Before I started seeing these spams, my Declude logs were set to MID, and each of these new spams would show the same three lines:

06/04/2006 07:25:39.868 50467903 Error in envelope file: c:\SmarterMail\Spool\proc\work\50467903.hdr
06/04/2006 07:25:46.165 50467903 AHBL:6 CBL:14 DSBL:6 MXRATE-BLOCK:7 SORBS-HTTP:5 SORBS-WEB:5 SPAMCOP:14 FIVETENSRC:4 BADHEADERS:8 REVDNS:6 . Total weight = 75.
06/04/2006 07:25:46.165 50467903 Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN

The received message would always contain some bogus character in the Return line:

Return-Path: <y> Sun Jun 04 15:30:55 2006

and the Declude Sender would always be blank:

X-Declude-Sender: <> [85.18.14.30]

The WEIGHT14, WEIGHT20, and WEIGHT30 tests I have defined don't show up in the tests failed, and those are the tests that do the holding. Yet as you can see above with a message of weight 75, those tests should have been triggered. So it would seem that somehow Declude aborts before it gets to those tests.

Also, the Country Chain statement that appears in the message header is always blank:

X-Country-Chain:

I have since changed the log level to DEBUG and sent Declude a copy of those logs. Hopefully everyone else who is experiencing this problem is doing the same.

If you want to reproduce this problem on your own system, just take the two characters shown above and swap them for the return line in one of your held spams, then requeue the message. You will see it go through just as described by everyone else on this list.

-------- Original Message --------
> From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
> Sent: Monday, June 05, 2006 7:43 PM
> To: [email protected]
> Subject: RE: AW: AW: AW: [Declude.JunkMail] No action taken
>
> Another country heard from (hey, literally!).
>
> I'm not seeing the email patterns reported. I have a gateway-only scenario so I thought a different angle on this might be helpful.
>
> Like Matt, I thought an illegal character or unusual MAILFROM might contribute to the problem.
>
> I looked through my last few days of logs and although I found enough "NO ACTIONS WERE TAKEN", they were all because of valid whitelist entries.
>
> Andrew.
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Monday, June 05, 2006 3:49 PM
> To: [email protected]
> Subject: Re: AW: AW: AW: [Declude.JunkMail] No action taken
>
> Markus,
>
> Maybe you could post log snippets from both IMail and Declude??? In this case a Q file would also be golden.
>
> It kind of sounds like a non-standard character is being sent and Declude may be barfing on the pattern??? It may be that Declude is showing a null sender (or <l> in one of your examples) because it isn't expecting the character and barfs on the data. Then this may in turn be causing other unexpected behavior. Just guessing of course.
>
> I would dig, but this stuff isn't coming through my gateway.
>
> Matt
>
> Markus Gufler wrote:
>
> looking at another mailserver smtp logfile I can't really see some malformed mailfrom line. The only thing I can see in the other logfiles is a wave of messages with mailfrom lines like
>
> [EMAIL PROTECTED]
>
> the first character is random
> the second one seems always be an underscore (or something similar)
> then is attached a name after the underscore and before the @
> after the @ the domains is a random name like "mail" "bk" or "inbox"
> the final TLD seems always be ".ru"
>
> This pattern of mailfrom is missing completely in the same time range on my IMail Server. There are only mailfrom's like
>
> l
>
> the first character is random the second one seems bring IMail/Declude in the nirvana...
>
> Markus
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
> Sent: Tuesday, 6 June 2006 00:07
> To: [email protected]
> Subject: AW: AW: AW: [Declude.JunkMail] No action taken
>
> After seeing this "" in the smtp logfile it seems not logic to me that there must be something wrong in the configuration.
> The first line of the declude logfiles says that the message is failing several tests and that is not whitelisted as other correctly whitelisted messages are
> Both in- and outgoing final actions are defined to hold such type of messages but they are not hold.
> There are only 4 defined actions IN:Subject, IN:Hold, OUT:Subject and OUT:Hold plus the IGNORE-action. At least one of these actions should happen. But not "no actions were taken"
>
> I can't remember: Are inbound rules processed before or after declude processing?
> At the moment I try to find such a malformed mail from line in an other (not IMail) logfile.
> It would be interesting to have an original queue file of such a message. (not possible with "no actions were taken")
>
> Markus
>
> PS: I haven't sent a message directly to declude support but I expect that they write at least an official statement to the list that they are aware of a possible problem and that they are still alive. (hopefully!!!)
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Monday, 5 June 2006 23:48
> To: [email protected]
> Subject: Re: AW: AW: [Declude.JunkMail] No action taken
>
> Markus,
>
> How about some debug logging? It should be easy to pick out these messages.
>
> I fear that maybe something is different on your system than some others. John for instance indicated that adding the actions to his Global.cfg seems to have fixed the issue, yet you are still seeing the issues. I'm wondering if maybe you are whitelisting them or something??? Maybe it will show an error???
>
> Matt
>
> Markus Gufler wrote:
>
> I'm 100% sure that I have exactly the same two actions defined in both global.cfg and $default$.junkmail. They are there for several months now and this server is handling also several gatewayed domains. As I know gatewayed messages are handled as outgoing.
>
> Markus
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Monday, 5 June 2006 23:10
> To: [email protected]
> Subject: RE: AW: [Declude.JunkMail] No action taken
>
> I think that Matt's reply to Markus is right on track. I went back and looked at some headers from my sneaky stock scamspam and it appears that whatever is happening incorrectly is causing these messages to be treated as outgoing and I had a typo in my global.cfg that was preventing my HOLD and DELETE actions from taking place. I haven't seen any slip through since making that repair.
>
> That doesn't answer Heimir's basic question about official response.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
> Sent: Monday, 05 June 2006 2:53 PM
> To: [email protected]
> Subject: Re: AW: [Declude.JunkMail] No action taken
>
> It seems to be obvious that this is a Declude problem with so many reports.
> Why no response from Declude yet?
>
> H.
>
> Matt wrote:
>
> Markus,
>
> Your headers show that it was also a null sender for the messages that bypassed your weights. Also curiously, you are logging in your headers the inorout variable and it shows the message as being outgoing:
>
> X-Note: Sent from <> - [No Reverse DNS] ([210.212.188.106]) outgoing.
>
> It appears that Declude is treating all null senders as outgoing, which would then use actions contained in your Global.cfg instead of a JunkMail file, and I'm guessing that you don't have any actions defined in your Global.cfg? Maybe that is the source of the bug.
>
> I don't recall this ever happening with 2.x and before, so maybe it's a change of behavior in 3+.
>
> Declude???
>
> Matt
>
> Markus Gufler wrote:
>
> (reposting the same message without attachments)
>
> Hi
>
> After reading this thread and have seen 3 spam messages in my inbox who has final results-lines in the header with more than 200% of my hold weight I've made some research: Exactly the same is happening here with Declude 3.1.0 and Imail 8.15 from 2006-06-04 20:00:00 GMT+1 on. I have the same actions for in- and outgoing messages in my config files.
>
> Normally a message in v3+ is (MID) logged with 6 lines.
> Each message with the final action "NO ACTIONS WERE TAKEN" has only 2 lines in the logfile
>
> 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd CBL:10 SPAMCOP:20 ... . Total weight = 360.
> 06/04/2006 20:00:37.719 q1fa255d9003021bd.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
>
> With this final weight the defined action is HOLD.
>
> I've noted also that this two lines are looking nearly like a whitelisted message:
>
> 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED]
> 06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
>
> So it seems to me that something is whitelisting this type of message but I don't know what.
>
> Following my logfiles around 400 spam each one with a final result between 200 and 400% of the defined hold weight has passed the filter instead of being HOLD.
>
> Markus
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shacklett
> Sent: Monday, 5 June 2006 13:37
> To: [email protected]
> Subject: RE: [Declude.JunkMail] No action taken
>
> This morning I'm seeing a flood of stock spam with scores that are more than double my delete weight getting through with "no action taken". I'm looking at one right now with a score of 67, and in my scheme we delete at 30.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Sunday, 04 June 2006 8:21 PM
> To: [email protected]
> Subject: Re: [Declude.JunkMail] No action taken
>
> I was noticing the other day on some version of 4.x that bounce messages for a domain that should have been using the settings in my $Default$.JunkMail failed to take those actions. Typically I do per-domain configs, but a few I just have using my $Default$.JunkMail. I noticed this as soon as I upgraded to 4.x, and I'm pretty sure it is a bug. I am not sure if it only affects bounce messages or all messages for those domains (note that all of my domains are gatewayed from the Declude box so they may be treated differently from locally hosted E-mail).
>
> I believe that putting the actions in your Global.cfg would take action on this stuff. Global.cfg is meant for outgoing E-mail actions. While this was clearly incoming E-mail and not the way things used to work with 2.x and before, I'm pretty sure that this will take care of the issue.
>
> When I get some time to look into this further I'll probably report the bug to Declude. I'm pretty sure that I have seen several other such posts that might have been caused by this change in behavior.
>
> Matt
>
> Heimir Eidskrem wrote:
>
> Why would no action been taken on this email.
> We hold on 100.
>
> From Declude log:
>
> 06/04/2006 17:38:44.987 q60eb01820000d92b.smd Triggered COUNTRIES CONTAINS filter COUNTRYFILTER on ES [weight->10].
> 06/04/2006 17:38:45.003 q60eb01820000d92b.smd Filter: Set max weight to 60.
> 06/04/2006 17:38:45.112 q60eb01820000d92b.smd Filter: Set max weight to 70.
> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter REVDNSBLACKLIST: Skipping E-mail with a current weight of 245 (>=80)
> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Filter BADWORDFILTER: Skipping E-mail with a current weight of 245 (>=30)
> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245.
> 06/04/2006 17:38:45.159 q60eb01820000d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN
>
> Received: from jose-mih7wjftkx [62.42.134.246] by xxxxxxxxxxx with ESMTP
>   (SMTPD-8.22) id A0EC1404; Sun, 04 Jun 2006 17:38:36 -0500
> Date: Sun, 4 Jun 2006 22:38:39 -0060
> From: "Rene Benjamin" [EMAIL PROTECTED]
> X-Mailer: The Bat! (3.69.9) Personal
> Reply-To: [EMAIL PROTECTED]
> X-Priority: 3 (Normal)
> Message-ID: <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]>
> To: xxxxxxxx
> Subject: Under The Radar Equity Alert
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> X-Declude-Sender: <> [62.42.134.246]
> X-Declude-Spoolname: D60eb01820000d92b.smd
> X-Spam-Tests-Failed: SPAMCOP, FIVETENSRC, SORBS-DUL, NOLEGITCONTENT, IPNOTINMX, COUNTRYFILTER, SNIFFERGETRICH, WEIGHT75, WEIGHT100, CATCHALLMAILS [245]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 440029386
> X-IMail-ThreadID: 60eb01820000d92b
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
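The log pattern this thread keeps returning to (a "Total weight" at or above the hold weight, then "NO ACTIONS WERE TAKEN", with no WHITELISTED line for the same spool id) can be searched for mechanically. The following is an added example, not code from any poster or from Declude; the name `find_unactioned`, the `hold_weight` parameter and the threshold of 30 are assumptions, and the log layout is inferred only from the excerpts quoted above.

```python
import re
from collections import defaultdict

# Layout of the MID-level log lines quoted in this thread:
#   MM/DD/YYYY HH:MM:SS.mmm <spool id> <text>
LINE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\S+) (.*)$")
WEIGHT = re.compile(r"Total weight = (-?\d+)\.")
NO_ACTION = "Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN"

def find_unactioned(log_lines, hold_weight):
    """Return (spool_id, weight, envelope_error) for every message that reached
    hold_weight, was not whitelisted, and still ended with no action taken."""
    msgs = defaultdict(lambda: {"weight": None, "no_action": False,
                                "whitelisted": False, "envelope_error": False})
    for raw in log_lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        spool_id, text = m.groups()
        rec = msgs[spool_id]
        w = WEIGHT.search(text)
        if w:
            rec["weight"] = int(w.group(1))
        rec["no_action"] |= NO_ACTION in text
        rec["whitelisted"] |= "WHITELISTED" in text
        rec["envelope_error"] |= text.startswith("Error in envelope file")
    # A whitelisted message also logs NO ACTIONS WERE TAKEN, so exclude those.
    return [(sid, r["weight"], r["envelope_error"])
            for sid, r in msgs.items()
            if r["no_action"] and not r["whitelisted"]
            and r["weight"] is not None and r["weight"] >= hold_weight]

# Log lines copied from the excerpts in this thread, one entry per line.
# "[EMAIL PROTECTED]" is the archive's redaction, kept as it appears.
SAMPLE = [
    r"06/04/2006 07:25:39.868 50467903 Error in envelope file: c:\SmarterMail\Spool\proc\work\50467903.hdr",
    "06/04/2006 07:25:46.165 50467903 AHBL:6 CBL:14 DSBL:6 MXRATE-BLOCK:7 SORBS-HTTP:5 SORBS-WEB:5 SPAMCOP:14 FIVETENSRC:4 BADHEADERS:8 REVDNS:6 . Total weight = 75.",
    "06/04/2006 07:25:46.165 50467903 Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN",
    "06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Action(s) taken for [EMAIL PROTECTED] = WHITELISTED [LAST ACTION=WHITELISTED]",
    "06/04/2006 19:31:27.015 q18de1b3b00b21c63.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN",
    "06/04/2006 17:38:45.159 q60eb01820000d92b.smd SPAMCOP:70 FIVETENSRC:30 SORBS-DUL:35 COUNTRYFILTER:10 SNIFFERGETRICH:100 . Total weight = 245.",
    "06/04/2006 17:38:45.159 q60eb01820000d92b.smd Cumulative action(s) taken on this email = NO ACTIONS WERE TAKEN",
]

if __name__ == "__main__":
    for hit in find_unactioned(SAMPLE, hold_weight=30):  # 30 is an assumed threshold
        print(hit)
```

Set `hold_weight` to the site's own hold or delete weight; the third field marks messages that also logged "Error in envelope file", as in the first excerpt.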
