Hey Nick,
Thanks for responding. Hope you had a nice holiday. Here's an example of the Declude log when a message has a weight over 20 (on our system, we delete these messages). When I check the corresponding message ID in the system log I find that these messages were not delivered to the user's mailbox and they were also NOT forwarded or copied to the user's alternate mailbox. I believe this action is correct.
01/05/2009 00:03:11.783 q9488017a00002a8b.smd XXXXStart: doprewhitelist
01/05/2009 00:03:11.783 q9488017a00002a8b.smd IP 123.128.173.170 not in whitelist (10.240.77.113). nm=ffffffff
01/05/2009 00:03:11.783 q9488017a00002a8b.smd IP 123.128.173.170 not in whitelist (10.240.77.165). nm=ffffffff
01/05/2009 00:03:11.783 q9488017a00002a8b.smd IP 123.128.173.170 not in whitelist (10.240.1.25). nm=ffffffff
01/05/2009 00:03:11.783 q9488017a00002a8b.smd IP 123.128.173.170 not in whitelist (69.159.193.34). nm=ffffffff
01/05/2009 00:03:11.783 q9488017a00002a8b.smd IP 123.128.173.170 not in whitelist (63.246.31.248). nm=ffffffff
01/05/2009 00:03:11.783 q9488017a00002a8b.smd XXXXEND: doprewhitelist
01/05/2009 00:03:16.471 q9488017a00002a8b.smd Filter: Set min weight to fail to 3.
01/05/2009 00:03:16.487 q9488017a00002a8b.smd Filter: Set max weight to 7.
01/05/2009 00:03:16.487 q9488017a00002a8b.smd Triggered COUNTRIES PCRE filter FILTER-COUNTRY : CN [weight -> 5]
01/05/2009 00:03:16.487 q9488017a00002a8b.smd Triggered COUNTRY PCRE filter FILTER-COUNTRY : CN [weight -> 3]
01/05/2009 00:03:16.487 q9488017a00002a8b.smd Filter: Maximum weight of 7 reached (with 8); ending this filter.
01/05/2009 00:03:16.487 q9488017a00002a8b.smd Filter: Set min weight to fail to 6.
01/05/2009 00:03:16.502 q9488017a00002a8b.smd Filter: Set min weight to fail to 6.
01/05/2009 00:03:16.518 q9488017a00002a8b.smd Filter: Set min weight to fail to 7.
01/05/2009 00:03:16.518 q9488017a00002a8b.smd Triggered SUBJECT PCRE filter FILTER-SCAM : -1251?B?U3 [weight -> 4]
01/05/2009 00:03:16.580 q9488017a00002a8b.smd Filter: Set min weight to fail to 8.
01/05/2009 00:03:16.612 q9488017a00002a8b.smd Filter: Set min weight to fail to 2.
01/05/2009 00:03:16.612 q9488017a00002a8b.smd Triggered SUBJECT CONTAINS filter FILTER-SUBJECT on = [weight->1].
01/05/2009 00:03:16.612 q9488017a00002a8b.smd FIVETEN-SRC:2 ZEN:7 CMDSPACE:8 REVDNS:10 SPAMHEADERS:3 nFROMNOMATCH:-1 FILTER-COUNTRY:7 . Total weight = 36.
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Did not find [ [email protected] ] in [ MY USERs EMAIL ] address book
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Finish Address Book WhiteList
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Using [incoming] CFG file E:\IMAIL\Declude\$default$.junkmail.
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Tests failed [weight=36]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] FIVETEN-SRC="" ZEN=IGNORE[7] CMDSPACE=IGNORE[8] REVDNS=IGNORE[10] SPAMHEADERS=IGNORE[3] FILTER-COUNTRY=IGNORE[7] WEIGHT10=SUBJECT[10] WEIGHT14=HOLD[14] WEIGHT20=DELETE[20] WEIGHT30=IGNORE[30]
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed FIVETEN-SRC (170.173.128.123.blackholes.five-ten-sg.com.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed ZEN ("http://www.spamhaus.org/query/bl?ip=123.128.173.170"). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed REVDNS (This E-mail was sent from a MUA/MTA 123.128.173.170 with no reverse DNS entry.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000080f].). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed FILTER-COUNTRY (Message failed FILTER-COUNTRY test (line 197, weight 8) (weight capped at 7)). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed WEIGHT10 (Weight of 36 reaches or exceeds the limit of 10.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed WEIGHT14 (Weight of 36 reaches or exceeds the limit of 14.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Msg failed WEIGHT20 (Weight of 36 reaches or exceeds the limit of 20.). Action="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Subject: =?windows-1251?B?U3dpc3MgQnJhbmRlZCBXYXRjaGVz?=
01/05/2009 00:03:16.690 q9488017a00002a8b.smd From: [email protected] To: MYUSERsEMAIL IP: 123.128.173.170 ID:
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Action(s) taken for [MYUSERsEMAIL] = IGNORE SUBJECT HOLD DELETE [LAST ACTION="">
01/05/2009 00:03:16.690 q9488017a00002a8b.smd Cumulative action(s) on this email = IGNORE SUBJECT HOLD DELETE [LAST ACTION="">
Next here is the Declude log for a message that reached a weight of only 11. This would trigger the SUBJECT action and an IMAIL inbound rule on the domain would deliver to the user's Spam folder.
01/05/2009 00:23:42.393 q995b01a300002c81.smd XXXXStart: doprewhitelist
01/05/2009 00:23:42.393 q995b01a300002c81.smd IP 65.121.73.120 not in whitelist (10.240.77.113). nm=ffffffff
01/05/2009 00:23:42.393 q995b01a300002c81.smd IP 65.121.73.120 not in whitelist (10.240.77.165). nm=ffffffff
01/05/2009 00:23:42.393 q995b01a300002c81.smd IP 65.121.73.120 not in whitelist (10.240.1.25). nm=ffffffff
01/05/2009 00:23:42.393 q995b01a300002c81.smd IP 65.121.73.120 not in whitelist (69.159.193.34). nm=ffffffff
01/05/2009 00:23:42.393 q995b01a300002c81.smd IP 65.121.73.120 not in whitelist (63.246.31.248). nm=ffffffff
01/05/2009 00:23:42.393 q995b01a300002c81.smd XXXXEND: doprewhitelist
01/05/2009 00:23:46.408 q995b01a300002c81.smd Filter: Set min weight to fail to 3.
01/05/2009 00:23:46.612 q995b01a300002c81.smd Filter: Set max weight to 7.
01/05/2009 00:23:46.612 q995b01a300002c81.smd Triggered COUNTRY PCRE filter FILTER-COUNTRY : US [weight -> 0]
01/05/2009 00:23:46.612 q995b01a300002c81.smd Filter: Set min weight to fail to 6.
01/05/2009 00:23:46.721 q995b01a300002c81.smd Filter: Set min weight to fail to 6.
01/05/2009 00:23:46.752 q995b01a300002c81.smd Filter: Set min weight to fail to 7.
01/05/2009 00:23:47.080 q995b01a300002c81.smd Filter: Set min weight to fail to 8.
01/05/2009 00:23:47.080 q995b01a300002c81.smd Triggered BODY PCRE filter FILTER-STOCKS : Market [weight -> 1]
01/05/2009 00:23:47.221 q995b01a300002c81.smd Filter: Set min weight to fail to 2.
01/05/2009 00:23:47.221 q995b01a300002c81.smd CMDSPACE:8 SPAMHEADERS:3 SPFPASS:-2 FROMNOMATCH:2 . Total weight = 11.
01/05/2009 00:23:47.299 q995b01a300002c81.smd Did not find [ FROMADDRESS ] in [ MY USERs EMAIL ] address book
01/05/2009 00:23:47.299 q995b01a300002c81.smd Finish Address Book WhiteList
01/05/2009 00:23:47.299 q995b01a300002c81.smd Using [incoming] CFG file E:\IMAIL\Declude\$default$.junkmail.
01/05/2009 00:23:47.299 q995b01a300002c81.smd Tests failed [weight=11]: CATCHALLMAILS=IGNORE[0] NOLEGITCONTENT=IGNORE[0] IPNOTINMX=IGNORE[0] CMDSPACE=IGNORE[8] SPAMHEADERS=IGNORE[3] SPFPASS=IGNORE[-2] FROMNOMATCH=IGNORE[2] WEIGHT10=SUBJECT[10]
01/05/2009 00:23:47.299 q995b01a300002c81.smd Msg failed CMDSPACE (Space found in RCPT TO: command.). Action="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [4000020e].). Action="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd Msg failed SPFPASS (SPF returned PASS for this E-mail.). Action="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd Msg failed FROMNOMATCH (Env sender (FROMADDRESS) From: (Anthony FROMADDRESS) mismatch.). Action="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd Msg failed WEIGHT10 (Weight of 11 reaches or exceeds the limit of 10.). Action="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd L1 Message OK
01/05/2009 00:23:47.299 q995b01a300002c81.smd Subject: Exclusive Webinar Invitation
01/05/2009 00:23:47.299 q995b01a300002c81.smd From: FROMADDRESS To: MY USERs EMAIL IP: 65.121.73.120 ID:
01/05/2009 00:23:47.299 q995b01a300002c81.smd Action(s) taken for [MYUSERsEMAIL] = IGNORE SUBJECT [LAST ACTION="">
01/05/2009 00:23:47.299 q995b01a300002c81.smd Cumulative action(s) on this email = IGNORE SUBJECT [LAST ACTION="">
Here is the system log for the above message.
01:05 00:23 SMTPD(995b01a300002c81) [10.240.76.1] connect 65.121.73.120 port 36284
01:05 00:23 SMTPD(995b01a300002c81) [65.121.73.120] HELO mx1.expiredandfsboleads.com
01:05 00:23 SMTPD(995b01a300002c81) [65.121.73.120] MAIL FROM: <FROMADDRESS>
01:05 00:23 SMTPD(995b01a300002c81) [65.121.73.120] RCPT TO: <MYUSERsEMAIL>
01:05 00:23 SMTPD(995b01a300002c81) [65.121.73.120] c:\spool\D995b01a300002c81.SMD 13637
01:05 00:23 SMTPD(995b01a300002c81) performing antispam checks
01:05 00:23 SMTP-(995b01a300002c81) processing c:\spool\q995b01a300002c81.smd
01:05 00:23 SMTP-(995b01a300002c81) Inbound X-IMail-Rule: <Copy .Mac Mail>T~MYUSERsEMAIL:[email protected] Data- MYUSERsEMAIL <MYuser@
01:05 00:23 SMTP-(995b01a300002c81) ldeliver MYUSERsDOMAIN.com MYUSER-SPAM (1) FROMADDRESS 14067
01:05 00:23 SMTP-(995b01a300002c81) Trying mac.com (0)
01:05 00:23 SMTP-(995b01a300002c81) 220 smtpin126-bge351000 -- Server ESMTP (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug 4 2008; 32bit))
01:05 00:23 SMTP-(995b01a300002c81) Connect mac.com [17.148.20.65:25] (1)
01:05 00:23 SMTP-(995b01a300002c81) >EHLO smtp.epidirect.com
01:05 00:23 SMTP-(995b01a300002c81) 250-smtpin126-bge351000
01:05 00:23 SMTP-(995b01a300002c81) 250-8BITMIME
01:05 00:23 SMTP-(995b01a300002c81) 250-PIPELINING
01:05 00:23 SMTP-(995b01a300002c81) 250-CHUNKING
01:05 00:23 SMTP-(995b01a300002c81) 250-DSN
01:05 00:23 SMTP-(995b01a300002c81) 250-ENHANCEDSTATUSCODES
01:05 00:23 SMTP-(995b01a300002c81) 250-EXPN
01:05 00:23 SMTP-(995b01a300002c81) 250-HELP
01:05 00:23 SMTP-(995b01a300002c81) 250-XADR
01:05 00:23 SMTP-(995b01a300002c81) 250-XSTA
01:05 00:23 SMTP-(995b01a300002c81) 250-XCIR
01:05 00:23 SMTP-(995b01a300002c81) 250-XGEN
01:05 00:23 SMTP-(995b01a300002c81) 250-XLOOP C9095CB0275B46353EDE5C498AE7120F
01:05 00:23 SMTP-(995b01a300002c81) 250-ETRN
01:05 00:23 SMTP-(995b01a300002c81) 250-NO-SOLICITING
01:05 00:23 SMTP-(995b01a300002c81) 250 SIZE 0
01:05 00:23 SMTP-(995b01a300002c81) >MAIL FROM:<FROMADDRESS>
01:05 00:23 SMTP-(995b01a300002c81) 250 2.5.0 Address Ok.
01:05 00:23 SMTP-(995b01a300002c81) >RCPT To:[email protected]
01:05 00:23 SMTP-(995b01a300002c81) 250 2.1.5 [email protected] OK.
01:05 00:23 SMTP-(995b01a300002c81) >DATA
01:05 00:23 SMTP-(995b01a300002c81) 354 Enter mail, end with a single ".".
01:05 00:23 SMTP-(995b01a300002c81) >.
01:05 00:23 SMTP-(995b01a300002c81) 250 2.5.0 Ok.
01:05 00:23 SMTP-(995b01a300002c81) rdeliver mac.com [email protected] (1) FROMADDRESS 14067
01:05 00:23 SMTP-(995b01a300002c81) >QUIT
01:05 00:23 SMTP-(995b01a300002c81) 221 2.3.0 Bye received. Goodbye.
01:05 00:23 SMTP-(995b01a300002c81) finished c:\spool\q995b01a300002c81.smd status=1
You can see the X-IMAIL Rule firing and sending a copy of the message off to the user's alternate address. I'm thinking that Declude is doing just what it is supposed to do. I checked the user's Spam folder and this message is definitely there and it was copied to the alternate. I have changed the user's inbound copy rule and added:
AND
Subject DOES NOT CONTAIN **SPAM**
That should fix the problem.
-----Original Message-----
From: "Nick Hayer" <[email protected]>
Sent 12/20/2008 6:54:45 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Imail frowarding bypasses Declude JunkMail?
Kathy Leonard wrote:
I have a number of people complaining about a lot of spam getting through to mailboxes. After checking, I found that these people either had Inbound rules copying messages or just forwarding to another mailbox outside the server.
Hi Kathy,
If you would post a header and the corresponding Declude log snippet then that may provide enough info for a possible solution...
-Nick
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
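The correlation done by hand in the message above (match the Declude log's spool ID against the IMail system log and see whether a message that received the SUBJECT action was still sent off-server by an inbound copy rule) can be scripted. This is an added example, not part of the original thread and not Declude or IMail code; the sample lines are constructed from the formats quoted above with placeholder addresses, and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the log formats quoted in the thread;
# the addresses and the second message ID are placeholders.
DECLUDE_LOG = """\
01/05/2009 00:23:47.221 q995b01a300002c81.smd CMDSPACE:8 SPAMHEADERS:3 SPFPASS:-2 FROMNOMATCH:2 . Total weight = 11.
01/05/2009 00:23:47.299 q995b01a300002c81.smd Action(s) taken for [user@example.test] = IGNORE SUBJECT
01/05/2009 00:40:02.100 qaaaa000000000001.smd SPFPASS:-2 . Total weight = -2.
01/05/2009 00:40:02.110 qaaaa000000000001.smd Action(s) taken for [user@example.test] = IGNORE
"""
SYSTEM_LOG = """\
01:05 00:23 SMTP-(995b01a300002c81) ldeliver example.test user-SPAM (1) sender@example.invalid 14067
01:05 00:23 SMTP-(995b01a300002c81) rdeliver mac.com user@alt.example (1) sender@example.invalid 14067
01:05 00:40 SMTP-(aaaa000000000001) ldeliver example.test user-main (1) friend@example.invalid 2048
01:05 00:40 SMTP-(aaaa000000000001) rdeliver mac.com user@alt.example (1) friend@example.invalid 2048
"""

# Declude names the spool file q<ID>.smd; the system log shows the bare <ID>.
WEIGHT_RE = re.compile(r"\sq([0-9a-f]+)\.smd .*Total weight = (-?\d+)\.")
ACTION_RE = re.compile(r"\sq([0-9a-f]+)\.smd Action\(s\) taken for \[[^\]]*\] = ([A-Z ]+)")
RDELIVER_RE = re.compile(r"SMTP-\(([0-9a-f]+)\) rdeliver (\S+) (\S+)")

def parse_declude(text):
    """Return {message_id: {"weight": int, "actions": [str, ...]}}."""
    msgs = {}
    for line in text.splitlines():
        if m := WEIGHT_RE.search(line):
            msgs.setdefault(m.group(1), {})["weight"] = int(m.group(2))
        elif m := ACTION_RE.search(line):
            msgs.setdefault(m.group(1), {})["actions"] = m.group(2).split()
    return msgs

def tagged_but_forwarded(declude_text, system_text, tag_action="SUBJECT"):
    """List (id, weight, remote_rcpt) for tagged messages that were rdelivered."""
    msgs = parse_declude(declude_text)
    hits = []
    for line in system_text.splitlines():
        m = RDELIVER_RE.search(line)
        if not m:
            continue
        info = msgs.get(m.group(1), {})
        if tag_action in info.get("actions", []):
            hits.append((m.group(1), info.get("weight"), m.group(3)))
    return hits

if __name__ == "__main__":
    for msg_id, weight, rcpt in tagged_but_forwarded(DECLUDE_LOG, SYSTEM_LOG):
        print(f"{msg_id}: weight {weight}, tagged as spam but copied to {rcpt}")
```

After a rule change like the one described in the message, rerunning this over fresh logs should return an empty list for the affected user.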
