Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Matthew Bramble
That's why you should name it BONDEDSENDER-DYNA and why it doesn't 
matter on my system.

The trick here is that Declude will skip over the DNS-based tests on 
anything beyond the first hop if the name has DUL or DYNA in it.  
Someone else is using CBL-DYNA in order to keep that test from throwing 
FP's when the originating computer's IP address is on the list, but used 
a legit mail server to send the E-mail (instead of direct delivery which 
is the real issue).

Scanning multiple hops seems to be mostly useful in places where E-mail 
is being forwarded, which only exposes the legit forwarding machine.  It 
would be great if there was some other way to identify when a message 
has been forwarded at the server level, and skip the last hop when that 
happens.  I kind of doubt that this would be possible.  In the 
mean-time, I am going to try IPBYPASSing the mail servers that are known 
to be forwarding to my server which should have the same effect as a 
selective use of multiple hop scanning.

Matt



George Kulman wrote:

Matt,

I do scan multiple hops.

George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew Bramble
Sent: Friday, December 05, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
definitely prevent it from scanning prior hops.  I find this test to be 
useful as it is IP based and helps some very important E-mail that tends 
to have issues with several major RBL's.  I haven't started to scan on 
multiple hops yet, so this doesn't come into play.

Matt



George Kulman wrote:

   

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.

I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.

George

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?

Rob


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30

2003-12-05 Thread Matthew Bramble
Well, I was really hoping it would have been a Declude problem...that 
way it probably would have been fixed in days as opposed to requiring me 
to get an upgrade to IMail 8 for them to fix the issue.

I'm going to reduce my queue from running every 15 minutes to every hour 
just to lessen the possibility of this happening.  Please keep us posted 
if you hear anything.  I imagine it will take them a while and IMail 7 
users may be out in the dark.

Matt



R. Scott Perry wrote:


This is the first time that I have ever seen this and it occurred 
just a few days after upgrading from 1.75i6 to 1.76i28-30.  Unlike 
some others that I have noted in the past, I am using IMail 7.15 
Hotfix 2, so it doesn't seem related to IMail 8.


This is getting scary.  It looks like there is a serious bug in IMail 
v7 and v8 that is just starting to be discovered:

--- IMail Log ---
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.


This is the same pattern that we tracked in another E-mail:

[1] IMail's SMTPD process starts receiving the E-mail.
[2] IMail starts a "queue run" to deliver E-mail in the spool
[3] IMail's SMTPD process saves the E-mail to the hard drive
[4] IMail's queue run delivers the E-mail
[5] IMail's SMTPD process starts Declude
[6] IMail tries to deliver the E-mail that Declude scanned

Ipswitch has been notified that there is a problem here; hopefully, 
they will take care of it.

   -Scott




Re: [Declude.JunkMail] Request for a possible new feature - Whitelist Reason

2003-12-05 Thread R. Scott Perry

> Would it be possible to indicate why an email is whitelisted in the headers?
> Like:
> Whitelisted(Auth)
> Whitelisted(Auto)
> Whitelisted(CFG)
> Whitelisted(File)
> This would make it easier to determine why an email is whitelisted.

That's something we are going to try to add.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30

2003-12-05 Thread R. Scott Perry

> This is the first time that I have ever seen this and it occurred just a 
> few days after upgrading from 1.75i6 to 1.76i28-30.  Unlike some others 
> that I have noted in the past, I am using IMail 7.15 Hotfix 2, so it 
> doesn't seem related to IMail 8.

This is getting scary.  It looks like there is a serious bug in IMail v7 
and v8 that is just starting to be discovered:

--- IMail Log ---
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.

This is the same pattern that we tracked in another E-mail:

[1] IMail's SMTPD process starts receiving the E-mail.
[2] IMail starts a "queue run" to deliver E-mail in the spool
[3] IMail's SMTPD process saves the E-mail to the hard drive
[4] IMail's queue run delivers the E-mail
[5] IMail's SMTPD process starts Declude
[6] IMail tries to deliver the E-mail that Declude scanned

Ipswitch has been notified that there is a problem here; hopefully, they 
will take care of it.

   -Scott
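
A log check for the ordering problem described in the message above, as an added example that is not part of the original post or of Declude/IMail: it correlates the IMail log with the Declude log by spool ID and reports messages the delivery process began `processing` before Declude logged anything for them. The first four IMail lines and the first two Declude lines are the ones quoted in the thread (wrapped lines joined); the `Q9999...` lines are constructed to show the normal order, and the assumption is that both logs are written on the same host clock.

```python
import re
from datetime import datetime

# IMail log: four lines from the thread plus one constructed line (Q9999...).
IMAIL_LOG = r"""
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
20031205 190510 127.0.0.1   SMTP (4012) processing E:\spool\Q9999000000000001.SMD
"""

# Declude log: two lines from the thread plus one constructed line (Q9999...).
DECLUDE_LOG = """
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.
12/05/2003 19:05:07 Q9999000000000001 Scanned: Virus Free [MIME: 1 512]
"""

# Delivery process lines only ("SMTP (pid) processing ..."); SMTPD lines do not match.
IMAIL_PROCESSING = re.compile(
    r"^(\d{8}) (\d{6}) \S+\s+SMTP \((\d+)\) processing .*\\(Q[0-9A-Fa-f]+)\.SMD\s*$"
)
DECLUDE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9A-Fa-f]+) (.*)$"
)
ACTION = re.compile(r"Action=(\w+)")


def delivery_starts(imail_log):
    """Map spool ID -> earliest time the delivery process began processing it."""
    starts = {}
    for line in imail_log.splitlines():
        m = IMAIL_PROCESSING.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        spool_id = m.group(4).lower()
        starts[spool_id] = min(ts, starts.get(spool_id, ts))
    return starts


def declude_events(declude_log):
    """Map spool ID -> (first Declude timestamp, last Action= value or None)."""
    events = {}
    for line in declude_log.splitlines():
        m = DECLUDE_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        spool_id = m.group(2).lower()
        first_seen, action = events.get(spool_id, (ts, None))
        found = ACTION.search(m.group(3))
        if found:
            action = found.group(1)
        events[spool_id] = (min(ts, first_seen), action)
    return events


def delivered_before_scan(imail_log, declude_log):
    """Report messages whose delivery started before Declude's first log entry."""
    starts = delivery_starts(imail_log)
    findings = []
    for spool_id, (first_seen, action) in sorted(declude_events(declude_log).items()):
        started = starts.get(spool_id)
        # Timestamps have one-second resolution, so equal times are not flagged.
        if started is not None and started < first_seen:
            findings.append({
                "spool_id": spool_id,
                "delivery_started": started,
                "declude_first_seen": first_seen,
                "lead_seconds": int((first_seen - started).total_seconds()),
                "declude_action": action,
            })
    return findings


if __name__ == "__main__":
    for f in delivered_before_scan(IMAIL_LOG, DECLUDE_LOG):
        print(f"{f['spool_id']}: delivery started {f['lead_seconds']}s before "
              f"Declude (action {f['declude_action']})")
```

A finding whose `declude_action` is DELETE or HOLD is the case that matters: the filter's verdict was logged but the message had already been picked up for delivery.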


[Declude.JunkMail] Request for a possible new feature - Whitelist Reason

2003-12-05 Thread J.D. Springer




Scott:

Would it be possible to indicate why an email is whitelisted in the headers?
Like:
Whitelisted(Auth)
Whitelisted(Auto)
Whitelisted(CFG)
Whitelisted(File)

This would make it easier to determine why an email is whitelisted.

Sincerely,
J.D. Springer




---
[This E-mail scanned for viruses by Declude Virus at MAILER.DB2Consulting.com]



RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread George Kulman
Matt,

I do scan multiple hops.

George

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Matthew Bramble
> Sent: Friday, December 05, 2003 7:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER 
> didn't work for me me
> 
> 
> George,
> 
> The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
> definitely prevent it from scanning prior hops.  I find this 
> test to be 
> useful as it is IP based and helps some very important E-mail 
> that tends 
> to have issues with several major RBL's.  I haven't started 
> to scan on 
> multiple hops yet, so this doesn't come into play.
> 
> Matt
> 
> 
> 
> George Kulman wrote:
> 
> >Rob,
> >
> >Your backup and gateways should have IPBYPASS entries in the 
> GLOBAL.CFG.
> >
> >The BONDEDSENDER should be the originating Server and that 
> should be what's
> >used for this test.
> >
> >I discontinued use within a few days since  was letting spam 
> through with it
> >and there were other ways to handle the valid mail.
> >
> >George
> >
> >  
> >
> >>-Original Message-
> >>From: [EMAIL PROTECTED] 
> >>[mailto:[EMAIL PROTECTED] On Behalf Of 
> >>Robert Grosshandler
> >>Sent: Friday, December 05, 2003 6:38 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
> >>didn't work for me me
> >>
> >>
> >>Negative weights on last hop only?
> >>
> >>How would that affect a gateway (or e-mail that goes to a 
> backup mail
> >>server)?
> >>
> >>Rob
> >>
> >>
> >>
> 
> 


Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Matthew Bramble
George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
definitely prevent it from scanning prior hops.  I find this test to be 
useful as it is IP based and helps some very important E-mail that tends 
to have issues with several major RBL's.  I haven't started to scan on 
multiple hops yet, so this doesn't come into play.

Matt



George Kulman wrote:

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.
I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.
George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob

   





[Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30

2003-12-05 Thread Matthew Bramble
Scott,

This is the first time that I have ever seen this and it occurred just a 
few days after upgrading from 1.75i6 to 1.76i28-30.  Unlike some others 
that I have noted in the past, I am using IMail 7.15 Hotfix 2, so it 
doesn't seem related to IMail 8.

I'm thinking that since I first noticed this so soon after upgrading to 
the 1.76 beta (I was on 1.75 until a few days ago), that it in fact has 
something to do with Declude and something that was introduced with 
1.76.  This message shows up in all of my logs, including both Declude 
logs, but the message headers don't show any marks and the message 
scored 8 times my hold weight and was still delivered.

The corresponding section of all associated logs and the message headers 
follow.

Thanks,

Matt

--- Message Headers ---
From - Fri Dec 05 18:43:42 2003
X-UIDL: 363570087
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Received: from e.greatestsavingsnow.com [64.119.217.36] by igaia.com
 (SMTPD32-7.15) id A80046101B0; Fri, 05 Dec 2003 18:42:56 -0500
To: [EMAIL PROTECTED]
Date: Fri, 5 Dec 2003 18:43:00 -0500
Message-ID: <[EMAIL PROTECTED]>
From: Degrees Online <[EMAIL PROTECTED]>
Return-Path: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: At No Cost to you - Let our online advisors help you
X-MimeOLE: Prodigy Compatibility V 4.f416b237 or later
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 363570087
--- IMail Log ---
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] connect 
64.119.217.36 port 41441
20031205 184256 127.0.0.1   SMTPD (046101B0) [64.119.217.36] HELO 
e.greatestsavingsnow.com
20031205 184256 127.0.0.1   SMTPD (046101B0) [64.119.217.36] MAIL 
FROM: <[EMAIL PROTECTED]>
20031205 184257 127.0.0.1   SMTPD (046101B0) [64.119.217.36] RCPT 
TO: <[EMAIL PROTECTED]>
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] 
E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1   SMTP (3696) processing 
E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1   SMTP (3696) ldeliver igaia.com matt-main 
(1) [EMAIL PROTECTED] 1332
20031205 184258 127.0.0.1   SMTP (3696) finished 
E:\spool\Q1800046101b02123.SMD status=1
20031205 184258 127.0.0.1   SMTP (3696) E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1   SMTP (3696) processing 
E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1   SMTP (3696) Trying a-znet.com (0)
20031205 184258 127.0.0.1   SMTP (3696) Connect a-znet.com 
[209.105.132.200:25] (1)
20031205 184258 127.0.0.1   SMTP (3696) 220 
mail01.ispc.xtelegent.net ESMTP Postfix
20031205 184258 127.0.0.1   SMTP (3696) >EHLO igaia.com
20031205 184258 127.0.0.1   SMTP (3696) 250-mail01.ispc.xtelegent.net
20031205 184258 127.0.0.1   SMTP (3696) 250-PIPELINING
20031205 184258 127.0.0.1   SMTP (3696) 250-SIZE 1024
20031205 184258 127.0.0.1   SMTP (3696) 250-VRFY
20031205 184258 127.0.0.1   SMTP (3696) 250-ETRN
20031205 184258 127.0.0.1   SMTP (3696) 250 8BITMIME
20031205 184258 127.0.0.1   SMTP (3696) >MAIL FROM:<[EMAIL PROTECTED]>
20031205 184258 127.0.0.1   SMTP (3696) 250 Ok
20031205 184258 127.0.0.1   SMTP (3696) >RCPT To:<[EMAIL PROTECTED]>
20031205 184259 127.0.0.1   SMTP (3696) 450 <[EMAIL PROTECTED]>: User 
unknown in local recipient table
20031205 184259 127.0.0.1   SMTP (3696) >QUIT
20031205 184259 127.0.0.1   SMTP (3696) 221 Bye
20031205 184259 127.0.0.1   SMTP (3696) requeuing 
E:\spool\Q2e6e006301c6bc72.SMD R0 T68
20031205 184259 127.0.0.1   SMTP (3696) finished 
E:\spool\Q2e6e006301c6bc72.SMD status=3
20031205 184259 127.0.0.1   SMTP (3696) E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1   SMTP (3696) processing 
E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1   SMTP (3696) Trying a-znet.com (0)
20031205 184259 127.0.0.1   SMTP (3696) Connect a-znet.com 
[209.105.132.200:25] (1)
20031205 184259 127.0.0.1   SMTP (3696) 220 
mail02.ispc.xtelegent.net ESMTP Postfix
20031205 184259 127.0.0.1   SMTP (3696) >EHLO igaia.com
20031205 184259 127.0.0.1   SMTP (3696) 250-mail02.ispc.xtelegent.net
20031205 184259 127.0.0.1   SMTP (3696) 250-PIPELINING
20031205 184259 127.0.0.1   SMTP (3696) 250-SIZE 1024
20031205 184259 127.0.0.1   SMTP (3696) 250-VRFY
20031205 184259 127.0.0.1   SMTP (3696) 250-ETRN
20031205 184259 127.0.0.1   SMTP (3696) 250 8BITMIME
20031205 184259 127.0.0.1   SMTP (3696) >MAIL FROM:<[EMAIL PROTECTED]>
20031205 184259 127.0.0.1   SMTP (3696) 250 Ok
20031205 184259 127.0.0.1   SMTP (3696) >RCPT To:<[EMAIL PROTECTED]>
20031205 184300 127.0.0.1   SMTP (3

RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Keith Anderson

I have a client that insists on trying these silly challenge-response tricks
and gets caught into that trap all the time.  I don't know why, but he'll
wake up one morning and decide to install one of those utilities on all of
his company's workstations.  He forgets that his mail server is set up to
modify messages with a privacy statement at the bottom, and a tag in the
subject line, so the challenge-response emails are unrecognized when they
are returned by the machine to which they were sent, which didn't recognize
it either.  Then after an hour or two, especially after a few of the
employees have sent a number of emails to group accounts, the mail server
stops responding... CPU at 100% trying to handle the email challenges and
responses that are multiplying each time they hit another group account.
Then it's $100 for the service call, $200 an hour for an on-site visit to
clean up the problem...  so, like I said, I'm not personally bothered by
this type of thing.  I've got guys standing around that need work.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Matthew Bramble
> Sent: Friday, December 05, 2003 3:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Spam Lion Functionality
>
>
> Didn't think of that one.  I guess this goes to the design of the system
> though, and the fact that some clearly haven't considered the looping
> potential.




RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread George Kulman
Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.

I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.

George

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Robert Grosshandler
> Sent: Friday, December 05, 2003 6:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
> didn't work for me me
> 
> 
> Negative weights on last hop only?
> 
> How would that affect a gateway (or e-mail that goes to a backup mail
> server)?
> 
> Rob
> 
> 
> 


Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Matthew Bramble
I meant negative weights on last hop for the RBL's.  There are only a 
few popular ones out there.  Gateways should be IPBYPASSed.

Matt



Robert Grosshandler wrote:

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob

 





RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
I also think that one needs to examine the purpose of the email system 
before using this or any other anti-spam technique.  I think it works well 
for specific organizations.  For example, I found out about the product 
because I tried to contact one of my vendors and was presented with the 
need for authentication.  I figure that this probably helps the sales team 
as they have little need to be contacted by random parties.

Note:  This presupposes that the contact process is "screened" somehow.

Note 2:  I should not have had to authenticate with anybody at the company 
as I was already a known client-- I chalk this up to poor 
challenge/response management.

Here's a good article on points to consider when implementing C/R.

http://www.templetons.com/brad/spam/challengeresponse.html

Does C/R work well at a broad ISP level?  I don't know.  I'd be really 
leery of implementing C/R as a first or single test if I didn't understand 
the organization better.

Just 2 more cents

Burzin



At 04:24 PM 12/5/2003, you wrote:
>> Your users will lose a lot of email specially if they shop online. <<

Again - with a weight-based system, they would not lose any email - as long
as the online shop manages to stay off black-lists, has a valid RDNS, has a
valid Hostname, etc.  Assuming it's tied to a weight-based system, I see
them as a great opportunity to 'tighten the noose' without blocking
legitimate email.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Robert Grosshandler
Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?

Rob





RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread T. Bradley Dean
Aha! Another one hasn't been sent yet, but I think I see it already:

12/05/2003 14:17:34.980 Q03fd3cc fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:17:34.980 Q03fd3cc fromfile: Done with BLOCKEDSENDERS [2 lines
processed]

I had three lines, but only two carriage return line feeds. I think I've
fixed it:

12/05/2003 14:18:09.481 Q041f39c fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:18:09.497 Q041f39c fromfile: Done with BLOCKEDSENDERS [3 lines
processed]

Thanks!

~Brad 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Help with 'fromfile'



> >And this in junkmail_blockedsendrs.cfg:
> >
> >sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
> >
> >I do see BLOCKEDSENDERS firing for other things, but not for this. 
> >I'm assuming my error is in junkmail_blockedsenders.cfg, right? 
> >Should I change it to @cooldude.sweet-n-sour.com and just hope they 
> >don't send from other sub-domains?

In this case, it's time for the debug mode.  To use the debug mode, you can 
change the "LOGLEVEL LOW" line in \IMail\Declude\global.cfg to "LOGLEVEL 
DEBUG".  Then, after an E-mail gets through that should have failed the 
BLOCKEDSENDERS test, you can then switch back to "LOGLEVEL LOW" (the debug 
mode adds huge amounts of information to the log file).  You can then send 
me the \IMail\spool\dec.log file (as an attachment, NOT sent from web 
messaging), and I can take a look at it to see what is happening.

-Scott


Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Matthew Bramble
Didn't think of that one.  I guess this goes to the design of the system 
though, and the fact that some clearly haven't considered the looping 
potential.

Matt

Keith Anderson wrote:


I love challenge-response systems.  They create revenue opportunities for
knowledgeable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through.

 

Challenge response systems are killing us ..

Your users will lose a lot of email specially if they shop online.
   





Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Matthew Bramble
Andrew,

I think you have a very good idea, in fact, all negative weight tests 
should probably be limited to just the last hop since they are typically 
designed to only apply to the last hop.

It might be a good idea for Scott to limit BONDEDSENDER to the last hop 
by default, and maybe give us another prefix/suffix to use for this 
purpose instead of DYNA or DUL since that might not be easily understood 
by some.

Matt



Colbeck, Andrew wrote:

Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
mail.bentall.com
 (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
for ; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: "Snapper S. Perseid" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: <[EMAIL PROTECTED]>
To: snip 
Subject: [Msg Track# snip]  Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would
be suspect.  In fact, it is heavily listed in static and dynamic ip4r
databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for
lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight
that this phishing spam got through.  So, I'm thinking of renaming my test
to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r
test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)
 





RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

>> Your users will lose a lot of email specially if they shop online. <<

Again - with a weight-based system, they would not lose any email - as long
as the online shop manages to stay off black-lists, has a valid RDNS, has a
valid Hostname, etc.  Assuming it's tied to a weight-based system, I see
them as a great opportunity to 'tighten the noose' without blocking
legitimate email.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Friday, December 05, 2003 05:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality




I love challenge-response systems.  They create revenue opportunities for
knowledgeable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through. 

> Challenge response systems are killing us ..
>
> Your users will lose a lot of email specially if they shop online.




[Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Colbeck, Andrew
Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
mail.bentall.com
  (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
for ; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: "Snapper S. Perseid" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: <[EMAIL PROTECTED]>
To: snip 
Subject: [Msg Track# snip]  Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would
be suspect.  In fact, it is heavily listed in static and dynamic ip4r
databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for
lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight
that this phishing spam got through.  So, I'm thinking of renaming my test
to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r
test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)
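
The failure described in the post above, modelled as an added example (not part of the original post and not Declude's code). The header block is the one quoted above with proper folding; the list contents, the test names STATIC-BL and DUL-BL, the weights and the hold weight are constructed assumptions, and the "DUL or DYNA in the name means first hop only" rule is taken from the thread.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the post (elided fields omitted).
PHISH_MESSAGE = """\
Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by mail.bentall.com
  (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
 by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3;
 Fri, 05 Dec 2003 00:20:20 -0600
Subject: Your billing profile on ebay.com

body
"""

# Constructed sample: the same allowlisted IP really connecting to our server.
DIRECT_MESSAGE = """\
Received: from lore.ebay.com [66.135.195.181] by mail.bentall.com
  (SMTPD32-8.02) id CONSTRUCTED01; Thu, 04 Dec 2003 22:20:20 -0800
Subject: constructed direct delivery

body
"""

HOLD_WEIGHT = 10  # assumed hold threshold
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_tests(bonded_name):
    """Stand-in for ip4r lookups: test name -> (listed IPs, weight). All constructed."""
    return {
        "STATIC-BL": ({"24.87.101.24"}, 6),
        "DUL-BL": ({"24.87.101.24"}, 6),
        bonded_name: ({"66.135.195.181"}, -10),  # allowlist: negative weight
    }


def hop_ips(raw):
    """Bracketed IP of each Received header, newest (top) first.

    Only the top header was written by the receiving server; every header
    below it was supplied by the connecting client and can be forged.
    """
    msg = message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        if match:
            ips.append(match.group(1))
    return ips


def first_hop_only(test_name):
    """Naming rule from the thread: DUL or DYNA in the name limits a test to hop 1."""
    upper = test_name.upper()
    return "DUL" in upper or "DYNA" in upper


def verdict(raw, tests, max_hops=2, hold_weight=HOLD_WEIGHT):
    """Sum the weights of every test that hits on the scanned hops."""
    total, hits = 0, []
    for index, ip in enumerate(hop_ips(raw)[:max_hops]):
        for name, (listed, weight) in tests.items():
            if index > 0 and first_hop_only(name):
                continue  # test is not run against client-supplied hops
            if ip in listed:
                total += weight
                hits.append((name, ip, index + 1))
    return ("HOLD" if total >= hold_weight else "DELIVER"), total, hits


if __name__ == "__main__":
    for name in ("BONDEDSENDER", "BONDEDSENDER-DYNA"):
        action, total, hits = verdict(PHISH_MESSAGE, make_tests(name))
        print(f"{name:18} -> {action:7} weight={total:3} hits={hits}")
    print("direct delivery    ->", verdict(DIRECT_MESSAGE, make_tests("BONDEDSENDER-DYNA"))[:2])
```

With multi-hop scanning the forged second hop earns the allowlist credit and cancels the blocklist hits on the real connecting IP; restricting the allowlist test to the first hop keeps the credit for mail that genuinely connects from the listed address.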


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Keith Anderson


I love challenge-response systems.  They create revenue opportunities for
knowledgeable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through.


> Challenge response systems are killing us ..
>
> Your users will lose a lot of email specially if they shop online.




RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Hi Scott:

I understand - no sense getting involved until EarthLink has invalidated
most of the claims.

I think this is a key quote:

"Mailblocks' Goldman admits that there were prior publications, but argues
that at least some portions of his patents remain valid. "The patents have
very specific claims in them," Goldman told me. "The claims are different
than the types of things people have been doing before. Maybe here and
there, they're the same so not 100 percent of the claims are valid, but many
of them are."

Translated that means - if key claims are eliminated because of prior art,
then the patent may possibly still 'survive' - but everyone will simply
design their own challenge/response systems to mirror the prior art.  The
only thing to avoid are the truly "new" inventions that are left in the
remaining claims - unless the remaining claims would have been obvious based
on the prior art.


Overall - I'm pretty encouraged by the quality of what has been cited
already:

"By Aug. 28, 1997, when Christopher Alan Cobb filed for his patent that
eventually was purchased by Mailblocks, the challenge-response idea had
become commonplace on the Internet: 

Brad Templeton, chairman of the Electronic Frontier Foundation, had written
his Viking-12 CR utility and was using it. Templeton says he'd be delighted
to testify on behalf of EarthLink to help the company invalidate the
Mailblocks patent. 

Over a year earlier, Brent Chapman's majordomo, the popular mailing list
software, included a CR feature. 

A November 1996 post to Usenet's news.admin.net-abuse.usenet newsgroup talks
about a "random challenge that is very easy for a human to respond to, but
next to impossible for a computer." Another from January 1997 describes an
e-mail "spam block 'bot" that was so effective "I've received hate mail from
spammers concerning it," and a third post describes a commercial product
called the Deadbolt Personal E-mail Filter. 

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 04:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality



>Patent Number?

6,199,102.  To view it, you can go to 
http://patft.uspto.gov/netahtml/srchnum.htm and enter "6,199,102" there.

For a bit of background, you can go to 
http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm
ms may be much narrower) than the casual reader
>appreciates.  Also, one has to look at the patent file wrapper to 
>determine the outcome of prior art searches to see if subsequent 
>communication with the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue.  Patent law 
isn't simple.

FWIW, a number of people have tried to find prior art, and were 
unable.  Extensive searches?  Probably not.  But a number of anti-spam 
people tried and were unable to.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Scott:

>> it would require either [1] paying royalties to the guy that bought the
patent, or [2] challenging the patent.  <<

Actually - NO.  
The preferred (3rd) option is to obtain a limited, but FREE license (or a
$1.00 or other minimal fee) license to use the patented methods.  The terms
of the license are not disclosed - but THEY can show that the patent is
being recognized (by citing another licensee -> you) and THEY are doing the
"right thing" by not stifling spam-fighting.

Don't assume that every license must cost money (in this early stage).  They
may want to go after the BIG guys with the big money and want to garner
support of the small guys.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

>In my initial post about this issue in the section with the entries from the
>Declude log file the last entry is...
>12/05/2003 11:21:24 Qb07f13c Last action = IGNORE
>
>Does that have anything to do with the fact that the message is not being
>sent over to my Hotmail account?  If so, can you tell why the Last action =
>ignore?

That's normal.  The "Last action" line refers to an action that is taken 
after all the recipients have been processed, but the ROUTETO action is 
done before that.

>Also, in your below response, you say "debug mode would be the next step".
>Are you talking about 'debug mode" for Declude JunkMail?  Do I enable that
>by setting the Log Level to Debug in GLOBAL.CFG?

Don't worry about that yet -- the IMail SMTP log file entries are the first 
step.

   -Scott


RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread brian

Here are the stats for Tuesday. Wednesday and Thursday we were testing some
things the stats were skewed. This was for our main solidoak.com domain mail
server (general business, not tech support). Our tech support server lets more
spam through, however we can only do limited header type spam checking because
of the type of content the message bodies might contain. People are reporting
porno web sites all the time to our CYBERsitter support accounts.

For Tuesday, there was 1 false positive (Delivery Req) and 4 spams that got
through. So with 5139 incoming connection requests, and 4 spams that got
through, it was 99.92% effective. At least for that day ;) Some days we don't
get any spam, but on bad days as many as 20 may get by. Rarely does any single
user get more than 1. But as you might guess, this level is not much to test
with.

The first set of stats (Alligate Statistics) are from the filtering module
that is similar to the Declude version and will (eventually) be identical.

The second set of stats (Alligate SMTP Daily Statistics) is an overall summary
of delivery. A lot of spam is stopped at the "front door" by the SMTP service
using the tarpitting and dictionary attack defense mechanisms among others.

Alligate Statistics for: Tue, 02 Dec 2003
Report date: Fri, 05 Dec 2003 01:09pm

  Incoming Msgs: 3173
  Outgoing Msgs:  152
     Total Msgs: 3325

 Est Legit Mail:  696

                       %Inc %Fld
                 ---------------
     Adult Msgs:  136    4%   5%
      Spam Msgs: 2492   79%  95%
   Total Failed: 2628   83%
Repeat Spammers: 1300   41%  49%
Banned File Att:   20    1%   1%
        Viruses:   14    0%   1%
  Total Deleted: 2208   70%  84%
     Total Held:  420   13%  16%
    Msgs Passed:  160    5%
   Msgs Ignored:  536   16%
   Delivery Req:    1    0%

 Avg Spam Score:   56
Avg Adult Score:   36
 Avg Exit Score:   57

  Avg Proc Time:   48 milliseconds.


Alligate SMTP Daily Statistics for: 12/2/2003

     Incoming connections: 5139
         Valid Recipients: 4106
       Invalid Recipients: 1361
       Messages delivered: 701
       Spammers tarpitted: 557
Tarpit client disconnects: 64
   Connections per minute: 3
    Deliveries per minute: 0

    Overall delivery rate: 14%
   Overall rejection rate: 86%

 
On 12/05/03 2:56pm you wrote...
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of
>[EMAIL PROTECTED]
>Sent: Friday, December 05, 2003 2:18 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics
>
>
>our gateway now handles all incoming mail and there is no spam coming into
>our mail servers to test. The new test platforms will allow us to move some
>domains 
>
>
>So are you saying your product when used as a gateway is 100% effective at
>removing spam?  Nothing slips through
>
>Darrell
>


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
Oh forgot to add:

http://www.spamwolf.com/patents/prior_art.html  -- prior work on c/r.

Burzin

At 02:29 PM 12/5/2003, you wrote:
>But, the ultimate challenge is the patent.  That means that it would
>require either [1] paying royalties to the guy that bought the patent, or
>[2] challenging the patent.  We haven't yet found enough benefit from such
>a test to warrant estimating those costs, given that they are likely to be
>much higher than for any other spam test we've added.
>
>-Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131  



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Hi,

I guess it's worthwhile to see how Earthlink's prior art defense (e.g.,
http://news.com.com/2010-1032_3-1003921.html) will hold up.  I wouldn't
write off this concept, yet.  I've seen these kinds of things pop up and
eventually die more than once (but, certainly, sometimes "software" patents
turn out to be legit.)

Best Regards
Andy 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
Sent: Friday, December 05, 2003 04:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality


I didn't know that concept was patented.  It seems pretty old to me-- halt 
who goes there?
Anyway I did some research, and here's what I found:

Here are some links... read if you are interested:

http://www.cleanmymailbox.com/mailblocks.html -- links to patent
infringement issue
http://www.geocities.com/spamresources/filter-cr.htm

Burzin



At 02:29 PM 12/5/2003, you wrote:
>But, the ultimate challenge is the patent.  That means that it would
>require either [1] paying royalties to the guy that bought the patent, or 
>[2] challenging the patent.  We haven't yet found enough benefit from such 
>a test to warrant estimating those costs, given that they are likely to be 
>much higher than for any other spam test we've added.
>
>-Scott

--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
   Pager: (314) 407-3345

Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Scott,
In my initial post about this issue in the section with the entries from the
Declude log file the last entry is...

12/05/2003 11:21:24 Qb07f13c Last action = IGNORE

Does that have anything to do with the fact that the message is not being
sent over to my Hotmail account?  If so, can you tell why the Last action =
ignore?

Also, in your below response, you say "debug mode would be the next step".
Are you talking about 'debug mode" for Declude JunkMail?  Do I enable that
by setting the Log Level to Debug in GLOBAL.CFG?

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 12:54 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working


>
> >We are running Declude v1.75.
> >
> >Any ideas?
>
> The next step would be to check the IMail SMTP log file to see what it
> says.
>
> If that doesn't provide enough information, the debug mode would be the
> next step.
>
> -Scott


Re: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Bill Landry
This is great news, Brian!  Thanks for continuing to support the Declude
version of Alligate.

Bill
- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 11:18 AM
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics


>
> Actually what Chris was *supposed* to say was that the gateway version of
> Alligate does a much better job than the Declude version, not Declude itself.
> The Declude version is now outdated and had not been updated for several
> months. The Declude version was not dumped however it is not currently
> available. We won't offer something for sale unless it is the best we can do.
>
> We got in a couple of new copies of IMail last week so we can set up new test
> platforms. We have been unable to test the Declude version because our gateway
> now handles all incoming mail and there is no spam coming into our mail
> servers to test. The new test platforms will allow us to move some domains out
> of the normal loop and we will be able to update the Declude version again
> (shortly we hope).
>
> Brian
>
> On 12/04/03 4:34pm you wrote...
> >I *believe* I spoke to Chris.  If it wasn't "dump" it was "drop".  I didn't
> >interpret this as a negative statement,
> >just friendly marketing or another opinion among many. I don't think Chris
> >intended this as a put down.
> >Just an opinion on a competing product.  You'd hardly expect the person
> >answering the sales line to say
> >anything else.
> >
> >What I am certain about was that I was told that Alligate would do a better
> >job (albeit as its own Gateway)
> >than Declude at blocking spam.
> >
> >If I've offended or misunderstood anyone, please feel free to correct me.
> >
> >Thanks,
> >Burzin
> >
> >At 03:51 PM 12/4/2003, you wrote:
> >>Was the exact phrase Dump Declude used? If so, who did you speak with?
> >>
> >>Yes, SpamManager is Alligate is NOXMail. (Original name.)
> >>
> >>They have made a business decision and I hope them all the luck, as they are
> >>doing very well.
> >>
> >>John Tolmachoff
> >>Engineer/Consultant/Owner
> >>eServices For You
> >


RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread John Tolmachoff \(Lists\)
> Actually what Chris was *supposed* to say was that the gateway version of
> Alligate does a much better job than the Declude version, not Declude
> itself.

Thanks for the clarification Brian.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Matthew Bramble
This just needs to be tested in court I would imagine.  The patent 
office has been known to issue patents recently on things such as 
swinging on a swing and peanut butter and jelly sandwiches.  This 
doesn't sound like it is revolutionary in any way shape or form and it 
is quite easy to develop with existing tools.  One could get this to 
function with Declude in just a day of work for instance.

Personally I favor the idea of digest notifications with the ability to 
retrieve and/or whitelist messages that might have been blocked.  BTW, 
that idea is copyrighted by Matthew Bramble, all rights reserved, and 
I'd patent it also if I wanted to be a complete jerk :)

Matt



Andy Schmidt wrote:

Patent Number?

Many patents exist and seem to be broad.  But often, upon close
examination, the claims may be much narrower) than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication with
the examiner may have further narrowed the scope.
Best Regards
Andy Schmidt
H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 03:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality


 

>Sorry - I really don't see why this is not a highly desirable feature
>and how this would create "spam" that the "WARN" or "BOUNCE" action
>don't generate already!?
   

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmations addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott
 





RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

>Patent Number?

6,199,102.  To view it, you can go to 
http://patft.uspto.gov/netahtml/srchnum.htm and enter "6,199,102" there.

For a bit of background, you can go to 
http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm 
ms may be much narrower) than the casual reader
>appreciates.  Also, one has to look at the patent file wrapper to determine
>the outcome of prior art searches to see if subsequent communication with
>the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue.  Patent law 
isn't simple.

FWIW, a number of people have tried to find prior art, and were 
unable.  Extensive searches?  Probably not.  But a number of anti-spam 
people tried and were unable to.

   -Scott


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
I didn't know that concept was patented.  It seems pretty old to me-- halt 
who goes there?
Anyway I did some research, and here's what I found:

Here are some links... read if you are interested:

http://www.cleanmymailbox.com/mailblocks.html -- links to patent
infringement issue
http://www.geocities.com/spamresources/filter-cr.htm

Burzin



At 02:29 PM 12/5/2003, you wrote:
>But, the ultimate challenge is the patent.  That means that it would
>require either [1] paying royalties to the guy that bought the patent, or
>[2] challenging the patent.  We haven't yet found enough benefit from such
>a test to warrant estimating those costs, given that they are likely to be
>much higher than for any other spam test we've added.
>
>-Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Patent Number?

Many patents exist and seem to be broad.  But often, upon close
examination, the claims may be much narrower) than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication with
the examiner may have further narrowed the scope.

Best Regards
Andy Schmidt

H&M Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 03:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality



>Sorry - I really don't see why this is not a highly desirable feature 
>and how this would create "spam" that the "WARN" or "BOUNCE" action 
>don't generate already!?

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmations addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread John Tolmachoff \(Lists\)
FYI, I have filters set to look for those challenge/response messages and
add a high weight. :)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
> Sent: Friday, December 05, 2003 12:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Spam Lion Functionality
> 
> Don't worry Kami and others...
> 
> Even if I implemented something similar, I never envisioned deploying it
> domain-wide or relying upon it
> as a single test.  Instead I envisioned deploying it for selected
> users--  I wouldn't have even asked if a key user hadn't
> requested this.
> 
> In our organization, the bulk of the email traffic seems to be within the
> domain itself, so it may have worked for us
> 
> Oh well
> 
> Burzin
> 
> 
> 
> 
> 
> At 01:30 PM 12/5/2003, you wrote:
> > >Upon receipt of incoming email it checks to see if the sender is
> > >authorized.  If the sender is authorized, the message is passed along
> > >to the intended recipients.
> >
> >PLEASE RECONSIDER..
> >
> >Challenge response systems are killing us ..
> >
> >Your users will lose a lot of email especially if they shop online.
> >
> >Right now we are having a very difficult time with Earthlink's challenge
> >response and our online receipts being sent to donors.  Every single email
> >has to be manually attended to ..
> >
> >I have sent several messages to companies like Earthlink and suggested to
> >them the idea of creating a universal whitelist for online systems that
> >generate receipts automatically.. If this is not attended to or looked into
> >either online commerce has to die or challenge response.
> >
> >Regards,
> >Kami
> >
> 
> --
> Burzin Sumariwalla   Phone: (314) 994-9411 x291
> [EMAIL PROTECTED]  Fax:   (314) 997-7615
>Pager: (314) 407-3345
> 
> Networking and Telecommunications Manager
> Information Technology Services
> St. Louis County Library District
> 1640 S. Lindbergh Blvd.
> St. Louis, MO  63131
> 



Re: [Declude.JunkMail] New phishing..

2003-12-05 Thread Matthew Bramble
Kami,

I noticed that the [EMAIL PROTECTED] filter got tripped without the @LINKED 
filter.  Please download a more recent copy from my site.  This 
obviously shouldn't be happening.

Matt



Kami Razvan wrote:

Hi;
 
We just got the following: - a Phishing attempt.
 
Actually quite interesting.. I clicked on the link to see where it 
goes.  It goes to the actual Visa site but a small window pops up and 
asks for your visa and various other info for verification.
 
If only they could use their talents elsewhere..
 
=
 
Received: from 81.15.163.193 [81.15.163.193] by foroosh.com
  (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service <[EMAIL PROTECTED]>
Organization: Visa International Service
X-Priority: 3 (Normal)
To:
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <[EMAIL PROTECTED]>
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED]: Message failed [EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 53
X-Note: Sent from Reverse DNS:  163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND->destination
X-RCPT-TO: mailto:[EMAIL PROTECTED]>
Status: U
X-UIDL: 331472220
 




Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Pete McNeil
I'm not sure I'm following you... but I think what you might need is an 
additional license. Suppose you create one rulebase that will contain only 
your white rules. Then leave the normal sniffer rulebase alone. The small 
rulebase with the white rules will be so small as to require nearly no 
additional processing power. You would have your white rules, and you would 
retain any black rules that matched as well.

An alternative while still using a single rulebase is to parse the log file 
for the details with an additional utility. Message Sniffer can only return 
a single numeric result, but it records all of the rules that matched.

Hope this helps,
_M

At 02:02 PM 12/5/2003, you wrote:
>Hello David,
>
>Friday, December 5, 2003, 11:44:41 AM, you wrote:
>
>DS> 3. Anyone see any problems with this scenario?
>
>Ok, I'll answer my own question.  In thinking about this more, this
>isn't going to work.
>
>If I recode my rule base to return a 1 instead of 0 on whitelist, then
>the original sniffer test will interpret the 1 as a spam, then the
>externalplus test will interpret the 1 as whitelist and override the
>sniffer external test.
>
>So, I still lose the original reason for sniffer failure since sniffer
>will always be returning a 1, right?
>
>--
>Best regards,
> David  mailto:[EMAIL PROTECTED]


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

>Sorry - I really don't see why this is not a highly desirable feature and
>how this would create "spam" that the "WARN" or "BOUNCE" action don't
>generate already!?

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmation addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Combined with a weighting scheme it IS a worthwhile option.

Currently, our options are "BOUNCE" (or now that ridiculous renamed version
of the same action) - which means a FALSE positive will receive a notice and
now has to contact us "manually" to address the false positive status.

Or we "DELETE" - and have nightmares about possible false positives.

If Declude had a "VALIDATE" action (for emails that normally would BOUNCE or
DELETE or HOLD), then those highly questionable mails would simply get an
email (not any worse than using BOUNCE!) but at least the 0.1% of false
positives could help themselves.

The end-result for Declude users - we could much more worry-free "VALIDATE"
emails that otherwise we would have to "pass".  Less Spam would get through
(due to higher threshold).  False positives would not require the sys-admin
to scan through "Held" mail - but instead the responsibility would be back
in the lap of the sender who used an "implicated" mail server.

Sorry - I really don't see why this is not a highly desirable feature and
how this would create "spam" that the "WARN" or "BOUNCE" action don't
generate already!?

Best Regards
Andy



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
Don't worry Kami and others...

Even if I implemented something similar, I never envisioned deploying it 
domain-wide or relying upon it
as a single test.  Instead I envisioned deploying it for selected 
users--  I wouldn't have even asked if a key user hadn't
requested this.

In our organization, the bulk of the email traffic seems to be within the 
domain itself, so it may have worked for us

Oh well

Burzin





At 01:30 PM 12/5/2003, you wrote:
> >Upon receipt of incoming email it checks to see if the sender is
> >authorized.  If the sender is authorized, the message is passed along
> >to the intended recipients.
>
>PLEASE RECONSIDER..
>
>Challenge response systems are killing us ..
>
>Your users will lose a lot of email especially if they shop online.
>
>Right now we are having a very difficult time with Earthlink's challenge
>response and our online receipts being sent to donors.  Every single email
>has to be manually attended to ..
>
>I have sent several messages to companies like Earthlink and suggested to
>them the idea of creating a universal whitelist for online systems that
>generate receipts automatically.. If this is not attended to or looked into
>either online commerce has to die or challenge response.
>
>Regards,
>Kami
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics


our gateway now handles all incoming mail and there is no spam coming into
our mail servers to test. The new test platforms will allow us to move some
domains 


So are you saying your product when used as a gateway is 100% effective at
removing spam?  Nothing slips through

Darrell



[Declude.JunkMail] New phishing..

2003-12-05 Thread Kami Razvan



Hi;
 
We just got the following: - a Phishing attempt.

Actually quite interesting.. I clicked on the link to see where it goes.  It goes to the
actual Visa site but a small window pops up and asks for your visa and various
other info for verification.

If only they could use their talents elsewhere..

=

Received: from 81.15.163.193 [81.15.163.193] by foroosh.com
  (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service <[EMAIL PROTECTED]>
Organization: Visa International Service
X-Priority: 3 (Normal)
To:
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <[EMAIL PROTECTED]>
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED]: Message failed [EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 53
X-Note: Sent from Reverse DNS:  163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND->destination
X-RCPT-TO: >
 
Dear Customer,

Our latest security system will help you to avoid possible fraud actions and keep your investments in safety.

Due to technical security update you have to reactivate your account

Click on the link below to login to your updated Visa account.
 
To log into your account, please visit the Visa 
Website at 
 
http://www.visa.com 
:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&[EMAIL PROTECTED]/verified_by_visa.html">http://www.visa.com
 

 
We respect your time and business. It's our pleasure to serve you.

Please don't reply to this email. This e-mail was generated by a mail handling system.

[image: http://www.geocities.com/cardvisa3/white_visa_logo.gif]
Copyright 1996-2003, Visa International Service Association. All rights reserved.
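
Added example (not part of the original post and not Declude's own filter code): the link quoted above shows http://www.visa.com as its text, while the address behind it, as far as the archive preserves it, places www.visa.com ahead of an "@", where URL parsers read it as userinfo and take the host from what follows. The Python sketch below flags both signs in an HTML body; the sample HTML, the host collector.example.invalid and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    text = text.strip()
    if not text or any(c.isspace() for c in text) or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    try:
        return (urlsplit(candidate).hostname or "").lower() or None
    except ValueError:
        return None


def audit_links(html_body):
    """Return one finding per link that hides its real host from the reader."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            findings.append({"href": href, "host": None, "shown": None,
                             "reasons": ["unparsable-url"]})
            continue
        reasons = []
        # Anything before "@" in the authority is userinfo, not the host.
        if parts.username is not None or parts.password is not None:
            reasons.append("userinfo-in-url")
        actual = (parts.hostname or "").lower()
        shown = displayed_host(text)
        # The text claims one host while the href connects to another.
        if shown and actual and shown != actual:
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append({"href": href, "host": actual, "shown": shown,
                             "reasons": reasons})
    return findings


# Constructed sample modelled on the quoted message; the host after "@" is a placeholder.
SAMPLE_HTML = """
<p>To log into your account, please visit the Visa Website at</p>
<a href="http://www.visa.com:UserSession=CONSTRUCTED&usersoption=SecurityUpdate&id=x@collector.example.invalid/verified_by_visa.html">http://www.visa.com</a>
<p><a href="http://www.example.org/help">www.example.org</a></p>
<p><a href="http://www.example.org/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding["reasons"], "shown:", finding["shown"], "actual:", finding["host"])
```

Only the first link in the sample is reported; a link whose text is not a host name ("Unsubscribe") is never compared, so the mismatch check stays quiet on ordinary mail.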
 
 
 


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Kami Razvan
>Upon receipt of incoming email it checks to see if the sender is 
>authorized.  If the sender is authorized, the message is passed along 
>to the intended recipients.

PLEASE RECONSIDER..

Challenge response systems are killing us ..

Your users will lose a lot of email especially if they shop online.

Right now we are having a very difficult time with Earthlink's challenge
response and our online receipts being sent to donors.  Every single email
has to be manually attended to ..

I have sent several messages to companies like Earthlink and suggested to
them the idea of creating a universal whitelist for online systems that
generate receipts automatically.. If this is not attended to or looked into
either online commerce has to die or challenge response.

Regards,
Kami



RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Robert Grosshandler

Brian wrote - 


>The new test platforms will allow us to move some domains out of the normal
>loop and we will be able to update the
>Declude version again (shortly we hope).

For those of us who use the Declude version of Alligate (alongside Sniffer)
we hope that's soon!  It is great having two full-featured engines that let
us rest comfortably if we delete e-mail without inspection.  If both engines
agree that something is spam, it is probably spam!

Rob

www.iGive.com
Turn your holiday shopping into cash for your cause.




RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread brian

Actually what Chris was *supposed* to say was that the gateway version of
Alligate does a much better job than the Declude version, not Declude itself.
The Declude version is now outdated and had not been updated for several
months. The Declude version was not dumped however it is not currently
available. We won't offer something for sale unless it is the best we can do.

We got in a couple of new copies of IMail last week so we can set up new test
platforms. We have been unable to test the Declude version because our gateway
now handles all incoming mail and there is no spam coming into our mail
servers to test. The new test platforms will allow us to move some domains out
of the normal loop and we will be able to update the Declude version again
(shortly we hope).

Brian
 
On 12/04/03 4:34pm you wrote...
>I *believe* I spoke to Chris.  If it wasn't "dump" it was "drop".  I didn't 
>interpret this as negative statement,
>just friendly marketing or another opinion among many. I don't think Chris 
>intended this as a put down.
>Just an opinion on a competing product.  You'd hardly expect the person 
>answering the sales line to say
>anything else.
>
>What I am certain about was that I was told that Alligate would do a better 
>job (albeit as its own Gateway)
>than Declude at blocking spam.
>
>If I've offended or misunderstood anyone, please feel free to correct me.
>
>Thanks,
>Burzin
>
>At 03:51 PM 12/4/2003, you wrote:
>>Was the exact phrase Dump Declude used? If so, who did you speak with?
>>
>>Yes, SpamManager is Alligate is NOXMail. (Original name.)
>>
>>They have made a business decision and I hope them all the luck, as they are
>>doing very well.
>>
>>John Tolmachoff
>>Engineer/Consultant/Owner
>>eServices For You
>



Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

>Is anyone familiar with a product called Spam Lion.  It's too pricey for 
>my organization, but it seems to do the following:
>
>Upon receipt of incoming email it checks to see if the sender is 
>authorized.  If the sender is authorized, the message is passed along to 
>the intended recipients.  If the sender is not authorized, the message is 
>quarantined and the sender is notified by email and asked to perform a 1 
>time registration.  Presumably the quarantine spool is automatically 
>cleaned on a recurring basis.

That is called "challenge/response", and has many, many drawbacks.  In 
short, you end up becoming a spammer, and your users end up losing a lot of 
mail.

Even if our customers convinced us that it would be a worthwhile action in 
Declude JunkMail, someone decided to buy a patent for it, so it would 
likely cost a large amount of money to take on such a test.

   -Scott


Re: [Declude.JunkMail] Whitelistfile options question

2003-12-05 Thread R. Scott Perry

>I read through the new Junkmail manual (I know, shocking).
>
>This line in the manual prompted this question:
>"Note the file you use with the WHITELISTFILE option does NOT use the same
>format as the WHITELIST entries in the global.cfg file."
>
>Does the WHITELISTFILE option support subdomains? i.e. .example.com?

Yes, it does.

   -Scott


[Declude.JunkMail] Whitelistfile options question

2003-12-05 Thread tom
I read through the new Junkmail manual (I know, shocking).

This line in the manual prompted this question:
"Note the file you use with the WHITELISTFILE option does NOT use the same
format as the WHITELIST entries in the global.cfg file."

Does the WHITELISTFILE option support subdomains? i.e. .example.com?


Thanks

Tom



[Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
Hello,

Is anyone familiar with a product called Spam Lion.  It's too pricey for my 
organization, but it seems to do the following:

Upon receipt of incoming email it checks to see if the sender is 
authorized.  If the sender is authorized, the message is passed along to 
the intended recipients.  If the sender is not authorized, the message is 
quarantined and the sender is notified by email and asked to perform a 1 
time registration.  Presumably the quarantine spool is automatically 
cleaned on a recurring basis.

Is it possible to do something similar with Declude?

Thanks,
Burzin
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread David Sullivan
Hello David,

Friday, December 5, 2003, 11:44:41 AM, you wrote:

DS> 3. Anyone see any problems with this scenario?

Ok, I'll answer my own question.  In thinking about this more, this
isn't going to work.

If I recode my rule base to return a 1 instead of 0 on whitelist, then
the original sniffer test will interpret the 1 as a spam, then the
externalplus test will interpret the 1 as whitelist and override the
sniffer external test.

So, I still lose the original reason for sniffer failure since sniffer
will always be returning a 1, right?




-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread R. Scott Perry

>And this in junkmail_blockedsendrs.cfg:
>
>sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
>
>I do see BLOCKEDSENDERS firing for other things, but not for this. I'm
>assuming my error is in junkmail_blockedsenders.cfg, right? Should I
>change it to @cooldude.sweet-n-sour.com and just hope they don't send
>from other sub-domains?

In this case, it's time for the debug mode.  To use the debug mode, you can 
change the "LOGLEVEL LOW" line in \IMail\Declude\global.cfg to "LOGLEVEL 
DEBUG".  Then, after an E-mail gets through that should have failed the 
BLOCKEDSENDERS test, you can then switch back to "LOGLEVEL LOW" (the debug 
mode adds huge amounts of information to the log file).  You can then send 
me the \IMail\spool\dec.log file (as an attachment, NOT sent from web 
messaging), and I can take a look at it to see what is happening.

   -Scott


RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread T. Bradley Dean
v1.75

~Brad 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 5:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Help with 'fromfile'



>And this in junkmail_blockedsendrs.cfg:
>
>sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
>
>I do see BLOCKEDSENDERS firing for other things, but not for this. I'm 
>assuming my error is in junkmail_blockedsenders.cfg, right? Should I 
>change it to @cooldude.sweet-n-sour.com and just hope they don't send 
>from other sub-domains?

What version of Declude are you running ("\IMail\Declude -diag" from a 
command prompt will show you)?  I believe there was a version that had a 
problem if the return address was more than 32 characters long, which it is 
in this case.

-Scott


RE: [Declude.JunkMail] Finding reason for white list

2003-12-05 Thread Keith Purtell
This mystery turned out to be postmaster error. We had white listed our own domain
name (I know some people don't think that's a good idea), and neglected to include
the "@" symbol. So incoming mail appeared to be white listed because a spammer was
sending us garbage from "[EMAIL PROTECTED]". I'm posting this embarrassing fact
for the benefit of anyone who encounters a similar problem.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the
sole use of the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by reply email and
destroy all copies of the original message.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, December 01, 2003 5:31 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Finding reason for white list
>
>
>
> > > What is the exact message in the E-mail headers saying that
> > > it was whitelisted?
> >
> >X-Tests-Failed: Whitelisted
> >
> > >
> > > Are you using WHITELIST AUTH or AUTOWHITELIST?
> >
> >No and yes. In the case of the particular user whose incoming mail I
> >extracted the spam from, none of the spammer addresses were in her
> >address book. I also checked her AutoWhite list.
>
> This looks like a case for the DEBUG mode.
>
> To use the debug mode, you can change the "LOGLEVEL LOW" line in
> \IMail\Declude\global.cfg to "LOGLEVEL DEBUG".  Then, after this problem
> occurs again, you can then switch back to "LOGLEVEL LOW" (the debug mode
> adds huge amounts of information to the log file).  You can then E-mail me
> the \IMail\spool\dec.log file (as an attachment, NOT sent from web
> messaging), and I can take a look at it to see what is happening.
>
> -Scott




Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

>We are running Declude v1.75.
>
>Any ideas?

The next step would be to check the IMail SMTP log file to see what it says.

If that doesn't provide enough information, the debug mode would be the 
next step.

   -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Bill Landry
Never mind, guess I should have checked the manual before sending...  ;-)

Bill
- Original Message - 
From: "Bill Landry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 9:48 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer


> I must have missed something along the way.  What is "externalplus"?
>
> Bill
> - Original Message - 
> From: "R. Scott Perry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, December 05, 2003 9:06 AM
> Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
>
>
> >
> > >Based on my reading of the last sniffer thread, this will not cause
> > >degradation in performance because Declude is "smart" enough to only
> > >call sniffer once for multiple tests, but
> > >
> > >1. What if the tests are different types, in this case external and
> > >externalplus?
> >
> > That's not a problem.  The test will still only be run once.  If the test
> > has been run before in the same way (same program name and parameters), it
> > will not be run again, regardless of whether it is defined as external or
> > externalplus.
> >
> > If the program is called in a different way (with different parameters, for
> > example), then it will be run again.
> >
> > >2. What performance impact is there in adding the additional action?
> >
> > There should be very little degradation in performance.  It should not be
> > noticeable.
> >
> > >4. If the message gets my subject line modification because it fails
> > >weighting, but is whitelisted per the new external plus test, will
> > >that negate the action on weighting?
> >
> > That is correct.  When an E-mail is whitelisted, it is forced to pass all
> > the spam tests, so no action will be taken.
> >
> > -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread R. Scott Perry

>I must have missed something along the way.  What is "externalplus"?

It's a test type that lets you run an external test that can do more 
than a standard test.  Instead of returning an exit code that designates 
pass/fail or a weight to use, it can return codes to tell Declude JunkMail 
to do specific things.  Right now, an exit code of 1 will whitelist an 
E-mail.  Exit codes of 2-9 are reserved for future use, as needed.

   -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Bill Landry
I must have missed something along the way.  What is "externalplus"?

Bill
- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 9:06 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer


>
> >Based on my reading of the last sniffer thread, this will not cause
> >degradation in performance because Declude is "smart" enough to only
> >call sniffer once for multiple tests, but
> >
> >1. What if the tests are different types, in this case external and
> >externalplus?
>
> That's not a problem.  The test will still only be run once.  If the test
> has been run before in the same way (same program name and parameters), it
> will not be run again, regardless of whether it is defined as external or
> externalplus.
>
> If the program is called in a different way (with different parameters, for
> example), then it will be run again.
>
> >2. What performance impact is there in adding the additional action?
>
> There should be very little degradation in performance.  It should not be
> noticeable.
>
> >4. If the message gets my subject line modification because it fails
> >weighting, but is whitelisted per the new external plus test, will
> >that negate the action on weighting?
>
> That is correct.  When an E-mail is whitelisted, it is forced to pass all
> the spam tests, so no action will be taken.
>
> -Scott


RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Dan:

FILTER-REVDNS filter C:\IMail\Declude\Filters\IMail_Filter_REVDNS.txt x 0 0

This is our Global entry for the file.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami,
What is the name of the filter file that you have entries of that type in?

Thanks,
Dan

- Original Message -
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


> Yes...
>
> Like a filter file:
>
> REVDNS -20 ENDSWITH .amazon.com
>
> I put the period before Amazon to just make sure no funky domain like
> .spamamazon.com can get through.
>
> Regards,
> Kami
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, December 05, 2003 10:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
> Kami:
> I've been taking a look at your configuration files every few weeks and
> based on what I saw there a couple of months ago, I also started
> WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
> probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
> It just so happened that the 3 I listed had not been whitelisted.  I know
> that whitelisting will fix the problems but I also know that there's
> definitely something up with SPAMCOP.
>
> Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
> file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
> to go past that limit and/or else offload those into a separate file?
>
> How do you do the negative Reverse DNS entries?  Is that just by using the
> FILTER test?
>
> Thanks,
> Dan
>
> - Original Message -
> From: "Kami Razvan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, December 05, 2003 10:24 AM
> Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
>
> > Dan:
> >
> > We made a decision a long time ago to whitelist REVDNS of all the folks you
> > had listed.
> >
> > We now have two REVDNS negative files.
> >
> > 1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
> > these entries to their own files).
> >
> > 2:  Negative reverseDNS files that add negative weight to the ones that are
> > legitimate and used by our users.
> >
> > That took care of a lot of problems..
> >
> > Regards,
> > Kami
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> > Sent: Friday, December 05, 2003 10:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
> >
> > Hello, All,
> > Has anyone noticed in the last few days that the IP addresses of a lot of
> > legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
> > I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
> > a few others.  Does anyone think it's possible that SPAMCOP's databases are
> > being gamed by Spammers by submitting lots of e-mails with legit IP
> > addresses and pretend that they came across as spam?  Or maybe there are
> > uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
> > representative of spam?  Or even that IronPort's purchase of SPAMCOP has
> > somehow affected the way that they do things?
> >
> > Just curious.  These legit IPs showing up on SPAMCOP are really throwing
> > lots of False Positives in my weighting system.
> >
> > Thanks,
> > Dan
> > [EMAIL PROTECTED]
> >
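
The leading period in `REVDNS -20 ENDSWITH .amazon.com` above, and the whitelist entry that was missing its "@" in the earlier "Finding reason for white list" message, are the same boundary-anchoring issue, and it can be checked mechanically. The following is an added example, not code from this list or from Declude: it assumes plain case-insensitive suffix matching, and `example.com` and all sample host names and addresses are constructed.

```python
"""Allowlist boundary audit (added example; not Declude's matcher).

Assumption: a pattern is trusted when the value simply ENDS WITH it,
case-insensitively. All host names and addresses are constructed samples.
"""


def ends_with(value, pattern):
    """Plain suffix match; a trailing root dot on the value is ignored."""
    return value.lower().rstrip(".").endswith(pattern.lower())


def in_domain(field, value, domain):
    """Boundary-aware reference: the host is `domain` or a subdomain of it."""
    host = value.lower().rstrip(".")
    if field == "FROM":                     # sender address: keep the part after "@"
        host = host.rpartition("@")[2]
    return host == domain or host.endswith("." + domain)


def audit(entries, samples):
    """Compare each pattern's suffix match with the boundary-aware reference.

    entries: list of (field, pattern); samples: {field: [values]}.
    Returns {(field, pattern): {"false_accept": [...], "not_covered": [...]}}.
    """
    report = {}
    for field, pattern in entries:
        domain = pattern.lstrip(".@").lower()   # the domain the admin meant
        result = {"false_accept": [], "not_covered": []}
        for value in samples.get(field, []):
            trusted = ends_with(value, pattern)
            belongs = in_domain(field, value, domain)
            if trusted and not belongs:
                result["false_accept"].append(value)   # lookalike would be trusted
            elif belongs and not trusted:
                result["not_covered"].append(value)    # real sender is not matched
        report[(field, pattern)] = result
    return report


# Patterns: the thread's anchored REVDNS entry, its unanchored variant, and a
# sender entry with and without "@" (example.com is a placeholder domain).
ENTRIES = [
    ("REVDNS", ".amazon.com"),
    ("REVDNS", "amazon.com"),
    ("FROM", "example.com"),
    ("FROM", "@example.com"),
]

# Constructed sample values, not taken from any real log.
SAMPLES = {
    "REVDNS": ["mail1.amazon.com", "amazon.com", "spamamazon.com",
               "mx.spamamazon.com"],
    "FROM": ["alice@example.com", "alice@mail.example.com",
             "someone@spamexample.com"],
}

if __name__ == "__main__":
    for (field, pattern), result in audit(ENTRIES, SAMPLES).items():
        print(f"{field:7} {pattern!r:16} false_accept={result['false_accept']} "
              f"not_covered={result['not_covered']}")
```

The anchored patterns accept no lookalike, but each is also narrower than the domain: `.amazon.com` does not match a host named exactly `amazon.com`, and `@example.com` does not match senders at subdomains.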

Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Hello, Scott,
We are running Declude v1.75.

Any ideas?

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 12:25 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working


>
> >As a test I switched the address listed after the ROUTETO action from
> >@hotmail.com to one of the e-mail addresses I have on the local
> >IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
> >up immediately.
>
> What version of Declude JunkMail are you running ("\IMail\Declude -diag"
> from a command prompt will show you)?  With versions before 1.67, the
> ROUTETO action would not work on outgoing E-mail.
>
> -Scott

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

>As a test I switched the address listed after the ROUTETO action from
>@hotmail.com to one of the e-mail addresses I have on the local
>IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
>up immediately.

What version of Declude JunkMail are you running ("\IMail\Declude -diag" 
from a command prompt will show you)?  With versions before 1.67, the 
ROUTETO action would not work on outgoing E-mail.

   -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread R. Scott Perry

>Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
>REVDNS?

Not at this time, simply because we can't envision there being a need for 
200 such entries.  :)

However, the WHITELIST limit is something that comes up frequently, so it 
is quite possible that more changes will be made to allow for more 
WHITELIST entries.

   -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Hosting Support
I'm not sure if everyone has heard, but IronPort bought SpamCop.  It's
likely that they're fiddling with it.  There's an article on Slashdot from
Wednesday about it.

http://yro.slashdot.org/article.pl?sid=03/12/03/2016218&mode=thread&tid=111&tid=126&tid=137&tid=187

Personally, after seeing so many FPs as a result of SpamCop weighting, I
stopped using it a year ago.

Darin.


- Original Message - 
From: "Dan Geiser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:10 AM
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread R. Scott Perry

>Based on my reading of the last sniffer thread, this will not cause
>degradation in performance because Declude is "smart" enough to only
>call sniffer once for multiple tests, but
>
>1. What if the tests are different types, in this case external and
>externalplus?

That's not a problem.  The test will still only be run once.  If the test 
has been run before in the same way (same program name and parameters), it 
will not be run again, regardless of whether it is defined as external or 
externalplus.

If the program is called in a different way (with different parameters, for 
example), then it will be run again.

>2. What performance impact is there in adding the additional action?

There should be very little degradation in performance.  It should not be 
noticeable.

>4. If the message gets my subject line modification because it fails
>weighting, but is whitelisted per the new external plus test, will
>that negate the action on weighting?

That is correct.  When an E-mail is whitelisted, it is forced to pass all 
the spam tests, so no action will be taken.

   -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Scott,
Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
REVDNS?

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 11:07 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


>
> >Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?
>
> Only the WHITELIST FROM lines can be moved out of the global.cfg file.
>
> -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Kami,
What is the name of the filter file that you have entries of that type in?

Thanks,
Dan

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


> Yes...
>
> Like a filter file:
>
> REVDNS -20 ENDSWITH .amazon.com
>
> I put the period before Amazon to just make sure no funky domain like
> .spamamazon.com can get through.
>
> Regards,
> Kami
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, December 05, 2003 10:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
> Kami:
> I've been taking a look at your configuration files every few weeks and
> based on what I saw there a couple of months ago, I also started
> WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
> probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
> It just so happened that the 3 I listed had not been whitelisted.  I know
> that whitelisting will fix the problems but I also know that there's
> definitely something up with SPAMCOP.
>
> Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
> file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
> to go past that limit and/or else offload those into a separate file?
>
> How do you do the negative Reverse DNS entries?  Is that just by using the
> FILTER test?
>
> Thanks,
> Dan
>
> - Original Message -
> From: "Kami Razvan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, December 05, 2003 10:24 AM
> Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
>
> > Dan:
> >
> > We made a decision a long time ago to whitelist REVDNS of all the folks you
> > had listed.
> >
> > We now have two REVDNS negative files.
> >
> > 1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
> > these entries to their own files).
> >
> > 2:  Negative reverseDNS files that add negative weight to the ones that are
> > legitimate and used by our users.
> >
> > That took care of a lot of problems..
> >
> > Regards,
> > Kami
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> > Sent: Friday, December 05, 2003 10:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
> >
> > Hello, All,
> > Has anyone noticed in the last few days that the IP addresses of a lot of
> > legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
> > I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
> > a few others.  Does anyone think it's possible that SPAMCOP's databases are
> > being gamed by Spammers by submitting lots of e-mails with legit IP
> > addresses and pretend that they came across as spam?  Or maybe there are
> > uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
> > representative of spam?  Or even that IronPort's purchase of SPAMCOP has
> > somehow affected the way that they do things?
> >
> > Just curious.  These legit IPs showing up on SPAMCOP are really throwing
> > lots of False Positives in my weighting system.
> >
> > Thanks,
> > Dan
> > [EMAIL PROTECTED]
> >

[Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Hello, All,
I am trying to learn a little bit about the ROUTETO action and I can't seem
to get it to work as expected.  I am using DJM Pro.

My current DELETE weight is 40.  In the "per-domain" $default$.junkmail
files for two of my highest "spam volume" domains I changed the action from
"DELETE" to "ROUTETO @hotmail.com" (both without the quotes).  I
expected messages which were previously being deleted by my DJM
configuration to start showing up in my Hotmail inbox but I'm not receiving
anything there.

As a test I switched the address listed after the ROUTETO action from
@hotmail.com to one of the e-mail addresses I have on the local
IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
up immediately.

Does anyone know why if I used an externally hosted e-mail after the ROUTETO
action that I wouldn't get the e-mail but if I used an e-mail address hosted
on my local e-mail server that I would?  Perhaps this doesn't have anything
to do with it being external but instead it's just a Hotmail issue?

Here are the relevant entries from my GLOBAL.CFG...
-
WEIGHT-DELETE  weight  x x 40 0
-

Here are the relevant entries from one of my $default$.junkmail files...
-
WEIGHT-DELETE  ROUTETO [EMAIL PROTECTED]
-

Here are the entries from my DJM log file for a message which did NOT show
up at my Hotmail account...
-
12/05/2003 11:21:24 Qb07f13c SPAMCOP:7 SBL:5 NOABUSE:2 NOPOSTMASTER:1
BASE64:4 HELOBOGUS:6 REVDNS:4 SPAMHEADERS:3 CBL:5 CSMA-SBL:5 SPAMDOMAINS:10
.  Total weight = 52
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL
(http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P
has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a
MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [420f].). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL
(http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com'
found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].).
Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c R1 Message OK
12/05/2003 11:21:24 Qb07f13c Using [incoming] CFG file
d:\iMail\Declude\american-apex.com\$default$.junkmail.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL
(http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P
has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a
MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [420f].). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed CATCHALLMAILS (). Action=COPYTO.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=ROUTETO.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL
(http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com'
found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].).
Action=WARN.
12/05/2003 11:21:24 Qb07f13c L2 Message OK
12/05/2003 11:21:24 Qb07f13c Subject: Buy Valium Cheap
12/05/2003 11:21:24 Qb07f13c From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 202.102.142.58 ID:
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE.
-

Thanks,
Dan Geiser
[EMA
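
Added example (not part of Dan's post and not Declude code): a small Python helper that unwraps log lines like the ones above, groups them by queue ID and reports which configuration pass logged which action. It assumes that entries before the "Using [incoming] CFG file" line belong to the pass that ran before the per-domain file was loaded; the sample is excerpted from the log in the post.

```python
import re

# Excerpt of the wrapped log from the post above (not the full log).
SAMPLE_LOG = r"""
12/05/2003 11:21:24 Qb07f13c SPAMCOP:7 SBL:5 NOABUSE:2 NOPOSTMASTER:1
BASE64:4 HELOBOGUS:6 REVDNS:4 SPAMHEADERS:3 CBL:5 CSMA-SBL:5 SPAMDOMAINS:10
.  Total weight = 52
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c R1 Message OK
12/05/2003 11:21:24 Qb07f13c Using [incoming] CFG file
d:\iMail\Declude\american-apex.com\$default$.junkmail.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed CATCHALLMAILS (). Action=COPYTO.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=ROUTETO.
12/05/2003 11:21:24 Qb07f13c L2 Message OK
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE.
"""

RECORD_START = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d (\S+) (.*)$")
FAILED = re.compile(r"Msg failed (\S+) \((.*)\)\.\s+Action=(\w+)\.")
WEIGHT = re.compile(r"([A-Z][A-Z0-9-]*):(\d+)")
TOTAL = re.compile(r"Total weight = (\d+)")
CFG = re.compile(r"Using \[incoming\] CFG file\s+(\S+?)\.?$")
LAST = re.compile(r"Last action = (\w+)\.")

# Actions seen on this page that change where the message ends up.
DELIVERY_ACTIONS = {"ROUTETO", "DELETE"}


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their timestamped record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start = RECORD_START.match(line)
        if start:
            records.append([start.group(1), start.group(2)])
        elif records:
            records[-1][1] += " " + line
    return [(qid, body) for qid, body in records]


def summarize(text):
    """Return {queue_id: summary} with weights, per-pass actions and last action."""
    messages = {}
    for qid, body in unwrap(text):
        msg = messages.setdefault(qid, {
            "weights": {}, "total": None, "last_action": None,
            # Assumption: lines before the per-domain CFG line form their own pass.
            "passes": [{"config": "(before per-domain CFG)", "actions": {}}],
        })
        if (m := TOTAL.search(body)):
            msg["total"] = int(m.group(1))
            msg["weights"] = {name: int(w) for name, w in WEIGHT.findall(body)}
        elif (m := CFG.search(body)):
            msg["passes"].append({"config": m.group(1), "actions": {}})
        elif (m := FAILED.search(body)):
            msg["passes"][-1]["actions"][m.group(1)] = m.group(3)
        elif (m := LAST.search(body)):
            msg["last_action"] = m.group(1)
    return messages


def effective_actions(msg):
    """Per pass, the tests whose logged action is something other than IGNORE."""
    return [(p["config"],
             {t: a for t, a in p["actions"].items() if a != "IGNORE"})
            for p in msg["passes"]]


def unexplained_last_action(msg):
    """True if a test logged ROUTETO/DELETE but 'Last action' names neither."""
    logged = {a for p in msg["passes"] for a in p["actions"].values()}
    wanted = logged & DELIVERY_ACTIONS
    return bool(wanted) and msg["last_action"] not in wanted


if __name__ == "__main__":
    for qid, msg in summarize(SAMPLE_LOG).items():
        print(qid, "total", msg["total"], "sum", sum(msg["weights"].values()))
        for config, actions in effective_actions(msg):
            print("  ", config, actions)
        print("   last action:", msg["last_action"],
              "| mismatch:", unexplained_last_action(msg))
```

Run against a full log, the mismatch flag picks out messages like the one above, where WEIGHT-DELETE logged Action=ROUTETO but the final line reads "Last action = IGNORE".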

[Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread David Sullivan

I want to use Sniffer to whitelist messages that would fail other
Declude tests, not just Sniffer alone AND I want to retain the
original Sniffer failure code if the message did fail Sniffer.

So here's where I'm headed.

Keep my single Sniffer weighted test for spam detection and add this
(per Scott's recommendation):

SNIFFER-WHITELIST externalplus P:\IMail\Declude\Sniffer\LicenseID.exe 
AuthenticationCode"

To do this, I will have my Sniffer rule base re-coded to return a 1 on
my custom whitelists instead of a 0.  With externalplus, 1 indicates
Whitelist.

Based on my reading of the last sniffer thread, this will not cause
degradation in performance because Declude is "smart" enough to only
call sniffer once for multiple tests, but

1. What if the tests are different types, in this case external and
externalplus?

2. What performance impact is there in adding the additional action?

4. If the message gets my subject line modification because it fails
weighting, but is whitelisted per the new external plus test, will
that negate the action on weighting?  If so, should I also give the
externalplus test weights like this:

-200 0

3. Anyone see any problems with this scenario?
  

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Markus Gufler

> Yes...
> 
> Like a filter file:
> 
> REVDNS -20 ENDSWITH .amazon.com
> 
> I put the period before Amazon to just make sure no funky 
> domain like .spamamazon.com can get through.


Hmmpfff

I hoped already that that could be a reason for unlimited IPBYPASS
entries...  ;-)

Markus 




RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Ok, I didn't notice how easily spam could pass this test.
Thanks Scott.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM like Imail Test..



>Declude MAILFROM test checks only the domain on the MAILFROM address
>But we receive a lot of SPAM with mailfrom like this.
><[EMAIL PROTECTED]>
>since hotmail.com is a valid Domain, then the message passes the test
>
>Is there a test like the "Mailfrom" of Imail that tests that the
>user really exists on the remote server ??

No.  The problem is that such a test is very resource intensive -- 
specifically, it will use about 10 times as much bandwidth as the MAILFROM 
test, and will often have false negatives (E-mail addresses that do not 
exist, but pass the test), and occasional false positives (E-mail addresses 
that do exist, but fail the test).  Also, it will delay the delivery of the 
E-mail by anywhere from several seconds to a minute or so (lots of 
mailservers take a long time to respond to commands), as there are about 8 
round trips that need to be made rather than just 1 -- and those round 
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
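
Added example, not from Scott's message and not Declude or IMail code: a Python simulation of the kind of sender-address callout he describes, run against constructed servers and example.org addresses, showing where the false negatives, false positives and the joe-job load come from. It counts only the SMTP exchanges of one callout; DNS lookups and TCP setup are not modelled.

```python
from dataclasses import dataclass


@dataclass
class SimulatedMTA:
    """Constructed stand-in for the mail server named in the return address."""
    mailboxes: frozenset
    catch_all: bool = False        # answers 250 to RCPT for any local part
    defer_strangers: bool = False  # answers 450 to RCPT from unknown callers
    commands_seen: int = 0         # work the callouts cause on this server

    def handle(self, command: str) -> int:
        self.commands_seen += 1
        verb = command.split()[0].upper()
        if verb == "CONNECT":
            return 220
        if verb == "QUIT":
            return 221
        if verb == "RCPT":
            if self.defer_strangers:
                return 450
            address = command[command.index("<") + 1:command.index(">")].lower()
            return 250 if self.catch_all or address in self.mailboxes else 550
        return 250  # HELO and MAIL FROM are accepted


def callout(address: str, mta: SimulatedMTA):
    """Run one callout; return (verdict, number of exchanges with the remote)."""
    dialogue = ("CONNECT", "HELO verifier.example", "MAIL FROM:<>",
                f"RCPT TO:<{address}>", "QUIT")
    replies = [mta.handle(command) for command in dialogue]
    rcpt = replies[3]
    if rcpt == 250:
        verdict = "exists"
    elif 500 <= rcpt < 600:
        verdict = "missing"
    else:
        verdict = "unknown"   # temporary failure: nothing was learned
    return verdict, len(replies)


def joe_job_load(forged_sender: str, victim: SimulatedMTA, receivers: int) -> int:
    """Commands the forged sender's server must answer when every receiver
    of a spam run performs its own callout for the same return address."""
    for _ in range(receivers):
        callout(forged_sender, victim)
    return victim.commands_seen


def demo():
    real = frozenset({"alice@example.org"})
    return {
        # Correct answers from a server that rejects unknown recipients.
        "strict, real user": callout("alice@example.org", SimulatedMTA(real)),
        "strict, bogus user": callout("x9f3k@example.org", SimulatedMTA(real)),
        # False negative: the address does not exist but passes the test.
        "catch-all, bogus user": callout(
            "x9f3k@example.org", SimulatedMTA(real, catch_all=True)),
        # False positive if "unknown" is treated as a failure.
        "deferring, real user": callout(
            "alice@example.org", SimulatedMTA(real, defer_strangers=True)),
        # Load on the forged sender's server from 1000 verifying receivers.
        "joe job commands": joe_job_load(
            "alice@example.org", SimulatedMTA(real), 1000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```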



Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread R. Scott Perry

> Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

Only the WHITELIST FROM lines can be moved out of the global.cfg file.

   -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Hi, Scott,
If I am using...

WHITELIST REVDNS .ebay.com

or

WHITELIST HELO .mail.yahoo.com

entries in my GLOBAL.CFG can those also be offloaded into a separate file?
Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

Thanks,
Dan

- Original Message - 
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:46 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


>
> >Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
> >file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
> >to go past that limit and/or else offload those into a separate file?
>
> Actually, it's a limit of 200.
>
> The WHITELIST FROM entries can be offloaded to a separate file (with
> unlimited entries), using the WHITELISTFILE option.
>
> -Scott

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



RE: [Declude.JunkMail] Reverse DNS...

2003-12-05 Thread IS - Systems Eng. (Karl Drugge)

Do what I do… I have a rule defined that subtracts the points my REVDNS
rule adds, and put the domains I need to get through in that list. Kind of
clunky and man-power intensive, but it works for me. I couldn’t imagine
doing it for hundreds of domains…

Karl Drugge

-Original Message-
From: Kami Razvan
[mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse DNS...

What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 57
X-Note: Sent from Reverse DNS:  [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>

Incredible...

Regards,
Kami


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Burzin Sumariwalla
Hi Dan,

I've only seen one FP from SpamCop in the last week.  I routinely see email 
sent by legitimate firms get tagged as spam, but usually
these firms are using third party mailers to send information.

Burzin

At 09:10 AM 12/5/2003, you wrote:
Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?
Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.
Thanks,
Dan
[EMAIL PROTECTED]
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Yes...

Like a filter file:

REVDNS -20 ENDSWITH .amazon.com

I put the period before Amazon to just make sure no funky domain like
.spamamazon.com can get through.

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami:
I've been taking a look at your configuration files every few weeks and
based on what I saw there a couple of months ago, I also started
WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
It just so happened that the 3 I listed had not been whitelisted.  I know
that whitelisting will fix the problems but I also know that there is
definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries?  Is that just by using the
FILTER test?

Thanks,
Dan

- Original Message -
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:24 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


> Dan:
>
> We made a decision a long time ago to whitelist REVDNS of all the folks you
> had listed.
>
> We now have two REVDNS negative files.
>
> 1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
> these entries to their own files).
>
> 2:  Negative reverseDNS files that adds negative weight to the ones that are
> legitimate and used by our users.
>
> That took care of a lot of problems..
>
> Regards,
> Kami
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, December 05, 2003 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
> Hello, All,
> Has anyone noticed in the last few days that the IP addresses of a lot of
> legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
> I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
> a few others.  Does anyone think it's possible that SPAMCOP's databases are
> being gamed by Spammers by submitting lots of e-mails with legit IP
> addresses and pretend that they came across as spam?  Or maybe there are
> uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
> representative of spam?  Or even that IronPort's purchase of SPAMCOP has
> somehow affected the way that they do things?
>
> Just curious.  These legit IPs showing up on SPAMCOP are really throwing
> lots of False Positives in my weighting system.
>
> Thanks,
> Dan
> [EMAIL PROTECTED]
>

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
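
Added example (not part of Kami's message and not Declude's own parser): a Python model of the filter line "REVDNS -20 ENDSWITH .amazon.com" that compares the dotted suffix with an undotted one on constructed host names, and audits a filter list for undotted suffixes. Only ENDSWITH is modelled; the matching rules (case-insensitive, trailing dot ignored) are assumptions of this sketch, and the HELO value is the one from the Amazon headers quoted elsewhere in this thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterRule:
    field: str    # value the rule inspects, e.g. REVDNS
    weight: int   # added to the message weight on a match; negative is a credit
    value: str    # suffix to compare against


def parse_rule(line: str) -> FilterRule:
    """Parse '<FIELD> <weight> ENDSWITH <value>' as written in the post."""
    parts = line.split()
    if len(parts) != 4 or parts[2].upper() != "ENDSWITH":
        raise ValueError(f"unsupported filter line: {line!r}")
    return FilterRule(parts[0].upper(), int(parts[1]), parts[3].lower())


def normalize_host(name: str) -> str:
    """Lower-case the name and drop the trailing dot a PTR answer may carry."""
    return name.strip().rstrip(".").lower()


def rule_matches(rule: FilterRule, observed: dict) -> bool:
    raw = observed.get(rule.field)
    if not raw:          # e.g. the sending IP has no reverse DNS at all
        return False
    return normalize_host(raw).endswith(rule.value)


def total_weight(rules, observed: dict) -> int:
    return sum(rule.weight for rule in rules if rule_matches(rule, observed))


def undotted_suffixes(lines):
    """Audit helper: filter lines whose suffix does not start at a label boundary."""
    return [line for line in lines if not parse_rule(line).value.startswith(".")]


DOTTED = [parse_rule("REVDNS -20 ENDSWITH .amazon.com")]
UNDOTTED = [parse_rule("REVDNS -20 ENDSWITH amazon.com")]

# Constructed reverse-DNS values for the comparison.
HOSTS = {
    "subdomain": "mail1.amazon.com",
    "lookalike": "mx.spamamazon.com",
    "apex": "amazon.com",
    "mixed case, trailing dot": "Mail1.Amazon.COM.",
    "name used as prefix": "amazon.com.example.net",
}


def compare():
    """Map each sample to (weight with dotted suffix, weight with undotted)."""
    return {label: (total_weight(DOTTED, {"REVDNS": host}),
                    total_weight(UNDOTTED, {"REVDNS": host}))
            for label, host in HOSTS.items()}


def no_reverse_dns_case():
    """A REVDNS rule cannot credit a message that has a HELO name but no PTR."""
    return total_weight(DOTTED, {"HELO": "boi1-app-101.amazon.com"})


if __name__ == "__main__":
    for label, weights in compare().items():
        print(f"{label:26} dotted={weights[0]:4} undotted={weights[1]:4}")
    print("no reverse DNS:", no_reverse_dns_case())
    print("needs review:", undotted_suffixes(
        ["REVDNS -20 ENDSWITH .amazon.com", "REVDNS -20 ENDSWITH amazon.com"]))
```

The dotted suffix also stops matching the bare domain "amazon.com", so a sender whose reverse DNS is exactly the apex name needs its own entry.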


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread R. Scott Perry

> Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
> file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
> to go past that limit and/or else offload those into a separate file?

Actually, it's a limit of 200.

The WHITELIST FROM entries can be offloaded to a separate file (with 
unlimited entries), using the WHITELISTFILE option.

   -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Kami:
I've been taking a look at your configuration files every few weeks and
based on what I saw there a couple of months ago, I also started
WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
It just so happened that the 3 I listed had not been whitelisted.  I know
that whitelisting will fix the problems but I also know that there is
definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries?  Is that just by using the
FILTER test?

Thanks,
Dan

- Original Message - 
From: "Kami Razvan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:24 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


> Dan:
>
> We made a decision a long time ago to whitelist REVDNS of all the folks you
> had listed.
>
> We now have two REVDNS negative files.
>
> 1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
> these entries to their own files).
>
> 2:  Negative reverseDNS files that adds negative weight to the ones that are
> legitimate and used by our users.
>
> That took care of a lot of problems..
>
> Regards,
> Kami
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
> Sent: Friday, December 05, 2003 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
>
> Hello, All,
> Has anyone noticed in the last few days that the IP addresses of a lot of
> legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
> I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
> a few others.  Does anyone think it's possible that SPAMCOP's databases are
> being gamed by Spammers by submitting lots of e-mails with legit IP
> addresses and pretend that they came across as spam?  Or maybe there are
> uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
> representative of spam?  Or even that IronPort's purchase of SPAMCOP has
> somehow affected the way that they do things?
>
> Just curious.  These legit IPs showing up on SPAMCOP are really throwing
> lots of False Positives in my weighting system.
>
> Thanks,
> Dan
> [EMAIL PROTECTED]
>



RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Dan:

We made a decision a long time ago to whitelist REVDNS of all the folks you
had listed.

We now have two REVDNS negative files.

1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
these entries to their own files).

2:  Negative reverseDNS files that adds negative weight to the ones that are
legitimate and used by our users.

That took care of a lot of problems..

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Technical Support
I have noticed this as well, and it is causing me a never-ending stream
of headaches.
 
Jim O'Keefe 
Technical Support 
@YourNET Connection, Inc. 
[EMAIL PROTECTED]   


-Original Message-
From: Dan Geiser [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:10 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



[Declude.JunkMail] Reverse DNS...

2003-12-05 Thread Kami Razvan



What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 57
X-Note: Sent from Reverse DNS:  [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s):  [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES->destination
X-RCPT-TO: <[EMAIL PROTECTED]>
 
Incredible...

 
Regards,
Kami


[Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



[Declude.JunkMail] Fw: [IMail Forum] November 2003 Spam Statistics

2003-12-05 Thread Jeff Pereira

- Original Message -
From: "Jeff Pereira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 9:26 AM
Subject: Re: [IMail Forum] November 2003 Spam Statistics


> Scott -
>
> Is it possible to post the configuration files for Declude Junkmail that
> were used to produce the results obtained in the November 2003 Spam
> Statistics?
>
> I am sure that there are a number of other users out there like myself that
> have limited resources to devote to spam control and for whom spam control
> is a secondary or tertiary responsibility.
>
> It would be nice to know that I could start with a given a set of
> configuration files that are able to generate what I feel to be very
> impressive statistics.
>
> Thank you.
>
> Jeff
>
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>



RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Tyler Jensen
I installed a full retail copy of Office 2003 Professional and I have the
same issue. Missing headers.

Tyler

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Smith
> Sent: Friday, December 05, 2003 5:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] A little CMA documentation for Outlook
> 2003 RFC non-compliance 2003 RFC non-compliance
>
>
> I'm assuming that this only happens with Outlook 2003 used with a
> non-Exchange (POP3/IMAP/SMTP mode)?
>
> Here are two headers from Outlook 2003 installed by Office 2003 Pro
> Microsoft Volume Licensing (not OEM)
>
> From Outlook/MAPI via Exchange 2003
>
> -0-
>
> Received: from us-inboundmx.blank.com [61.220.41.95] by
> popmail.domain2.com
> with ESMTP
>   (SMTPD32-8.03) id AFB28130208; Fri, 05 Dec 2003 05:36:34 -0500
> X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Subject: testing
> Date: Fri, 5 Dec 2003 05:36:34 -0500
> Message-ID:
> <[EMAIL PROTECTED]>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: testing
> Thread-Index: AcO7G6c5ASWwh2hOTRWz0b/pUSbfKw==
> From: "Mark E. Smith" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> X-Note: Weight: 0 - This E-mail was scanned by NETrends Systems
> (www.netrends.com) for spam.
> X-Spam-Tests-Failed: Whitelisted
> X-Spam-Prob: 0.169437
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 341408898
>
> -0-
>
> From Outlook/POP3/SMTP via iMail SMTP
>
> -0-
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from ussmtpin2.blank.com ([10.7.4.111]) by
> us-inboundmx.blank.com
> with Microsoft SMTPSVC(6.0.3790.0);
>Fri, 5 Dec 2003 05:40:53 -0500
> Received: from popmail.domain2.com [16.196.89.161] by ussmtpin2.blank.com
> with ESMTP
>   (SMTPD32-8.03) id A0B38CD0118; Fri, 05 Dec 2003 05:40:51 -0500
> Received: from msmithd800xp [162.83.21.69] by popmail.domain2.com
> with ESMTP
>   (SMTPD32-8.03) id A0AF8330208; Fri, 05 Dec 2003 05:40:47 -0500
> From: "Mark Smith" <[EMAIL PROTECTED]>
> To: "Mark E. Smith" <[EMAIL PROTECTED]>
> Subject: Testing from domain2
> Date: Fri, 5 Dec 2003 05:40:47 -0500
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> Thread-Index: AcO7HD5aazFkluigRS2DXlE/jJeQ9w==
> Message-Id: <[EMAIL PROTECTED]>
> X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
> [420e].
> X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
> X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
> test (27)
> X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
> (46)
> X-Note: Weight: 3 - This E-mail was scanned by NETrends Systems
> (www.netrends.com) for spam.
> X-RBL-Warning: WHITELISTFILE: Message failed WHITELISTFILE test (100)
> X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
> X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (27)
> X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
> test (27)
> X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
> (37)
> X-Note: Weight: -110 - This E-mail was scanned by NETrends Systems
> (www.netrends.com) for viruses and spam.
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 05 Dec 2003 10:40:53.0729 (UTC)
> FILETIME=[42002510:01C3BB1C]
>
> -0-
>
>
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of R.
> > Scott Perry
> > Sent: Thursday, December 04, 2003 2:19 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Declude.JunkMail] A little CMA documentation
> > for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
> >
> >
> > >I have a customer who was having trouble with his messages sent to
> > >users on servers that use spam filters not being delivered.  I had him
> > >send a message to me so I could see what tests it fails.  As some of
> > >you may have already guessed, he's got a new pc with Outlook 2003 and
> > >the messages fail the spam headers test.  I informed him that among
> > >mail server and/or spamfilter administrators this is a known issue.
> > >So, he calls MS.  MS says it's OEM software, call the vendor.  Dell
> > >says I'm full of it.
> > >
> > >So...
> > >
> > >Would someone with more thorough and better understanding than mine
> > >please send me something (with permission to quote or I'd just lift
> > >from archives) that I can send to this customer?  I'm looking for what
> > >it is that Outlook 2003 does wrong and what RFC it is not conforming
> > >to.  He wants to then show it to Dell and request an exchange for
> > >Office 2002.
> >
> > It's really a Microsoft issue (it's a bug -- er, "new
> > feature" -- in Outlook 2003), but they may have a special
> > arrangement with Dell.  Microsoft had a few complaints from
>

RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

2003-12-05 Thread R. Scott Perry

> I am still a little shaky on what END does.
>
> If we have a filter file and have the following line - let's say on line 1:
>
> HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS
>
> If this condition is met then the filter will exit?

Correct.

> So anytime an END condition is satisfied the rest of the filter is not to
> be analyzed.

Correct.

> The idea was originally proposed to help with the Anti-filter concept.. But
> I am not sure how it will work.

I think that there are two purposes for END:

[1] It will reduce CPU usage for large filters, if you know they do not
need to be used for some reason.

[2] It will allow you to have weights applied only under certain
conditions.  For example, "If the E-mail contains 'example.com' but not
'example.net', apply a weight of 5" (with "ANYWHERE END CONTAINS
example.net" and "ANYWHERE 5 CONTAINS example.com").

-Scott
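
The END behaviour described in the reply above, as an added example that is not part of the original post and is not Declude's code: a small Python evaluator for the three filter lines quoted in this thread. It assumes CONTAINS is a case-insensitive substring match and that weight collected before an END line fires is kept; `parse_filter`, `evaluate`, the extra weighted lines and the sample messages are constructed for illustration.

```python
"""Toy evaluator for Declude-style filter lines with END (added illustration).

Assumptions, not taken from Declude's documentation:
  * CONTAINS is a case-insensitive substring match;
  * weight collected before an END line fires is kept.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

SCOPES = ("HEADERS", "ANYWHERE")  # the two scopes that appear in the thread


@dataclass
class Rule:
    scope: str
    action: Union[int, str]  # integer weight, or the literal "END"
    needle: str


def parse_filter(text: str) -> List[Rule]:
    """Parse lines of the form: SCOPE <weight|END> CONTAINS <text>."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() != "CONTAINS":
            raise ValueError(f"unsupported filter line: {raw!r}")
        scope, action, _, needle = parts
        if scope.upper() not in SCOPES:
            raise ValueError(f"unsupported scope: {scope!r}")
        weight = "END" if action.upper() == "END" else int(action)
        rules.append(Rule(scope.upper(), weight, needle))
    return rules


def evaluate(rules, headers, body) -> Tuple[int, int, bool]:
    """Return (weight, lines_checked, ended_early) for one message."""
    searchable = {
        "HEADERS": headers.lower(),
        "ANYWHERE": (headers + "\n" + body).lower(),
    }
    weight = checked = 0
    for rule in rules:
        checked += 1
        if rule.needle.lower() not in searchable[rule.scope]:
            continue
        if rule.action == "END":
            return weight, checked, True  # rest of the filter is skipped
        weight += rule.action
    return weight, checked, False


# The two-line filter quoted in the reply above.
CONDITIONAL = parse_filter("""
ANYWHERE END CONTAINS example.net
ANYWHERE 5   CONTAINS example.com
""")

# Same lines in the opposite order: END now fires too late.
MISORDERED = parse_filter("""
ANYWHERE 5   CONTAINS example.com
ANYWHERE END CONTAINS example.net
""")

# END as an early exit in front of a longer filter (purpose [1]).
# The three weighted lines are constructed for this example.
EARLY_EXIT = parse_filter("""
HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS
ANYWHERE 3 CONTAINS constructed phrase one
ANYWHERE 3 CONTAINS constructed phrase two
ANYWHERE 3 CONTAINS constructed phrase three
""")

# Constructed sample messages.
HEADERS = "From: sender@example.org\nSubject: hello"
BODY_COM_ONLY = "Please visit http://www.example.com/offer"
BODY_BOTH = "Mirrors: www.example.com and www.example.net"
HEADERS_FLAGGED = HEADERS + "\nX-IMAIL-SPAM-VALREVDNS: constructed value"

if __name__ == "__main__":
    for name, rules, hdrs, body in [
        ("conditional, .com only", CONDITIONAL, HEADERS, BODY_COM_ONLY),
        ("conditional, both", CONDITIONAL, HEADERS, BODY_BOTH),
        ("misordered, both", MISORDERED, HEADERS, BODY_BOTH),
        ("early exit", EARLY_EXIT, HEADERS_FLAGGED, BODY_COM_ONLY),
    ]:
        print(name, evaluate(rules, hdrs, body))
```

With the lines misordered, the weight of 5 is applied before END is reached, so under these assumptions the END line has to come first for the "example.com but not example.net" condition to hold.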



Re: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread R. Scott Perry

> Declude MAILFROM test checks only the domain on the MAILFROM address
> But we receive a lot of SPAM with mailfrom like this. <[EMAIL PROTECTED]>
> since hotmail.com is a valid Domain, then the message passes the test
> Is there a test like the "Mailfrom" of Imail that tests that the
> user really exists on the remote server ??

No.  The problem is that such a test is very resource intensive --
specifically, it will use about 10 times as much bandwidth as the MAILFROM
test, and will often have false negatives (E-mail addresses that do not
exist, but pass the test), and occasional false positives (E-mail addresses
that do exist, but fail the test).  Also, it will delay the delivery of the
E-mail by anywhere from several seconds to a minute or so (lots of
mailservers take a long time to respond to commands), as there are about 8
round trips that need to be made rather than just 1 -- and those round
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

2003-12-05 Thread Kami Razvan
Hi;

I am still a little shaky on what END does.

If we have a filter file and have the following line - let's say on line 1:

HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS

If this condition is met then the filter will exit?  So anytime an END
condition is satisfied the rest of the filter is not to be analyzed.

The idea was originally proposed to help with the Anti-filter concept.. But
I am not sure how it will work.

Regards,
Kami




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

We have just released Declude Virus v1.77 (beta).  See
http://www.declude.com/junkmail/manual.htm .  Notable changes since the last
beta include:

 o BOUNCE action renamed to BOUNCEONLYIFYOUMUST (please read the
information on this action in the manual before using it).
 o "filter" test type now can have MAXWEIGHT/MINWEIGHT option.
 o "filter" test type now can have "END" in place of the weight
 o "filter" test type now has SKIPIFWEIGHT option to bypass filters
if a certain weight has already been reached.
 o HIDETESTS option to hide tests from X-Spam-Tests-Failed: header.
 o Numerous minor fixes

Other additions and fixes can be found in the release notes, at
http://www.declude.com/relnotes.htm . Anyone with an up-to-date Service
Agreement is entitled to free upgrades (see http://www.declude.com/agree.htm
for information on the Declude Service Agreement).

---

Quick Resource Reference:

Tech Support:  [EMAIL PROTECTED]
Mailing List: Send E-mail to [EMAIL PROTECTED] with "subscribe 
declude.junkmail your name" in the body
New Releases List: Send E-mail to [EMAIL PROTECTED] with "subscribe 
declude.releases your name" in the body
Troubleshooting: See manual URL above; look at "Troubleshooting" section
Emergency Uninstall:  See manual URL above; look at "Emergency Uninstall" 
section
Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only)
Declude Addons/Tools URL: http://www.declude.com/tools
Manual: http://www.declude.com/junkmail/manual.htm



RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Mark Smith
I'm assuming that this only happens with Outlook 2003 used with a
non-Exchange (POP3/IMAP/SMTP mode)?

Here are two headers from Outlook 2003 installed by Office 2003 Pro
Microsoft Volume Licensing (not OEM)

From Outlook/MAPI via Exchange 2003

-0-

Received: from us-inboundmx.blank.com [61.220.41.95] by popmail.domain2.com
with ESMTP
  (SMTPD32-8.03) id AFB28130208; Fri, 05 Dec 2003 05:36:34 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: testing
Date: Fri, 5 Dec 2003 05:36:34 -0500
Message-ID:
<[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: testing
Thread-Index: AcO7G6c5ASWwh2hOTRWz0b/pUSbfKw==
From: "Mark E. Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
X-Note: Weight: 0 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for spam.
X-Spam-Tests-Failed: Whitelisted
X-Spam-Prob: 0.169437
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 341408898

-0-

From Outlook/POP3/SMTP via iMail SMTP

-0-

Microsoft Mail Internet Headers Version 2.0
Received: from ussmtpin2.blank.com ([10.7.4.111]) by us-inboundmx.blank.com
with Microsoft SMTPSVC(6.0.3790.0);
 Fri, 5 Dec 2003 05:40:53 -0500
Received: from popmail.domain2.com [16.196.89.161] by ussmtpin2.blank.com
with ESMTP
  (SMTPD32-8.03) id A0B38CD0118; Fri, 05 Dec 2003 05:40:51 -0500
Received: from msmithd800xp [162.83.21.69] by popmail.domain2.com with ESMTP
  (SMTPD32-8.03) id A0AF8330208; Fri, 05 Dec 2003 05:40:47 -0500
From: "Mark Smith" <[EMAIL PROTECTED]>
To: "Mark E. Smith" <[EMAIL PROTECTED]>
Subject: Testing from domain2
Date: Fri, 5 Dec 2003 05:40:47 -0500
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcO7HD5aazFkluigRS2DXlE/jJeQ9w==
Message-Id: <[EMAIL PROTECTED]>
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[420e].
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
(46)
X-Note: Weight: 3 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for spam.
X-RBL-Warning: WHITELISTFILE: Message failed WHITELISTFILE test (100)
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (27)
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
(37)
X-Note: Weight: -110 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for viruses and spam.
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 05 Dec 2003 10:40:53.0729 (UTC)
FILETIME=[42002510:01C3BB1C]

-0-





> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R.
> Scott Perry
> Sent: Thursday, December 04, 2003 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] A little CMA documentation
> for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
>
>
> >I have a customer who was having trouble with his messages sent to
> >users on servers that use spam filters not being delivered.  I had him
> >send a message to me so I could see what tests it fails.  As some of
> >you may have already guessed, he's got a new pc with Outlook 2003 and
> >the messages fail the spam headers test.  I informed him that among
> >mail server and/or spamfilter administrators this is a known issue.
> >So, he calls MS.  MS says it's OEM software, call the vendor.  Dell
> >says I'm full of it.
> >
> >So...
> >
> >Would someone with more thorough and better understanding than mine
> >please send me something (with permission to quote or I'd just lift
> >from archives) that I can send to this customer?  I'm looking for what
> >it is that Outlook 2003 does wrong and what RFC it is not conforming
> >to.  He wants to then show it to Dell and request an exchange for
> >Office 2002.
>
> It's really a Microsoft issue (it's a bug -- er, "new
> feature" -- in Outlook 2003), but they may have a special
> arrangement with Dell.  Microsoft had a few complaints from
> people using Outlook that their machine name was "leaked" in
> the Message-ID header.  Instead of ignoring the complaint, or
> making the host name used in the Message-ID: header
> configurable, they chose to remove the Message-ID: header.
>
> Microsoft is technically RFC-compliant, *if* they understand
> the consequences of what they did.  In other words, it is
> only RFC-compliant if they accept the fact that the E-mail sent
> from Outlook 2003 may be marked as spam.
>
> Microsoft's position, from what we understand, is that they
> expect all mailservers to whitelist outgoing E-mail from
> Outlook 2003 users, and add the Message-ID: heade

RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Mark Smith
BTW,
I forwarded this issue to a colleague, Sue Moser of Slipstick Systems
http://www.slipstick.com and Windows magazine contributor.

Mark

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R.
> Scott Perry
> Sent: Thursday, December 04, 2003 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] A little CMA documentation
> for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
>
>
> >I have a customer who was having trouble with his messages sent to
> >users on servers that use spam filters not being delivered.  I had him
> >send a message to me so I could see what tests it fails.  As some of
> >you may have already guessed, he's got a new pc with Outlook 2003 and
> >the messages fail the spam headers test.  I informed him that among
> >mail server and/or spamfilter administrators this is a known issue.
> >So, he calls MS.  MS says it's OEM software, call the vendor.  Dell
> >says I'm full of it.
> >
> >So...
> >
> >Would someone with more thorough and better understanding than mine
> >please send me something (with permission to quote or I'd just lift
> >from archives) that I can send to this customer?  I'm looking for what
> >it is that Outlook 2003 does wrong and what RFC it is not conforming
> >to.  He wants to then show it to Dell and request an exchange for
> >Office 2002.
>
> It's really a Microsoft issue (it's a bug -- er, "new
> feature" -- in Outlook 2003), but they may have a special
> arrangement with Dell.  Microsoft had a few complaints from
> people using Outlook that their machine name was "leaked" in
> the Message-ID header.  Instead of ignoring the complaint, or
> making the host name used in the Message-ID: header
> configurable, they chose to remove the Message-ID: header.
>
> Microsoft is technically RFC-compliant, *if* they understand
> the consequences of what they did.  In other words, it is
> only RFC-compliant if they accept the fact that the E-mail sent
> from Outlook 2003 may be marked as spam.
>
> Microsoft's position, from what we understand, is that they
> expect all mailservers to whitelist outgoing E-mail from
> Outlook 2003 users, and add the Message-ID: header.
>
> -Scott


RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread John Tolmachoff \(Lists\)
In a filter file:

HEADERS  (weight)  CONTAINS  X-IMAIL-SPAM-INVALIDFROM

Imail is checking to see if the sender exists and places that into the
header. (If you have Imail configured to add headers.)

HOWEVER, this does not work for @yahoo.com addresses.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
> Sent: Thursday, December 04, 2003 10:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] MAILFROM like Imail Test..
> 
> Here are the headers...  How this can be caught with Declude ??
> 
> 12:05 00:32 SMTPD(06E400CC) [0640]  VALIDATION: (MAIL
> FROM) mail.fanosa.com FAILED to validate MAIL FROM address
> [EMAIL PROTECTED]
> 12:05 00:32 SMTPD(06E400CC) [0640]  VALIDATION: (MAIL
> FROM) <[EMAIL PROTECTED]> user does not exist on remote system
> 12:05 00:33 SMTPD(06E500CC) [2292]  VALIDATION: (MAIL
> FROM) mail.fanosa.com FAILED to validate MAIL FROM address
> [EMAIL PROTECTED]
> 12:05 00:33 SMTPD(06E500CC) [2292]  VALIDATION: (MAIL
> FROM) <[EMAIL PROTECTED]> user does not exist on remote system
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alejandro
> Valenzuela
> Sent: Thursday, December 04, 2003 11:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] MAILFROM like Imail Test..
> 
> 
> Declude MAILFROM test checks only the domain on the MAILFROM address
> But we receive a lot of SPAM with mailfrom like this.
> <[EMAIL PROTECTED]>
> since hotmail.com is a valid Domain, then the message passes the test
> 
> Is there a test like the "Mailfrom" of Imail that tests that the
> user really exists on the remote server ??
> 
> <[EMAIL PROTECTED]>  (In Imail this will fail...)
> 
> Thanks..
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
> Sent: Thursday, December 04, 2003 5:21 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] sniffer
> 
> 
> FYI, I believe the demo consolidates everything into two separate tests:
> General & Malware.  However, it will still give you a very good idea of the
> overall effectiveness of running Sniffer with Declude.
> 
> Bill
> - Original Message -
> From: "T. Bradley Dean" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 04, 2003 4:02 PM
> Subject: RE: [Declude.JunkMail] sniffer
> 
> 
> >Declude is optimized to run the external test only once
> 
> That was going to be my next question, it looked terribly in-efficient at
> first!
> 
> Thanks for the responses guys. I just installed the demo.
> 
> ~Brad
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, December 03, 2003 8:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] sniffer
> 
> 
> Brad,
> 
> That's right.
> :-)
> 
> Heuristics for patterns are grouped by the spam that prompts us to generate
> them, or by how we created them. Most of the time they are at least close
> to classifying the type of spam. Each system that uses Message Sniffer is
> encouraged to specify adjustable weights for each rule group so that the
> results from the pattern matching tests can be "tuned" for the greatest
> accuracy on that system and according to its unique mix of incoming spam
> and the users being served.
> 
> Declude is optimized to run the external test only once and allow the
> result code to be evaluated for all of the tests that define that external
> test... so in the example shown below sniffer would be called once and its
> result code would be evaluated many times.
> 
> Message Sniffer will typically match many patterns in a given spam.
> Currently the voting system that decides the winning pattern match uses the
> following rule: Choose the first pattern match found with the lowest symbol.
> 
> Within the standard rulebase, rule groups are loosely grouped so that the
> least specific patterns have the largest symbols. The combination of these
> arrangements tends toward selecting the most specific pattern match
> available for a given message.
> 
> If anyone has other questions that are specific to sniffer then please feel
> free to contact us off list at our support@ sortmonster.com address.
> 
> Thanks,
> 
> _M
> 
> At 10:20 PM 12/3/2003, you wrote:
> >Brad, Sniffer does message based pattern matching (Pete, correct me if
> >I am wrong).  If you opt to separate the 20 or so tests that Sniffer
> >currently supports, then you can set whatever weight you want to each
> >individual test. Here is how I currently have the individual Sniffer
> >tests defined in my global.cfg (License ID and Authentication Code
> >obscured):
> >
> >SNIFFER-WHITELIST external 000 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" -5 0
> >SNIFFER-TRAVEL  external 047 "M:\IMail\Dec

RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Here are the headers...  How this can be caught with Declude ??

12:05 00:32 SMTPD(06E400CC) [0640]  VALIDATION: (MAIL
FROM) mail.fanosa.com FAILED to validate MAIL FROM address
[EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640]  VALIDATION: (MAIL
FROM) <[EMAIL PROTECTED]> user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292]  VALIDATION: (MAIL
FROM) mail.fanosa.com FAILED to validate MAIL FROM address
[EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292]  VALIDATION: (MAIL
FROM) <[EMAIL PROTECTED]> user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alejandro
Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..


Declude MAILFROM test checks only the domain on the MAILFROM address
But we receive a lot of SPAM with mailfrom like this. <[EMAIL PROTECTED]>
since hotmail.com is a valid Domain, then the message passes the test

Is there a test like the "Mailfrom" of Imail that tests that the
user really exists on the remote server ??

<[EMAIL PROTECTED]>  (In Imail this will fail...)

Thanks..






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


FYI, I believe the demo consolidates everything into two separate tests:
General & Malware.  However, it will still give you a very good idea of the
overall effectiveness of running Sniffer with Declude.

Bill
- Original Message - 
From: "T. Bradley Dean" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer


>Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly in-efficient at
first!

Thanks for the responses guys. I just installed the demo.

~Brad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


Brad,

That's right.
:-)

Heuristics for patterns are grouped by the spam that prompts us to generate
them, or by how we created them. Most of the time they are at least close
to classifying the type of spam. Each system that uses Message Sniffer is
encouraged to specify adjustable weights for each rule group so that the
results from the pattern matching tests can be "tuned" for the greatest
accuracy on that system and according to its unique mix of incoming spam
and the users being served.

Declude is optimized to run the external test only once and allow the
result code to be evaluated for all of the tests that define that external
test... so in the example shown below sniffer would be called once and its
result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam.
Currently the voting system that decides the winning pattern match uses the
following rule: Choose the first pattern match found with the lowest symbol.

Within the standard rulebase, rule groups are loosely grouped so that the
least specific patterns have the largest symbols. The combination of these
arrangements tends toward selecting the most specific pattern match
available for a given message.

If anyone has other questions that are specific to sniffer then please feel
free to contact us off list at our support@ sortmonster.com address.

Thanks,

_M

At 10:20 PM 12/3/2003, you wrote:
>Brad, Sniffer does message based pattern matching (Pete, correct me if
>I am wrong).  If you opt to separate the 20 or so tests that Sniffer
>currently supports, then you can set whatever weight you want to each
>individual test. Here is how I currently have the individual Sniffer
>tests defined in my global.cfg (License ID and Authentication Code
>obscured):
>
>SNIFFER-WHITELIST external 000 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" -5 0
>SNIFFER-TRAVEL  external 047 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-INSURANCE external 048 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-AV-PUSH  external 049 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 07 0
>SNIFFER-WAREZ  external 050 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SPAMWARE external 051 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SNAKEOIL external 052 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-SCAMS  external 053 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 10 0
>SNIFFER-PORN  external 054 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode" 12 0
>SNIFFER-MALWARE  external 055 "M:\IMail\Declude\TPA\Sniffer\LicenseID.exe
>AuthenticationCod