[Declude.JunkMail] Strange X-Declude-Sender address
Scott, here are the headers from a recent spam message, and I am wondering how "X-Declude-Sender" came up with [EMAIL PROTECTED] as the sender address:

=
Received: from gw2.pointshare.com [204.189.38.3] by intramail01.pointshare.net with ESMTP (SMTPD32-7.13) id AB612CE50110; Tue, 11 Feb 2003 00:59:13 -0800
Received: from gw2.pointshare.com (user-vc8fopa.biz.mindspring.com [216.135.227.42])
 by gw2.pointshare.com (Mail Gateway) with SMTP id 661DCADE90
 for [EMAIL PROTECTED]; Tue, 11 Feb 2003 00:59:11 -0800 (PST)
From: "QuickQuestion"
Date: Tue, 11 Feb 2003 00:59:02
To: fake@example.com
Subject: A Quick Question For You
MIME-Version: 1.0
Content-Type: multipart/related; boundary="=_NextPart_SWMHBPEXTP"
Content-Transfer-Encoding: 7bit
Message-ID: PM200012:59:02 AM
X-RAV-Bulk: RAV AntiVirus classifies this e-mail as spam (accuracy very high)
X-RAV-Signature: 5774C890693CEA130620D65BBB38FC28
X-CYBERsitter-SpamManager-In: FAILED - Score Adult: 0 (Req: 17) Spam: 24 (Req: 20) Tot: 24 (Req: 23)
X-CYBERsitter-SpoolFile: Dbb612ce50110cbac.SMD
X-RBL-Warning: FIVETEN-SRC: 42.227.135.216.blackholes.five-ten-sg.com.
X-RBL-Warning: SPAMCOP: Blocked - see http://spamcop.net/bl.shtml?216.135.227.42
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8040800e].
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: RAV-FILTER: Message failed RAV-FILTER test (4)
X-RBL-Warning: WORDFILTER: Message failed WORDFILTER test (745)
X-RBL-Warning: SPAMMANAGER: Message failed SPAMMANAGER: 24.
X-RBL-Warning: SPAMSNIFFER: Message failed SPAMSNIFFER: 63.
X-Declude-Sender: [EMAIL PROTECTED] [216.135.227.42]
X-Note: This e-mail was filtered for spam by Pointshare's JunkMail Service
X-Spam-Tests-Failed: FIVETEN-SRC, SPAMCOP, BADHEADERS, IPNOTINMX, RAV-FILTER, WORDFILTER, SPAMMANAGER, SPAMSNIFFER, WEIGHT16-35
X-Note: Total spam test weight: 32
=

I know that the sending MTA impersonated one of our gateway servers, but that "X-Declude-Sender" came up with [EMAIL PROTECTED] as the sender address is very strange, and this is the first time I have seen this happen.

Regards,
Bill
Re: [Declude.JunkMail] Strange X-Declude-Sender address
> Scott, here are the headers from a recent spam message, and I am wondering how X-Declude-Sender came up with [EMAIL PROTECTED] as the sender address:

The X-Declude-Sender: header reports the return address of the E-mail. The return address is what the remote mailserver sends in the MAIL FROM: SMTP command. If you look at the IMail SMTP log file, you'll see a line MAIL FROM: [EMAIL PROTECTED]. The return address is often different from the address(es) in the From: or Reply-To: headers.

-Scott

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
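The distinction Scott describes, as an added example that is not part of the original thread: this Python sketch reads a constructed SMTP dialogue and reports the envelope sender given in MAIL FROM next to the address in the From: header. The transcript layout, hosts and addresses are invented for illustration and are not the IMail log format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SMTP dialogue ("C:" = client, "S:" = server). All hosts and
# addresses are invented for illustration; this is not the IMail log format.
SESSION = """\
S: 220 mx.example.net ESMTP
C: HELO gw2.example.net
S: 250 hello
C: MAIL FROM:<bounce-7731@bulk.example.org> SIZE=2048
S: 250 ok
C: RCPT TO:<user@example.net>
S: 250 ok
C: DATA
S: 354 go ahead
C: From: "QuickQuestion" <offers@shop.example.com>
C: To: fake@example.com
C: Subject: A Quick Question For You
C:
C: body text
C: .
S: 250 queued
"""

_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def parse_session(text):
    """Return (envelope_from, rcpt_to, message_text) from a transcript."""
    envelope_from, rcpt_to, data, in_data = None, [], [], False
    for raw in text.splitlines():
        if not raw.startswith("C:"):
            continue  # server replies never carry the sender
        line = raw[3:] if raw.startswith("C: ") else raw[2:]
        if in_data:
            if line == ".":
                in_data = False  # a lone dot ends the message
            else:
                # undo SMTP dot-stuffing on lines that begin with "."
                data.append(line[1:] if line.startswith(".") else line)
            continue
        match = _ENVELOPE.match(line)
        if match and match.group(1).upper() == "MAIL FROM":
            envelope_from = match.group(2)  # "" is the null sender <>
        elif match:
            rcpt_to.append(match.group(2))
        elif line.upper() == "DATA":
            in_data = True
    return envelope_from, rcpt_to, "\n".join(data)


def sender_report(text):
    """Compare the envelope sender with the From: header address."""
    envelope_from, rcpt_to, message_text = parse_session(text)
    header_from = parseaddr(message_from_string(message_text).get("From", ""))[1]
    return {
        "envelope_from": envelope_from,
        "header_from": header_from,
        "rcpt_to": rcpt_to,
        "mismatch": (envelope_from or "").lower() != header_from.lower(),
    }


if __name__ == "__main__":
    for key, value in sender_report(SESSION).items():
        print(f"{key}: {value}")
```

A mismatch on its own is not a spam signal, since mailing lists and bulk senders routinely use a separate return address; it only explains why the two values differ.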
Re: [Declude.JunkMail] Getting Started With Declude JunkMail
Scott, et.al.,

According to the instructions I was given below I have (supposedly) configured Declude JunkMail to only work on the NEXUSTECHGROUP.COM domain name. In the $default$.JunkMail file in the /declude/ folder I have set all of the actions to IGNORE. The $default$.JunkMail in the /declude/nexustechgroup.com/ folder is a copy of the original $default$.JunkMail from the download site.

It seemed to be working and after I turned it on yesterday I didn't receive any indication from our customers, i.e. complaints from non-NEXUSTECHGROUP.COM domains, that something was amiss. However, this morning I received a complaint from one of our outside web developers that e-mail messages that are being generated from one of our customer web sites to recipients who sign up for a trial on that web site have the term SPAM in the subject. That is the action that I configured NEXUSTECHGROUP.COM for but neither the sender of the e-mail nor the recipient of the e-mail are a NEXUSTECHGROUP.COM user so I don't understand why Declude JunkMail is even bothering with the message.

I know it's not much but here is the visible header with confidential specifics removed...

From: CustomerService@sender.com [mailto:CustomerService@sender.com]
Sent: Tuesday, February 11, 2003 2:00 AM
To: sjf@recipient.com
Subject: SPAM: Trial Signup for snip

You'll have to trust me that neither the sender nor the recipient is NEXUSTECHGROUP.COM. We do allow our web hosting customers to bounce e-mail off of our IMail Server that is destined for the Internet. But why would Declude JunkMail even touch the e-mail if it doesn't have NEXUSTECHGROUP.COM as the sender or recipient?

I'm interested in your feedback.

Thanks, Much!
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 10, 2003 3:50 PM
Subject: Re: [Declude.JunkMail] Getting Started With Declude JunkMail

> Is there a way that I can immediately configure Declude JunkMail to only work on one domain, NEXUSTECHGROUP.COM, right after installing it?

Yes. To do that, first copy the \Imail\Declude\$default$.JunkMail file to \Imail\Declude\nexustechgroup.com\$default$.JunkMail. This file will be used to determine the settings for the NEXUSTECHGROUP.COM domain.

Then, replace all instances of WARN in the \IMail\Declude\$default$.JunkMail file to IGNORE. That will set up the default so that no action will be taken on spam.

-Scott

This E-mail is scanned and free from viruses. www.nexustechgroup.com
RE: [Declude.JunkMail] Getting Started With Declude JunkMail
> However, this morning I received a complaint from one of our outside web developers that e-mail messages that are being generated from one of our customer web sites to recipients who sign up for a trial on that web site have the term SPAM in the subject. That is the action that I configured NEXUSTECHGROUP.COM for but neither the sender of the e-mail nor the recipient of the e-mail are a NEXUSTECHGROUP.COM user so I don't understand why Declude JunkMail is even bothering with the message.

That is an outgoing message that is determined by the test actions defined in the Global.cfg at the bottom. You may want to change those actions to IGNORE for right now.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Re: [Declude.JunkMail] Getting Started With Declude JunkMail
>> Do you have IMail set up to send a copy of all E-mail to an account @nexustechgroup.com? If so, you can either set up a per-user configuration for that account (using the IGNORE action), or you can download the latest beta (1.67) which will automatically disable all spam checking on copyall accounts.
>> -Scott

> From what I can tell IMail IS configured to send a copy of all e-mail to the account [EMAIL PROTECTED]. I found this under IMail Administrator - localhost - SMTP Security. Under the section labeled Copy All Mail the Enable checkbox is checked. When you say that account are you referring to [EMAIL PROTECTED]?

That is correct. Since you have a copy of all E-mail sent to [EMAIL PROTECTED], the actions for @nexustechgroup.com will be taken on the E-mail unless [EMAIL PROTECTED] has a per-user setting to use the IGNORE action.

> Does this mean that even though I took extra steps to make sure our e-mail hosting customers would not be affected by our Declude JunkMail testing that all of the domains on our IMail Server could be receiving SPAM in the subject?

That is correct. For every incoming E-mail, IMail adds a recipient of [EMAIL PROTECTED], so Declude JunkMail will see two recipients, rather than just one.

> So I've read the Per-User Configuration section. It sounds like I have 2 options here:
> Option #1) Setup a Per-User Configuration for [EMAIL PROTECTED]
> Option #2) Setup a WHITELIST entry for [EMAIL PROTECTED]

No -- if you whitelist E-mail to [EMAIL PROTECTED], the E-mail will pass all spam tests, so no action will be taken on the E-mail. For this address, you aren't looking to whitelist the E-mail or take any action -- you want Declude JunkMail to silently ignore it. To do that, you can use Option #1, or you can upgrade to the latest beta (where Declude JunkMail will detect that it is a copyall account and ignore it).

This is one of the tricky cases where you have 2 or more recipients for an E-mail, and Declude JunkMail needs to determine the best course of action to take on the E-mail (as both recipients need to receive an identical copy of the E-mail). I would recommend upgrading to the latest beta in this case.

-Scott
Re: [Declude.JunkMail] Getting Started With Declude JunkMail
> Now this e-mail seems to imply that it's not because of Copy All Mail but instead is because this e-mail is an outgoing message and that I need to change something in GLOBAL.CFG. Which is it? If it's the latter why would Declude JunkMail be flagging outgoing e-mail as spam?

The source of the problem is that all E-mail is addressed to an account on a domain that has spam control enabled. So in this case, you have the recipients as:

[1] [EMAIL PROTECTED]
[2] [EMAIL PROTECTED]
[3] [EMAIL PROTECTED]

For recipient #1, Declude JunkMail looks at the \IMail\Declude\nexustechgroup.com\$default$.JunkMail file to determine what action to take (if the \IMail\Declude\nexustechgroup.com\copybox.JunkMail file existed, that would be used instead).

For recipient #2 (which is not a local user), Declude JunkMail looks at the \IMail\Declude\global.cfg file (which contains the actions to take on outgoing E-mail).

For recipient #3 (which is not a local user), Declude JunkMail looks at the \IMail\Declude\global.cfg file (which contains the actions to take on outgoing E-mail).

Declude JunkMail then works on the assumption that if the E-mail is going to these three users, and one of them thinks it is spam, then it probably is spam (whereas if they were sent separately, the chances of it really being spam would be much less).

By setting up a per-user configuration file for the [EMAIL PROTECTED] account, or by upgrading to the latest beta (which knows that [EMAIL PROTECTED] is a copyall account, and ignores it), Declude JunkMail would see that none of the recipients think it is spam, and would deliver it untouched.

-Scott
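A simplified model of the per-recipient lookup Scott describes above, added here as an example; it is not Declude's code. The `Policy` class, the function names, the `DELIVER` outcome and every address are assumptions made for illustration, with `hosting.example` standing in for the one domain that has spam control enabled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """Simplified stand-in for the configuration files named in the thread."""
    local_domains: set
    domain_default: dict = field(default_factory=dict)  # <domain>\$default$.JunkMail
    per_user: dict = field(default_factory=dict)         # <domain>\<user>.JunkMail
    global_default: str = "IGNORE"   # \IMail\Declude\$default$.JunkMail
    outgoing: str = "IGNORE"         # outgoing actions in global.cfg
    copyall: Optional[str] = None    # IMail "Copy All Mail" account
    skip_copyall: bool = False       # what the thread says the beta does


def action_for(rcpt, policy):
    """Return (action, source) for one recipient, in the order Scott gives."""
    addr = rcpt.lower()
    domain = addr.rsplit("@", 1)[-1]
    if policy.skip_copyall and addr == policy.copyall:
        return "IGNORE", "copyall account skipped"
    if domain not in policy.local_domains:
        return policy.outgoing, "global.cfg outgoing actions"
    if addr in policy.per_user:
        return policy.per_user[addr], "per-user file"
    if domain in policy.domain_default:
        return policy.domain_default[domain], "domain $default$.JunkMail"
    return policy.global_default, "global $default$.JunkMail"


def resolve(recipients, failed_test, policy):
    """One identical copy goes to every recipient, so any non-IGNORE action
    chosen for a single recipient is applied to the whole message."""
    decisions = {r: action_for(r, policy) for r in recipients}
    wanted = [a for a, _ in decisions.values() if a != "IGNORE"]
    outcome = wanted[0] if failed_test and wanted else "DELIVER"
    return outcome, decisions


# Constructed scenario: every address below is invented.
BASE = dict(
    local_domains={"hosting.example", "customer.example"},
    domain_default={"hosting.example": "WARN"},
    copyall="copybox@hosting.example",
)
RCPTS = ["copybox@hosting.example", "sjf@recipient.example", "lead@other.example"]


def scenarios():
    """Outcome for a message that failed a spam test, under each setup."""
    per_user = Policy(**BASE, per_user={"copybox@hosting.example": "IGNORE"})
    beta = Policy(**BASE, skip_copyall=True)
    return {
        "as installed": resolve(RCPTS, True, Policy(**BASE))[0],
        "per-user IGNORE": resolve(RCPTS, True, per_user)[0],
        "beta skips copyall": resolve(RCPTS, True, beta)[0],
        "beta, real local rcpt": resolve(["bob@hosting.example"] + RCPTS, True, beta)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```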
Re: [Declude.JunkMail] Getting Started With Declude JunkMail
Scott,

Thanks for all of your help. I have upgraded my DECLUDE.EXE to the latest Beta. This was such a hard issue to diagnose because it was an issue that only my customers were seeing. I'm going to put the word out to those who called in to complain that everything should be resolved now.

Thanks, Again,
Dan Geiser
[EMAIL PROTECTED]

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 11, 2003 10:19 AM
Subject: Re: [Declude.JunkMail] Getting Started With Declude JunkMail

>> Do you have IMail set up to send a copy of all E-mail to an account @nexustechgroup.com? If so, you can either set up a per-user configuration for that account (using the IGNORE action), or you can download the latest beta (1.67) which will automatically disable all spam checking on copyall accounts.
>> -Scott

> From what I can tell IMail IS configured to send a copy of all e-mail to the account [EMAIL PROTECTED]. I found this under IMail Administrator - localhost - SMTP Security. Under the section labeled Copy All Mail the Enable checkbox is checked. When you say that account are you referring to [EMAIL PROTECTED]?

That is correct. Since you have a copy of all E-mail sent to [EMAIL PROTECTED], the actions for @nexustechgroup.com will be taken on the E-mail unless [EMAIL PROTECTED] has a per-user setting to use the IGNORE action.

> Does this mean that even though I took extra steps to make sure our e-mail hosting customers would not be affected by our Declude JunkMail testing that all of the domains on our IMail Server could be receiving SPAM in the subject?

That is correct. For every incoming E-mail, IMail adds a recipient of [EMAIL PROTECTED], so Declude JunkMail will see two recipients, rather than just one.

> So I've read the Per-User Configuration section. It sounds like I have 2 options here:
> Option #1) Setup a Per-User Configuration for [EMAIL PROTECTED]
> Option #2) Setup a WHITELIST entry for [EMAIL PROTECTED]

No -- if you whitelist E-mail to [EMAIL PROTECTED], the E-mail will pass all spam tests, so no action will be taken on the E-mail. For this address, you aren't looking to whitelist the E-mail or take any action -- you want Declude JunkMail to silently ignore it. To do that, you can use Option #1, or you can upgrade to the latest beta (where Declude JunkMail will detect that it is a copyall account and ignore it).

This is one of the tricky cases where you have 2 or more recipients for an E-mail, and Declude JunkMail needs to determine the best course of action to take on the E-mail (as both recipients need to receive an identical copy of the E-mail). I would recommend upgrading to the latest beta in this case.

-Scott
RE: [Declude.JunkMail] Getting Started With Declude JunkMail
> From Scott's previous e-mail I was presuming that all of the hosts on our system are feeling the effects of Declude JunkMail because we have the Copy All Mail feature of IMail enabled. I am trying to fix that as we speak.

Whoops, my bad. I missed the line about having Copy All Mail enabled.

Scott, I picked up your bad. :))

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
[Declude.JunkMail] quickie no negative weight.
Ok, I think I did this right, just looking for reassurance here.

Ok, got my newtest running well, now I want to make a negative test to counter poorly created mail, like e-bay's confirm/etc mail. All mention credit cards and that's a key on my other CONTAINS test.

So here's what I did, is it correct?

Global.cfg:
negweight filter d:\imail\declude\negweight.txt x 0 0

$Default:
negweight WARN

negweight.txt example:
MAILFROM -13 IS [EMAIL PROTECTED]

figure IS makes it match completely, better than contains.

by this, mail from [EMAIL PROTECTED] will get a weight of -13 correct?

Do I need a weight in Global.cfg? x -1 0? Obviously the weight will be added to the mail, hence the -1, but I want to make sure there's no problem leaving it at 0.

Thanks for the input.

Paul
Re: [Declude.JunkMail] quickie no negative weight.
> Ok, got my newtest running well, now I want to make a negative test to counter poorly created mail, like e-bay's confirm/etc mail. All mention credit cards and that's a key on my other CONTAINS test.
>
> So here's what I did, is it correct?
>
> Global.cfg:
> negweight filter d:\imail\declude\negweight.txt x 0 0
>
> $Default:
> negweight WARN
>
> negweight.txt example:
> MAILFROM -13 IS [EMAIL PROTECTED]
>
> figure IS makes it match completely, better than contains.

That looks good.

> by this, mail from [EMAIL PROTECTED] will get a weight of -13 correct?

Correct.

> Do I need a weight in Global.cfg? x -1 0? Obviously the weight will be added to the mail, hence the -1, but I want to make sure there's no problem leaving it at 0.

Leaving it at 0 is fine. Declude JunkMail will add the weight for the test (in the test definition), plus a weight for each of the lines in the filter that match the E-mail.

-Scott
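The weight arithmetic Scott confirms above, as an added example that is not Declude's code: a small evaluator for filter lines of the `MAILFROM -13 IS address` form shown in the thread. The `BODY` field name, case-insensitive matching, the positive credit-card filter and all addresses are assumptions made for illustration.

```python
def parse_filter(text):
    """Parse lines of the form '<FIELD> <weight> <OPERATOR> <value>'."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            field, weight, op, value = parts
            rules.append((field.upper(), int(weight), op.upper(), value.strip()))
    return rules


def filter_weight(base_weight, rules, message):
    """Weight from the test definition plus the weight of every matching line."""
    total = base_weight
    for field, weight, op, value in rules:
        have, want = message.get(field, "").lower(), value.lower()
        if (op == "IS" and have == want) or (op == "CONTAINS" and want in have):
            total += weight
    return total


# Constructed filter files. BODY is an assumed field name; the thread only
# shows MAILFROM, IS and CONTAINS.
CARDS = "BODY 10 CONTAINS credit card\n"
NEGWEIGHT_IS = "MAILFROM -13 IS confirm@auction.example\n"
NEGWEIGHT_CONTAINS = "MAILFROM -13 CONTAINS auction.example\n"

# Constructed messages: the expected sender and a lookalike return address.
GENUINE = {"MAILFROM": "confirm@auction.example",
           "BODY": "Please confirm the credit card on file."}
LOOKALIKE = {"MAILFROM": "promo@auction.example.bulk.test",
             "BODY": "Cheap credit card offers inside."}


def total_weight(message, negweight_text):
    """Sum both tests, each defined with weight 0 as in the thread."""
    return (filter_weight(0, parse_filter(CARDS), message)
            + filter_weight(0, parse_filter(negweight_text), message))


if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, "IS:", total_weight(msg, NEGWEIGHT_IS),
              "CONTAINS:", total_weight(msg, NEGWEIGHT_CONTAINS))
```

With the exact `IS` match only the expected return address receives the -13 credit, while the `CONTAINS` variant also credits the lookalike address.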
[Declude.JunkMail] Store and Forward w/JunkMail Question
Since late last year we have had our entire setup with virtual hosted domains with No Mail Relay. We are going to change our relay mode to 'relay for addresses' to filter email for about 10 or more Exchange Servers (thus, store and forward). However, we are going to still require all our other domains to SMTP Auth to us. My question is, with JunkMail, does all the filters and commands work just like they do under domains hosted on the IMail server itself. Previously, we always used the RouteTo a mailbox (same domain) for a 'little' admin to look at the spam email and thus forward it on to the necessary person, however, we won't be able to do that anymore with these domains since the domain isn't on the box. We were thinking of creating a bogus.com domain and RouteTo there. Thanks for allowing me to ramble here, just trying to see if I missed anything. I believe the Declude Virus should be fine with this as well. Thank you for the info. Keith
RE: [Declude.JunkMail] Store and Forward w/JunkMail Question
Instead of ROUTETO, you could use HOLD. Then, the files will be in Imail\spool\spam\hold folder. You can either open them with notepad or use SpamReview.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Keith Johnson
Sent: Tuesday, February 11, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Store and Forward w/JunkMail Question

> Since late last year we have had our entire setup with virtual hosted domains with No Mail Relay. We are going to change our relay mode to 'relay for addresses' to filter email for about 10 or more Exchange Servers (thus, store and forward). However, we are going to still require all our other domains to SMTP Auth to us. My question is, with JunkMail, does all the filters and commands work just like they do under domains hosted on the IMail server itself. Previously, we always used the RouteTo a mailbox (same domain) for a 'little' admin to look at the spam email and thus forward it on to the necessary person, however, we won't be able to do that anymore with these domains since the domain isn't on the box. We were thinking of creating a bogus.com domain and RouteTo there. Thanks for allowing me to ramble here, just trying to see if I missed anything. I believe the Declude Virus should be fine with this as well. Thank you for the info.
>
> Keith
Re: [Declude.JunkMail] Store and Forward w/JunkMail Question
spamreview rocks. Only wish it could do filters with wildcards. Hate the darn spammers that uses mail123.domain.tld mail124.domain.tld and so on do *.domain.tld and take care of them for good.

Best regards,
Eje Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 620-231-4066
- Your Full Time Professionals -
eBay UserID : macahan
--

JT> Instead of ROUTETO, you could use HOLD. Then, the files will be in Imail\spool\spam\hold folder. You can either open them with notepad or use SpamReview.

JT> John Tolmachoff MCSE, CSSA
JT> IT Manager, Network Engineer
JT> RelianceSoft, Inc.
JT> Fullerton, CA 92835
JT> www.reliancesoft.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Keith Johnson
> Sent: Tuesday, February 11, 2003 7:10 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Store and Forward w/JunkMail Question
>
> Since late last year we have had our entire setup with virtual hosted domains with No Mail Relay. We are going to change our relay mode to 'relay for addresses' to filter email for about 10 or more Exchange Servers (thus, store and forward). However, we are going to still require all our other domains to SMTP Auth to us. My question is, with JunkMail, does all the filters and commands work just like they do under domains hosted on the IMail server itself. Previously, we always used the RouteTo a mailbox (same domain) for a 'little' admin to look at the spam email and thus forward it on to the necessary person, however, we won't be able to do that anymore with these domains since the domain isn't on the box. We were thinking of creating a bogus.com domain and RouteTo there. Thanks for allowing me to ramble here, just trying to see if I missed anything. I believe the Declude Virus should be fine with this as well. Thank you for the info.
>
> Keith