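
The hop-skipping behaviour discussed in this thread, as an added example that is not part of the original messages and is not Declude's own parsing logic: it walks the Received headers newest-first, skips bypassed hops and "by"-only hops, keeps going past interleaved non-Received headers, and returns the first remaining IP. The function name `source_ip`, the bypass-list format and the sample message (built from the header posted above) are assumptions made for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample: same hop layout as the header posted in the thread,
# with the redacted "for <...>" clauses dropped.
RAW = """\
Received: from mail39-res-R.bigfish.com [63.161.60.61] by
 mail.ameripride.org with ESMTP
 (SMTPD32-8.15) id A16C43E01AE; Tue, 17 May 2005 17:34:20 -0500
Received: from mail39-res.bigfish.com (localhost.localdomain [127.0.0.1])
 by mail39-res-R.bigfish.com (Postfix) with ESMTP id 1DDC75A8670;
 Tue, 17 May 2005 22:31:24 +0000 (UTC)
X-SpamScore: 45
Received: by mail39-res.bigfish.com (MessageSwitch) id
 1116369083564041_21303; Tue, 17 May 2005 22:31:23 +0000 (UCT)
Received: from OUTGOING58.postalmailhostings.com (unknown [69.1.199.58])
 by mail39-res.bigfish.com (Postfix) with SMTP id 30BB45A86B1;
 Tue, 17 May 2005 22:31:23 +0000 (UTC)
Subject: constructed sample

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def source_ip(raw, bypass):
    """Return the first Received-header IP outside the bypassed networks."""
    nets = [ip_network(b) for b in bypass]
    msg = message_from_string(raw)
    # get_all() preserves header order: newest hop first.
    for value in msg.get_all("Received", []):
        if not value.lstrip().lower().startswith("from"):
            continue                      # "by"-only hop, no client IP
        m = BRACKETED_IPV4.search(value)
        if not m:
            continue
        try:
            ip = ip_address(m.group(1))
        except ValueError:
            continue                      # malformed address, e.g. [999.1.1.1]
        if not any(ip in net for net in nets):
            return str(ip)
    return None

if __name__ == "__main__":
    print(source_ip(RAW, ["63.161.60.61"]))                  # gateway only
    print(source_ip(RAW, ["63.161.60.61", "127.0.0.0/8"]))   # plus loopback
```

With only the gateway's connecting address bypassed, the result is the loopback hop, which matches the `X-Declude-Sender: ... [127.0.0.1]` line in the posted header; bypassing loopback as well yields 69.1.199.58.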
