[MBF] Re: Abuse & Postmaster
Hi Martin,

There is no way at all for any external party (a black list, DNSSTUFF or a recipient SMTP server) to determine whether inside your Imail or SmarterMail configuration you defined a particular email address (such as Postmaster@..., Abuse@... or Root@...) as a separate mailbox or as a forwarding alias. All that's visible to the outside is whether your server accepts an email address as valid - or not.

So - a few things are possible:

a) A bug in the testing tool you are using, or
b) Your mail server having rejected an email from the testing tool's SMTP relay because it fails some OTHER rule, or
c) Your mail server's IP address currently being listed in one of the "non-compliant servers" black list, and your testing tool is reporting THAT.

Outside of those most likely scenarios, there are also some servers that don't care much about the "abuse" contact for your DOMAIN name, because the assumption is that spammers will register new (or hack reputable) domain names all the time. Instead, they use the "WHOIS" information of your provider's IP block to see if IT contains an abuse contact - since that would be a much more likely "legitimate" abuse contact.

The problem comes in with SWIPing. When providers have various WHOIS entries for countless delegated segments of their huge IP blocks, they don't always bother to populate all those fields down the stream. While a human would have the sense to follow the chain up to the ultimate parent organization and readily find their official abuse contacts - it's not unusual for attempted spam filters to fail miserably and consider the individual IP block as missing an abuse contact.
Best Regards
Andy Schmidt
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Martin Margheim
Sent: Monday, November 21, 2016 15:11
To: community@mailsbestfriend.com
Subject: [MBF] Abuse & Postmaster

I have been working with the premise that postmaster and abuse email accounts could be operated as alias email addresses. However, for whatever reason, a check this morning using DNSTUFF's Professional Toolset results in reporting no abuse or postmaster email exists. Perhaps this is a result of how the toolset checks for email addresses. After all, it is a rather dated toolset and perhaps never been updated, particularly since acquired by SolarWinds no longer a subscription DNS Tool.

Thoughts?

Martin
[MBF] Re: Help with PCRE
Uh - okay. The problem is NOT the order (or the fact that the last item wouldn't have a whitespace character, which could be handled easily). The real problem is that a match will ONLY be made if every single "token" in your string is actually included in your list of alternatives. The problem is that I see now that you have OTHER tokens in your string that are NOT in your list - which your RegEx does not permit.

The following works with all your examples:

(((\S*\s)*(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS)\s?){4,})

This is NOT matched, because there are not four of them:

PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB

This IS matching PSKY, NEWERDOMAIN, ROUTING, SORBS:

PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

This is NOT matched, because it only matches PSKY, ROUTING and SORBS:

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

Please note, that at present it will only match FULL words - so " BADHELO " is NOT a match for " HELO ", " BADHEADERS " is NOT a match for " HEADERS ", etc.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:25 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

OK this is working now, sort of:

(?:LASHBACK\s|PSKY\s|NEWERDOMAIN\s|HEADERS\s|ROUTING\s|MAILSPIKE-L[1-5\s|HELO\s|SORBS\s|SPAMCOP\s|DNS\s){4,})

Here are examples

PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB

That is in the Declude Logs. BUT it only works if there are no breaks. SO

PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

Only matches the first 4 but not BADHEADERS SORBS BADHELO

PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO

DOES NOT WORK. Finds no matches since it does not find 4 in a row of the above choices, even though the entire string contains 6 of the above choices.

# This message is sent to you because you are subscribed to the mailing list. To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
[MBF] Re: Help with PCRE
What is a sample of the actual string you are searching? Are there any separation characters we need to allow for?

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 7:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

That is not working either. It is wanting them to be consecutive

-Original Message-
From: "David Barker" <david.bar...@mailsbestfriend.com>
Sent: Friday, August 26, 2016 11:32am
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

Oooo, didn't think of doing it that way. Thought it only worked with letters. So test to be sure.

Just to correct the syntax Declude, you want to use the following:

(?:(LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,})

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Andy Schmidt
Sent: Friday, August 26, 2016 1:26 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Help with PCRE

(?:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS){4,}

Move the quantifier OUTSIDE your token list.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Friday, August 26, 2016 1:47 PM
To: community@mailsbestfriend.com
Subject: [MBF] Help with PCRE

I am trying to create a Regex filter that will only trigger if 4 or more tests have failed. This is what I have so far but it is not working:

(?i:LASHBACK|PSKY|NEWERDOMAIN|HEADERS|ROUTING|MAILSPIKE-L|HELO|SORBS|SPAMCOP|DNS{4,10})

It is triggering if only one has failed. I am trying to have it only trigger if 4 or more have failed. Any suggestions?

John T
eServices For You
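The patterns from this thread run against the three sample strings John posted, as an added Python example (not code from any poster or from Declude). Python's `re` stands in for Declude's PCRE engine, which is an assumption; `count_listed` and the `EDGE` string are constructed here to show a case where the final pattern and a whole-token count disagree.

```python
import re

# Test names from the alternation list posted in the thread.
NAMES = ["LASHBACK", "PSKY", "NEWERDOMAIN", "HEADERS", "ROUTING",
         "MAILSPIKE-L", "HELO", "SORBS", "SPAMCOP", "DNS"]
ALT = "|".join(NAMES)

# First attempt: {4,10} binds only to the final "S" of "DNS",
# so any single listed name is already a match.
FIRST_TRY = re.compile("(?i:" + ALT + "{4,10})")

# Quantifier moved outside the group: four names back to back,
# with no separator allowed between them.
ADJACENT = re.compile("(?:" + ALT + "){4,}")

# Final pattern from the thread: (\S*\s)* skips unlisted tokens
# that sit between listed ones.
SKIPPING = re.compile(r"(((\S*\s)*(" + ALT + r")\s?){4,})")

# The three sample strings from the thread.
S1 = "PSKY IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB ALLIGATETESTS SYMBOLSWORDSSUB"
S2 = ("PSKY NEWERDOMAIN ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB "
      "ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO")
S3 = ("PSKY ROUTING REVDNS IPNOTINMX MSGSIZE-0KB MSGSIZE-3KB "
      "ALLIGATETESTS SYMBOLSWORDSSUB BADHEADERS SORBS BADHELO")

# Constructed string, not from the thread: an unanchored search may begin
# inside BADHELO, so HELO is counted as the first of four names.
EDGE = "BADHELO PSKY ROUTING SORBS"


def fires(pattern, line):
    """True if the filter pattern matches anywhere in the line."""
    return pattern.search(line) is not None


def count_listed(line):
    """Count whitespace-separated tokens that are exactly a listed name."""
    return sum(1 for token in line.split() if token in NAMES)


if __name__ == "__main__":
    for label, line in (("S1", S1), ("S2", S2), ("S3", S3), ("EDGE", EDGE)):
        print(label,
              "first_try=%s" % fires(FIRST_TRY, line),
              "adjacent=%s" % fires(ADJACENT, line),
              "skipping=%s" % fires(SKIPPING, line),
              "whole_tokens=%d" % count_listed(line))
```

Where the filter can be driven from a script instead of a single expression, counting whole tokens avoids both the mid-word start and the backtracking cost of the nested quantifiers.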
[MBF] Re: Odd attachment header for an Excel file
Hi John,

Actually - the "filename" parameter is assigned to the "Content-Disposition" headers - and that's where I'm used to seeing it (however, I admit to seldom having reason to look for it):

http://www.iana.org/assignments/cont-disp/cont-disp.xhtml

I never noticed that parameter being added to the Content-Type header - and haven't been able to find any reference that this is where an application should expect a file name.

>> either a LF, CR, TAB or Space <<

It should NEVER be EITHER a "LF" or "CR". The only valid character sequence in a header MUST be a CRLF combination - they MUST NOT appear individually. If they do, this email structure is NOT MIME compliant which typically means it was created by some application programmer who knows his programming language, but is ignorant about the environment he is targeting.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Thursday, August 18, 2016 5:02 PM
To: community@mailsbestfriend.com
Subject: [MBF] Odd attachment header for an Excel file

I have captured a valid email message with the following for an Excel attachment:

--_42177162-4ccf-48c3-8dd6-dfe95c8acffa_
Content-Type: application/vnd.ms-excel
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="INV OFFER 081816.xls"

What is ODD is that I have always seen after the Content-Type: Application/vnd.ms-excel immediately followed by a : (colon) then either a LF, CR, TAB or Space and then "name=filenamehere"

Has anyone else seen this? It is from an MSN email address and came properly through Hotmail.com servers.

John T
eServices For You
[MBF] Re: Call external batch file from Declude
Hm - just consider the possibility that the problem is an INVALID "EOL" sequence. SMTP requires a CR/LF combination at the end of a line. But, some operating systems (like UNIX) just use a "LF", some just a "CR" (at some time MACs), and sometimes programmers accidentally code "LF/CR".

There have been cases, where a software tries to "fix" invalid EOF sequences, by replacing a single "CR" (not followed by a LF) or a single "LF" (not preceded by a "CR"), with a CR/LF - and then fails in the case of a LF/CR sequence becoming a LF/CR/LF or a CR/LF/CR - which another application might interpret as two EOLs.

My point - make sure you inspect the original file using a HEX editor for single CR or single LF characters - THIS might be the ultimate source of the problem and the trigger of all subsequent issues.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Don Winsauer
Sent: Wednesday, May 11, 2016 1:22 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Call external batch file from Declude

Ok, Here ya go...

For this customer of mine, I am scanning all their email for spam and viruses and then forwarding the email to their Exchange server. It appears when Microsoft's Office 365 Exchange servers find an attachment in the email, they are adding a header:

x-microsoft-exchange-diagnostics:
 1;CO1PR04MB554;5:uIPmx3dm3PK/UJjiWJfcZKKgooCYjfXMN/RlsoZaA9l50T3ppyfEZL7hV
 0/b9lb2ameTAtuhrpdbSvHbPrOz6rkwXwybtN0NfVio9xbvrCXGemr4ElqtHO7qnlQgSVNFfs7
 pQvr3Ik3TWCeV433olw==;24:8DgC4bge5fDd2sgE3gKjyQSudpsCI2J68HI5XChAq6H/evgOT
 mn6pKnNx0FQS6aorGkRqORLzQaFVhM43MyWtb0BfiaV29+KboF8dNmBWRE=;7:FH8DkU9P/vAA
 2cZf0DCaqz5AJcXiy0ygl+Y8/LrpsGe5MAcP4A/EFx9j+hYJmORCaEjCtA/JWl80qdNRjjvo0h
 L4LnEt++q1KirBBcD5K1ervta5qLh42AsICnwR2hakHCxbOjf6EdMQtgxf/6M0Vj8JMmSuW08/
 X0mL49SuD3kM8YHnljh4K8dAvOo+bCu3

It is being added by several of his vendors (different domains). All from *.outlook.com servers.

The SMTP32.exe process of my IMail (v8.15) sees the data in this header and for some reason is adding a blank line after the header. This server has been in production since v8.15 was current. It has processed millions of emails and this is the first time I've had a problem like this.

I grabbed the raw email in the D*.smd file and all looks good. In my email client, it looks good. When that file is processed and forwarded to my customer's Exchange server, it shows headers in the body of the email. It took me quite awhile removing headers until I figured out which one it was.

With the help of a colleague, I had IMail send the email to their email server (non-Exchange). He grabbed the raw email file from their end and we saw the extra blank line that was throwing everything off. SMTP32.EXE is inserting a blank line after this header. While it is a long header, it is not the longest header in the email. I find that when I remove this header, all works fine. So that is what I am trying to do.

I have been working on this issue for two weeks. It took me until tonight to determine that SMTP32.exe was at fault. During my research, I even removed Declude from the chain and things still failed. I am trying to fix the problem with the tools I have at hand.

Don

-- Original Message --
From: "David Barker | Mail's Best Friend | 1-866-919-2075"
Reply-To:
Date: Tue, 10 May 2016 17:34:23 -0500

>Lets start at the end and work backwards what is the reason for
>removing the header line and secondly which headerline do you want to remove ?
>
>-Original Message-
>From: community@mailsbestfriend.com
>[mailto:community@mailsbestfriend.com]
>On Behalf Of Don Winsauer
>Sent: Tuesday, May 10, 2016 3:56 PM
>To: community@mailsbestfriend.com
>Subject: [MBF] Call external batch file from Declude
>
>I need to remove a header line from a set of emails.
>
>Can I use Declude to call an external batch file to modify the D*.smd file?
>Possibly either as a Junkmail test or possibly a emulating a virus scanner?
>
>Anyone doing anything like this?
>
>Don
>
>Sent via the WebMail system at net1media.com
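The hex-editor inspection Andy recommends here, and the CRLF-only rule from his reply in the attachment-header thread above, as an added Python example (not code from the thread, IMail or Declude). `SAMPLE` is a constructed message, and `naive_fix` is a hypothetical repair routine of the kind the reply describes, not the behaviour of any named product.

```python
import re


def scan_eol(raw: bytes):
    """Return (offset, kind) for every line ending that is not a CRLF pair."""
    findings = []
    i, n = 0, len(raw)
    while i < n:
        byte = raw[i]
        if byte == 0x0D:                                   # CR
            if i + 1 < n and raw[i + 1] == 0x0A:
                i += 2                                     # proper CRLF
                continue
            findings.append((i, "bare CR"))
        elif byte == 0x0A:                                 # LF with no CR before it
            cr_next = i + 1 < n and raw[i + 1] == 0x0D
            lf_after = i + 2 < n and raw[i + 2] == 0x0A
            if cr_next and not lf_after:
                findings.append((i, "LF/CR"))              # reversed pair
                i += 2
                continue
            findings.append((i, "bare LF"))
        i += 1
    return findings


def naive_fix(raw: bytes) -> bytes:
    """Hypothetical repair: patch lone CR and lone LF independently."""
    out = re.sub(rb"\r(?!\n)", b"\r\n", raw)               # CR not followed by LF
    return re.sub(rb"(?<!\r)\n", b"\r\n", out)             # LF not preceded by CR


def normalize(raw: bytes) -> bytes:
    """Treat CRLF, LF/CR, CR and LF each as one line ending."""
    return re.sub(rb"\r\n|\n\r|\r|\n", b"\r\n", raw)


def split_message(raw: bytes):
    """Split at the first empty line, the way a receiving MTA would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


# Constructed sample: a folded header whose fold was written as LF/CR.
SAMPLE = (b"From: sender@example.test\r\n"
          b"X-Long-Diagnostic: part1\n\r part2\r\n"
          b"Subject: constructed sample\r\n"
          b"\r\n"
          b"body text\r\n")

if __name__ == "__main__":
    print("findings:", scan_eol(SAMPLE))
    for name, fixer in (("naive_fix", naive_fix), ("normalize", normalize)):
        head, body = split_message(fixer(SAMPLE))
        print(name, "-> Subject still in headers:", b"Subject:" in head)
```

After `naive_fix` every line ending is a valid CRLF, so a scan of the repaired file finds nothing, yet the reversed pair has become an empty line that ends the header block early.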
[MBF] Re: MAILFROM detects no MX/A, even though it exists?
Hi Dave,

If you scroll down, I had included the local DNS's response in my message, to show how it responded to an MXLOOKUP. I am able to reproduce it ( for that domain ) at will.

Best Regards,
Andy

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Friday, October 23, 2015 11:48 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: MAILFROM detects no MX/A, even though it exists?

Hi Andy,

Could it be that your local DNS was reporting incorrectly ? Are you able to replicate this or was it just random ?

David Barker
Mails Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office : 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Andy Schmidt
Sent: Thursday, October 22, 2015 7:52 AM
To: community@mailsbestfriend.com
Subject: [MBF] MAILFROM detects no MX/A, even though it exists?

Hi,

I'm baffled. Have been using this test for years without problems. Yesterday I encountered the following for this one domain:

10/15/2015 22:35:22.515 q76f2000826a3f7e4.smd Doing envfrom type test on mardee.com.
10/15/2015 22:35:22.515 q76f2000826a3f7e4.smd Looking up MX/A record for mardee.com at 127.0.0.1.
10/15/2015 22:35:22.515 q76f2000826a3f7e4.smd Looking for Mx Record
10/15/2015 22:35:22.719 q76f2000826a3f7e4.smd DNS Report: [ex=0 rcode=3 ancnt=0 suc=1].
10/15/2015 22:35:22.719 q76f2000826a3f7e4.smd Looking for A Record
10/15/2015 22:35:22.922 q76f2000826a3f7e4.smd Msg failed MX; testing A (MAILFROM mardee.com) [0 1 3 ]
10/15/2015 22:35:22.922 q76f2000826a3f7e4.smd There were no MX/A records.
10/15/2015 22:35:22.922 q76f2000826a3f7e4.smd DNS Report: [ex=0 rcode=3 ancnt=0 suc=1].
10/15/2015 22:35:22.922 q76f2000826a3f7e4.smd Done with MX or A record

What is the meaning of: [ex=0 rcode=3 ancnt=0 suc=1] (I know that ancnt is the number of answer records returned)

When I log into the mail server, use nslookup on 127.0.0.1 (a local caching name server), the domain has both an MX and an A record (see below). I even went as far as clearing the NS cache, restarting DNS (and later the entire server) to eliminate any "odd" transient data somewhere. I then repeated the test with the same Declude failure - while nslookup is successful?

C:\WINDOWS>nslookup
> server 127.0.0.1
> set type=mx
> mardee.com.
Address: 127.0.0.1
Non-authoritative answer:
mardee.com MX preference = 10, mail exchanger = mx.mardee.com
mx.mardee.com internet address = 64.26.60.153
> set type=a
> mardee.com.
Address: 127.0.0.1
Non-authoritative answer:
Name:mardee.com
Address: 64.71.33.133
[MBF] Re: Outlook Virus
This vulnerability occurs when it appears as though a MIME segment is occurring after the end of the MIME body (specifically, a MIME segment with a boundary other than the one specified appears in the MIME postamble). Outlook may see this as an attachment. Although technically valid, there is no legitimate reason for an E-mail to be sent like this.

In other words, it's a flaw in Outlook how it handles the case when a MIME segment is not terminated with the same string as in the postamble. A virus scanner might decode the MIME structure correctly - while Outlook will treat this as a separate attachment. This allows a potential virus author to sneak a hidden attachment to Outlook, past any well-behaved virus scanner.

So you're currently blocking (likely valid) emails, because they are formatted in a way that COULD be used by someone to send a virus.

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Scott Fosseen - Prairie Lakes AEA
Sent: Monday, August 24, 2015 2:51 PM
To: community@mailsbestfriend.com
Subject: [MBF] Outlook Virus

Declude Virus v4.12.05 caught the [Outlook 'MIME segment in MIME Postamble' Vulnerability] virus in [No attachment] from notif...@sender.rschooltoday.net to: usermailto:user...@domain.org.

I am getting this error from this specific domain. Any suggestions.
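A structural check for the condition described in this thread, as an added Python example (not Declude's implementation and not code from either poster). It reports boundary-style lines that open a new segment after the top-level closing delimiter; the heuristic and both sample messages are constructed here.

```python
import re


def postamble_segments(raw: bytes):
    """Return delimiter-like lines found after the top-level closing boundary.

    A line counts when it starts with "--" and the very next line is a
    Content-* header, i.e. it opens what looks like a new MIME segment.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    match = re.search(rb'(?i)\bboundary="?([^";\r\n]+)', head)
    if not match:
        return []                          # not a multipart message
    closing = b"\r\n--" + match.group(1) + b"--"
    data = b"\r\n" + body                  # lets a delimiter on line 1 match
    end = data.find(closing)
    if end < 0:
        return []                          # no closing delimiter, no postamble
    lines = data[end + len(closing):].split(b"\r\n")
    hits = []
    for i, line in enumerate(lines[:-1]):
        opens_segment = lines[i + 1].lower().startswith(b"content-")
        if line.startswith(b"--") and len(line) > 2 and opens_segment:
            hits.append(line.decode("ascii", "replace"))
    return hits


def build(lines):
    """Join constructed lines with CRLF, as they would appear on the wire."""
    return b"\r\n".join(lines) + b"\r\n"


# Constructed sample: ordinary postamble text, including a "-- " signature mark.
CLEAN = build([
    b'Content-Type: multipart/mixed; boundary="outer"',
    b"",
    b"preamble",
    b"--outer",
    b"Content-Type: text/plain",
    b"",
    b"hello",
    b"--outer--",
    b"This is the postamble.",
    b"-- ",
    b"constructed signature line",
])

# Constructed sample: a segment with a different boundary inside the postamble.
SUSPECT = build([
    b'Content-Type: multipart/mixed; boundary="outer"',
    b"",
    b"--outer",
    b"Content-Type: text/plain",
    b"",
    b"hello",
    b"--outer--",
    b"--inner",
    b"Content-Type: application/octet-stream",
    b"",
    b"constructed placeholder content",
    b"--inner--",
])

if __name__ == "__main__":
    print("clean:  ", postamble_segments(CLEAN))
    print("suspect:", postamble_segments(SUSPECT))
```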
[MBF] Re: winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly
Winmail.dat is attached by Outlook when you choose Microsoft's legacy RICH TEXT as the message format, instead of HTML (or Plain Text.) It predates SMTP, when there was a pre-Windows 2000 Microsoft Mail system for LANs...

If I remember correctly, there is even a setting buried inside the Outlook Contacts, where you can specify a preferred Email format for individual contacts. It's possible that (unknown to the user), some of his contacts have rich text... causing the same email to be formatted in different ways, yielding different results, for different recipients (but I'm vague on that one).

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John Tolmachoff
Sent: Friday, August 21, 2015 2:43 PM
To: community@mailsbestfriend.com
Subject: [MBF] winmail.dat but Outlook opened it as an Excel spreadsheet XLSX correctly

OK, here is one I do not understand. This has happened at least 6 times that I know of in the last 2 days.

An email was received and processed by Declude. It contained an attachment winmail.dat. BUT the sender had attached an XLSX file. After talking to the intended recipient (who also talked to the sender) the sender has stated that when he attached the XLSX file to the email, the file appeared as an EXCEL ICON in the body of the email not where you would normally see it under the subject line. This is in Outlook. The version he is using is Outlook 2013. (15.0)

What caught the attachment was ESET AV had a result code of 10 which is some files could not be scanned (may be threats) which I then treat as infected.
[MBF] Re: receiving issue
As you probably expected, this email apparently was SENT FROM it1...@abc.com TO di...@xyz.com - but the previous entries for 3b4d08cb6087 would confirm that.

My first guess would be that you have Imail connection filters or spam filters turned on for your abc.com domain that prevent accepting emails from abc.com (per example, because of SPF or other rules). You can turn on debug mode for Imail SMTP logging and turn on the SPAM logging then scan for any lines with the first 3 octets of the web server's IP range.

If there are no log entries at all in Imail for emails to abc.com, then it's likely an IP block. Imail has a list of blocked IP addresses you can clear, BUT that would have affected ANY recipient domain.

Most importantly, what does the outgoing mail server/app log show on the WEB server? It will tell you instantly, if a connection HAD been made, if any SMTP conversation DID take place etc etc. THAT is the place to hunt for missing emails. For all I know you have a hosts file or a rogue DNS issue that prevents your web server from actually REACHING your Imail server.

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Daniel Ivey
Sent: Wednesday, August 19, 2015 12:01 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

08:18 10:03 SMTP-(3b4d08cb6087) processing m:\IMail\spool\q3b4d08cb6087.smd
08:18 10:03 SMTP-(3b4d08cb6087) ldeliver xyz.com divey-main (1) it1...@abc.com 43717
08:18 10:03 SMTP-(3b4d08cb6087) finished m:\IMail\spool\q3b4d08cb6087.smd status=1

-Original Message-
From: Randy Armbrecht [mailto:ra...@globalweb.us]
Sent: Wednesday, August 19, 2015 11:55 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

Can you provide a snippet of those logs? Be sure to redact any sensitive info

Sincerely,
Randy A.

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Daniel Ivey
Sent: Wednesday, August 19, 2015 9:53 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

When I check the imail sys log, I see where the message is accepted to one domain (xyz.com) but not the other domain (abc.com). The messages are then delivered to xyz.com but not abc.com. The messages are coming from a third party server but do have an abc.com from address.

Daniel

-Original Message-
From: Randy Armbrecht [mailto:ra...@globalweb.us]
Sent: Monday, August 17, 2015 5:27 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

Look at the imail sys logfile. And it won't hurt to have both running

Randy A.
Sent from my mobile device. Please excuse any brevity or misspellings

Original message
From: Daniel Ivey d...@gcrcompany.com
Date: 08/17/2015 4:53 PM (GMT-05:00)
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

Which IMAIL log do I need to turn on, POP3 or SMTP or will it hurt to have them both on?

-Original Message-
From: Randy Armbrecht [mailto:ra...@globalweb.us]
Sent: Monday, August 17, 2015 3:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

What do the IMAIL logs (not Declude logs) show as far as the movement/processing of the message thru the system? Normally the IMAIL logs will show message coming in, then going to declude, then coming back to IMAIL for delivery completion

Randy A.
Sent from my mobile device. Please excuse any brevity or misspellings

Original message
From: Daniel Ivey d...@gcrcompany.com
Date: 08/17/2015 3:27 PM (GMT-05:00)
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

When I turn on DEBUG for the Declude logs, I see where the message is scanned by Declude for one domain, but not the domain that needs to receive the email.

Daniel

-Original Message-
From: Randy Armbrecht [mailto:ra...@globalweb.us]
Sent: Monday, August 17, 2015 11:18 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: receiving issue

What do the imail logs say?

Randy A.
Sent from my mobile device. Please excuse any brevity or misspellings

Original message
From: Daniel Ivey d...@gcrcompany.com
Date: 08/17/2015 10:50 AM (GMT-05:00)
To: community@mailsbestfriend.com
Subject: [MBF] receiving issue

Greetings,

I have an odd issue with one domain on my Imail server. We are running Declude with integrated Message Sniffer
[MBF] Re: What new features would you like to see in Declude?
Send BOUNCE(IFYOUMUST), virus notifications, and other messages from null sender to avoid bounce loops.

Test sender alignment: MAIL FROM different than From: mail header

Address book whitelisting that does NOT rely on Registry Keys

HLM\software\softalk\WorkgroupShare\setup\DBType
HLM\software\softalk\WorkgroupShare\setup\dataFolder

It should use (or at least fall back on) an ODBC DSN.

Test for to indicate the width of IP4 mask in a SPF records, +all would be 31, +IP4:./2 would be 29, +IP4:./24 would be 7. No use of masks would be 0.

At minimal a test to check existence of DMARC policy (possibly even honor policy as much as applicable to Declude)
[MBF] Re: SPF Records
SPAM with good SPF records are actually helpful too. Since the spammer has now tied a certain IP address to a certain domain name, both the domain name and the IP address can now be added to blacklists which can be used in connection-level checks to refuse future emails outright.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Darin Cox
Sent: Wednesday, April 01, 2015 3:11 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: SPF Records

Soft fail can still be useful to prevent forged spam sent to your users where the from address is also the user's address.

Darin.
[MBF] Re: SPF Records
Hi Dave,

We absolutely block on -all before we check anything else. And almost daily I encounter some third party mail server that rejects a registration email or a mailing list email from one of our clients, because the recipient is forwarding email between two email services. So there are countless servers like ours that are standards compliant.

I have to assume that you've been extraordinarily lucky with your circumstances until today. It's possible that until now your end users haven't been connecting through hotel room WiFi networks, or haven't used greeting card sites etc etc. - or they always set up SMTP AUTH to connect to your MX while travelling.

The whole IDEA behind SPF is that the domain owner can CHOOSE to add an SPF record, but if one exists, that it is the ultimate authority on how email should be handled. If you wanted your emails to be permitted from ANY server, then you have the option to forego an SPF record, or use the proper rule of:

v=spf1 mx ~all

<Flame on>Why on earth would anyone set up a rule that explicitly states that all email absolutely must come from their own MX and NEVER-EVER-EVER from another mail server, if they really don't want the recipient to respect those very explicit instructions?</Flame Off>

Best Regards, Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Dave Beckstrom
Sent: Tuesday, March 31, 2015 6:54 PM
To: community@mailsbestfriend.com
Subject: [MBF] SPF Records

I received an email from a customer because an email he sent to someone in Canada was rejected due to SPF checking. Our DNS server automatically sets an SPF record for each domain with the value

v=spf1 mx -all

Been that way since SPF first became available and I've never had a problem. I'm curious if anyone here rejects (bounces) email strictly off of an SPF check? I think that's ridiculous. Moreover, I'm pretty certain our SPF record is correct. I'm thinking the yahoos in Canada are the ones who don't know what they are doing. Thoughts?
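The forwarding and roaming cases argued about in this thread can be reproduced offline. The following is an added example, not part of the original messages: a minimal SPF evaluator that supports only the `mx`, `ip4` and `all` mechanisms, run against constructed DNS data for the assumed domain `example.com`, with an assumed receiver policy that rejects on `fail` and only scores on `softfail`.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); nothing is resolved online.
MX_HOSTS = {"example.com": ["mail.example.com"]}
A_RECORDS = {"mail.example.com": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, client_ip):
    """Evaluate an SPF record left to right; only mx, ip4 and all are supported."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "mx":
            hosts = MX_HOSTS.get(arg or domain, [])
            addrs = [a for h in hosts for a in A_RECORDS.get(h, [])]
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif mech == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this simplified subset
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"


def receiver_action(result):
    """Assumed receiver policy: hard fail is refused, soft fail only adds weight."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "score"
    return "accept"


# Constructed scenarios: (description, IP address that connects to the receiver).
SCENARIOS = [
    ("sent directly by the domain's MX", "192.0.2.10"),
    ("relayed by a recipient's forwarding service", "198.51.100.25"),
    ("sent through a hotel network's outbound relay", "203.0.113.40"),
]


def run_scenarios(record, domain="example.com"):
    """Return (description, SPF result, receiver action) for every scenario."""
    rows = []
    for description, client_ip in SCENARIOS:
        result = check_spf(record, domain, client_ip)
        rows.append((description, result, receiver_action(result)))
    return rows


if __name__ == "__main__":
    for record in ("v=spf1 mx -all", "v=spf1 mx ~all"):
        print(record)
        for description, result, action in run_scenarios(record):
            print(f"  {description:48} {result:9} {action}")
```

With `-all`, every path other than the domain's own MX is refused by a receiver that honours the record; with `~all` the same messages are accepted and left to content scoring.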
[MBF] Sender Whitelist
Hi,

I have started to assign higher points to several tests, and then use some sender whitelists to offset the negative increase to hopefully prevent catching legitimate IP blocks who just happen to suffer abuse because of the nature of their business (including aol, google, hotmail and many others):

BONDEDSENDER   ip4r   query.bondedsender.org    127.0.0.10    -40
IADB           ip4r   iadb.isipp.com            127.0.0.1     -20
HUL            ip4r   hul.habeas.com            *             -20
SWL-DYNA       ip4r   swl.spamhaus.org          *             -20
MAILSPIKE-WL   ip4r   wl.mailspike.net          *             -30
DNSWL          ip4r   list.dnswl.org            *             0 0
DNSWL30        ip4r   list.dnswl.org            127.0.3.0     -10
DNSWL31        ip4r   list.dnswl.org            127.0.3.1     -20
DNSWL32        ip4r   list.dnswl.org            127.0.3.2     -30
DNSWL33        ip4r   list.dnswl.org            127.0.3.3     -40
DNSWL50        ip4r   list.dnswl.org            127.0.5.0     -10
DNSWL51        ip4r   list.dnswl.org            127.0.5.1     -20
DNSWL52        ip4r   list.dnswl.org            127.0.5.2     -30
DNSWL53        ip4r   list.dnswl.org            127.0.5.3     -40
DNSWL80        ip4r   list.dnswl.org            127.0.8.0     -10
DNSWL81        ip4r   list.dnswl.org            127.0.8.1     -20
DNSWL82        ip4r   list.dnswl.org            127.0.8.2     -30
DNSWL83        ip4r   list.dnswl.org            127.0.8.3     -40
DNSWLB0        ip4r   list.dnswl.org            127.0.11.0    -10
DNSWLB1        ip4r   list.dnswl.org            127.0.11.1    -20
DNSWLB2        ip4r   list.dnswl.org            127.0.11.2    -30
DNSWLB3        ip4r   list.dnswl.org            127.0.11.3    -40
DNSWL-ACL      ip4r   list.dnswl.org            127.0.0.255   0 0
SPAMHAUS-DWL   rhsbl  _vouch.dwl.spamhaus.org   *             -20

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Saturday, January 03, 2015 11:38 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist FROM address

Oops sorry you are right. I was thinking REVDNSREVDNSEXISTS x x 10 0

Now I remember. I did comment out all the 3rd party mailer entries in GOOD_REVDNS.txt because frankly as soon as this was put in place for me (by Linda attempting to help me at the end of October), things got worse. Despite what you might think, much of what comes from these 3rd party mailers is considered spam by my customers. Complaints about too much spam slowed down after I edited GOOD_REVDNS.
I guess you'd be right in telling me that if I want your help with this issue I shouldn't be messing with it but I was desperate.

Don't get me wrong. Things are working fairly well after this kind of tuning. Except for this issue of FROM not being FROM and whitelisting not 'working'. Most of the problem here is that I've allowed certain IT-knowledgeable customers to configure their own WHITELISTFILE and they are now complaining that it doesn't work. It doesn't work because of 3rd party mailers and Declude-Sender being accurate but unhelpful. It's a pain. But based on what you are telling me, I will just continue to put in manual entries when problems are encountered.

Thanks.
Carl

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Saturday, January 3, 2015 10:55 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: whitelist FROM address

Not sure what you mean by lower the weight of GOOD-REVDNS ?? The GOOD-REVDNS provides credit for good senders, I am not sure I understand how people would be losing their email because of it. If anything it should allow good senders to get to the users inbox.

The other option you have is to add the domain/email address to the trusted sender list (or online address book) in SM. Anything located there will be whitelisted by Declude.

David

On 1/3/2015 10:04 PM, Carl Wagar wrote:

Ok
[MBF] Re: Gaunlet - using MS Resource Kit SRVANY tool
Hi John,

We are running this on a 32bit box and now I'm wondering if we need to wait until David gets the 32 bit version out

Oh - yes, absolutely. Until they compile the little, but functionally crucial, DRGoutflow under 32-bit, there is nothing those of us can do.

Best Regards, Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of John
Sent: Wednesday, November 19, 2014 12:27 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gaunlet - using MS Resource Kit SRVANY tool

Andy

Thanks for this. It helps to see this example

I saw your post on the 32bit question. We are running this on a 32bit box and now I'm wondering if we need to wait until David gets the 32 bit version out.

thanks again
john

On 11/18/2014 11:07 AM, Andy Schmidt wrote:

Hi John,

Here are the steps to set up the Gauntlet service without the XYNTservice third party software.

Download DRGOutflow.exe, e.g. to: \IMail\declude\Tools\DRGOutflow.exe

Windows Command Line:
- MkDir \IMail\Spool\Gauntlet
- "C:\Program Files\Windows Resource Kits\Tools\InstSrv.exe" Gauntlet "C:\Program Files\Windows Resource Kits\Tools\SrvAny.exe"

Start RegEdit
- Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gauntlet
- Add Key: Parameters
- Add Value: Application
- Data Type : REG_SZ
- String : C:\Imail\Declude\Tools\DRGOutflow.exe i=C:\Imail\Spool\Gauntlet o=C:\Imail\Spool\Proc d=60

Or, you can import those same settings from a text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gauntlet\Parameters]
"Application"="C:\\Imail\\Declude\\Tools\\DRGOutflow.exe i=C:\\Imail\\Spool\\Gauntlet o=C:\\Imail\\Spool\\Proc d=60"

Start the Services management console
- Start the Gauntlet service
- Make sure Gauntlet service starts up and stays started.

Set up the Gauntlet filter, global.cfg and $junkmail$.default files (see the original instructions for suggestions).

Best Regards, Andy
[MBF] Re: DRGoutflow - system requirements?
Hi Dave,

What type of minimum processor and/or operating system is required? Is it a 64-bit application?

D:\IMail\declude\Tools\drgoutflow.exe

Results in:

The image file D:\IMail\declude\Tools\DRGOutflow.exe is valid, but is for a machine type other than the current machine.

I would have thought it's the most basic file system application that doesn't need to be bound to any particular minimum Windows or processor capabilities? It certainly doesn't have any memory requirements that would demand a 64-bit app?

Best Regards, Andy
[MBF] Re: Declude Host Name Variables
Hi David,

Let me make sure I understand correctly how these values are determined.

Given:

Connecting from: 100.1.2.3
3.2.1.100.in-addr.arpa = rdnshost.subdomain.rndsdom.com
HELO helohost.subdomain.helodom.com
MAIL FROM: mail...@mailhost.maildom.com

What precisely would then be:

%REVDNS% = rdnshost.subdomain.rndsdom.com
%HELO% = helohost.subdomain.helodom.com
%MAILFROM% = mail...@mailhost.maildom.com
%REMOTEHOST% = mailhost.maildom.com ?
%SENDERHOST% = ?
[MBF] Re: Thoughts on how to deal with the current SPAM campaigns
Ditto!

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins
Sent: Tuesday, November 04, 2014 8:29 AM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

That all being said, I have some clients that have been using Sendio Appliances (it uses C/R) for years and to them the thing walks on water and makes cotton candy, too. For the right price, it would be an instant sell to many of my customers who primarily use mobile devices. The Sendio appliance isn't cheap, I hear (from them). Hence the line of questioning. If it makes my customers happy and they're eager to pay for it, then hey. My opinion doesn't necessarily need to override theirs. :)

Michael Cummins
[MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs
Hi David,

No difference, even in latest version. Since the early days of Declude, aliases have ALWAYS been stored as REG_SZ items here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\TheDomainName.com\Users\_aliases]
postmaster=some@email.address
hostmaster=another@email.address
etc.

However, I THOUGHT Imail was resolving aliases and storing them in the Q file?

Best Regards, Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Wednesday, September 24, 2014 12:17 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

Hi Andy,

Declude only checks on user email address. With the changes in IMail the alias seems not to be stored in the database as previously or even stored in the database at all. We are working to confirm where the latest version of IMail stores aliases.

As for Address whitelist for a...@sender.com, originally the implementation used the txt file which was accessible by the user to add this option. However since IMail moved to a database in later versions we are unclear as to where IMail is now storing this information. Obviously using the Declude whitelist options is a way to circumvent this.

If anyone has insight into the storing of the alias information within IMail latest versions this would be helpful.

David Barker
Mail's Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Wednesday, August 27, 2014 6:49 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

Hi Andy,

Got it. Will have dev look at it and give you some feedback based on findings.

David

On 8/26/2014 11:06 AM, Andy Schmidt wrote:

Hi,

Address-book whitelisting is a crucial feature, as it puts the user in control to decide which individual senders or which domains they want to trust.

After spending a lot of time with customers and THEIR clients, them insisting that the whitelisting is not working no matter WHAT they tried, I've confirmed the following two bugs:

1. Addressbook Whitelisting attempts to find address book under the IMAIL ALIAS name, instead of resolving aliases to the proper IMAIL USER name!

Example: a...@userdomain.com is configured as an ALIAS for anthony_cu...@userdomain.com

Emails addressed to aec@... will NOT be whitelisted, but emails addressed to Anthony_Cuomo will be whitelisted:

Did not find [ liup...@sender.com ] in [ a...@userdomain.com ] address book
Finish Address Book WhiteList

Vs.

Skipping4 E-mail from liup...@sender.com; whitelisted [liup...@css-group.net].
Finish Address Book WhiteList

Obviously, Declude must NOT use the ALIAS name to attempt finding (non-existing) Address Books, it must use the Q file to learn the final delivery USER name, and use THAT for Addressbook validation!

2. The original implementation of the Addressbook Whitelist (by Scott) had allowed for a generic domain whitelist, by using: a...@sender.com to whitelist ANY email addresses ending with @sender.com.

When the addressbook lookup was converted to the current Imail Contact Database, someone forgot to implement the proper SQL query that checks the recipient's address book for the FULL match of EITHER, individual_send...@sender.com OR a...@sender.com

Since whitelisting is so critical in any blacklisting solution (like Declude), I would ask that both these bugs be addressed - and certainly am willing to put my money where my mouth is - whether through purchasing additional support tickets or whatever other requirements you have.

Best Regards, Andy
[MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs
Hi David,

Actually, THAT only comes into play if an alias exceeds a certain number of ENTRIES (I forgot how many). That has ALSO always been this way. If an alias points to MULTIPLE email addresses, and it's more than x number of addresses, then it's automatically converted to a list (with the corresponding .LST file).

Best Regards, Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Wednesday, September 24, 2014 12:44 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: DECLUDE vs. Address Book WhiteListing - Two bugs

Version 12.4.0.66 seems to be storing the alias in the root domain folders aliasname.lst - there could be legacy structures that are involved with IMail upgrades as opposed to IMail new installs. I will pass along the information to our engineer. Thanks for the feedback.
[MBF]Reminder: AHBL shut down
http://www.ahbl.org/content/changes-ahbl

Changes In The AHBL

So, this has been a long time coming, but figured I'd make the announcement. I'm winding down the public DNSbl services of the AHBL. This means the dnsbl.ahbl.org, ircbl.ahbl.org, rhsbl.ahbl.org lists are all going away, as is the public lookup/removal tool.

There's a few reasons why this is coming about - one of them being that I feel that I've accomplished what I set out to do with the AHBL. We had an 11 year run - quite good IMHO. We've been sued (and won), DDoS'd, Real Life(tm) stalked, had other people in this community turn their backs on us because we made some hard decisions they didn't agree with... List could go on for a while.

=-=-=-=

I expect that over the next few days (Sat. at the latest) I'll be clearing out the three main zones of data, and removing their NS records shortly after. I'm planning Jan 1st, 2015 to wildcard the DNSbl zones for anyone that doesn't bother to maintain their mail services.

The website isn't going anywhere, neither is any of our docs and things like the kook mail. We do have some private services that will keep running - and I'm likely going to be offering invitations to our private DNSbl list at some point in the near future. There is a good chance that I'll be reopening the RHSbl under a new name down the line as well.

-- Brielle
[MBF]Re: New Version of Declude
Sorry - running 32 bit. Is the problem ONLY when you launch InvURIBL from within Declude - or do you have a problem just testing InvURIBL from the Windows command line?

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of johnl...@eservicesforyou.com
Sent: Friday, November 22, 2013 1:41 PM
To: community@mailsbestfriend.com
Subject: [MBF]Re: New Version of Declude

Andy, have you been able to get InvURIBL to work on Windows Server 2008 64 bit?
[MBF]Re: CommTouch
We just need to get Sniffer back into API mode instead of the costly command line mode.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Thursday, November 21, 2013 9:53 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: CommTouch

Unfortunately not. We can provide Commtouch through SM but that’s it. However I have seen that Message Sniffer is a good rival for Commtouch, and in several tests done actually performs better.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 866.919.2075

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins
Sent: Thursday, November 21, 2013 9:42 AM
To: community@mailsbestfriend.com
Subject: [MBF]CommTouch

One of my favorite things about the previous iteration of Declude was CommTouch, which I had paid for. There really isn't an affordable way to add this back into the arsenal, is there?

- Michael Cummins
[MBF]8.3 file names not created
John – NOT reproducible on 2008 R2!

One possible explanation is – someone turned off the 8.3 filename creation for performance reasons for THAT partition at some LATER date. That will NOT REMOVE any “old” 8.3 filenames created prior, but will not cease to create any NEW 8.3 filenames for newly added files/folders.

Take a look at the directories that DO have 8.3 filenames – when were they created? At that time, that feature was still active on THAT partition.

Now, compare that to other directories on the SAME partition that do lack 8.3 filenames – do they have NEWER creation dates?
[MBF]Re: Working on using NOD32 as a scanner for Declude
Hi John,

I know you tried the Dir /X and you saw spaces where the 8.3 should appear. Can you please elaborate? I just want to make sure you didn't accidentally try:

DIR /X "C:\Program Files\ESET NOD32 Antivirus\ecls.exe"

Naturally THAT would result in a blank field for ecls.exe, because THAT file name is LESS than 8 characters...

Did you actually try ONLY:

DIR /X C:\

In THAT directory list, look up the 8.3 name for "Program Files". Then do ONLY:

DIR /X "C:\Program Files"

In THAT directory list, look up the 8.3 name for "ESET NOD32 Antivirus".
[MBF]Re: Working on using NOD32 as a scanner for Declude
Hi John,

But that's to be expected!? If you ran DIR /X from within the "ESET NOD32 Antivirus" directory then it will indeed display a blank short name for ecls.exe because THAT name truly is LESS than 8+3 characters.

If you are trying to find the short name for \ESET NOD32 Antivirus\, you have to run the DIR /X in the PARENT directory of THAT subdirectory.

So, DIR /X "C:\Program Files" will tell you the short name for the "ESET NOD32 Antivirus" subfolder (something like 'ESETNO~1').

Then, DIR /X C:\ will tell you the short name for the "Program Files" subfolder (something like 'Progra~1' or 'Progra~2').

THEN you string those short names together and get something like: C:\Progra~1\ESETNO~1\ecls.exe (that's just a for instance, NOT your actual path). You CANNOT get the full path by looking at a single DIR output of the final subdirectory itself.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of johnl...@eservicesforyou.com
Sent: Tuesday, November 12, 2013 2:38 PM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Working on using NOD32 as a scanner for Declude

Andy, running DIR /X in the ESET directory (with the only directory within that being the one in question) resulted in the BLANK short name.
[MBF]Re: Working on using NOD32 as a scanner for Declude
Hi John,

I may be asking the obvious: But given that this is a new 64 bit system, any chance that you or some other admin had disabled 8.3 file name creation for that NTFS volume for performance reasons? THAT would explain how you could possibly have a LONG directory name but NO 8.3 equivalent.

Other than that, I suppose one of your earlier messages left out the ESET subdirectory bit. Here's what you had written:

I am working on using NOD32 as an additional scanner for Declude Virus but am running into a problem with spaces in the path. Setting Scan File 2 to C:\Program Files\ESET NOD32 Antivirus\ecls.exe ...

Obviously, the above path would be INCORRECT, if the REAL path was NOT:

C:\Program Files\ESET NOD32 Antivirus\ecls.exe

but instead is:

C:\Program Files\ESET\ESET NOD32 Antivirus\ecls.exe

Best Regards, Andy
[MBF]Re: Working on using NOD32 as a scanner for Declude
John,

Rather than guessing, just use the command line DIR command with the /X option. Start at the C: drive and then work your way through the two subfolders. The /X option will tell you the 8.3 MSDOS style name for each folder/file.

Best Regards, Andy

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of johnl...@eservicesforyou.com
Sent: Monday, November 11, 2013 6:45 PM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Working on using NOD32 as a scanner for Declude

Did not work. Your virus scanner DOES NOT EXIST (at C:\Progra~1\ESETNO~1\ecls.exe
[MBF]Re: Caution on using ZEN dnsbl.
Yes, you'd have to use the -DYNA in the test name for specific return codes to let Declude know NOT to check past the most recent hop, e.g.:

SBL            ip4r   zen.spamhaus.org          127.0.0.2    7    0
CBL-DYNA       ip4r   zen.spamhaus.org          127.0.0.4    1    0
PBL-DYNA       ip4r   zen.spamhaus.org          127.0.0.10   2    0
SWL-DYNA       ip4r   swl.spamhaus.org          *            -2   0
SPAMHAUS-DWL   rhsbl  _vouch.dwl.spamhaus.org   *            -1   0

The advantage of using ZEN is of course, that a single DNS lookup can be used and then evaluated for the different return codes by Declude.

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of johnl...@eservicesforyou.com
Sent: Tuesday, November 05, 2013 11:40 AM
To: community@mailsbestfriend.com
Subject: [MBF]Caution on using ZEN dnsbl.

If you are checking multiple hops in Declude, do not use ZEN as that includes PBL. PBL is a database of end user IP addresses that you should not be receiving email from, but if you are checking multiple hops declude will check that user IP and will then fail a ZEN test, even if the email came through a correct proper email server.

From Spamhaus:

Caution: Because ZEN includes the XBL and PBL lists, do not use ZEN on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers). Do not use ZEN in filters that do any ‘deep parsing’ of Received headers, or for other than checking IP addresses that hand off to your mailservers.

John T
eServices For You
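The hop-checking problem and the single-lookup advantage discussed in this thread, as an added example that is not part of the original messages and is not Declude's own code: it parses the ip4r test lines quoted above, builds the reversed-octet query names, and models the thread's description that a test whose name ends in -DYNA is applied only to the connecting hop. The IP addresses and DNS answers are constructed, and `score_message` and its helpers are hypothetical names.

```python
# Test lines as quoted in the thread (ip4r entries only).
TESTS = """\
SBL       ip4r zen.spamhaus.org 127.0.0.2   7 0
CBL-DYNA  ip4r zen.spamhaus.org 127.0.0.4   1 0
PBL-DYNA  ip4r zen.spamhaus.org 127.0.0.10  2 0
SWL-DYNA  ip4r swl.spamhaus.org *          -2 0
"""

# Constructed DNS answers: query name -> A records returned by the list.
# 203.0.113.7 stands for an end user's dynamic address that PBL lists.
FAKE_DNS = {"7.113.0.203.zen.spamhaus.org": {"127.0.0.10"}}


def fake_resolver(name):
    """Offline stand-in for an A-record lookup; an empty set means 'not listed'."""
    return FAKE_DNS.get(name, set())


def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def parse_tests(text):
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ip4r":
            continue  # blank line or a test type this sketch does not model
        name, _, zone, code, fail_weight, _pass_weight = fields
        tests.append({"name": name, "zone": zone, "code": code,
                      "weight": int(fail_weight)})
    return tests


def score_message(hops, tests, resolver=fake_resolver):
    """hops[0] is the IP that connected to us; later entries come from
    Received headers. Returns (total weight, hits, number of DNS lookups)."""
    cache, hits, total = {}, [], 0
    for index, ip in enumerate(hops):
        for test in tests:
            # Modelled rule: -DYNA tests never look past the most recent hop.
            if index > 0 and test["name"].endswith("-DYNA"):
                continue
            name = query_name(ip, test["zone"])
            if name not in cache:  # one lookup serves every test on that zone
                cache[name] = resolver(name)
            answers = cache[name]
            if (test["code"] == "*" and answers) or test["code"] in answers:
                total += test["weight"]
                hits.append((test["name"], ip))
    return total, hits, len(cache)


if __name__ == "__main__":
    # A customer on a dynamic address (203.0.113.7) submits mail through a
    # proper mail server (192.0.2.25), which then connects to us.
    hops = ["192.0.2.25", "203.0.113.7"]
    print("with -DYNA   :", score_message(hops, parse_tests(TESTS)))
    deep = parse_tests(TESTS.replace("PBL-DYNA", "PBL"))
    print("without -DYNA:", score_message(hops, deep))
```

Renaming PBL-DYNA to PBL makes the end user's address count against a message that arrived through a legitimate relay, which is the failure the Spamhaus caution describes; in both runs the three ZEN tests share one lookup per IP address.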
[MBF]Re: declude stops working
Hi Daniel, I've had problems in the past - specially when larger mass mailings lead to thousands of vacation, bounce and delay messages hitting the server in a short time span. But there had also been times where individual emails caused crashes in either Imail or Declude. I had created a small batch procedures that I would quickly run to move pending work to a hold folder I had created, similar to this: move /Y D:\IMail\spool\q*.gsc D:\IMail\Spool\Hold\ move /Y D:\IMail\spool\q*.vac D:\IMail\Spool\Hold\ move /Y D:\IMail\spool\q*.gse D:\IMail\Spool\Hold\ move /Y D:\IMail\spool\q*.lst D:\IMail\Spool\Hold\ move /Y D:\IMail\spool\q*.rst D:\IMail\Spool\Hold\ I would have to rerun this a few times over 10 minutes before things quieted down and then I'd be able to work through the logs to figure out any problem in Imail, Declude, etc. Also, I would check for large number of files in: \IMail\spool\proc \IMail\spool\proc\work and, if necessary, temporarily move them to a \IMail\spool\proc\hold folder. None of this might apply in your case - but I've always found it helpful to temporarily set aside any current emails because often the culprit was amongst those. The I would drag 5% of the files back to spool or proc and make sure they process successful before moving to the next batch... Best Regards, Andy -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins Sent: Monday, November 04, 2013 2:55 PM To: community@mailsbestfriend.com Subject: [MBF]Re: declude stops working I had to play that game a long time ago. Declude would get overwhelmed when we were experiencing a spam wave. Putting an Alligate in front of the Declude server pretty much ended it permanently. Before I did that I played with balancing my THREADS, and examining what my third party applications were doing, fine-tuning their config to speed them up, or commenting them out entirely. You don't have to reboot. 
(or at least, I didn't) You can just kill the decludeproc and it will restart. I vaguely remember something about looking for mail that was being held during the lock-up and resubmitting it, but it's been a while. - Michael Cummins -Original Message- From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Darin Cox Sent: Monday, November 04, 2013 8:39 AM To: community@mailsbestfriend.com Subject: [MBF]Re: declude stops working Hi Daniel, Are you certain it is the Declude process that stopped? We've had issues with IMail's SMTP and POP server stopping, but not with Declude. Darin. -Original Message- From: Daniel Ivey Sent: Monday, November 04, 2013 7:55 AM To: community@mailsbestfriend.com Subject: [MBF]declude stops working I have an issue that has been going on for a few weeks. I have 2 Windows 2003 Imail 8.22 servers running the latest version of Declude with Message Sniffer. For some reason, Declude just stops working for no reason. The process is still running, but the threads are not changing and no messages are being processed. If I reboot the server, the issue is resolved for about another few days. Has anyone else had this problem or have any ideas on what to check? Daniel # This message is sent to you because you are subscribed to the mailing list community@mailsbestfriend.com. To unsubscribe, E-mail to: community-...@mailsbestfriend.com To switch to the DIGEST mode, E-mail to community-dig...@mailsbestfriend.com To switch to the INDEX mode, E-mail to community-in...@mailsbestfriend.com Send administrative queries to community-requ...@mailsbestfriend.com # This message is sent to you because you are subscribed to the mailing list community@mailsbestfriend.com. 
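The hold-and-release routine Andy describes at the top of this thread, sketched in Python as an added example (not code from the thread, IMail or Declude). The function names and the `percent` parameter are assumptions; the file patterns are the ones in his batch file.

```python
import shutil
import tempfile
from pathlib import Path

# Queue-file patterns copied from the batch file in the thread.
QUEUE_PATTERNS = ("q*.gsc", "q*.vac", "q*.gse", "q*.lst", "q*.rst")


def hold_pending(spool: Path, hold: Path) -> tuple[int, int]:
    """Move pending queue files into hold; return (moved, skipped)."""
    hold.mkdir(parents=True, exist_ok=True)
    moved = skipped = 0
    for pattern in QUEUE_PATTERNS:
        for f in spool.glob(pattern):
            try:
                shutil.move(str(f), str(hold / f.name))
                moved += 1
            except OSError:
                # File locked by the mail server or already gone: leave it
                # for the next pass, which is why the batch was rerun.
                skipped += 1
    return moved, skipped


def release_batch(hold: Path, spool: Path, percent: int = 5) -> list[str]:
    """Move the oldest `percent` of held files (at least one) back to spool."""
    held = sorted((f for f in hold.iterdir() if f.is_file()),
                  key=lambda f: (f.stat().st_mtime, f.name))
    if not held:
        return []
    count = max(1, (len(held) * percent + 99) // 100)  # round up
    released = []
    for f in held[:count]:
        shutil.move(str(f), str(spool / f.name))
        released.append(f.name)
    return released  # if processing stalls again, the culprit is in this list


if __name__ == "__main__":
    # Constructed demo spool in a temp directory, not real mail.
    with tempfile.TemporaryDirectory() as tmp:
        spool, hold = Path(tmp, "spool"), Path(tmp, "spool", "Hold")
        spool.mkdir()
        for i in range(40):
            (spool / f"q{i:04d}.gsc").write_text("constructed")
        print(hold_pending(spool, hold))   # (40, 0)
        print(release_batch(hold, spool))  # two file names
```

Recording each released batch before watching the logs narrows a recurring hang to the files in that batch.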
[MBF]Declude Addressbook Whitelist
Hi,

I remember others discussing / running into problems with the Imail Addressbook Whitelist feature (“AutoWhitelist ON”) of Declude – so I wanted to share the final outcome.

After we solved the problem of Declude not using the proper ODBC DNS, but rather relying on a certain Registry Path to locate the WorkgroupShare MDB file, we successfully eliminated the SQL errors in the log files. But, eventually we realized that the whitelist function still was not working as intended.

The end users of our clients had been taught to add a...@domain.tld to their Webmail address books/contacts as a “wildcard” to allow any emails from “domain.tld” based on how that feature had been implemented by Scott Perry.

We only NOW learned that THIS particular Declude feature became obsolete, supposedly with Imail 9. Apparently until then, the contacts were kept/searched in each user’s “aliases.txt” file. But whoever at Declude added the database query against the new MDB file apparently omitted the necessary “ OR email = ‘a...@domain.tld’ “ clause – effectively disabling the domain wildcard function.

I still find it hard to believe that I had never heard about this previously – or that this supposedly had not been working for that many years. But I figured I’d share the “status quo” with those who too might be scratching their heads…

Best Regards,
Andy
[MBF]Re: Declude Addressbook Whitelist
Hi Todd,

So you’re saying the “all@” wildcard DOES work correctly for SmarterMail? (I didn’t make this clear before: the whitelist of individual email addresses DOES work under Imail – just not using the “all@” domain wildcard).

If all@ works for SmarterMail, then that would be an even stronger indication that this is truly a BUG in the Imail implementation, rather than a “design” decision to remove that function.

Best Regards,
Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Todd Hunter
Sent: Friday, November 01, 2013 10:51 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Declude Addressbook Whitelist

We use SmarterMail 11.6 and the feature works there. I was looking through the logs and couldn’t figure out why so many emails were being whitelisted. Traced it to the email address existing in the user’s contacts.

I know this doesn’t help you Andy, but thought the SM users might want to know.

Todd
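An added illustration of the missing clause discussed in this thread; it is not Declude's code. The `contacts` table, its columns and the function names are hypothetical, and an in-memory SQLite database stands in for the WorkgroupShare MDB.

```python
import sqlite3


def build_db(rows):
    """Create the hypothetical contacts table from (owner, email) pairs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (owner TEXT, email TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?)", rows)
    return db


def whitelisted_exact(db, owner, sender):
    """Exact-address match only: the behaviour reported for IMail."""
    row = db.execute(
        "SELECT 1 FROM contacts WHERE lower(owner) = ? AND lower(email) = ?",
        (owner.lower(), sender.lower())).fetchone()
    return row is not None


def whitelisted_with_wildcard(db, owner, sender):
    """Exact match OR an 'all@<sender domain>' entry in the address book."""
    sender = sender.lower()
    local, sep, domain = sender.rpartition("@")
    if not (local and sep and domain):
        return False  # malformed sender address never matches
    # The sender address is untrusted input, so it is passed only as a
    # bound parameter and never concatenated into the SQL text.
    row = db.execute(
        "SELECT 1 FROM contacts WHERE lower(owner) = ? "
        "AND (lower(email) = ? OR lower(email) = ?)",
        (owner.lower(), sender, "all@" + domain)).fetchone()
    return row is not None


if __name__ == "__main__":
    # Constructed address-book rows.
    db = build_db([("user@example.net", "friend@partner.example"),
                   ("user@example.net", "all@vendor.example")])
    sender = "billing@vendor.example"
    print(whitelisted_exact(db, "user@example.net", sender))          # False
    print(whitelisted_with_wildcard(db, "user@example.net", sender))  # True
```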
[MBF]DNSBLchile
Unfortunately, this is another activist black list that strives to better the world against any practical considerations. The rule is that it's more important for valid emails to reach the intended sender than to block spam. For a list to be useful, we can't simply block Microsoft's servers.

Below their response to a false positive report:

#DNSBLCL-ZOMBIE ip4r dnsblchile.org 127.0.0.5 0

-Original Message-
From: DNSBL Chile [mailto:dnsblmas...@dnsblchile.org]
Sent: Tuesday, October 29, 2013 8:40 AM
Cc: conta...@dnsblchile.org
Subject: Re: 207.46.163.237 - MS Support Case 1221619700

Hello,

Chilean Microsoft Office 365 users have been using the service to send spam. This started several months ago and Microsoft has already delisted the IPs once. The spammers were apparently kept as customers, which prompted a second round of listings.

The Chilean spammers use domains @vidatres.cl and @forexchile.cl. If you need more information for locating the spammers please visit http://www.dnsblchile.org/microsoft.html.

We will not delist the IPs until the service of these spammers has been terminated.

Greetings,
DNSBL Chile Master

On Tue, 29 Oct 2013, Tim Johnson wrote:

IP address 207.46.163.237 owned by Microsoft is being blacklisted by your site Chile DNSBL http://www.dnsblchile.org/. This IP address sends mail for Microsoft's Office 365 users. What do we need to do to whitelist this IP 207.46.163.237?
[MBF]Addressbook Whitelist fails SQLSetConnectAttr
Hi Dave,

I just bought two support incidents - so I'd like to use ONE incident to debug this issue.

Here the problem:

- Declude v4.12.02 for Imail
- Log message recurring through the day: DataBase Error = [Could not find file '(unknown)'. Driver's SQLSetConnectAttr failed ] Finish Address Book WhiteList
- Result: Whitelisted email addresses are no longer recognized by Declude

Here the facts established thus far:

1. The MS Access database with the Address Whitelists is present, can be opened and accessed and maintained with Imail's 12.2 Webmail. Consequently, the path/configuration WITHIN Imail is indeed valid, as Imail itself CAN get to the MDB file.

2. The MS Access database CAN be accessed by running a simple command line Jscript I quickly wrote (using standard MDAC/ADO methods) on the same server. The script uses the existing DSN=WorkgroupShare, and successfully opens the contacts table. Consequently, the ODBC DSN is set up correctly and the database can be opened from a batch process.

3. There is no SQL Server or SQL Express involved. Imail's account information is maintained in the registry. Imail's Webmail contacts etc are maintained in the same MDB file that's been in use for many years (when there was much higher load than today). Imail's collaboration features have been turned off/uninstalled.

The next step might be to use the source code and investigate how/where Declude is obtaining the connection string information, possibly reporting someplace what string it is attempting to use - so that we can see where Declude is out of synch with Imail and ODBC.

Best Regards,
Andy

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Thursday, May 02, 2013 10:53 PM
To: community@mailsbestfriend.com
Subject: Re: Addressbook Whitelist - what MS Access db is used?

The feedback I got from the developer was:

Declude could not find the IMail address book SQL DB

Which means it is not a connection issue but a path or configuration issue with IMail.

David Barker
Mails Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office : 1.866.919.2075
[MBF]Re: anti-spam solutions for ms-exchange
ORF

You can even integrate it with Sniffer!

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Tuesday, July 02, 2013 11:31 AM
To: community@mailsbestfriend.com
Subject: [MBF]anti-spam solutions for ms-exchange

Does anyone have a recommendation for anti-spam with MS Exchange?

We are using Declude and Sniffer with iMail due to historical reasons and price. I have a number of customers though who have enquired about MS-Exchange and one customer who has installed it to get outlook integration and can get MS-Exchange cheap because he is an MS partner of some kind.

I have not used exchange. Can anyone recommend a 'best' lower-cost anti-spam solution for MS-Exchange? The customer said he was going to use MS-Forefront until explained that that was firewall and would require a dedicated server for it (or am I wrong?) and would normally be quite expensive (though an MS-Partner might get the software free).

Any insights? If this is not the best place to ask, sorry for the intrusion.

Thanks.
Carl

J. Carl Wagar
EntreNet Communications Inc
http://www.entrenet.com
http://www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898
[MBF]Re: Great News!!
Hi Dave,

What a relief! Let us know about your business plan and how we can pay our share to facilitate bug fixes and advances.

Best Regards,
Andy

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Tuesday, July 02, 2013 10:22 PM
To: community@mailsbestfriend.com
Subject: [MBF]Great News!!

Today is a good day for the Mail's Best Friend community. Thanks to Pete McNeil of www.microneil.com and MBF we have secured the Intellectual property rights and assets of Declude.

What this means is:

1. MBF has the rights to distribute all versions of Declude and users are free to run Declude versions up to 4.12.02 without restriction
2. We have the Declude source code and will be able to provide updates and fixes in the future.
3. All current downloads can be found here http://www.mailsbestfriend.com/downloads/

We welcome suggestions from the MBF community as to the future of the Declude product. If you have any questions please let me know.

David Barker
Mail's Best Friend
Email : david.bar...@mailsbestfriend.com
Web : www.mailsbestfriend.com
Office: 1.866.919.2075
Mobile : 978.518.6461