[Declude.JunkMail] External Spam Header

2003-07-29 Thread Hermann Strassner
Hello!

Our backup mail servers are located at our provider and run under Linux with
Spamassassin.
This program marks each mail as spam with an extra line in the header as
X-SPAM-FLAG: YES.

How can I use this flag on Declude?
The mails themselves are not detected, because they came from the mailserver of
our provider, and this mailserver shows no signs of spam.

Hermann

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Question Marks ignored

2003-07-29 Thread R. Scott Perry

> I am using a great 3rd-party Outlook add-on called PocketKnife Peek
> (http://www.xintercept.com/pkpeek.htm) --which I highly recommend to anyone,
> by the way--which allows me to view the plain text, html source and full
> headers of any message (so I can avoid viruses and also see why filtering on
> words doesn't always work for every message). Assuming I can see MIME
> headers, what would I look for?

Most likely, you won't be able to see MIME headers (most mail clients let 
you see the standard E-mail headers, but I haven't seen any yet that 
display the MIME headers from the body of the E-mail).

If so, you should see the full E-mail headers, followed by at least one 
blank line, followed by some other headers (the key being the blank line, 
that separates the standard headers from the body of the E-mail and/or 
headers in the body).  If you see Content-Transfer-Encoding: base64, that 
would indicate that the E-mail (or part of it) is base64 encoded.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



Re: [Declude.JunkMail] Cannot whitelist

2003-07-29 Thread R. Scott Perry

> Anyone care to try to take a crack at this? I have unsuccessfully been
> trying to whitelist this weekly email for months. In my $default$.junkmail
> file, I have:
>
> WHITELISTFILE D:\IMail\Declude\Whitelist.txt

Are you running v1.75 (which is required for the WHITELISTFILE option)?  Is 
the E-mail that you are trying to whitelist using the $default$.JunkMail 
file (IE no per-user/per-domain settings, and not outgoing E-mail)?

Are any E-mails being whitelisted by the test (if not, the test itself may 
not be set up properly; if so, it is probably the specific entries for this 
one E-mail that need to be changed)?

> And in the D:\IMail\Declude\Whitelist.txt file, I have these lines:
>
> sparklist.com
> .sparklist.com
> nova.sparklist.com
> @nova.sparklist.com
> angustel.ca
> @angustel.ca
>
> These have been added over time trying to get this thing to whitelist,
> with no luck. Any ideas why?
>
> X-Declude-Sender: [EMAIL PROTECTED] [216.91.57.182]

There were reports on some versions of Declude JunkMail before 1.75 that 
whitelisting would not work properly on longer return addresses such as 
this.  We haven't had any such reports with 1.75, so if you aren't on 1.75, 
I would recommend upgrading to it.

   -Scott


Re: [Declude.JunkMail] External Spam Header

2003-07-29 Thread R. Scott Perry

> Our backup mail servers are located at our provider and run under Linux with
> Spamassassin.
> This program marks each mail as spam with an extra line in the header as
> X-SPAM-FLAG: YES.
> How can I use this flag on Declude?

You could add a filter with a line HEADERS  0  CONTAINS  X-SPAM-FLAG: YES.  However:

> The mails themselves are not detected, because they came from the mailserver of
> our provider, and this mailserver shows no signs of spam.

Declude JunkMail can actually handle this -- if you add a line in the 
format IPBYPASS 192.0.2.25 to the \IMail\Declude\global.cfg file, Declude 
JunkMail will scan the E-mail as if Declude JunkMail was running on the 
backup mailserver.

   -Scott


RE: [Declude.JunkMail] External Spam Header

2003-07-29 Thread Hermann Strassner
> You could add a filter with a line HEADERS  0  CONTAINS  X-SPAM-FLAG: YES.
> However:

OK. This is only possible in the Pro Version?

> Declude JunkMail can actually handle this -- if you add a line in the
> format IPBYPASS 192.0.2.25 to the \IMail\Declude\global.cfg file, Declude
> JunkMail will scan the E-mail as if Declude JunkMail was running on the
> backup mailserver.

OK, I see. But what should I do if my provider has 30 or 40 outgoing
mailservers, each of them can deliver the mail to me? Is it possible to
bypass a complete subnet or an IP range?
(I have this problem with web.de and gmx.de)

Hermann



RE: [Declude.JunkMail] External Spam Header

2003-07-29 Thread R. Scott Perry

>> You could add a filter with a line HEADERS  0  CONTAINS  X-SPAM-FLAG: YES.
>> However:
> OK. This is only possible in the Pro Version?

Correct.

>> Declude JunkMail can actually handle this -- if you add a line in the
>> format IPBYPASS 192.0.2.25 to the \IMail\Declude\global.cfg file, Declude
>> JunkMail will scan the E-mail as if Declude JunkMail was running on the
>> backup mailserver.
> OK, I see. But what should I do if my provider has 30 or 40 outgoing
> mailservers, each of them can deliver the mail to me?

Get another provider.  :)

However, note that you don't need to add all the IPs of all their 
mailservers, or all the IPs in their MX records -- just the IPs of the 
mailserver(s) that act as a backup for you.  The most number of IPs I can 
recall seeing in an MX record is about 6 (with the exception of AOL, 
Hotmail, and some other very large E-mail processors).  Note that Declude 
JunkMail has a limit of 20 IPBYPASS lines, so you wouldn't be able to do 
this with 30-40 mailservers.

   -Scott


Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-29 Thread Joshua Levitsky



All I have to say is things have a way of coming around...

That was a comment to you, and nobody here knows the B.S. Comments you've
sent me off list because I don't send personal emails to lists. I am leaving
the list after this email. I only came back on because I saw your email in
the archives. 

Stop now and the argument stops here. Take that however you like.





Re: [Declude.JunkMail] Cannot whitelist

2003-07-29 Thread Scott MacLean

At 07:52 AM 7/29/2003, R. Scott Perry wrote:
>> Anyone care to try to take a crack at this? I have unsuccessfully been
>> trying to whitelist this weekly email for months. In my $default$.junkmail
>> file, I have:
>>
>> WHITELISTFILE D:\IMail\Declude\Whitelist.txt
> Are you running v1.75 (which is required for the WHITELISTFILE
> option)?

Yes.

> Is the E-mail that you are trying to whitelist using the
> $default$.JunkMail file (IE no per-user/per-domain settings, and not
> outgoing E-mail)?

Yes, it is incoming email, and it is not using per-user/per-domain
settings.

> Are any E-mails being whitelisted by the test (if not, the test itself
> may not be set up properly;

Yes, other emails are being whitelisted by the test.

> if so, it is probably the specific entries for this one E-mail that need
> to be changed)?

That's what I was hoping someone might come up with.

>> And in the D:\IMail\Declude\Whitelist.txt file, I have these lines:
>>
>> sparklist.com
>> .sparklist.com
>> nova.sparklist.com
>> @nova.sparklist.com
>> angustel.ca
>> @angustel.ca
>>
>> These have been added over time trying to get this thing to whitelist,
>> with no luck. Any ideas why?
>>
>> X-Declude-Sender: [EMAIL PROTECTED] [216.91.57.182]
> There were reports on some versions of Declude JunkMail before 1.75 that
> whitelisting would not work properly on longer return addresses such as
> this. We haven't had any such reports with 1.75, so if you aren't
> on 1.75, I would recommend upgrading to it.

I'm definitely running 1.75.


___
Scott MacLean
[EMAIL PROTECTED]
ICQ: 9184011
http://www.nerosoft.com



[Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread Charles Frolick
Scott,

I have a customer who hosts their web and DNS with me and their mail on
SWBell DSL.  SWBell would not create a custom PTR but will delegate the
reverse zone of their IPs to my name server (which is cool).  The
problem is I do not think they did it correctly or my NS handles it in
an odd way. 

The customer's CIDR Block: 65.69.21.192/27
Zone in my NS: 192/27.21.69.65.in-addr.arpa (this is from the SimpleDNS
Plus reverse zone wizard)
Mail server: smtp.gbltx.com [65.69.201.195]

If I nslookup 65.69.201.195, all is fine, if I nslookup
195.201.69.65.in-addr.arpa, it only lists NS records (mine and
swbell.net's).

This is my first time dealing with reverse zones for anything other than
/24 CIDR blocks.

Thanks,
Chuck Frolick
ArgoNet, Inc.



RE: [Declude.JunkMail] Question Marks ignored

2003-07-29 Thread Colbeck, Andrew
SP> Unfortunately, that can be difficult to determine.  You would need to view
SP> the raw source of the E-mail, which many mail clients don't support (you
SP> would need to be able to see the MIME headers).

MG> I am using a great 3rd-party Outlook add-on called PocketKnife Peek
MG> (http://www.xintercept.com/pkpeek.htm) --which I highly recommend to anyone,
MG> by the way--which allows me to view the plain text, html source and full
MG> headers of any message (so I can avoid viruses and also see why filtering on
MG> words doesn't always work for every message). Assuming I can see MIME
MG> headers, what would I look for?

Mike, I use Outlook and Exchange as well, so I thought I'd point something
out, and also check out your software tip.

Outlook will cheerfully show you the decoded version of a BASE64 text
attachment, such as when you get an HTML formatted message that is BASE64
encoded; if you do a File, Save As you will get the decoded text.

PocketPeek will do the same in the Plain Text and the HTML Source tabs.  The
Internet Header tab, though, will show Content-Transfer-Encoding: base64
as one of the last lines.  I'll include a sanitized header below.

I recommend the BASE64 test from the JunkMail manual.  However, thanks to
John Tolmachoff, I have some recommendations for JunkMail Pro users to
counterbalance mail from servers that send BASE64 encoded text for no good
reason:

#Nov-29-2002 AC Cancel the BASE64 weight when the client was OWA for Exchange 2000 and Enterprise
HEADERS -10 CONTAINS Microsoft Exchange V6.0.5762.3
HEADERS -10 CONTAINS Microsoft Exchange V6.0.6249.0

#Jan-21-2003 AC Cancel the BASE64 weight for other products that happen to encode body text as BASE64
HEADERS -10 CONTAINS QuickMail Pro Server for Mac

Andrew 8)

p.s. Similar to the way you use PocketPeek, I turn off all my rich content
rendering in Internet Explorer so as to not trigger web bugs and
advertisements in HTML messages.

Sample Header from a spam with a BASE64 encoded text attachment:

Received: from bestwaytogo.us [4.65.167.214] by mail.bentall.com
  (SMTPD32-7.13) id A8B47FD00E8; Tue, 29 Jul 2003 06:37:56 -0700
Message-ID: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: snip snip
Subject: Are you prepared? xhl
Date: Tue, 29 Jul 2003 17:40:15 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPartTM-000-8e9e28a5-514a-484e-ba23-aacca6b633b3
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in
this E-mail.

This is a multi-part message in MIME format.

--=_NextPartTM-000-8e9e28a5-514a-484e-ba23-aacca6b633b3
Content-Type: multipart/alternative;
boundary==_NextPart_3A7_4927_C43ED1B6.CFC72D31

--=_NextPart_3A7_4927_C43ED1B6.CFC72D31
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--=_NextPart_3A7_4927_C43ED1B6.CFC72D31
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: base64

--=_NextPart_3A7_4927_C43ED1B6.CFC72D31--

--=_NextPartTM-000-8e9e28a5-514a-484e-ba23-aacca6b633b3--



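Added example (not part of the post above and not Declude's code): one way to see what a BASE64-style test reacts to, using Python's standard `email` package on a constructed message shaped like the sample header. The addresses, boundaries and body text are made up for the example.

```python
import base64
from email import message_from_string


def build_sample():
    """Constructed message: multipart/mixed > multipart/alternative holding a
    quoted-printable text/plain part and a base64-encoded text/html part."""
    html = "<html><body>Constructed sample: limited offer, click here</body></html>"
    b64 = base64.encodebytes(html.encode("iso-8859-1")).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "To: rcpt@example.invalid\n"
        "Subject: Constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="outer"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        "\n"
        "--outer\n"
        'Content-Type: multipart/alternative; boundary="inner"\n'
        "\n"
        "--inner\n"
        "Content-Type: text/plain; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        "Constructed plain-text alternative=2E\n"
        "\n"
        "--inner\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        + b64 +
        "\n"
        "--inner--\n"
        "\n"
        "--outer--\n"
    )


def text_parts(raw):
    """Yield (content_type, transfer_encoding, decoded_text) for each text/* leaf.

    The MIME headers live in the body, after the blank line that ends the
    standard headers, so the whole raw source has to be parsed to find them."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        charset = part.get_content_charset() or "latin-1"
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the message
            text = payload.decode("latin-1")
        yield part.get_content_type(), cte, text


def base64_text_parts(raw):
    """Content types of text sections that were sent base64-encoded."""
    return [ctype for ctype, cte, _ in text_parts(raw) if cte == "base64"]


def keyword_hits(raw, keyword):
    """Compare a word filter on the raw source with one on the decoded text."""
    kw = keyword.lower()
    return {
        "raw": kw in raw.lower(),
        "decoded": any(kw in text.lower() for _, _, text in text_parts(raw)),
    }


if __name__ == "__main__":
    sample = build_sample()
    print("base64 text parts:", base64_text_parts(sample))
    print("keyword 'click here':", keyword_hits(sample, "click here"))
```

A word filter that only sees the raw source misses the phrase, while the same filter on the decoded part finds it, which is why the mail client's decoded view and the filter's view can disagree.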


RE: [Declude.JunkMail] Question Marks ignored

2003-07-29 Thread Mike Gable
>> Assuming I can see MIME headers, what would I look for?
>
> Most likely, you won't be able to see MIME headers (most mail clients let
> you see the standard E-mail headers, but I haven't seen any yet that
> display the MIME headers from the body of the E-mail).
>
> If so, you should see the full E-mail headers, followed by at least one
> blank line, followed by some other headers (the key being the blank line,
> that separates the standard headers from the body of the E-mail and/or
> headers in the body).  If you see Content-Transfer-Encoding: base64, that
> would indicate that the E-mail (or part of it) is base64 encoded.

I haven't seen that yet, but then I haven't been looking for it, either.
In any case, I think I resolved the problem. Since I had only been
viewing the message with PocketKnife Peek, I had not been seeing the
Unicode characters from its original language, only question marks in
their place. When viewing the message in Outlook it looks like this:

...

and so on. Russian or Eastern European, I'm guessing. (If you don't view
this message in Unicode, you won't see what I pasted above, but perhaps
question marks or something else instead). Hence, the filter on question
marks doesn't catch it.






RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread Andy Schmidt
Hi,

Some providers will delegate a classless reverse lookup zone to you. That's
what you expected.

Some providers will NOT delegate the zone to you - instead they have THEIR
name server act as secondary to your master name server for that zone,
i.e., they do zone transfers from your master server to their name servers -
and then their name servers answer the queries.

> The customer's CIDR Block: 65.69.21.192/27
> If I nslookup 65.69.201.195

So which is it? 65.69.201.x or 65.69.21.x?

http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.21.195 shows that there is a
valid Reverse DNS - so why do you want to change it?

It also indicates that there is NO delegation from the SWBELL name server to
yours.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/




RE: [Declude.JunkMail] Question Marks ignored

2003-07-29 Thread R. Scott Perry

> Уникальная возможность всего за неделю...
>
> and so on. Russian or Eastern European, I'm guessing.(If you don't view
> this message in unicode, you won't see what I pasted above, but perhaps
> question marks or something else instead). Hence, the filter on question
> marks doesn't catch it.

One warning here for people that are looking to filter on text that has the 
high bit characters set -- make sure that you only do so with v1.75 or 
higher.  Earlier versions would treat the high bit characters as the end of 
the text to filter on, so filtering on SÐ would catch anything with S 
in it.

   -Scott


Re: [Declude.JunkMail] External Spam Header

2003-07-29 Thread R. Scott Perry

>> However, note that you don't need to add all the IPs of all their
>> mailservers, or all the IPs in their MX records -- just the IPs of the
>> mailserver(s) that act as a backup for you.
> One example:
> Received: from mx11.web.de [217.72.192.170] by hama.de with ESMTP
>   (SMTPD32-6.06) id AAC53EAC02A6; Tue, 29 Jul 2003 00:59:17 +0200

So the IP (217.72.192.170) might actually be one of many different 
IPs?  That is very unusual.  If they only accept E-mail to one IP, it would 
be much more logical for them to send from that same IP.

But if it really is the case that they have 30-40 different IPs that the 
mail may be coming from, my recommendation would be to remove them from the 
MX record.  Even if Declude JunkMail could support that many backup IPs, it 
would still require a lot of time to keep up with changes to them.

   -Scott
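Added illustration (not Declude's code and not from the posts in this thread): a Python sketch of the idea behind the two suggestions above, skipping known backup relays in the Received chain to find the host that handed the mail to the backup, and counting X-Spam-Flag only when the connecting host is one of those relays. The relay set, host names and both messages are constructed; 192.0.2.25 is the placeholder address from the IPBYPASS line.

```python
import re
from email import message_from_string

# Stand-in for the IPBYPASS entries: addresses of the backup mail servers.
BACKUP_RELAYS = {"192.0.2.25"}

# Matches the "[a.b.c.d]" form seen in the Received line quoted in the thread.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample 1: mail that reached us through the backup server.
RELAYED = """\
Received: from backup.provider.example [192.0.2.25] by mail.customer.example with ESMTP
  (SMTPD32-7.13) id A000000000A; Tue, 29 Jul 2003 01:00:05 +0200
Received: from sender.example [203.0.113.77] by backup.provider.example with ESMTP;
  Tue, 29 Jul 2003 01:00:01 +0200
X-Spam-Flag: YES
From: someone@sender.example
Subject: constructed sample

body
"""

# Constructed sample 2: mail delivered directly, carrying the same header.
DIRECT = """\
Received: from sender.example [203.0.113.77] by mail.customer.example with ESMTP
  (SMTPD32-7.13) id A000000000B; Tue, 29 Jul 2003 01:05:00 +0200
X-Spam-Flag: YES
From: someone@sender.example
Subject: constructed sample

body
"""


def hop_ips(raw):
    """IPs from the Received headers, newest hop first (top of the message)."""
    msg = message_from_string(raw)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def effective_sender(raw, relays=BACKUP_RELAYS):
    """First hop that is not one of our own backup relays.

    Only hops written by our server or by a listed relay are believed, so the
    walk stops at the first address outside the relay set."""
    for ip in hop_ips(raw):
        if ip not in relays:
            return ip
    return None


def spam_flag_counts(raw, relays=BACKUP_RELAYS):
    """Honour X-Spam-Flag only when the connecting host is a backup relay.

    The header is ordinary message content, so on directly delivered mail it
    says nothing about what the backup's SpamAssassin decided."""
    hops = hop_ips(raw)
    if not hops or hops[0] not in relays:
        return False
    msg = message_from_string(raw)
    return (msg.get("X-Spam-Flag") or "").strip().upper() == "YES"


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("direct", DIRECT)):
        print(name, effective_sender(raw), spam_flag_counts(raw))
```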


Re: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread R. Scott Perry

> The customer's CIDR Block: 65.69.21.192/27
> Zone in my NS: 192/27.21.69.65.in-addr.arpa (this is from the SimpleDNS
> Plus reverse zone wizard)
> Mail server: smtp.gbltx.com [65.69.201.195]
> If I nslookup 65.69.201.195, all is fine, if I nslookup
> 195.201.69.65.in-addr.arpa, it only lists NS records (mine and
> swbell.net's).
> This is my first time dealing with reverse zones for anything other than
> /24 CIDR blocks.

Actually, http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.21.192 shows that 
swbell isn't delegating authority for the reverse DNS to your servers -- it 
is simply reporting an answer of 
adsl-65-69-21-192.dsl.hstntx.swbell.net.  You'll need to contact swbell.net 
to have them delegate authority for the reverse DNS to your servers.

   -Scott


Re: [Declude.JunkMail] New spamcop style RBL..

2003-07-29 Thread Bill Landry
Apologies to the list for the noise, my bad!

Bill


[Declude.JunkMail] Declude stats

2003-07-29 Thread Mark Gordon
I have seen a post about having declude listing percentages about what it has done and blocked. What were the command line options to have this done? Thanks




Re: [Declude.JunkMail] Declude stats

2003-07-29 Thread R. Scott Perry

> I have seen a post about having declude listing percentages about what it
> has done and blocked. What were the command line options to have this
> done? Thanks

Declude JunkMail doesn't include a program to do this, but there are 
several tools listed at http://www.declude.com/tools that can help with stats.

   -Scott


RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread Charles Frolick
I typoed, it is 65.69.201.192/27, and my zone is
192/27.201.69.65.in-addr.arpa.

And lookup of http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.192
shows:

Asking d.root-servers.net for 192.201.69.65.in-addr.arpa PTR record:  
   d.root-servers.net says to go to FIGWORT.arin.net. (zone:
65.in-addr.arpa.)
Asking FIGWORT.arin.net. for 192.201.69.65.in-addr.arpa PTR record:  
   figwort.arin.net says to go to NS2.SWBELL.NET. (zone:
69.65.in-addr.arpa.)
Asking NS2.SWBELL.NET. for 192.201.69.65.in-addr.arpa PTR record:  
   ns2.swbell.net says to go to argo21.argohouston.com. (zone:
192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 192.201.69.65.in-addr.arpa PTR
record:  Got unknown response (rc=0 an=0 type= err=).

But http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.195 shows:

Asking b.root-servers.net for 195.201.69.65.in-addr.arpa PTR record:  
   b.root-servers.net says to go to DILL.arin.net. (zone:
65.in-addr.arpa.)
Asking DILL.arin.net. for 195.201.69.65.in-addr.arpa PTR record:  
   dill.arin.net says to go to NS1.SWBELL.NET. (zone:
69.65.in-addr.arpa.)
Asking NS1.SWBELL.NET. for 195.201.69.65.in-addr.arpa PTR record:  Got
CNAME referral to argo21.argohouston.com. (zone
195.192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 195.192.201.69.65.in-addr.arpa. PTR
record:  Got unknown response (rc=0 an=0 type= err=).

The CNAME response is weird to me.

Thanks,
Chuck Frolick
ArgoNet, Inc.



RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread R. Scott Perry

> I typoed, it is 65.69.201.192/27, and my zone is
> 192/27.201.69.65.in-addr.arpa.

Actually, the swbell servers are just sending the request to your DNS 
servers, so DNS clients will look up 192.201.69.65.in-addr.arpa (without 
using any CNAMEs).  Your DNS server is not returning any answers for that.

If you add a PTR record for 192.201.69.65.in-addr.arpa, you should be all set.

   -Scott


RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread Andy Schmidt
It's a bit unconventional - and not fool-proof - but functional for now.

They added the following information to their name servers:

A) for each IP address a CNAME to the delegated classless zone, e.g.

In their 69.65.in-addr.arpa.

192.201 CNAME   192.192.201.69.65.in-addr.arpa.
193.201 CNAME   193.192.201.69.65.in-addr.arpa.
194.201 CNAME   194.192.201.69.65.in-addr.arpa.
... Etc

192.201 NS  argo21.argohouston.com.
192.201 NS  argo22.argohouston.com.

B) To match their entries, you need to create your own zone on your name
servers:

Zone 192.201.69.65.in-addr.arpa.

192 PTR Host192.argohouston.com.
193 PTR Host193.argohouston.com.
194 PTR Host194.argohouston.com.

(etc - pick whatever valid host names you desire.)


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charles Frolick
Sent: Tuesday, July 29, 2003 04:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Reverse Lookup Delegation


I typoed, it is 65.69.201.192/27, and my zone is
192/27.201.69.65.in-addr.arpa.

And lookup of http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.192
shows:

Asking d.root-servers.net for 192.201.69.65.in-addr.arpa PTR record:  
   d.root-servers.net says to go to FIGWORT.arin.net. (zone:
65.in-addr.arpa.)
Asking FIGWORT.arin.net. for 192.201.69.65.in-addr.arpa PTR record:  
   figwort.arin.net says to go to NS2.SWBELL.NET. (zone:
69.65.in-addr.arpa.)
Asking NS2.SWBELL.NET. for 192.201.69.65.in-addr.arpa PTR record:  
   ns2.swbell.net says to go to argo21.argohouston.com. (zone:
192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 192.201.69.65.in-addr.arpa PTR
record:  Got unknown response (rc=0 an=0 type= err=).

But http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.201.195 shows:

Asking b.root-servers.net for 195.201.69.65.in-addr.arpa PTR record:  
   b.root-servers.net says to go to DILL.arin.net. (zone:
65.in-addr.arpa.)
Asking DILL.arin.net. for 195.201.69.65.in-addr.arpa PTR record:  
   dill.arin.net says to go to NS1.SWBELL.NET. (zone:
69.65.in-addr.arpa.)
Asking NS1.SWBELL.NET. for 195.201.69.65.in-addr.arpa PTR record:  Got CNAME
referral to argo21.argohouston.com. (zone
195.192.201.69.65.in-addr.arpa.)
Asking argo21.argohouston.com. for 195.192.201.69.65.in-addr.arpa. PTR
record:  Got unknown response (rc=0 an=0 type= err=).

The CNAME response is weird to me.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, July 29, 2003 1:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Reverse Lookup Delegation


Actually, http://www.dnsstuff.com/tools/ptr.ch?ip=65.69.21.192 shows that 
swbell isn't delegating authority for the reverse DNS to your servers -- it 
is simply reporting an answer of 
adsl-65-69-21-192.dsl.hstntx.swbell.net.  You'll need to contact swbell.net 
to have them delegate authority for the reverse DNS to your servers.

-Scott



RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread Charles Frolick
Thanks,

For some reason I wasn't catching that they were referring to a zone
named 192.201.69.65.in-addr.arpa instead of
192/27.201.69.65.in-addr.arpa as I had it.  All works now. I guess I was
expecting my server to need the CIDR notation to know that it needs to
find the delegating server for the rest of the range.  How does that
work?  I don't see any notation of the range in the zone file, does it
assume the largest subnet from that IP?  Just curious.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, July 29, 2003 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Reverse Lookup Delegation



> I typoed, it is 65.69.201.192/27, and my zone is
> 192/27.201.69.65.in-addr.arpa.

Actually, the swbell servers are just sending the request to your DNS
servers, so DNS clients will look up 192.201.69.65.in-addr.arpa (without
using any CNAMEs).  Your DNS server is not returning any answers for that.

If you add a PTR record for 192.201.69.65.in-addr.arpa, you should be all
set.

-Scott



RE: [Declude.JunkMail] Reverse Lookup Delegation

2003-07-29 Thread R. Scott Perry

> For some reason I wasn't catching that they were referring to a zone
> named 192.201.69.65.in-addr.arpa instead of
> 192/27.201.69.65.in-addr.arpa as I had it.  All works now. I guess I was
> expecting my server to need the CIDR notation to know that it needs to
> find the delegating server for the rest of the range.  How does that
> work?  I don't see any notation of the range in the zone file, does it
> assume the largest subnet from that IP?  Just curious.

What swbell is doing is they are sending each IP separately.  Rather than 
sending the whole /27 IP range to you as a whole, they are sending each IP 
individually.  So you'll need to have:

192.201.69.65.in-addr.arpa  PTR host192.example.com
193.201.69.65.in-addr.arpa  PTR host193.example.com
194.201.69.65.in-addr.arpa  PTR host194.example.com
...
   -Scott
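
Added example (not part of the thread, and not code from any poster): it computes, for a block smaller than a /24, the names at which the customer's DNS server must answer PTR queries under the two zone labels discussed above, the `192` label seen in the dnsstuff traces and the `192/27` label Chuck first used. The function names and the `host{last}.example.com.` pattern are placeholders.

```python
import ipaddress

def child_ptr_owners(cidr, zone_label):
    """Return (zone, {ip: owner name the child server must answer PTR for})."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("expects an IPv4 block smaller than a /24")
    o = str(net.network_address).split(".")
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    zone = f"{zone_label}.{parent}"
    owners = {}
    for addr in net:  # includes the network and broadcast addresses
        last = str(addr).split(".")[3]
        if last == zone_label:
            # The parent holds the NS records at this name, so it cannot also
            # hold a CNAME there: the query arrives unchanged at the zone apex.
            owners[str(addr)] = zone
        else:
            # The parent publishes: <last> CNAME <last>.<zone>
            owners[str(addr)] = f"{last}.{zone}"
    return zone, owners

def zone_records(cidr, zone_label, host_fmt="host{last}.example.com."):
    """PTR records for the child zone; host_fmt is a placeholder pattern."""
    _, owners = child_ptr_owners(cidr, zone_label)
    return [(owner, "PTR", host_fmt.format(last=ip.split(".")[3]))
            for ip, owner in owners.items()]

if __name__ == "__main__":
    for label in ("192", "192/27"):
        zone, _ = child_ptr_owners("65.69.201.192/27", label)
        print("zone", zone)
        for rec in zone_records("65.69.201.192/27", label)[:4]:
            print("  %s %s %s" % rec)
```

With the `192` label the first address is answered at the zone apex, while every other address in the block is reached through a CNAME into the zone, which matches the `195.192.201.69.65.in-addr.arpa.` name in the trace for 65.69.201.195.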


Re: [Declude.JunkMail] Cannot whitelist

2003-07-29 Thread R. Scott Perry

>> if so, it is probably the specific entries for this one E-mail that
>> need to be changed)?
> That's what I was hoping someone might come up with.

I just tested here, sending an E-mail with the same return address, and a 
WHITELISTFILE that had the exact same entries you posted, and the E-mail 
got caught.

In this case, the only thing I can think of to find out what is happening 
is to use the debug mode (LOGLEVEL DEBUG) until it next happens.  The 
debug log file information should track down the problem.

   -Scott


[Declude.JunkMail] Reverse Lookup Filter Not Resolving CNAMEs?

2003-07-29 Thread Andy Schmidt
Hi Scott:

This log entry shows that WEIGHTFILTER line 18 was triggered:

07/29/2003 17:29:11 Qe72424c300ae45b3 OSSRC:6 nIPNOTINMX:-2
nNOLEGITCONTENT:-3 WEIGHTFILTER:4 .  Total weight = 5
07/29/2003 17:29:11 Qe72424c300ae45b3 Msg failed OSSRC ([1] IMGDirect, see
http://spews.org/ask.cgi?S804). Action=WARN.
07/29/2003 17:29:11 Qe72424c300ae45b3 Msg failed WEIGHTFILTER (Message
failed WEIGHTFILTER test (18)). Action=IGNORE.
07/29/2003 17:29:11 Qe72424c300ae45b3 Subject: Re: FW: you bounced my email
as spam
07/29/2003 17:29:11 Qe72424c300ae45b3 From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 208.237.120.134 ID: 

My Weightfilter line 18 is:

REVDNS   4  ENDSWITH  .in-addr.arpa

However, DNSstuff resolves the DNS correctly to secnap2.secnap.net.

It appears as if Declude 1.75 is not resolving PTR CNAMEs correctly?  I
thought we had fixed that problem in an earlier beta?


http://www.dnsstuff.com/tools/ptr.ch?ip=208.237.120.132

Country: UNITED STATES

Preparation:
The  reverse DNS entry for an IP is found by reversing the IP, adding it to
in-addr.arpa, and looking up the PTR record.
So, the reverse DNS entry for 208.237.120.132 is found by looking up the PTR
record for
 132.120.237.208.in-addr.arpa.
All DNS requests start by asking the root servers, and they let us know what
to do next.
See How Reverse DNS Lookups Work for more information.

How I am searching:
Asking i.root-servers.net for 132.120.237.208.in-addr.arpa PTR record:  
   i.root-servers.net says to go to EPAZOTE.arin.net. (zone:
208.in-addr.arpa.)
Asking EPAZOTE.arin.net. for 132.120.237.208.in-addr.arpa PTR record:  
   epazote.arin.net says to go to AUTH00.NS.UU.NET. (zone:
237.208.in-addr.arpa.)
Asking AUTH00.NS.UU.NET. for 132.120.237.208.in-addr.arpa PTR record:  
   auth00.ns.uu.net says to go to ns2.airface.com. (zone:
120.237.208.in-addr.arpa.)
Asking ns2.airface.com. for 132.120.237.208.in-addr.arpa PTR record:  Got
CNAME referral to caerulus.cerintha.com. (zone 208.237.132.secnap.net.)
Asking caerulus.cerintha.com. for 208.237.132.secnap.net. PTR record:
Reports secnap2.secnap.net.

Answer:
208.237.120.132 PTR record: secnap2.secnap.net. [TTL 3600s]
[A=208.237.120.132]


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



Re: [Declude.JunkMail] Reverse Lookup Filter Not Resolving CNAMEs?

2003-07-29 Thread R. Scott Perry

> However, DNSstuff resolves the DNS correctly to secnap2.secnap.net.
>
> It appears as if Declude 1.75 is not resolving PTR CNAMEs correctly?  I
> thought we had fixed that problem in an earlier beta?

This issue was supposed to have been fixed in 1.70 I believe, but it wasn't 
fully fixed.  There is an interim release 1.75i1 at 
http://www.declude.com/release/175i/declude.exe that takes care of this.

It doesn't happen with normal CNAMEs that appear in DNS lookups (which are 
often used to delegate IP ranges smaller than a Class C range), but happens 
when an authoritative server returns both a CNAME and the corresponding PTR 
record (instead of using the CNAME to refer to another server).  There 
seems to be no logical reason to set up the reverse DNS this way, though.

   -Scott
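
Added example (not Declude's code and not part of the thread): the case described above, where one answer section carries both a CNAME and the PTR it points to, handled by a resolver that only accepts a PTR owned by the query name and by one that follows the CNAME first. The answer section is constructed from the names in the dnsstuff trace; the function names are hypothetical, and treating an unresolved lookup as leaving the in-addr.arpa name in REVDNS is an assumption.

```python
import ipaddress

def _norm(name):
    return name.rstrip(".").lower()

def naive_ptr(qname, answers):
    """Accept only PTR records owned by the exact query name."""
    return [_norm(t) for o, typ, t in answers
            if typ == "PTR" and _norm(o) == _norm(qname)]

def chased_ptr(qname, answers, max_hops=8):
    """Follow CNAMEs inside the same answer section until a PTR owner is reached."""
    name, seen = _norm(qname), set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        ptrs = [_norm(t) for o, typ, t in answers
                if typ == "PTR" and _norm(o) == name]
        if ptrs:
            return ptrs
        cnames = [_norm(t) for o, typ, t in answers
                  if typ == "CNAME" and _norm(o) == name]
        if not cnames:
            return []
        name = cnames[0]
    return []  # CNAME loop, or a chain longer than max_hops

def revdns_value(ip, answers, resolver):
    """Assumption: an unresolved lookup leaves the in-addr.arpa query name."""
    qname = ipaddress.ip_address(ip).reverse_pointer
    found = resolver(qname, answers)
    return found[0] if found else qname

def endswith_rule_hits(revdns, suffix=".in-addr.arpa"):
    """Mirror of a REVDNS ENDSWITH .in-addr.arpa filter line."""
    return revdns.lower().endswith(suffix)

# Constructed answer section using the names from the dnsstuff trace above.
ANSWERS = [
    ("132.120.237.208.in-addr.arpa.", "CNAME", "208.237.132.secnap.net."),
    ("208.237.132.secnap.net.", "PTR", "secnap2.secnap.net."),
]
# Constructed CNAME loop to show the chase terminates.
LOOP = [("a.example.", "CNAME", "b.example."), ("b.example.", "CNAME", "a.example.")]

if __name__ == "__main__":
    for resolver in (naive_ptr, chased_ptr):
        value = revdns_value("208.237.120.132", ANSWERS, resolver)
        print(resolver.__name__, value, endswith_rule_hits(value))
```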


[Declude.JunkMail] HOLD Question

2003-07-29 Thread Jose Gosende
I've been using a very effective (and quite aggressive) WEIGHT value of 12
and holding mail where the SPAMHEADERS test failed until now. I recently
found out that certain pieces of my website, where email is supposed to go
out and notify me, are being held due to JunkMail and the rules I've set up.
So...since I'm really happy with the conservative approach I've taken with
spam but I cannot get email that I should (just the one coming from my
dynamic site), I was wondering how you all dealt with this. I'm sure some
of you have run into a similar scenario. Any insight is much appreciated.

TIA




Re: [Declude.JunkMail] HOLD Question

2003-07-29 Thread Bill Landry
Jose, is there any reason not to whitelist the IP addresses of your own
servers, since they are in your control anyway?  That way Declude will not
block messages delivered to IMail, or through IMail,  from your servers.

Bill
- Original Message - 
From: Jose Gosende [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 3:49 PM
Subject: [Declude.JunkMail] HOLD Question


> I've been using a very effective (and quite aggressive) WEIGHT value of 12
> and holding mail where the SPAMHEADERS test failed until now. I recently
> found out that certain pieces of my website, where email is supposed to go
> out and notify me, are being held due to JunkMail and the rules I've set up.
> So...since I'm really happy with the conservative approach I've taken with
> spam but I cannot get email that I should (just the one coming from my
> dynamic site), I was wondering how you all dealt with this. I'm sure some
> of you have run into a similar scenario. Any insight is much appreciated.
>
> TIA

