[MBF] Declude and DKIM

2016-08-26 Thread Michael Cummins
Does Declude evaluate DKIM signatures for pass/fail validity?

- Michael Cummins



#
This message is sent to you because you are subscribed to
  the mailing list <community@mailsbestfriend.com>.
To unsubscribe, E-mail to: <community-...@mailsbestfriend.com>
To switch to the DIGEST mode, E-mail to <community-dig...@mailsbestfriend.com>
To switch to the INDEX mode, E-mail to <community-in...@mailsbestfriend.com>
Send administrative queries to  <community-requ...@mailsbestfriend.com>



[MBF] Declude and DMARC

2016-02-08 Thread Michael Cummins
Does Declude offer any interactivity/configuration with DMARC?

 

- Michael Cummins



[MBF] Re: Using Declude and SmarterMail effectively

2016-02-08 Thread Michael Cummins
Thanks!

 

I could apply this to my hosted domains, but I support a number of domains that 
are store and forward relays using SM “incoming gateways”.  I presume those are 
a different story, yes?

 

- Michael Cummins

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Dean Lawrence
Sent: Monday, February 8, 2016 5:09 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Using Declude and SmarterMail effectively

 

Sure.

 

In the Antispam Administration, click on the "Options" tab and make sure to 
check the "Allow domains to override filter weights and actions". Then when you 
manage a domain, expand the "filtering" section and click on the "Spam 
Filtering" option. From there, click on the "Override spam settings for this 
domain" and edit the weights and actions any way you would like.

 



Dean Lawrence
President
Internet Data Technology
Phone: 888-438-4381 x701
Web: www.idatatech.com <http://www.idatatech.com/> 
Email: d...@idatatech.com <mailto:d...@idatatech.com> 


Programming | Database | Consulting | Training 

 

 

On Feb 8, 2016, at 4:57 PM, Michael Cummins <mich...@wddx.net 
<mailto:mich...@wddx.net> > wrote:

 

> If you want to use Declude per-domain setting, you can still certainly do so.

 

What I mean by that is – some of my customers want the subject line to be 
marked at different values, and some don’t want the subject line rewritten at 
all.

 

If SM was the one marking the subject line, I wouldn’t be able to take those 
actions per domain, or could I?

 

Thanks!

 

- Michael Cummins

 

 

 

 

From: community@mailsbestfriend.com <mailto:community@mailsbestfriend.com>  
[mailto:community@mailsbestfriend.com] On Behalf Of Dean Lawrence
Sent: Monday, February 8, 2016 4:46 PM
To: community@mailsbestfriend.com <mailto:community@mailsbestfriend.com> 
Subject: [MBF] Re: Using Declude and SmarterMail effectively

 

Michael,

 

I use a combination of both. In Declude, I only either just warn or delete, I 
do not change the subject line or move to any other folders. The delete value 
that I use is fairly high, so a message would have to fail a good number of 
tests in Declude to be deleted. If a message fails this many tests, there 
really isn't any reason to push it through the SmarterMail tests as well (at 
least in my opinion).

 

The DKIM, DomainKeys, and DMARC tests are just that, additional tests. There's 
really nothing overly special about them. So if a message passes through 
Declude without being deleted, its Declude test weight is added to all my 
additional SmarterMail test values. I then use the SmarterMail filters to 
determine what to do with the message based on its final weight value. If you 
want to use Declude per-domain setting, you can still certainly do so.

 



Dean Lawrence
President
Internet Data Technology
Phone: 888-438-4381 x701
Web:  <http://www.idatatech.com/> www.idatatech.com
Email:  <mailto:d...@idatatech.com> d...@idatatech.com


Programming | Database | Consulting | Training 

 

 

On Feb 8, 2016, at 4:07 PM, Michael Cummins < <mailto:mich...@wddx.net> 
mich...@wddx.net> wrote:

 

What is the best way to synergize the benefits of both Declude and
SmarterMail?

If I understand correctly, by having all of the subject marking and deleting
taking place inside of Declude, then I can easily have per-domain
configuration.

If I take it out of Declude and set everything to Warn, then I can no longer
configure things per domain, but I am perhaps missing out on some of the
features SmarterMail brings to the table, yes?

I mean, if it was deleted by Declude, then it doesn't benefit from the DKIM,
DomainKeys, DMARC you can play with in SmarterMail.

Am I thinking correctly?

Thanks! 

- Michael Cummins




 



[MBF] Re: Using Declude and SmarterMail effectively

2016-02-08 Thread Michael Cummins
> If you want to use Declude per-domain setting, you can still certainly do
so.

 

What I mean by that is - some of my customers want the subject line to be
marked at different values, and some don't want the subject line rewritten
at all.

 

If SM was the one marking the subject line, I wouldn't be able to take those
actions per domain, or could I?

 

Thanks!

 

- Michael Cummins

 

 

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Dean Lawrence
Sent: Monday, February 8, 2016 4:46 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Using Declude and SmarterMail effectively

 

Michael,

 

I use a combination of both. In Declude, I only either just warn or delete,
I do not change the subject line or move to any other folders. The delete
value that I use is fairly high, so a message would have to fail a good
number of tests in Declude to be deleted. If a message fails this many
tests, there really isn't any reason to push it through the SmarterMail
tests as well (at least in my opinion).

 

The DKIM, DomainKeys, and DMARC tests are just that, additional tests.
There's really nothing overly special about them. So if a message passes
through Declude without being deleted, its Declude test weight is added to
all my additional SmarterMail test values. I then use the SmarterMail
filters to determine what to do with the message based on its final weight
value. If you want to use Declude per-domain setting, you can still
certainly do so.

 



Dean Lawrence
President
Internet Data Technology
Phone: 888-438-4381 x701
Web: www.idatatech.com <http://www.idatatech.com/> 
Email: d...@idatatech.com <mailto:d...@idatatech.com> 


Programming | Database | Consulting | Training 

 

 

On Feb 8, 2016, at 4:07 PM, Michael Cummins <mich...@wddx.net
<mailto:mich...@wddx.net> > wrote:

 

What is the best way to synergize the benefits of both Declude and
SmarterMail?

If I understand correctly, by having all of the subject marking and deleting
taking place inside of Declude, then I can easily have per-domain
configuration.

If I take it out of Declude and set everything to Warn, then I can no longer
configure things per domain, but I am perhaps missing out on some of the
features SmarterMail brings to the table, yes?

I mean, if it was deleted by Declude, then it doesn't benefit from the DKIM,
DomainKeys, DMARC you can play with in SmarterMail.

Am I thinking correctly?

Thanks! 

- Michael Cummins




 



[MBF] Re: Utilities

2015-07-23 Thread Michael Cummins
 A greatly needed ability with SmarterMail is

 

Integrated PGP encryption, perhaps using https://keybase.io/ 

 

But that's a horse of a different color :)

 

(Still, that would be an awesome add on if you wanted to develop it)

 

- Michael Cummins

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Martin Margheim
Sent: Thursday, July 23, 2015 8:37 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Utilities

 

David:

 

A greatly needed ability with SmarterMail is SMS. Whether the capability
falls within parameters of what you are hoping to do or if such development
needs be done by SmarterTools, SMS is becoming a much sought after method of
communication. It makes sense. 

 

Outlook on Exchange will send text messages.

 

It has been too long in coming but the SM V.14.x capability to add Google
Drive, One Drive and Dropbox is another welcome functionality. It would also
be welcome to provide a capability to retrieve from Own Cloud or ShareFile
or virtually any storage point in order to send links to content.

 

Martin Margheim

Independent PC Consultant

 mailto:ad...@kodot.com ad...@kodot.com

727-365-3372

 

 

 

From: community@mailsbestfriend.com mailto:community@mailsbestfriend.com
[mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Thursday, July 23, 2015 12:01 PM
To: community@mailsbestfriend.com mailto:community@mailsbestfriend.com 
Subject: [MBF] Re: Utilities

 

MBF is considering creating some utilities (small programs/scripts) that
would help Mail Administrators achieve a specific task/s.  We have a
developer available to us which we can use for this purpose and are looking
for some ideas on what may be useful to you.  We are not looking to create a
complex application but perhaps if you share some of what you have
difficulty doing, something that you think a script could help you achieve,
we would like to hear about it. 

David Barker
Mail's Best Friend

Email :  mailto:david.bar...@mailsbestfriend.com
david.bar...@mailsbestfriend.com
Web  :  http://www.mailsbestfriend.com/ www.mailsbestfriend.com
Office: 866.919.2075




 





[MBF] Re: Outgoing filtering

2014-12-15 Thread Michael Cummins
It would not be listed as a locally hosted domain, only in the definitions
for inbound gateways configured for domain forwarding.  (different XML file)

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of David Barker
Sent: Monday, December 15, 2014 12:09 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Outgoing filtering

 

If the domain is found on the server Declude will consider it INBOUND even
if it does go out again. Would have to test to verify.


On 12/15/2014 11:50 AM, Michael Cummins wrote:

If the domain is a configured incoming gateway (domain forward) on a
SmarterMail server, is it considered to be “configured” on the box?

 

Store and Forward scenarios like the above – would those be considered
INBOUND or OUTBOUND processing?

 

 

From: community@mailsbestfriend.com mailto:community@mailsbestfriend.com
[mailto:community@mailsbestfriend.com] On Behalf Of David Barker
Sent: Monday, December 15, 2014 10:50 AM
To: community@mailsbestfriend.com mailto:community@mailsbestfriend.com 
Subject: [MBF] Re: Outgoing filtering

 

The way Declude knows whether an email is INBOUND or OUTBOUND is: if the
recipient domain is on the server it is INBOUND; if the recipient domain is
not on the server it is OUTBOUND. Also, I believe forwards start as INBOUND
but end up being OUTBOUND. I think there must be other options to look at
if performance is the issue. 

David

On 12/14/2014 8:57 AM, Martin Schaible wrote:

Hello

 

To avoid performance issues, I disabled outgoing filtering for declude in
SmarterMail. In some cases, it makes sense to pass outgoing mails through the
filters.

Is there a way, that declude can check, if a mail is incoming or outgoing?
This would allow to run some filter files only for outgoing checking.

I must avoid any delays and performance issues by using only a small set of
filters for outgoing mails.

 

Thanks!

 

Kind regards

 


--
netfusion GmbH | Martin Schaible
Mittelfeldstrasse 27 | CH-8700 Küsnacht | Switzerland
Tel.: +41 44 391 30 00

E-Mail:  mailto:mar...@netfusion.ch mar...@netfusion.ch
Internet:  http://www.netfusion.ch/ www.netfusion.ch |
http://wiki.netfusion.ch/ wiki.netfusion.ch
Helpdesk:  http://helpdesk.netfusion.ch/ helpdesk.netfusion.ch





We are also on Facebook:
http://www.facebook.com/NetfusionGmbH

--

 



 






-- 
David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
mailto:david.bar...@mailsbestfriend.com 
Web  :  www.mailsbestfriend.com http://www.mailsbestfriend.com 
Office:  866.919.2075
Mobile  :  978.518.6461







[MBF] Manual Upgrade

2014-10-16 Thread Michael Cummins
So manually upgrading  4.12.02 to 4.12.05

 

Do I just shut down the decludeproc service and copy over 

 

decludeproc.exe

asapsdk.dll

avgcorex.dll

avgsdk.dll

mingwm10.dll

pcre3.dll

snfmulti.dll

 

and then start the service back up again?



[MBF] NOMX

2014-10-07 Thread Michael Cummins
My Alligate (up stream of Declude) adds NOMX to the header if the sender's
mail from address has no MX.

 

Does Declude have a similar test?

 

Some spam is getting by my Declude / Message Sniffer, and I'm trying to find
ways to affect it.  I see Alligate's NOMX in the header for just about all
of them.

 

If I put NOMX in a custom Declude filter to take advantage of Alligate's
homework, how many false positives do you think I'd get?  Does much
legitimate mail come in without an MX?

 

For those who chime in, thanks!

 

- Michael Cummins 



[MBF] Dumb Question

2014-09-23 Thread Michael Cummins
Is there a magic word I can insert into the header of an e-mail or something 
that will cause an e-mail to automatically be caught by Outlook's heuristics 
and deposited in the junk mail folder?

- Michael Cummins






[MBF] Re: hijacked accounts

2014-07-22 Thread Michael Cummins
 credentials.


Andrew.



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Monday, July 21, 2014 6:27 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

5) and fairly common in my experience:

They compromise the account elsewhere, be it through a hacked online account 
with target, yahoo, etc etc, or a sniffed wifi transaction, or a direct 
connect to an evil twin server lurking around starbucks or something like 
xfinitywifi / attwifi, and compounded by the fact that the end user uses the 
same passwords everywhere; reverse engineering known passwords associated with 
e-mail address domain names / reverse dns to guess mail settings is then fairly 
trivial.

Think about it.  That list from Target or Bob's Discount Golf Clubs probably 
has their password, or a hash that can be bounced off a rainbow table, and the 
customer's e-mail address.  Follow the MX trail of that e-mail account back to 
your mail server.  Where they use the same password.

I see a compromised account every other week or so, and when I research the 
SMTP logs, I see that it almost always wasn't brute forced (brute forcing is so 
passé these days) - it was guessed correctly on the first try (they already HAD 
it from SOMEWHERE) and then passed around a RU/TR/IN botnet until I shut it 
down.

This kind of compromised account info is bought and sold on the internet in 
large lists, and then mined over time by bots.

I find the SmarterMail high volume sender notifications pretty handy in these 
cases, letting me shut the offending account down before I get blacklisted.  I 
change their password immediately and advise the client to check their systems 
for malware, tell them that they might have gotten the password from another 
online account, advise them to use different passwords everywhere, tell them 
about services like LastPass, yada yada.  Things y'all probably already do 
yourselves.  When they assure me their system has been checked out I give them 
a new password.

Also, some people use hijack to help out, but hijack would nab my own customers 
as they spam their industry peers with brokerage listings and whatnot.

Hope my rambling was useful to someone.  It's late, and I'm tired. :)


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of John Tolmachoff
Sent: Monday, July 21, 2014 5:30 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts


Sounds like you have a larger problem than you think. The only way they can log 
onto an account is to know the password. There are only 4 ways that they would 
know the password:

1) Brute Force on the account in question. Highly unlikely in this case if it 
is happening to so many accounts.
2) The accounts in question have the same password or very weak passwords like 
in the top 25 of known passwords.
3) They have access to an admin account and are changing passwords.
4) Your server itself is compromised and they are obtaining the passwords from 
the registry.

If you do not have logs enabled, might as well pack your bags. You will need 
the logs to determine what is going on, where they are logging on from, and how 
to stop it.

-Original Message-
From: Daniel Ivey d...@gcrcompany.com
Sent: Sunday, July 20, 2014 5:22am
To: community@mailsbestfriend.com
Subject: [MBF] Re: hijacked accounts

I am running Imail 8.22 on Windows Server 2003.  These are different accounts 
each time, as once I identify one account, I disable that account to fix the 
issue for the time being.

I do not have my logs enabled.

Daniel

 -Original Message-
From:   Heimir Eidskrem [mailto:hei...@i360.net]
Sent:   Friday, July 18, 2014 5:06 PM
To: community@mailsbestfriend.com
Subject:[MBF] Re: hijacked accounts

Are you using smartermail or Imail?
Version?

Are they using the same account every time?

What does your log files say?






Cordially,

Heimir Eidskrem

i360 Consulting
11152 Westheimer
Suite 147
Houston, TX 77042
Ph:  713-981-4900
hei...@i360.net
www.i360.net
www.smart-it-services.com

Houston's Leading Internet Consulting Company

-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Daniel Ivey
Sent: Friday, July 18, 2014 3:42 PM
To: community@mailsbestfriend.com
Subject: [MBF] hijacked accounts

I am having an issue with one of my mail servers where a SPAMMER is hijacking 
an email account and then is causing my webmail interface to quit working 
because they are logged in X number of times sending SPAM.  I have HiJack 
turned on and the thresholds set very low and these SPAMMERS keep getting under 
my thresholds.  Has anyone else had this issue and if so, what was the fix?

Thanks,
Daniel
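
The thread above contrasts brute forcing with a password that is "guessed correctly on the first try" and then used from many botnet addresses. The following is an added example, not code from any poster or from Declude/SmarterMail, that separates the two patterns in authentication logs. The log format, the sample lines and both thresholds are constructed assumptions; adapt the parser to your server's real SMTP log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
#   date time source-ip AUTH account OK|FAIL
SAMPLE_LOG = """\
2014-07-21 03:10:01 198.51.100.7 AUTH alice@example.com FAIL
2014-07-21 03:10:02 198.51.100.7 AUTH alice@example.com FAIL
2014-07-21 03:10:03 198.51.100.7 AUTH alice@example.com FAIL
2014-07-21 03:10:04 198.51.100.7 AUTH alice@example.com FAIL
2014-07-21 03:10:05 198.51.100.7 AUTH alice@example.com FAIL
2014-07-21 03:10:06 198.51.100.7 AUTH alice@example.com OK
2014-07-21 04:00:10 203.0.113.20 AUTH bob@example.com OK
2014-07-21 04:03:41 192.0.2.88 AUTH bob@example.com OK
2014-07-21 04:07:15 198.51.100.140 AUTH bob@example.com OK
2014-07-21 08:59:30 192.0.2.14 AUTH carol@example.com FAIL
2014-07-21 08:59:48 192.0.2.14 AUTH carol@example.com OK
"""


def parse(lines):
    """Turn log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[3] != "AUTH":
            continue  # ignore anything that is not an auth record
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2], parts[4], parts[5] == "OK"))
    return events


def classify(events, window=timedelta(hours=1), ip_threshold=3, fail_threshold=5):
    """Label accounts whose successful logins look like an attack.

    brute_force      : a success preceded by many recent failures.
    credential_reuse : successes from several distinct IPs with no recent
                       failures at all, i.e. the password was already known.
    Thresholds are assumptions to tune against your own traffic.
    """
    fails = defaultdict(list)   # account -> failure timestamps
    wins = defaultdict(list)    # account -> (timestamp, ip) of successes
    findings = {}
    for ts, ip, user, ok in sorted(events):
        if not ok:
            fails[user].append(ts)
            continue
        wins[user].append((ts, ip))
        recent_fails = [t for t in fails[user] if ts - t <= window]
        recent_ips = {i for t, i in wins[user] if ts - t <= window}
        if len(recent_fails) >= fail_threshold:
            findings[user] = "brute_force"
        elif len(recent_ips) >= ip_threshold and not recent_fails:
            findings.setdefault(user, "credential_reuse")
    return findings


if __name__ == "__main__":
    for account, label in classify(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{account:20} {label}")
```

A single mistyped password followed by a success from the same address (carol in the sample) is not flagged, which keeps ordinary users out of the report.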


[MBF] No SPF

2014-07-02 Thread Michael Cummins
I see these:

SPFFAIL  SPFFAILx   80
SPFPASS  SPFPASSx  -10

How do I ding people that don't even have an SPF record?






[MBF] Whitelist not invoked

2014-06-17 Thread Michael Cummins
Our per-domain whitelisting generally works.  I have an example recently 
however, after reviewing the Spam.log, the whitelist is not mentioned.  I 
assume that it was not checked.

Are there any circumstances in which the whitelist would NOT be checked?

We run into this from time to time.

Nice feature: it would be great if the SpamXXX.log could reference the 
.junkmail file it is using when processing a message, much as it does the 
various filters, etc.

- Michael Cummins






[MBF] Re: Whitelist not invoked

2014-06-17 Thread Michael Cummins
I'll see if I can't arrange a test during debug mode.

I have a copy of the message header.  Is that a reliable resource for who it 
appears to be coming from?

As always, THANKS!

- Michael Cummins



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of David Barker
Sent: Tuesday, June 17, 2014 2:29 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Whitelist not invoked

Hi Michael,

If the whitelist is not checked it is because the email sender or recipient is 
most likely not who you think it is. We would need the entries from a DEBUG log 
to verify what the problem may be.

As for your feature the log does reference the .junkmail file being checked. 
You would need to run in DEBUG mode. An example would be:

912 06/17/2014 00:02:32.265 40648498 Autowhitelist check
913 06/17/2014 00:02:32.265 40648498 Domain Trusted Sender check
914 06/17/2014 00:02:32.265 40648498 User Trusted Sender check
915 06/17/2014 00:02:32.265 40648498 Domain name = receivingdomain.com,  
User name = crawford.
916 06/17/2014 00:02:32.265 40648498 1 Tried C:\SMARTERMAIL\Declude\ 
receivingdomain.com \crawford.junkmail: 0.
917 06/17/2014 00:02:32.265 40648498 2 Tried C:\SMARTERMAIL\Declude\ 
receivingdomain.com \$default$.junkmail: 4629d0.
918 06/17/2014 00:02:32.265 40648498 Final C:\SMARTERMAIL\Declude\ 
receivingdomain.com \$default$.junkmail: 4629d0.
919 06/17/2014 00:02:32.265 40648498 Using [incoming] CFG file 
C:\SMARTERMAIL\Declude\receivingdomain.com \$default$.junkmail.

David Barker
Mail’s Best Friend
Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com
Office: 1.866.919.2075


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Tuesday, June 17, 2014 2:07 PM
To: community@mailsbestfriend.com
Subject: [MBF] Whitelist not invoked

Our per-domain whitelisting generally works.  I have an example recently 
however, after reviewing the Spam.log, the whitelist is not mentioned.  I 
assume that it was not checked.

Are there any circumstances in which the whitelist would NOT be checked?

We run into this from time to time.

Nice feature: it would be great if the SpamXXX.log could reference the 
.junkmail file it is using when processing a message, much as it does the 
various filters, etc.

- Michael Cummins






[MBF]Re: Global.CFG

2014-02-28 Thread Michael Cummins
I’d really love to be able to start commenting like this if it is possible.  
Does anyone know?

 

- Michael Cummins

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Thursday, February 13, 2014 9:10 AM
To: community@mailsbestfriend.com
Subject: [MBF]Global.CFG

 

Can you use a hashtag inline when you are whitelisting IPs, for commenting?
 
Like this:
 
WHITELIST IP XXX.XXX.XXX.XXX #Customer Name, ISP
 


[MBF]Re: MBF releases new build of Declude 4.12.05

2014-02-24 Thread Michael Cummins
Thanks!  That sounds great!

 

Michael Cummins

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of David Barker
Sent: Monday, February 24, 2014 11:37 AM
To: community@mailsbestfriend.com
Subject: [MBF]MBF releases new build of Declude 4.12.05

 

New files available from http://mailsbestfriend.com/downloads/

 

4.12.05  FIX - Removed Key check for Declude, no need to hack the Host file.
Declude no longer requires a key to run.

4.12.04  ADD - Created new test NOHIT

4.12.03  ADD - Improved Hijack by monitoring the Authenticated user rather
than the mailfrom address



The NOHIT test is used to determine which tests did NOT trigger. The main
purpose of this implementation was to create a feedback system to Message
Sniffer ARM research to improve spam catch rates on new spam. The new test
syntax is below and is located in the global.cfg

 

TEST-NAME1 NOHIT  TEST-NAME2 WEIGHT  0  0

 

TEST-NAME1  Your given name of the test
NOHIT   Test Type
TEST-NAME2  The name of the test you are tracking that did NOT trigger
WEIGHT  The weight = when you would like this test to trigger

 

Example of use (This test will trigger if SNIFFER is NOT triggered for
emails over 30 points):

 

SNF-FEEDBACK   NOHIT  SNIFFER 30  0   0

 

Using this test we can identify messages that scored more than 30 points and
did NOT trigger sniffer. We then use either a COPYTO or ROUTETO Action in
the $default$.junkmail file to have these messages go to a specific inbox
where ARM research periodically retrieves these messages and writes new
rules to distribute to other Message Sniffer users. 

 

The entry in the $default$.junkmail would be:

 

SNF-FEEDBACK   ROUTETO   x...@example.com

 

Where  is your license key for Message Sniffer.  Be sure to setup an
email user with x...@example.com on your server
and provide ARM research supp...@armresearch.com with the POP account
details to access the account to retrieve messages.

 

I am sure there are other great ways the NOHIT test can be used. Let us know
if you have some ideas.

David Barker
Mail's Best Friend

Email : david.bar...@mailsbestfriend.com
Web  : www.mailsbestfriend.com http://www.mailsbestfriend.com/ 
Office: 866.919.2075
Mobile  : 978.518.6461


[MBF]SmarterMail 12

2014-02-18 Thread Michael Cummins
They've released SM12 now ; can we still use Declude with it?

 

Anything we should be aware of?



[MBF]Global.CFG

2014-02-13 Thread Michael Cummins
Can you use a hashtag inline when you are whitelisting IPs, for commenting?
 
Like this:
 
WHITELIST IP XXX.XXX.XXX.XXX #Customer Name, ISP
 


[MBF]Manually invoking Declude

2014-02-12 Thread Michael Cummins
Is there some way that I can manually invoke Declude to check an IP address to 
see if it is on an RBL?

 

I’d like to be able to keep an eye on my clients to give them advanced warning. 
 That might be a cool way to do it.

 

- Michael Cummins

 

 



[MBF]Re: Manually invoking Declude

2014-02-12 Thread Michael Cummins
Because I want to automate checking about a hundred IPs a day or so.  If I do 
it through a DNS RBL query, I’m using the RBLs more-or-less how they were 
intended to be used and won’t be blackballed for automating their web based 
lookups.  If I can use a manual invoke of Declude instead of building a script 
to do each thing manually, I won’t be reinventing the wheel, and doing a poor 
job of it, likely.  It would be efficient, as I do those checks for many pieces 
of mail each day.

 

Or am I imagining this all wrong?

 

- Michael Cummins

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Darin Cox
Sent: Wednesday, February 12, 2014 8:45 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Manually invoking Declude

 

Why don’t you use one of the web-based blacklist checks?  Senderbase.org, for 
example, or mxtoolbox.com.

 

Darin.

 

From:  mailto:mich...@wddx.net Michael Cummins 

Sent: Wednesday, February 12, 2014 8:01 AM

To:  mailto:community@mailsbestfriend.com community@mailsbestfriend.com 

Subject: [MBF]Manually invoking Declude

 

Is there some way that I can manually invoke Declude to check an IP address to 
see if it is on an RBL?

 

I’d like to be able to keep an eye on my clients to give them advanced warning. 
 That might be a cool way to do it.

 

- Michael Cummins

 

 



[MBF]Re: Manually invoking Declude

2014-02-12 Thread Michael Cummins
Thanks!  That was what I was imagining  if I couldn’t use Declude manually.  I 
think I already have dig set up on one of my windows servers.

 

Since Declude is already rigged to do the tests, it would have been awesome if 
that was an option.

 

- Michael Cummins

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Pete McNeil
Sent: Wednesday, February 12, 2014 10:33 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Manually invoking Declude

 

On 2014-02-12 09:13, Michael Cummins wrote:

Because I want to automate checking about a hundred IPs a day or so.


You need a simple DNS query tool and a bit of scripting.

On a *nix box I will use dig.
On a win* box the analog would be nslookup or you could get dig from here:
http://www.isc.org/downloads/bind/ (ok, a
lot more than just dig but it's in there).

Once you have nslookup or dig you can query any DNS based RBL directly.

Hope this helps,
_M




-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
 http://www.armresearch.com www.armresearch.com
866-770-1044 x7010
twitter/codedweller 
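
The "simple DNS query tool and a bit of scripting" approach described above, as an added example that is not code from any poster or from Declude. It builds the reversed-address query name a DNS based RBL expects (generalized here to IPv6 nibble format as well) and interprets the answer. The zone names and the answer table are constructed placeholders; substitute the RBL zones you actually use and pass `system_resolver` for live lookups.

```python
import ipaddress
import socket

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed answers so the demo runs offline; zones are placeholders.
CONSTRUCTED_ANSWERS = {
    "1.2.0.192.dnsbl.example": ["127.0.0.2"],     # a normal "listed" reply
    "1.2.0.192.broken.example": ["203.0.113.9"],  # wildcarded or hijacked zone
}


def dnsbl_query_name(ip, zone):
    """Reverse the address labels and append the RBL zone.

    192.0.2.1 against dnsbl.example becomes 1.2.0.192.dnsbl.example;
    IPv6 addresses are expanded to 32 reversed nibbles.
    """
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    labels = addr.reverse_pointer[: -len(suffix)]
    return f"{labels}.{zone.strip('.')}"


def system_resolver(name):
    """Return the A records for name, or [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        not_found = {socket.EAI_NONAME,
                     getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        if exc.errno in not_found:
            return []      # NXDOMAIN: the address is not listed
        raise              # timeouts and server failures are not "clean"
    return sorted({info[4][0] for info in infos})


def fake_resolver(name):
    """Offline stand-in for system_resolver using the constructed table."""
    return CONSTRUCTED_ANSWERS.get(name, [])


def check_ip(ip, zones, resolver=system_resolver):
    """Map each zone to ('listed' | 'clean' | 'error', detail list)."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answers = resolver(name)
        except OSError as exc:
            results[zone] = ("error", [str(exc)])
            continue
        # RBL return codes live in 127.0.0.0/8; anything else means the
        # zone is not behaving like an RBL and must not count as a listing.
        codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK_NET]
        if codes:
            results[zone] = ("listed", codes)
        elif answers:
            results[zone] = ("error", answers)
        else:
            results[zone] = ("clean", [])
    return results


if __name__ == "__main__":
    zones = ["dnsbl.example", "broken.example", "quiet.example"]
    report = check_ip("192.0.2.1", zones, fake_resolver)
    for zone, (status, detail) in report.items():
        print(f"{zone:16} {status:7} {detail}")
```

Keeping lookup failures separate from NXDOMAIN matters for a daily monitoring job: a resolver outage should raise an alert, not report every client address as clean.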


[MBF]Re: Manually invoking Declude

2014-02-12 Thread Michael Cummins
Does this 

 

http://multirbl.valli.org/detail/sa.senderbase.org.html

 

mean that we could use sa.senderbase.org 127.0.0.2 as a test in declude?

 

Does anyone else use senderbase?  It looks like it works, manually (see below).

 

What other RBLs are popular with other Declude users?

 

C:\dig>dig xxx.xxx.xxx.xxx.sa.senderbase.org

; <<>> DiG 9.9.0 <<>> xxx.xxx.xxx.xxx.sa.senderbase.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
; xxx.xxx.xxx.xxx.sa.senderbase.org. IN   A

;; Query time: 138 msec
;; SERVER: xxx.xxx.xxx.xxx #53(xxx.xxx.xxx.xxx)
;; WHEN: Wed Feb 12 15:27:19 2014
;; MSG SIZE  rcvd: 61

C:\dig>

 

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Wednesday, February 12, 2014 11:59 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Manually invoking Declude

 

Thanks!  That was what I was imagining if I couldn’t use Declude manually.  I 
think I already have dig set up on one of my Windows servers.

 

Since Declude is already rigged to do the tests, it would have been awesome if 
that was an option.

 

- Michael Cummins

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Pete McNeil
Sent: Wednesday, February 12, 2014 10:33 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Manually invoking Declude

 

On 2014-02-12 09:13, Michael Cummins wrote:

Because I want to automate checking about a hundred IPs a day or so.


You need a simple DNS query tool and a bit of scripting.

On a *nix box I will use dig.
On a win* box the analog would be nslookup or you could get dig from here:  
http://www.isc.org/downloads/bind/ (ok, a 
lot more than just dig but it's in there).

Once you have nslookup or dig you can query any DNS based RBL directly.

Hope this helps,
_M



-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 
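
The direct DNS lookup described in this thread, scripted for a batch of addresses. This is an added example, not part of the thread and not Declude code; the zone `dnsbl.example.test`, the sample answers and all function names are constructed for illustration. A DNSBL is queried with the address labels reversed, NXDOMAIN means "not listed", and a resolver failure is reported separately so it is never mistaken for a clean result.

```python
"""DNSBL lookup helper: added example, not Declude code."""
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in this range signal a query problem, not a listing;
# treating it as an error range for every list is an assumption of this example.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """Reverse the address labels and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: one label per nibble
    return ".".join(labels) + "." + zone.strip(".")


def system_resolver(name):
    """A records for name; [] only when the resolver says the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        no_such_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        if exc.errno in no_such_name:
            return []
        raise  # timeout / SERVFAIL: the caller reports "error", never "clean"


def check_ip(ip, zone, expected="*", resolver=system_resolver):
    """Return a dict whose 'status' is 'listed', 'clean' or 'error'."""
    result = {"ip": ip, "zone": zone, "codes": []}
    try:
        answers = resolver(dnsbl_query_name(ip, zone))
    except OSError as exc:
        return dict(result, status="error", detail=str(exc))
    if not answers:
        return dict(result, status="clean", detail="NXDOMAIN")
    result["codes"] = sorted(answers)
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c not in LOOPBACK or c in ERROR_RANGE for c in codes):
        return dict(result, status="error", detail="unexpected answer")
    if expected == "*" or expected in answers:   # "*" accepts any return code
        return dict(result, status="listed", detail="return code matched")
    return dict(result, status="clean", detail="listed under another return code")


def report(ips, zones, resolver=system_resolver):
    """Check every IP against every zone; keep only results that need attention."""
    results = (check_ip(ip, zone, resolver=resolver) for ip in ips for zone in zones)
    return [r for r in results if r["status"] != "clean"]


# Constructed sample data: documentation-range addresses and a placeholder zone.
SAMPLE_ZONE = "dnsbl.example.test"
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl.example.test": ["127.0.0.2"],
    "7.100.51.198.dnsbl.example.test": ["127.255.255.254"],
}


def sample_resolver(name):
    """Offline stand-in for system_resolver, backed by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    client_ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]
    for row in report(client_ips, [SAMPLE_ZONE], sample_resolver):
        print(row["ip"], row["zone"], row["status"], row["codes"])
```

For real use, call `report()` without the `resolver` argument and pass the zones you already test in Declude.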


[MBF]Re: New Version of Declude

2013-11-22 Thread Michael Cummins
Mine is commented out right now, but my last log file is for SEP 16, 2013, so I 
have definitely had this running on Win2k8R2 64 bit.

I think I killed it because I was running Clam AV, Sniffer and INVURIBL all at 
the command line and it choked during a spam wave, so I started cutting 3rd 
party apps.  

Like Andy said earlier - would love to see these sewn into Declude as an 
API call.  INVURIBL (since it's another defunct product) could literally become 
part of Declude (as a concept), so we could configure Declude for URIBL the 
same way we do other RBLs.

- Michael Cummins



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of johnl...@eservicesforyou.com
Sent: Friday, November 22, 2013 1:41 PM
To: community@mailsbestfriend.com
Subject: [MBF]Re: New Version of Declude


Andy, have you been able to get InvURIBL to work on Windows Server 2008 64 bit?



-Original Message-
From: Andy Schmidt andy_schm...@hm-software.com
Sent: Thursday, November 21, 2013 11:06am
To: community@mailsbestfriend.com
Subject: [MBF]Re: New Version of Declude

Hi,

Ideally I'd like to get away from having to use the command line version of 
Sniffer - and figure out a way to get the API version of Sniffer working again. 
The code's already in Declude, so should be primarily a matter of figuring out 
the logistics so that each client can use their own SNIFFER license.

The same is true for the API version of some virus scanner - whether AVG or 
ClamAV. We should eliminate the command line interface in favor of using the 
API version - then the client can choose to obtain the proper license of ClamAV 
or AVG. 
It doesn't have to handle the signature updates or any of those things, I'm 
fine that this is the customer's responsibility. 

InvURIBL works just fine here - although there is some overlap with Sniffer as 
far as results. But both ARE using entirely different methodology - so having the 
ability to check URI black lists is a very desirable option, of course - but to 
me less critical than getting away from command line scanners for Sniffer and 
Anti-Virus.

Best Regards,
Andy

John T
eServices For You





[MBF]Re: New Version of Declude

2013-11-21 Thread Michael Cummins
> As for INVURIBL it does not seem to be supported anymore so we 
> would not spend any time integrating into Declude.

It still works with Declude right now, I just meant the functionality: harvesting 
URLs out of the message content and then bouncing them off URIBL lists.  (I 
think that's how INVURIBL works, no?) 

That looks like something that could be in Declude's wheelhouse, yes?

Feel free to tap me around if I'm clueless. 

> I would not say that INVURIBL is redundant, however 
> Message Sniffer is a far superior product to INVURIBL.

Love Message Sniffer.  I'm a happy customer.  But if INVURIBL is a waste of 
time because of Message Sniffer, I'd love to know so I can drag it all into an 
archive folder or something and never use it again.

If it *isn't* duplicated by Message Sniffer, I'd also love to know so I can 
fine tune it again.  I've ignored it for a long time, but back in the day it 
was one of my most effective tests.

- Michael Cummins






[MBF]CommTouch

2013-11-21 Thread Michael Cummins
One of my favorite things about the previous iteration of Declude was 
CommTouch, which I had paid for.

There really isn't an affordable way to add this back into the arsenal, is 
there?

- Michael Cummins






[MBF]New Version of Declude

2013-11-21 Thread Michael Cummins
Are you working on a new version of Declude?

If so, could you include the INVURIBL functionality in the Declude product 
itself, so we don't have to call a third party application?

Or do you see that as redundant to what Message Sniffer offers?

- Michael Cummins






[MBF]Re: CryptoLocker

2013-11-21 Thread Michael Cummins
Presently I ban:

BANEXT  BAT
BANEXT  CMD
BANEXT  EXE
BANEXT  EXIP
BANEXT  PIF
BANEXT  SCR
BANEXT  SHS
BANEXT  VBS

And I re-enabled:

BANEXT  EZIP

Does MessageSniffer detect the CryptoLocker in zip attachments?

I'm under the impression that I can't use NOD32 because I'm simply a gateway 
for my clients.
I'm also under the impression that I can't use AVG because there is no longer a 
licensing server (used to be at Declude) that authorized me to do so.

Is Clam AV the only thing I can use without a huge investment?



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Markus Gufler | Limitis
Sent: Thursday, November 21, 2013 8:39 AM
To: community@mailsbestfriend.com
Subject: [MBF]AW: CryptoLocker

Nothing more than blocking certain zipped extensions.
Having a lot of it in our virus folder.

Markus


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Thursday, November 21, 2013 13:53
To: community@mailsbestfriend.com
Subject: [MBF]CryptoLocker

Anyone doing anything special to combat the CryptoLocker virus?

- Michael Cummins






[MBF]Re: CryptoLocker

2013-11-21 Thread Michael Cummins
I stopped blocking encrypted zip files a while back at the request of a 
customer.

Does CryptoLocker use this vector, or is it just exe files?


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Markus Gufler | Limitis
Sent: Thursday, November 21, 2013 8:39 AM
To: community@mailsbestfriend.com
Subject: [MBF]AW: CryptoLocker

Nothing more than blocking certain zipped extensions.
Having a lot of it in our virus folder.

Markus


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Michael Cummins
Sent: Thursday, November 21, 2013 13:53
To: community@mailsbestfriend.com
Subject: [MBF]CryptoLocker

Anyone doing anything special to combat the CryptoLocker virus?

- Michael Cummins






[MBF]Re: Just FYI - My Declude Testresults...

2013-11-11 Thread Michael Cummins
What is your INVURIBL configured to use?

 

- Michael Cummins

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Andy Schmidt
Sent: Monday, November 11, 2013 2:47 AM
To: community@mailsbestfriend.com
Subject: [MBF]Just FYI - My Declude Testresults...

 

 


BARRACUDA            48.06%
SPAMCOP              30.15%
SPAMHAUS-DBL         29.80%
REVDNS               27.15%
INV-URIBL            26.49%
URIBL-MULTI          24.66%
CBL-DYNA             22.55%
SORBS-SPAM           22.32%
SORBS                19.69%
MAILSPIKE-BL         18.79%
SURBL-FROM           18.09%
GBUDB                17.71%
LASHBACK             17.30%
SNIFFER-GENERAL      15.59%
SNIFFER-SNAKEOIL     15.52%
SORBS-NEW            13.77%
SEM-BLACK             8.70%
SORBS-WEB             8.58%
SNIFFER-CREDIT        7.10%
SORBS-DUHL            5.64%
SNIFFER-PORN          5.56%
SNIFFER-TRUNC         5.22%
SBL                   5.07%
URIBL-WHITE           3.96%
SNIFFER-SCAMS         3.93%
SNIFFER-INSURANCE     3.40%
SNIFFER-MALWARE       3.01%
SPFFAIL               2.98%
SNIFFER-SPAM          2.40%
PBL-DYNA              2.12%
MAILSPIKE-WL          1.73%
SNIFFER-TRAVEL        1.32%
SNIFFER-SCHEME        1.07%
SORBS-HTTP            0.64%
SORBS-SOCKS           0.64%
SORBS-MISC            0.64%
SNIFFER-GAMBLING      0.40%
SNIFFER-OBFUSC        0.24%
SNIFFER-ADVERTISING   0.04%
SNIFFER-AV-PUSH       0.02%
BONDEDSENDER          0.02%
DNSBLCL               0.02%
DNSBLCLI-DYNA         0.02%
SNIFFER-SPAMWARE      0.01%
SNIFFER-IP-RULES      0.01%
SNIFFER-WAREZ         0.01%
SORBS-ZOMBIE          0.01%

 



[MBF]Re: HiJack/Proc Warning

2013-10-25 Thread Michael Cummins
I used ColdFusion scripts on timers to do it across UNC paths for a while, and 
IP Monitor, presently.

If you have a CF server on the LAN with your Declude box, can create shares and 
what not, happy to share example code, though I imagine that's a bit esoteric.

Michael Cummins


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Brandon Rowlett
Sent: Friday, October 25, 2013 9:09 AM
To: community@mailsbestfriend.com
Subject: [MBF]HiJack/Proc Warning

Does anyone have a decent snippet of code that will check on the proc or hold 
directory that will send an email to alert the administrator if it becomes 
overrun?  A long time ago we used IMail1.exe that would use the built in SMTP 
server to send out an email but that has long since been discontinued due to 
security issues.

Thanks,

Brandon Rowlett






[MBF]Re: Outdated Blacklists

2013-10-24 Thread Michael Cummins
I re-installed DLAnalyzer on an old 2003 box I am still running, ported over
3 days of logs and a junkmail file to config it with, and this is what I see
for my traffic.   Message Sniffer is the most effective external test by
far, and my best RBLs seem to be Barracuda, SURBL, and HostKarma-Black.

 

-Michael Cummins

 


TEST               FAILED   PERCENTAGE
IPNOTINMX         158,078   86.05%
FILTER-SPAM       118,638   64.58%
NOLEGITCONTENT    118,145   64.31%
SPFPASS           105,927   57.66%
WEIGHT10           96,001   52.26%
WEIGHT15           85,956   46.79%
WEIGHT20           79,819   43.45%
SNIFFER            75,592   41.15%
WEIGHT25           72,988   39.73%
WEIGHT30           67,124   36.54%
FROMNOMATCH        64,492   35.11%
WEIGHT35           59,775   32.54%
SUBCHARS-55        52,418   28.53%
WEIGHT45           46,947   25.56%
SUBCHARS-60        41,931   22.83%
FILTER-SUBJECT     34,971   19.04%
SUBCHARS-65        32,822   17.87%
BARRACUDA          29,855   16.25%
SURBL              28,105   15.30%
HOSTKARMA-BLACK    23,956   13.04%
GOOD-REVDNS        23,866   12.99%
REVDNS             22,943   12.49%
SURRIEL            21,007   11.44%
SEM-15             19,975   10.87%
SEM-10             16,568    9.02%
GBUDB              14,556    7.92%
UBL                13,850    7.54%
SUBSPACE-12        13,833    7.53%
IX                 13,026    7.09%
UCEPROTECT-2       10,992    5.98%
BACKSCATTER        10,542    5.74%
UCEPROTECT-1        9,695    5.28%
SPAMCOP             8,960    4.88%
NONENGLISH          8,825    4.80%
SIZE-300K           8,328    4.53%
IADB                7,266    3.96%
WDDX-FILTER         7,161    3.90%
BASE64              5,956    3.24%
BADHEADERS          5,578    3.04%
SORBS-RECENT        5,350    2.91%
HELOBOGUS           5,018    2.73%
SIZE-500K           4,786    2.61%
BONDEDSENDER        4,749    2.59%
SUBSPACE-15         4,711    2.56%
FILTER-COUNTRY      4,681    2.55%
SEM-BL              3,151    1.72%
SORBS               2,895    1.58%
SUBSPACE-17         2,573    1.40%
SIZE-1MB            2,522    1.37%
SORBS-NEW           2,022    1.10%
FILTER-MEDICAL      1,991    1.08%
FILTER-ADULT        1,934    1.05%
SPAMHEADERS         1,807    0.98%
FILTER-DRUGS        1,739    0.95%
SEM-URIBL           1,314    0.72%
SEM-URIRED          1,305    0.71%
UCEPROTECT-3        1,223    0.67%
SENDERSCORE         1,168    0.64%
SPFFAIL             1,101    0.60%
ROUTING             1,093    0.59%
ZEN                   818    0.45%
SORBS-DUL             754    0.41%
CBL                   650    0.35%
DYNHELO               627    0.34%
AHBL-DOMAINS          604    0.33%
SPAMRATS              484    0.26%
MAILFROM              422    0.23%
COMMENTS              285    0.16%
CONTSPACES             85    0.05%
SEM-BS                 79    0.04%
CMDSPACE                4    0.00%
BCC                     3    0.00%
DNSBL                   3    0.00%

 

 

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com]
On Behalf Of Todd Hunter
Sent: Wednesday, October 23, 2013 10:43 PM
To: community@mailsbestfriend.com
Subject: [MBF]Outdated Blacklists

 

Going through my Declude config and found some tests I am removing.  

 

FIVETEN-DUL offline  

http://whatismyipaddress.com/blacklist/five-ten-sg

 

In the last week we have had 0 hits from RU-DUL and SORBS-NOMAIL and 2 hits
on DNSBL.  Anyone else using these with any effect?

 

Still going through my config so there may be more.

 

 

Todd Hunter

 

The Smart IT Group

Smart IT Services  

Smart-Mail

Law IT Services

Your Smart Cloud Partner

 



[MBF]Re: Declude reporting

2013-10-24 Thread Michael Cummins
What version of Declude are you running?  Mine generates a blklst*.txt file.

I am running 4.12.02, and they appear in my SmarterMail/Spool directory.

I would have to write something to parse this file myself, unless something 
else already does?

- Michael Cummins


-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Kamran Razvan
Sent: Thursday, October 24, 2013 7:02 AM
To: community@mailsbestfriend.com
Subject: [MBF]Re: Declude reporting

Markus,

Does this work for you?  I recall this discussion and I have it in our 
declude.cfg but it does not generate any such file.

Here is our setting:

CODE 

BLKLST  ON
INVITEFIX   ON
AUTOREVIEW  ON
THREADS 150
WAITFORMAIL 2500
AVGUPDATEFREQHRS 3

No blklst.txt has ever been created in the spool directory.

Regards,
CP:\  kam...@clickandpledge.com / 540.961.9811 x3211




-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Markus Gufler | Limitis
Sent: Thursday, October 24, 2013 2:46 AM
To: community@mailsbestfriend.com
Subject: [MBF]AW: Declude reporting

I can confirm that the newer versions of Declude have brought some changes in 
the log levels.

They contain considerably more information on the MID level, bumping up 
logfiles without containing the necessary data for MDLP reporting.
On LOW level the Subject and MFrom lines are missing. 

David Barker, on my request, suggested:

What may be of use to you is using the following in the \Declude\declude.cfg 
file.
BLKLST ON
This will create a file in the \spool every day, e.g. blklst0919.txt, which 
contains 1 line for every email with all the information you need.

It's important not to misunderstand the BLK as black. It seems to mean 
block instead.
These are the fields of these logfiles:

Date | Time | Spool # | IP | Final Weight | Final Action | Recipients | 
Date | Sender | Subject | Tests Triggered

Markus



-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On 
Behalf Of Pete McNeil
Sent: Wednesday, October 23, 2013 19:52
To: community@mailsbestfriend.com
Subject: [MBF]Re: Declude reporting

On 2013-10-23 12:42, Darin Cox wrote:
> We use a combination of home-grown log analysis and Arm Research Lab’s 
> MDLP product to both weed out ineffective filters and tweak weights on 
> the rest.  Not sure if it has been abandoned, but it works fine for 
> us. I’d contact Pete McNeil to see if it is still available.  At the 
> time he was giving it away.

I haven't touched MDLP in a while -- though I've thought about it.
If I recall correctly there were changes in Declude's log format that broke 
its analysis... though I might be mistaken.

Please let us know how you're working around that or if I've missed a step.

If there is enough interest in MDLP we may pick it up again.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
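
A parser for the daily `blklst*.txt` file discussed in this thread, producing the same kind of per-test "failed / percentage" tally that the log analyzers report. This is an added example, not Declude or MDLP code: the field order is the one listed in the thread, while the `|` delimiter on disk, the whitespace-separated test names and every sample line are assumptions constructed for illustration.

```python
"""Tally Declude BLKLST lines per test: added example, format details assumed."""
from collections import Counter

# Field order as listed in the thread; the '|' delimiter and the
# whitespace-separated test names are assumptions of this example.
FIXED_FIELDS = ("date", "time", "spool", "ip", "weight", "action",
                "recipients", "date2", "sender")


def parse_blklst_line(line):
    """Return a record dict, or None for a line that does not fit the layout."""
    raw = line.rstrip("\r\n").split("|")
    if len(raw) < len(FIXED_FIELDS) + 2:
        return None
    record = {key: value.strip() for key, value in zip(FIXED_FIELDS, raw)}
    # The subject is sender-controlled and may itself contain '|': everything
    # between the sender and the final field is rejoined as the subject.
    record["subject"] = "|".join(raw[len(FIXED_FIELDS):-1]).strip()
    record["tests"] = raw[-1].split()
    try:
        record["weight"] = int(record["weight"])
    except ValueError:
        return None
    return record


def hit_rates(lines):
    """Return (rows, total, skipped); rows are (test, failed, percent), highest first."""
    hits, total, skipped = Counter(), 0, 0
    for line in lines:
        if not line.strip():
            continue
        record = parse_blklst_line(line)
        if record is None:
            skipped += 1          # keep count so damaged logs are noticed
            continue
        total += 1
        hits.update(set(record["tests"]))   # count a test once per message
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = [(name, n, round(100.0 * n / total, 2)) for name, n in ordered]
    return rows, total, skipped


# Constructed sample lines (not taken from a real log).
SAMPLE_LINES = [
    "10/24/2013|07:02:11|D1a2b0001|192.0.2.10|35|HOLD|user@example.test|"
    "10/24/2013|spam@example.test|Cheap meds|SNIFFER BARRACUDA SPFFAIL",
    "10/24/2013|07:02:15|D1a2b0002|198.51.100.7|0|IGNORE|user@example.test|"
    "10/24/2013|friend@example.test|lunch?|SPFPASS",
    "10/24/2013|07:03:40|D1a2b0003|203.0.113.5|22|HOLD|user@example.test|"
    "10/24/2013|x@example.test|50% off | today only|BARRACUDA SNIFFER",
    "truncated line|only|three",
]

if __name__ == "__main__":
    rows, total, skipped = hit_rates(SAMPLE_LINES)
    print("messages: %d, skipped lines: %d" % (total, skipped))
    for name, failed, percent in rows:
        print("%-16s %6d %7.2f%%" % (name, failed, percent))
```

To run it on a real file, pass the open file object to `hit_rates()` after confirming the delimiter in your own `blklst*.txt`.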





[MBF]Re: Anyone still use INVURIBL?

2013-09-14 Thread Michael Cummins
<add key="URI_Bitmask_BitValue_4_Weight_URIBL_List6" value="0" />
<add key="URI_Bitmask_BitValue_8_Weight_URIBL_List6" value="0" />
<add key="URI_Bitmask_BitValue_16_Weight_URIBL_List6" value="0" />
<add key="URI_Bitmask_BitValue_32_Weight_URIBL_List6" value="0" />
<add key="URI_Bitmask_BitValue_64_Weight_URIBL_List6" value="0" />
<add key="URI_Bitmask_BitValue_128_Weight_URIBL_List6" value="0" />

 

After that there's this URI NAME SERVER thing, seems there is only one
there.

 

<add key="Enable_URI_Name_Server_Check" value="true" />
<add key="Max_Name_Servers_To_Check" value="3" />

<add key="Name_Server_RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_Name_Server_RBL1" value="2" />
<add key="Name_Server_Return_Code_RBL1" value="*" />
<add key="Name_Server_Weight_RBL1" value="2" />

 

Later on I have these 4 RBL lists configured

 

<add key="RBL1" value="sbl.spamhaus.org" />
<add key="Bitmask_Skip_Options_RBL1" value="2" />
<add key="Return_Code_RBL1" value="*" />
<add key="WEIGHT_RBL1" value="5" />

<add key="RBL2" value="cn.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL2" value="0" />
<add key="Return_Code_RBL2" value="*" />
<add key="WEIGHT_RBL2" value="3" />

<add key="RBL3" value="kr.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL3" value="0" />
<add key="Return_Code_RBL3" value="*" />
<add key="WEIGHT_RBL3" value="3" />

<add key="RBL4" value="ru.countries.nerd.dk" />
<add key="Bitmask_Skip_Options_RBL4" value="0" />
<add key="Return_Code_RBL4" value="*" />
<add key="WEIGHT_RBL4" value="3" />

 

It looks like it supports URI Senderbase lookups, but both are set to false.

 

<add key="Enable_URI_Senderbase_Magnitude_Check" value="false" />
<add key="URI_Senderbase_Magnitude_Threshold" value="50" />
<add key="URI_Senderbase_Magnitude_Weight" value="0" />

<add key="Enable_RemoteMailServer_Senderbase_Magnitude_Check" value="false" />
<add key="RemoteMailServer_Senderbase_Magnitude_Threshold" value="50" />
<add key="RemoteMailServer_Senderbase_Magnitude_Weight" value="0" />

 

Maybe I should use those?  Are any of those RBLs or URIBLs configured
defunct?

Am I running too many? 

I had this test commented out for some time because one of my clients was being
hit by a Joe Job (getting by the Alligate) and I simply forgot to turn it
back on.

Any advice would be greatly appreciated.

 

- Michael Cummins