[Declude.JunkMail] WHITELISTFILE Logging issue
Scott,

I noticed the following error in my log file today. I am running LOGLEVEL HIGH

06/13/2003 09:54:56 Q01dd03c7027e1f3c Using [incoming] CFG file D:\IMAIL\Declude\$default$.junkmail.
06/13/2003 09:54:56 Q01dd03c7027e1f3c Skipping E-mail from [EMAIL PROTECTED]; whitelisted [EMAIL PROTECTED]
06/13/2003 09:54:56 Q01dd03c7027e1f3c Warning: misconfiguration in following line in configuration file (D:\IMail\Declude\Whitelist.txt is not an ACTION). May be a duplicate test definition?

This is the line in the $default$.junkmail

WHITELISTFILE D:\IMail\Declude\Whitelist.txt

Looking at this log fragment, the whitelist is working but the pass checking actions does not like the WHITELISTFILE line in the .junkmail file.

Kevin Bilbee

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
> And I have nothing for the recip.eml file, so I would like suggestions on that one as well. (I screwed up earlier in the week and deleted them all... I should know better than to do work when I have the flu...).

At the moment I can't find any other virusname to skip.

For the recip.eml I've set

SKIPIFVIRUSNAMEHAS Vulnerability

And I've created a new vulnerability.eml with

SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability

So I can send out two different warnings for a real virus and a vulnerability warning.

Markus
RE: [Declude.JunkMail] spam domains shaw.ca?
> Customer emails do not get through and they blame me for it... This happens mostly with hosted domains on their system. This has been going on for about 2 years. Emails have never been responded to. Very frustrating!

Gotcha, sites hosted with them. I have heard only good things about their Internet Access.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
> At the moment I can't find any other virusname to skip. For the recip.eml I've set
> SKIPIFVIRUSNAMEHAS Vulnerability
> And I've created a new vulnerability.eml with
> SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
> So I can send out two different warnings for a real virus and a vulnerability warning.

Same here.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.JunkMail] WHITELISTFILE Logging issue
> This is the line in the $default$.junkmail
> WHITELISTFILE D:\IMail\Declude\Whitelist.txt
> Looking at this log fragment the whitelist is working but the pass checking actions does not like the WHITELISTFILE line in the .junkmail file.

I am not familiar with this test yet, but unless WHITELISTFILE is a predetermined test in declude, you need to have it in Global.cfg.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Re: [Declude.JunkMail] WHITELISTFILE Logging issue
Sounds like you may have duplicate entries in your global.cfg file for:

WHITELISTFILE D:\IMail\Declude\Whitelist.txt

Bill

----- Original Message -----
From: Kevin Bilbee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 13, 2003 11:34 PM
Subject: [Declude.JunkMail] WHITELISTFILE Logging issue
Re: [Declude.JunkMail] WHITELISTFILE Logging issue
> 06/13/2003 09:54:56 Q01dd03c7027e1f3c Warning: misconfiguration in following line in configuration file (D:\IMail\Declude\Whitelist.txt is not an ACTION). May be a duplicate test definition?

There is an issue where this warning could appear even though it shouldn't -- the next release will take care of it.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] Junkmail hiccup
> So, just wanted to let you know that you can get messages that skip Junkmail processing if they come in as you are going down for maint.
>
> Perhaps for scheduled things, there should be a recommended procedure to shut down the IMAIL services for a few minutes first, until the queue is all delivered (not that it will help during random or emergency shutdowns -- power outages here sometimes result in unscheduled reboots).

That actually is the recommended procedure, although I haven't seen anyone discuss it. Simply stopping the IMail SMTP service will prevent new E-mail from arriving, but won't cause Declude or the SMTP32.exe delivery process to stop.

If you shut down without waiting, some unusual things can happen (without Declude, it would typically be duplicate E-mails, 1 or 2 hour delivery delays, and possibly corrupt E-mails).

-Scott
[Declude.JunkMail] OT - Challenge/Response Systems
Here is something for your weekend list of things to ponder...

I heard from a potential customer (small ISP) yesterday that tried a Challenge/Response system for 4 hours. Here is what happened (as best as I can explain it).

He implements the Challenge/Response system. A few of his users send emails to others whose ISPs are also using a (presumably different) Challenge/Response system. The remote systems receive the messages his users sent, and send out Challenge messages. His server received the Challenge messages and it sent out Challenge messages of its own back to the address on the remote server that sent the Challenge message. No human ever sees any of the messages.

This is bad enough, but it also works in reverse, and this is how he found out about the problem. Users of some remote system using Challenge/Response send his users messages and his system generates Challenge messages. The remote server receives the Challenge messages and sends new Challenge messages back to his server. His server sends back bounce messages because his Challenge messages were sent from a no-reply account. Then his server receives Challenge messages to the bounce messages and generates bounce messages of its own.

He notices that there are several hundred Challenge and bounce messages going both ways repeatedly after a few hours, and he has to shut it down and kill the reply accounts to stop the loop.

Don't know if it actually stopped any spam ;)

Brian
RE: [Declude.JunkMail] OT - Challenge/Response Systems
> Users of some remote system using Challenge/Response send his users messages and his system generates Challenge messages. The remote server receives the Challenge messages and sends new Challenge messages back to his server. His server sends back bounce messages because his Challenge messages were sent from a no-reply account. Then his server receives Challenge messages to the bounce messages and generates bounce messages of its own.
>
> He notices that there are several hundred Challenge and bounce messages going both ways repeatedly after a few hours, and he has to shut it down and kill the reply accounts to stop the loop.

HAHAHAHAHAHAHOHOHOHOHOHOHOHO LOL ROFLOL

Sorry, but it serves them right. This whole Challenge/Response system all automated is not well enough thought out. It's like taking the lazy man's way of doing things.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
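The challenge loop described in this thread, as an added example that is not part of the original posts: a toy model of two challenge/response servers, run with and without the loop guard from RFC 3834 (challenges sent with a null return path and an Auto-Submitted header, and no automatic reply to automatic mail). The class, the domain names and the addresses are constructed for illustration and do not model any particular product.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    env_from: str                      # SMTP envelope sender; "" is the null return path <>
    rcpt: str
    headers: dict = field(default_factory=dict)

class CRServer:
    """Toy challenge/response filter (constructed model, not a real product)."""

    def __init__(self, domain, loop_guard):
        self.domain = domain
        self.loop_guard = loop_guard
        self.known_senders = set()     # senders who already answered a challenge
        self.challenges_sent = 0

    def receive(self, msg):
        """Return the automatic message this server sends in reply, or None."""
        if msg.env_from == "":
            return None                # null return path: no address to challenge
        if msg.env_from in self.known_senders:
            return None                # delivered normally
        auto = msg.headers.get("Auto-Submitted", "no").lower()
        if self.loop_guard and auto != "no":
            return None                # RFC 3834: never auto-reply to automatic mail
        self.challenges_sent += 1
        if self.loop_guard:
            # Challenge carries a null return path and is marked as automatic.
            return Message("", msg.env_from, {"Auto-Submitted": "auto-replied"})
        # Naive behaviour from the thread: challenge sent from an ordinary address.
        return Message(f"challenge@{self.domain}", msg.env_from)

def simulate(guard_a, guard_b, max_hops=200):
    """One mail from a user at A to a user at B; returns (hops, challenges sent)."""
    a = CRServer("isp-a.example", guard_a)
    b = CRServer("isp-b.example", guard_b)
    servers = {a.domain: a, b.domain: b}
    msg = Message("alice@isp-a.example", "bob@isp-b.example")
    hops = 0
    while msg is not None and hops < max_hops:
        hops += 1
        msg = servers[msg.rcpt.split("@", 1)[1]].receive(msg)
    return hops, a.challenges_sent + b.challenges_sent

if __name__ == "__main__":
    for ga, gb in [(False, False), (True, True), (False, True), (True, False)]:
        print(f"guard A={ga!s:5} B={gb!s:5} ->", simulate(ga, gb))
```

With both servers naive the exchange only stops at the hop cap; a guard on either side ends it within three messages, because a challenge with a null return path leaves the peer nothing to challenge.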
Re: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
> At the moment I can't find any other virusname to skip. For the recip.eml I've set
> SKIPIFVIRUSNAMEHAS Vulnerability
> And I've created a new vulnerability.eml with
> SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
> So I can send out two different warnings for a real virus and a vulnerability warning.

I have seen it discussed as something some wanted, but I never saw anything talking about being able to use a vulnerability.eml file in a release of Declude. I tried searching the archives but vulnerability.eml actually shows every email with vulnerability in it which is a lot of mail. Also I didn't see anything on declude.com/Virus/manual.htm about it.

Is this in 1.70beta? Is it new?

-Josh
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
> I have seen it discussed as something some wanted, but I never saw anything talking about being able to use a vulnerability.eml file in a release of Declude. I tried searching the archives but vulnerability.eml actually shows every email with vulnerability in it which is a lot of mail. Also I didn't see anything on declude.com/Virus/manual.htm about it.
>
> Is this in 1.70beta? Is it new?

It is not new, but included as of about 1.65 I think. I use it quite successfully. Here is my vulnerability.eml file:

___
SKIPIFVIRUSNAMEDOESNOTHAVE Vulnerability
From: [EMAIL PROTECTED]
To: %ALLRECIPS%,[EMAIL PROTECTED]
Subject: We blocked an e-mail sent to you!

Delivery blocked: %ALLRECIPS%

The mail server for %LOCALHOST% scans each e-mail for Viruses, SPAM (Junk Mail) and e-mail vulnerabilities.

We caught an e-mail addressed to you that is formatted with %VIRUSNAME%, and have quarantined it for your protection.

If you recognize the below information as a valid e-mail that you want or should have received, please let us know. Otherwise, the e-mail will be deleted after 3 days.

FROM: %MAILFROM%
TO: %ALLRECIPS%
SUBJECT: %SUBJECT%
Remote IP: %REMOTEIP%
DATE: %DATE% @ %TIME%
SPOOL FILE: %QUEUENAME%

Headers of the e-mail in question:
%HEADERS%
___

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
[Declude.JunkMail] Spamdomains lookup timeout
Hi all,

I'm not sure about this, but I've seen some spam messages coming from domains contained in our sd-file (hotmail.com). However, the messages haven't failed the SPAMDOMAINS test.

For example from the Sender-IP: 218.25.255.18

Can it be because it's not possible to finish the REVDNS-query?
http://www.dnsstuff.com/tools/ptr.ch?ip=218.25.255.18

Question? If it's so that a timeout in a REVDNS-query doesn't trigger the test, can we change this, so that a timeout triggers the test? What if a query for a legit sender-IP times out? Why can a REVDNS-query time out? Isn't it so that any reachable IP is assigned to someone?

Markus
RE: [Declude.JunkMail] Spamdomains lookup timeout
Markus,

The idea is that we don't want to block VALID email. So, if a reverse lookup times out, there is no way to determine if there is no valid match and we can't just assume that it is SPAM.

Time-outs could be temporary problems with a particular DNS server, it could be a routing problem on the Internet - any number of reasons.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Saturday, June 14, 2003 09:22 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spamdomains lookup timeout
RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
I decided against notifying the recipient for Vulnerabilities. Apparently, vulnerabilities are essentially spam - and notifying the recipient would mean that they end up getting an unwanted message after all.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, June 14, 2003 03:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] SKIPIFVIRUSNAMEHAS
DSN:Re: [Declude.JunkMail] Spamdomains lookup timeout
Here is a comment on the web site www.dnsreport.com. When you check a site on this web site the first revdns check can fail and the explanation is as follows:

> Reverse DNS entries for MX records
>
> This may be a false positive due to the nasty BIND bug (client side) that causes reverse DNS entries to fail the first time (if you ever see long delays in reverse DNS lookups, that's because of this bug). You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site.

I have too many timeouts when checking the first time REVDNS for non-existing revdns.

Rifat Levis

----- Original Message -----
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 15, 2003 4:21 AM
Subject: [Declude.JunkMail] Spamdomains lookup timeout
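The point made in this thread about reverse-DNS timeouts (Andy Schmidt's reply and the first-lookup failures noted above), as an added example that is not Declude's code: a simplified model of a SPAMDOMAINS-style check that retries once and keeps "lookup timed out" separate from "PTR does not match". The matching rule, the scripted resolver, the IP addresses and the host names are assumptions constructed for illustration.

```python
from enum import Enum

class Verdict(Enum):
    NOT_LISTED = "sender domain not in the list"
    PASS = "PTR name belongs to the claimed domain"
    FAIL = "definitive answer, PTR missing or in another domain"
    UNKNOWN = "lookup timed out, no evidence either way"

TIMEOUT = object()   # marker used by the scripted resolver below

class ScriptedResolver:
    """Constructed stand-in for DNS: each IP has a list of outcomes, used in order."""
    def __init__(self, script):
        self.script = {ip: list(steps) for ip, steps in script.items()}

    def __call__(self, ip):
        steps = self.script[ip]
        step = steps.pop(0) if len(steps) > 1 else steps[0]   # last outcome repeats
        if step is TIMEOUT:
            raise TimeoutError(ip)
        return step

def spamdomains_check(mail_from, ip, listed, resolve_ptr, attempts=2):
    """Assumed rule: a listed sender domain must match the PTR name of the sending IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain not in listed:
        return Verdict.NOT_LISTED
    for _ in range(attempts):
        try:
            names = resolve_ptr(ip)
        except TimeoutError:
            continue                   # first lookups can fail; try again
        hosts = [n.lower().rstrip(".") for n in names]
        ok = any(h == domain or h.endswith("." + domain) for h in hosts)
        return Verdict.PASS if ok else Verdict.FAIL
    return Verdict.UNKNOWN             # never scored as spam on a timeout alone

def spam_weight(verdict, weight=10):
    """Only a definitive mismatch adds weight; a timeout adds nothing."""
    return weight if verdict is Verdict.FAIL else 0

def run_samples():
    # Constructed sample data: documentation IP ranges and made-up PTR names.
    resolver = ScriptedResolver({
        "192.0.2.10":   [["mx1.hotmail.com."]],
        "198.51.100.7": [["host7.dialup.example.net."]],
        "198.51.100.20": [[]],                          # no PTR record at all
        "203.0.113.5":  [TIMEOUT, ["mx2.hotmail.com"]],  # fails once, then answers
        "203.0.113.9":  [TIMEOUT],                      # never answers
    })
    return {ip: spamdomains_check("someone@hotmail.com", ip, {"hotmail.com"}, resolver)
            for ip in resolver.script}

if __name__ == "__main__":
    for ip, verdict in run_samples().items():
        print(f"{ip:15} {verdict.name:8} weight={spam_weight(verdict)}")
```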