RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Sean Fahey
Sadly, we too have seen a sudden influx of spam using the standard edition.

>>>

>>RE: [Declude.JunkMail] Increased SPAM not being blocked.


>>Thanks for all the responses. First Kami we don't have the Pro version so we
>>can't use customized filters but I can use your from files in addition to
>>the ones that I am already using. I use a from file that I update manually

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread R. Scott Perry

> I do have a whitelist with about 50 entries but these
> are known domain names and email addresses that I have verified personally.

Are any of them your domains?  For example, if we were to whitelist
@declude.com, we would receive a lot more spam (because many spammers know
that people whitelist their own domain).

> Scott we don't have a backup mail server so I don't need to use IPBYPASS do I?

No, you only need to use IPBYPASS if a "good" mailserver will be receiving
the spam and passing it on to you (typically either a gateway mailserver or
backup mailserver).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.



RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Karl Hentschel
Thanks for all the responses. First Kami we don't have the Pro version so we
can't use customized filters but I can use your from files in addition to
the ones that I am already using. I use a from file that I update manually
and I also update it using the killlistgen utility from imagefxonline. I
haven't tried using spamchk yet but I'll look into it. Regarding the content
blocking on URL's, is that a customized test because I don't believe it is
included in declude. I do have a whitelist with about 50 entries but these
are known domain names and email addresses that I have verified personally.
Scott we don't have a backup mail server so I don't need to use IPBYPASS do
I? I'll get together some headers to send to you.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Karen D. Oland
Sent: Monday, August 18, 2003 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Increased SPAM not being blocked.


> >There are a few people who are receiving over 30 spams a day and that is
> >just unacceptable considering we are running antispam software.

Also, what do you have whitelisted?


RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Jeff Maze - Hostmaster
Maybe start using the BLACKLIST option.  I've been doing that for a little
while, and it seems to cut back on a lot of spam.  I have them setup with a
20 weight and a ROUTETO my spam account so I can review and see if they're
legit or not..




RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Karen D. Oland
> >There are a few people who are receiving over 30 spams a day and that is
> >just unacceptable considering we are running antispam software.

Also, what do you have whitelisted?


Re: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread R. Scott Perry

> Over the past several weeks our level of spam has doubled and a good
> majority of it isn't failing enough tests to be blocked based on my
> settings. The problem is that a good deal of it isn't failing ANY tests or
> only helobogus and ipnotinmx.

Are you sure that the other tests are running (for example, mail from a
backup won't be scanned properly unless you use an IPBYPASS line in the
global.cfg file)?

> There are a few people who are receiving over 30 spams a day and that is
> just unacceptable considering we are running antispam software.

It sounds like they are being targeted for some reason; most likely, there
is a pattern to the spams they are receiving (for example, almost all may
be advertising the same product or service), which means that you'll need
to come up with filtering for that user.  But, my guess would be a simple
configuration issue (such as not having a backup listed in the IPBYPASS
option).

Another option is to send me the complete headers of several spams that 
aren't getting caught; from that, I can often tell if a configuration 
change is necessary.

   -Scott


RE: [Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Karen D. Oland
Have you tried content blocking on the URL's in the body?

Or checked the from or RDNS ranges to see if they have anything in common?
Usually, when I've seen this, it is one new spammer, shoving out as many as
possible before their new IP is known and blocked.

K

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Karl Hentschel
> Sent: Monday, August 18, 2003 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Increased SPAM not being blocked.
>
>
> Over the past several weeks our level of spam has doubled and a good
> majority of it isn't failing enough tests to be blocked based on my
> settings. The problem is that a good deal of it isn't failing ANY tests or
> only helobogus and ipnotinmx. I can't really block on helobogus or ipnotinmx
> alone because I would have a great deal of false positives. One test that a
> few of the emails fail is SBL. Is anyone effectively blocking on SBL alone?
> Are there any other methods being used other than the declude tests? I have
> tried using keywords but it tends to generate too many false positives.
> There are a few people who are receiving over 30 spams a day and that is
> just unacceptable considering we are running antispam software. Any
> suggestions would be appreciated.


[Declude.JunkMail] Increased SPAM not being blocked.

2003-08-18 Thread Karl Hentschel
Over the past several weeks our level of spam has doubled and a good
majority of it isn't failing enough tests to be blocked based on my
settings. The problem is that a good deal of it isn't failing ANY tests or
only helobogus and ipnotinmx. I can't really block on helobogus or ipnotinmx
alone because I would have a great deal of false positives. One test that a
few of the emails fail is SBL. Is anyone effectively blocking on SBL alone?
Are there any other methods being used other than the declude tests? I have
tried using keywords but it tends to generate too many false positives.
There are a few people who are receiving over 30 spams a day and that is
just unacceptable considering we are running antispam software. Any
suggestions would be appreciated.



[Declude.JunkMail] DLAnalyzer Released

2003-08-18 Thread support
Last month many of the list members asked to test the beta version of
DLAnalyzer...

I wanted to say thank you to everyone that tested DLAnalyzer while it
was in Beta.  There were many excellent suggestions that resulted in
new features in this current release.

The release version is now available from http://www.dlanalyzer.com.

If you have any questions about this log processing tool let me know.

Darrell
[EMAIL PROTECTED]



RE: [Declude.JunkMail] Is there still a limit on number of whitelisted emails?

2003-08-18 Thread R. Scott Perry

> Can you also whitelist IPs in that file?

Not at this time.  IPs need to be whitelisted in the global.cfg file with
the "WHITELIST IP" option.

   -Scott


RE: [Declude.JunkMail] Is there still a limit on number of whitelisted emails?

2003-08-18 Thread Chuck Schick
Scott:

Can you also whitelist IPs in that file?

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, August 18, 2003 9:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Is there still a limit on number of
> whitelisted emails?
> 
> 
> 
> >I know at one time you could only enter 200 whitelist entries into the
> >Global.cfg file.  Is that still the case?
>
> Yes.  However, there is a new WHITELISTFILE option in the latest release
> that lets you have unlimited whitelist entries if necessary (as well as
> per-user/per-domain whitelisting).  To use it, you would add a line such as
> "WHITELISTFILE C:\IMail\Declude\whitelist.txt" to any config files that
> need it (just the \IMail\Declude\$default$.JunkMail file, if you do not
> have per-user or per-domain settings).  The whitelist.txt file would then
> contain one entry per line, with either a return address
> ("[EMAIL PROTECTED]") or a domain ("@example.com").
> 
> -Scott


Re: [Declude.JunkMail] Is there still a limit on number of whitelisted emails?

2003-08-18 Thread R. Scott Perry

> I know at one time you could only enter 200 whitelist entries into the
> Global.cfg file.  Is that still the case?

Yes.  However, there is a new WHITELISTFILE option in the latest release
that lets you have unlimited whitelist entries if necessary (as well as
per-user/per-domain whitelisting).  To use it, you would add a line such as
"WHITELISTFILE C:\IMail\Declude\whitelist.txt" to any config files that
need it (just the \IMail\Declude\$default$.JunkMail file, if you do not
have per-user or per-domain settings).  The whitelist.txt file would then
contain one entry per line, with either a return address
("[EMAIL PROTECTED]") or a domain ("@example.com").

   -Scott
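
An added example, not part of the original message or of Declude: a small audit for a whitelist.txt in the one-entry-per-line format described above. It also flags entries for the server's own domains, the case raised earlier in this archive where whitelisting your own domain lets forged-sender spam through. The sample file contents, LOCAL_DOMAINS and the case-insensitive duplicate check are assumptions.

```python
import re

GLOBAL_CFG_LIMIT = 200  # whitelist entry limit for global.cfg, as stated in the thread

# Constructed sample whitelist.txt contents (all names are made up).
SAMPLE_WHITELIST = """\
@partner-example.test
billing@vendor-example.test
@mycompany-example.test
Billing@Vendor-Example.test
not an entry
ceo@mycompany-example.test
"""

# Hypothetical: the domains this mail server itself hosts.
LOCAL_DOMAINS = {"mycompany-example.test"}

# Either "user@domain" (return address) or "@domain" (whole domain).
ENTRY_RE = re.compile(
    r"^(?P<local>[^@\s]+)?@(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)


def audit_whitelist(text, local_domains, limit=GLOBAL_CFG_LIMIT):
    """Classify each line and report the entries that deserve a second look."""
    report = {"entries": [], "invalid": [], "duplicates": [],
              "own_domain": [], "over_global_cfg_limit": False}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            report["invalid"].append((lineno, entry))
            continue
        key = entry.lower()  # assumption: entries compare case-insensitively
        if key in seen:
            report["duplicates"].append((lineno, entry))
            continue
        seen.add(key)
        report["entries"].append(key)
        # A sender address in one of our own domains is trivially forged,
        # so whitelisting it waves through spam that claims to be "from us".
        if m.group("domain").lower() in local_domains:
            report["own_domain"].append((lineno, entry))
    # More unique entries than this will not fit in global.cfg and
    # need the WHITELISTFILE option instead.
    report["over_global_cfg_limit"] = len(report["entries"]) > limit
    return report


if __name__ == "__main__":
    result = audit_whitelist(SAMPLE_WHITELIST, LOCAL_DOMAINS)
    for name, value in result.items():
        print(f"{name}: {value}")
```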


[Declude.JunkMail] Is there still a limit on number of whitelisted emails?

2003-08-18 Thread Chuck Schick
I know at one time you could only enter 200 whitelist entries into the
Global.cfg file.  Is that still the case?

Chuck Schick
Warp 8, Inc.
303-421-5140
www.warp8.com



RE: [Declude.JunkMail] IP address for REVDNS

2003-08-18 Thread R. Scott Perry

> Seems like that would be dependent on the timing of the test order and when
> that line was added.
> Scott, can a variable be used in a filter with an equation like this:
>
> HEADER 0 CONTAINS %REVDNS%=64.214.161.171

No, there is not.  However, this is something that we will look into adding.

   -Scott


RE: [Declude.JunkMail] Getting Country Chain to work

2003-08-18 Thread Kami Razvan
Hi;

I think you also need the all_list.dat file.

Regards,
Kami
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Dodell
Sent: Monday, August 18, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Getting Country Chain to work


I have the Country Chain defined in the global.cfg file but the only thing
that shows up in the headers is:

X-Country-Chain:


No chain, even though I have the variable there.

What am I missing?

David



[Declude.JunkMail] Getting Country Chain to work

2003-08-18 Thread David Dodell
I have the Country Chain defined in the global.cfg file but the only
thing that shows up in the headers is:

X-Country-Chain:


No chain, even though I have the variable there.

What am I missing?

David



RE: [Declude.JunkMail] IP address for REVDNS

2003-08-18 Thread John Tolmachoff (Lists)
Seems like that would be dependent on the timing of the test order and when
that line was added.

Scott, can a variable be used in a filter with an equation like this:

HEADER 0 CONTAINS %REVDNS%=64.214.161.171

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Monday, August 18, 2003 4:49 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] IP address for REVDNS

Scott:
 
The header shows the IP address of REVDNS in the form of:
 
X-Note: Sent from Reverse DNS:  mail.maskofnoreturn.com([65.214.161.171]).
 
Can the IP address be detected in the HEADER filter?
 
I want to setup a filter if certain IP addresses are listed in the Header. 
Ideally I like to filter on the IP address of the REVDNS entry but since we
can't it seems like the next best thing is to filter the header.
 
Since we started keeping track of the REVDNS IP addresses we are finding
quite a lot of spammers with the same IP address in their REVDNS but
different domain names.  I like to experiment with such a filter and
evaluate the results.
 
Regards,
Kami
 
 



Re: [Declude.JunkMail] IP address for REVDNS

2003-08-18 Thread R. Scott Perry

> The header shows the IP address of REVDNS in the form of:
>
> X-Note: Sent from Reverse DNS:  mail.maskofnoreturn.com([65.214.161.171]).
>
> Can the IP address be detected in the HEADER filter?
>
> I want to setup a filter if certain IP addresses are listed in the
> Header.  Ideally I like to filter on the IP address of the REVDNS entry
> but since we can't it seems like the next best thing is to filter the header.
>
> Since we started keeping track of the REVDNS IP addresses we are finding
> quite a lot of spammers with the same IP address in their REVDNS but
> different domain names.  I like to experiment with such a filter and
> evaluate the results.

Although you can detect the IP address with the HEADER filter, you could
instead use REMOTEIP:

REMOTEIP  0  IS  65.214.161.171

or

REMOTEIP  0  CONTAINS  65.214.161.

   -Scott
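
An added example, not part of the original message or of Declude: it parses X-Note lines in the format quoted above, groups hostnames by sending IP to find addresses reused under several domain names, and prints exact-match REMOTEIP lines for them. Apart from the first sample line, all hosts and addresses are constructed; modelling CONTAINS as a plain substring test is an assumption, made to show that a dotted fragment can also match a neighbouring range such as 165.214.161.x.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample. Only the first line (host and IP) is quoted from the
# thread; the other hosts and addresses are made up for illustration.
SAMPLE_HEADERS = [
    "X-Note: Sent from Reverse DNS:  mail.maskofnoreturn.com([65.214.161.171]).",
    "X-Note: Sent from Reverse DNS:  mx.offers-example.test([65.214.161.171]).",
    "X-Note: Sent from Reverse DNS:  relay.deals-example.test([65.214.161.171]).",
    "X-Note: Sent from Reverse DNS:  mail.partner-example.test([192.0.2.10]).",
    "X-Note: Sent from Reverse DNS:  out.bulk-example.test([165.214.161.9]).",
    "X-Note: Sent from Reverse DNS:  broken.example.test([999.1.1.1]).",
]

XNOTE_RE = re.compile(
    r"^X-Note: Sent from Reverse DNS:\s+([^\s(]+)\(\[([0-9.]+)\]\)"
)


def parse_xnote(line):
    """Return (hostname, ip) from one X-Note line, or None if it does not parse."""
    m = XNOTE_RE.match(line)
    if not m:
        return None
    host, ip = m.group(1).lower(), m.group(2)
    try:
        ipaddress.IPv4Address(ip)  # reject values such as 999.1.1.1
    except ValueError:
        return None
    return host, ip


def shared_ips(lines, min_hosts=2):
    """Map each IP seen under at least min_hosts distinct hostnames to those names."""
    hosts_by_ip = defaultdict(set)
    for line in lines:
        parsed = parse_xnote(line)
        if parsed:
            host, ip = parsed
            hosts_by_ip[ip].add(host)
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}


def contains_match(ip, fragment):
    """Plain substring test: an ASSUMED model of a CONTAINS comparison."""
    return fragment in ip


def in_network(ip, cidr):
    """Octet-aware check that ip lies inside the given network."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr)


def filter_lines(shared):
    """Emit one exact-match line per shared IP, in the form shown in the thread."""
    return [f"REMOTEIP  0  IS  {ip}"
            for ip in sorted(shared, key=ipaddress.IPv4Address)]


if __name__ == "__main__":
    shared = shared_ips(SAMPLE_HEADERS)
    for ip, hosts in shared.items():
        print(ip, "->", ", ".join(hosts))
    print("\n".join(filter_lines(shared)))
    # The substring fragment also hits an address outside 65.214.161.0/24.
    print(contains_match("165.214.161.9", "65.214.161."),
          in_network("165.214.161.9", "65.214.161.0/24"))
```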


[Declude.JunkMail] IP address for REVDNS

2003-08-18 Thread Kami Razvan
Scott:
 
The header shows the IP address of REVDNS in the form of:

X-Note: Sent from Reverse DNS:  mail.maskofnoreturn.com([65.214.161.171]).

Can the IP address be detected in the HEADER filter?

I want to setup a filter if certain IP addresses are listed in the Header.
Ideally I like to filter on the IP address of the REVDNS entry but since we
can't it seems like the next best thing is to filter the header.

Since we started keeping track of the REVDNS IP addresses we are finding
quite a lot of spammers with the same IP address in their REVDNS but
different domain names.  I like to experiment with such a filter and
evaluate the results.
 
Regards,
Kami