[Declude.JunkMail] SORBS
How are the false positive rates ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, August 28, 2003 12:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] OSRELAY question. Until a few days ago, I was using SORBSALL, but on checking out their home page, I found that it had grown quite a lot since I started using it. Since JunkMail will only incur the lookup once, I suggest that if you're using SORBS that you break it up into all the little tests to query the same rbl, and set your weights accordingly. I found that a) this is much more flexible and b) much more effective, very spammy sources are listed under multiple categories. Check out the bottom of the page for the description and usage of the individual tests and return codes, then set your weights and actions as you see fit: http://www.dnsbl.sorbs.net/using.html Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SORBS
So far, only 1 that cause a message to be held. On the other hand, I find considerable overlap with some of the other big name tests, so I'm catching more spam than I did, while also making the stuff I caught before score even higher. That is why I stopped using the DUL list; it's a list of dynamic subnets at various ISPs, not a list of confirmed IPs used by spammers. Using the DUL would be fine if I had the default HOP settings, because that would catch workstations that are sending directly to my mail gateway. However, I have HOPHIGH set to 2, which should give me a lot of false positives. For what it's worth, I hold on WEIGHT20, and have the WARN action for all the tests I indicated, except SORBS-ZOMBIE, for which I HOLD. Andrew 8) -Original Message- From: Omar K. [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 27, 2003 5:03 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SORBS How are the false positive rates ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Thursday, August 28, 2003 12:30 AM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] OSRELAY question. Until a few days ago, I was using SORBSALL, but on checking out their home page, I found that it had grown quite a lot since I started using it. Since JunkMail will only incur the lookup once, I suggest that if you're using SORBS that you break it up into all the little tests to query the same rbl, and set your weights accordingly. I found that a) this is much more flexible and b) much more effective, very spammy sources are listed under multiple categories. Check out the bottom of the page for the description and usage of the individual tests and return codes, then set your weights and actions as you see fit: http://www.dnsbl.sorbs.net/using.html Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Another obfuscation technique
Similar to one noted earlier (by Bill?), slightly updated: `OPFd ``nhra``` ```laey`` ire`` `nm`s ``eanh``` cei`` `yxp` ```tp `i``` ``n`` ```g` It was heavily blocked; the spammer doesn't quite get the concept... because to achieve this visual effect, it was HTML, then obfuscated with a ton of bogus tags that lit up our COMMENTS test, plus heavily obfuscated the target URL to geocities by obfuscating it with... multiple geocities@ prefixes. It never had a chance! Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Another obfuscation technique
It really does get kind of silly after a while. The more they try to obfuscate the messages, the easier they are to pick out with filters. _M At 05:44 PM 8/27/2003 -0700, you wrote: Similar to one noted earlier (by Bill?), slightly updated: `OPFd ``nhra``` ```laey`` ire`` `nm`s ``eanh``` cei`` `yxp` ```tp `i``` ``n`` ```g` It was heavily blocked; the spammer doesn't quite get the concept... because to achieve this visual effect, it was HTML, then obfuscated with a ton of bogus tags that lit up our COMMENTS test, plus heavily obfuscated the target URL to geocities by obfuscating it with... multiple geocities@ prefixes. It never had a chance! Andrew 8) --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IPNOTINMX
the manual say: It will be triggered when an E-mail is sent from an IP address that is not in its MX record 1-is this the mx record for the domain of the from adress ? if the from is empty the test will fail? 2-also, declude never uses the reply to adress, correct ? is there a variable (declude virus) for the reply to adress ?
[Declude.JunkMail] New spam house in town
www.consumerbase.com Our server have been receiving alot of spam from this company. Has any one else experienced this especially from 216.9.176.0/24 ip block. Does anyone know if they are legit? Their IP block has only been registered with ARIN since 7/30/2003 The domain names from these server were all registered with godaddy on 8/21/2003 Looks like a spammer outfit posing as a legitimate net marketing firm. Their full ip block range is OrgName: Mosaic Data Solutions OrgID: MDS-74Address: 1880 Oak Avenue, Second FloorCity: EvanstonStateProv: ILPostalCode: 60201Country: USNetRange: 216.9.176.0 - 216.9.191.255 CIDR: 216.9.176.0/20 NetName: INFORMATIONHOST-NET1NetHandle: NET-216-9-176-0-1Parent: NET-216-0-0-0-0NetType: Direct AssignmentNameServer: DNS01.EXODUS.NETNameServer: DNS02.EXODUS.NETComment: Informationhost 1880 Oak Avenue, Suite 250 Evanston, IL 60201 US Phone: 847-864-3900 Fax..: 847-864-9016 Email: [EMAIL PROTECTED]RegDate: 2003-07-30Updated: 2003-07-30TechHandle: RJT35-ARINTechName: Tindell, Richard JeffreyTechPhone: +1-571-434-6630TechEmail: [EMAIL PROTECTED] OrgTechHandle: RJT35-ARINOrgTechName: Tindell, Richard JeffreyOrgTechPhone: +1-571-434-6630OrgTechEmail: [EMAIL PROTECTED] Kevin Bilbee -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of SergeSent: Wednesday, August 27, 2003 8:15 PMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] IPNOTINMX the manual say: It will be triggered when an E-mail is sent from an IP address that is not in its MX record 1-is this the mx record for the domain of the from adress ? if the from is empty the test will fail? 2-also, declude never uses the reply to adress, correct ? is there a variable (declude virus) for the reply to adress ?
Re: [Declude.JunkMail] OSRELAY question.
There was a report in the last few days about relays.osirusoft.com going sour in some way. I didn't pay much attention until I had a dozen OSRELAY false positives staring me in the face. I've turned off all relays.osirusoft.com based tests (I used two) Dan On Tuesday, August 26, 2003 17:14, Chuck Schick [EMAIL PROTECTED] wrote: In going thru the held mail I am finding some emails with this warning. X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com This only shows up on a few emails but it causes the email to fail the OSRELAY test - meaning more false positives. Other emails either do not have the warning or they show a normal OSRELAY warming - X-RBL-Warning: OSRELAY: This E-mail came from XXX.27.65.23, a potential spam source listed in OSRELAY. I searched the archives but did I miss an announcement that we were suppose to quit using OSRELAY. Thanks. Chuck Schick Warp 8, Inc. 303-421-5140 www.warp8.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Setting MAX Testing Weight
My Declude config has grown since install. I am curious if it is possible determine a Weight at which Declude ceases running tests on an email. SayI have40 testsand after Declude runsthe first 10 of themit accumulates ascore of 300.IHOLD at 100.Further testing beyond 300uses additional resources to produce the same outcome with no additional benefits. Resources including processing, bandwidth, and un-needed additional queries to blacklist servers that are working hard tomaintain their services. In this scenario the order that Declude ran your tests would be a factor. You could place your tests in a specific order in the Declude configso that primacy tests like Spamcop were first, andadditional tests would onlybe run if needed. Or you couldrun tests like Spamcheck,Badheaders, Helobogus first and be able to HOLD messages with a minimum or noexternal DNS queries. Todd Hunter Progressive Systems
[Declude.JunkMail] OSRELAY Replacement..
So what are y'all beginning to use instead of the OSRELAY tests? I was using this and one of the other OS tests. Even though I still had 350 messages in my spam account this morning, I would like another test to replace these. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] header problem
attahed is a notification i received today notice the first 2 lines are supposed to be in the header but appears in the body please let me know what went wrong ---BeginMessage--- X-Declude version: 1.75 X-Note: This E-mail was sent from ([127.0.0.1]). La Protection anti-virus de CEFIB Internet a detecté un message que vous avez reçu de [Forged], et qui contient le virus : W32/[EMAIL PROTECTED] (corrupted) dans la pièce jointe CIRCUIT AVENTURIA.doc.scr. Le sujet du message était Discounts for Travel Agent employees. Le message contenant le virus à été envoyé à la quarantaine pour eviter tout dégat. CEFIB Internet anti-virus protection has reported that you were sent an E-mail from [Forged], containing the : W32/[EMAIL PROTECTED] (corrupted) virus in the CIRCUIT AVENTURIA.doc.scr attachment. The subject of the E-mail was Discounts for Travel Agent employees. The E-mail containing the virus has been quarantined to prevent further damage. Adresse IP: 216.226.209.48 Virus: : W32/[EMAIL PROTECTED] (corrupted) Pièce jointe: CIRCUIT AVENTURIA.doc.scr Version Declude: 1.75 Fichier IMAIL: Dd3480bb2026e7b9d.SMD Subject: Discounts for Travel Agent employees Host name of the recipient edmsa.net IP address of the remote mail server 216.226.209.48 --- Liste de discussion réservée aux membres de AFIM ---End Message---
Re: [Declude.JunkMail] Setting MAX Testing Weight
My Declude config has grown since install. I am curious if it is possible determine a Weight at which Declude ceases running tests on an email. No. It is something that we have given thought to, but there are a number of potential problems. As you point out, the order of the tests would now become a factor (which means serious re-working of the code, and slower delivery if DNS lookups are no longer done in parallel). Also, if you are not careful, negative weights could be an issue (for example, if you do not order the tests correctly, you may skip over a test that would reduce the weight to the point where processing should continue). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IPNOTINMX
It will be triggered when an E-mail is sent from an IP address that is not in its MX record 1-is this the mx record for the domain of the from adress ? if the from is empty the test will fail? Everything in Declude JunkMail uses the return address of the E-mail (MAIL FROM in the SMTP envelope). If it is empty, it will not fail (that would be , which is used for bounce messages and the like). 2-also, declude never uses the reply to adress, correct ? Correct. It also never uses the address from the From: header. is there a variable (declude virus) for the reply to adress ? No. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] .pif.htm attachments
Is anyone else seeing mails come through with a document_9446.pif.htm attachments intact? No. But then I do a delete using a WORD FILTER for document_9446. :) I also block attachments in iMail, so we trap a number of these types there as well as in JunkMail. Jeff --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Alligate
Is anyone using Alligate http://www.alligate.com ? I'm using message sniffer and was looking at adding alligate also. I'd appreciate any feedback.. Mark --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] header problem
This one is very strange -- it looks like there was a mail loop involved, it was scanned by several virus/spam scanners, it has highly unusual (and likely broken) To:/Cc: headers, and appears as though it may have been scanned twice on your server. From the Received: headers, it appears that you received this from fanga.afribone.net.ml, which added some of the Declude headers. -Scott At 07:43 AM 8/28/2003, serge wrote: attahed is a notification i received today notice the first 2 lines are supposed to be in the header but appears in the body please let me know what went wrong Received: from fanga.afribone.net.ml [216.147.136.2] by cefib.com with ESMTP (SMTPD32-8.02) id A40F6F50220; Thu, 28 Aug 2003 10:06:07 + Received: from spammail by fanga.afribone.net.ml with spam-scanned (Exim 3.36 #1) id 19sJep-0001Tv-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:06:06 + Received: from root by fanga.afribone.net.ml with scanned-ok (Exim 3.36 #1) id 19sJep-0001Ts-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:35 + Received: from majordomo by fanga.afribone.net.ml with local (Exim 3.36 #1) id 19sJep-0001Tk-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:35 + Received: from spammail by fanga.afribone.net.ml with spam-scanned (Exim 3.36 #1) id 19sJeJ-0001SO-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:34 + Received: from root by fanga.afribone.net.ml with scanned-ok (Exim 3.36 #1) id 19sJeJ-0001SL-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + Received: from [208.154.200.29] (helo=edmsa.net) by fanga.afribone.net.ml with esmtp (Exim 3.36 #1) id 19sJeI-0001P2-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + Subject: [afim] Attention: On vous a envoyé un virus Date: Thu, 28 Aug 2003 10:03:57 + Message-Id: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 From: Postmaster [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] X-Mailer: IMail v8.02 X-RBL-Warning: IPNOTINMX: X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX X-weight: 0 Precedence: bulk Sender: majordomo [EMAIL PROTECTED] X-Virus-Scanned: by Antivirus X-Spam-Status: No, hits=2.1 required=8.0 tests=MIME_DEFICIENT_QP version=2.55 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-RBL-Warning: HELOBOGUS: Domain fanga.afribone.net.ml has no MX or A records. X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 216.147.136.2 with no reverse DNS entry. X-RBL-Warning: FIVETEN-SPAM: 2.136.147.216.blackholes.five-ten-sg.com. X-Declude-Sender: [EMAIL PROTECTED] [216.147.136.2] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: HELOBOGUS, REVDNS, FIVETEN-SPAM X-weight: 9 X-Declude version: 1.75 X-Note: This E-mail was sent from [No Reverse DNS] ([216.147.136.2]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 352740664 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Blank messages
I have received two totally blank messages this morning that appear to be from this list--no body, subject, sender or recipient shown. Here's the header from one: We had an Internet outage overnight -- most likely, it was a result of that. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Blank messages
I have received two totally blank messages this morning that appear to be from this list--no body, subject, sender or recipient shown. Here's the header from one: Received: from declude.com [24.107.232.14] by mail.centraltx.com with ESMTP (SMTPD32-7.04) id A9285D9000E6; Thu, 28 Aug 2003 08:52:40 -0500 X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8c20]. X-Declude-Sender: [EMAIL PROTECTED] [24.107.232.14] X-Declude-Spoolname: D09280e6.SMD X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: BADHEADERS [9] X-UIDL: 353041979 Shayne Embry --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] OSRELAY Replacement..
Please review these archives - several people have been posting their replacement config files in the past 2 days. Best Regards Andy Schmidt HM Systems Software, Inc. 600 East Crescent Avenue, Suite 203 Upper Saddle River, NJ 07458-1846 Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206 http://www.HM-Software.com/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Maze - Hostmaster Sent: Thursday, August 28, 2003 08:49 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] OSRELAY Replacement.. So what are y'all beginning to use instead of the OSRELAY tests? I was using this and one of the other OS tests. Even though I still had 350 messages in my spam account this morning, I would like another test to replace these. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Setting MAX Testing Weight
You do not want Declude to stop at a certain point. What if it stops, right before the next test which is a whitefilter type test? With the weighting system, it is important to run all tests to get the final weight. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd - Smart Mail Sent: Thursday, August 28, 2003 12:34 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Setting MAX Testing Weight My Declude config has grown since install. I am curious if it is possible determine a Weight at which Declude ceases running tests on an email. SayI have40 testsand after Declude runsthe first 10 of themit accumulates ascore of 300.IHOLD at 100.Further testing beyond 300uses additional resources to produce the same outcome with no additional benefits. Resources including processing, bandwidth, and un-needed additional queries to blacklist servers that are working hard tomaintain their services. In this scenario the order that Declude ran your tests would be a factor. You could place your tests in a specific order in the Declude configso that primacy tests like Spamcop were first, andadditional tests would onlybe run if needed. Or you couldrun tests like Spamcheck,Badheaders, Helobogus first and be able to HOLD messages with a minimum or noexternal DNS queries. Todd Hunter Progressive Systems
RE: [Declude.JunkMail] Alligate
Yes, many of us are using Alligate. Please see the discussion from last week: http://www.mail-archive.com/[EMAIL PROTECTED]/msg10255.html John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Mark Smith Sent: Thursday, August 28, 2003 7:09 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Alligate Is anyone using Alligate http://www.alligate.com ? I'm using message sniffer and was looking at adding alligate also. I'd appreciate any feedback.. Mark --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Alligate
We use both, and like the combination. Is anyone using Alligate http://www.alligate.com ? I'm using message sniffer and was looking at adding alligate also. I'd appreciate any feedback.. Mark === Rob www.iGive.com --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] FW: Attention mail server administrators
Your opinions? Markus -- From: No-IP Alerts [mailto:[EMAIL PROTECTED] To: xxx Subject: Attention mail server administrators Hello , NOTICE: Mail you send from your dynamic IP may not be reaching your customers. Many ISP's including AOL,Road Runner have started rejecting mail sent from residential dynamic IP address blocks in attempt to reduce the amount of unsolicited email that travels through their networks. No-IP.com has been working around the clock to provide a solution, Alternate-Port SMTP. Altnerate-Port SMTP solves a couple of problems our users encounter when trying to send mail from a residential service such as blocked outbound port 25, AOL and other ISPs rejecting mail based on ip, and inability to send mail from email addresses @yourdomain.com For detailed information about this service please visit: http://www.no-ip.com/svc/mail/smtp Some providers that restrict outbound port 25 include - NetZero - Mindspring - MSN - Earthlink - Flashnet - MediaOne - ATT - Verizon - Bell Canada - Cox Note that Alternate-Port SMTP is for outbound mail only. Should your ISP block inbound port 25 you will need our Mail Reflector service (http://www.no-ip.com/svc/mail/reflector). If you are unsure what service you need or have questions please open a support ticket at http://www.no-ip.com/ticket/ Regards, No-IP.com Alerts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] FW: Attention mail server administrators
My father was just blocked by Cox from reaching my SMTP server the other day. They did it without any warning/notice. Their resolution was to use their own mail server for SMTP, but he could still reach my server by way of POP3. It does introduce another potential point of failure into the mix that then becomes more problematic to troubleshoot for E-mail providers, but it's not terrible to have to do. I did ask the customer service rep at Cox why they blocked everyone instead of just the spammers, and he of course didn't have a good answer. Seems these guys don't want to police their network. Naturally the way around this is to set up SMTP on a port other than 25, however IMail I think only has one setting for the entire server. Matt Markus Gufler wrote: Your opinions? Markus -- From: No-IP Alerts [mailto:[EMAIL PROTECTED] To: xxx Subject: Attention mail server administrators Hello , NOTICE: Mail you send from your dynamic IP may not be reaching your customers. Many ISP's including AOL,Road Runner have started rejecting mail sent from residential dynamic IP address blocks in attempt to reduce the amount of unsolicited email that travels through their networks. No-IP.com has been working around the clock to provide a solution, Alternate-Port SMTP. Altnerate-Port SMTP solves a couple of problems our users encounter when trying to send mail from a residential service such as blocked outbound port 25, AOL and other ISPs rejecting mail based on ip, and inability to send mail from email addresses @yourdomain.com For detailed information about this service please visit: http://www.no-ip.com/svc/mail/smtp Some providers that restrict outbound port 25 include - NetZero - Mindspring - MSN - Earthlink - Flashnet - MediaOne - ATT - Verizon - Bell Canada - Cox Note that Alternate-Port SMTP is for outbound mail only. Should your ISP block inbound port 25 you will need our Mail Reflector service (http://www.no-ip.com/svc/mail/reflector). If you are unsure what service you need or have questions please open a support ticket at http://www.no-ip.com/ticket/ Regards, No-IP.com Alerts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] FW: Attention mail server administrators
Your opinions? It's very unfortunate that people are starting to do this. It only started at the end of May, when someone got the idea of blocking all dynamic IPs and static IPs with reverse DNS entries that look similar to those of dynamic IPs. We get hit by this occasionally -- we have a static IP on a commercial connection (where we are allowed to run servers). For RoadRunner, we just added an entry to our HOSTS file on the mailserver that points to our Internet provider's mailserver. We also added a per-domain configuration for rr.com in Declude JunkMail to add a header letting all rr.com recipients know that their Internet provider is blocking legitimate E-mail. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Setting MAX Testing Weight
John, As I mentioned, the order that you ran the tests would affect the outcome. Tests that generate a negative weight would need to be run first, such as IPNOTINMX, BONDEDSENDER, and other whitelist type of tests. Also the reason I suggested stopping testing at weigh 3x my HOLD weight. This gives some margin where test would continue to run. Todd - Original Message - From: John Tolmachoff (Lists) To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 9:36 AM Subject: RE: [Declude.JunkMail] Setting MAX Testing Weight You do not want Declude to stop at a certain point. What if it stops, right before the next test which is a whitefilter type test? With the weighting system, it is important to run all tests to get the final weight. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd - Smart MailSent: Thursday, August 28, 2003 12:34 AMTo: [EMAIL PROTECTED]Subject: [Declude.JunkMail] Setting MAX Testing Weight My Declude config has grown since install. I am curious if it is possible determine a Weight at which Declude ceases running tests on an email. SayI have40 testsand after Declude runsthe first 10 of themit accumulates ascore of 300.IHOLD at 100.Further testing beyond 300uses additional resources to produce the same outcome with no additional benefits. Resources including processing, bandwidth, and un-needed additional queries to blacklist servers that are working hard tomaintain their services. In this scenario the order that Declude ran your tests would be a factor. You could place your tests in a specific order in the Declude configso that primacy tests like Spamcop were first, andadditional tests would onlybe run if needed. Or you couldrun tests like Spamcheck,Badheaders, Helobogus first and be able to HOLD messages with a minimum or noexternal DNS queries. Todd Hunter Progressive Systems
RE: [Declude.JunkMail] FW: Attention mail server administrators
Yeah, I've had a number of people calling saying they can receive messages from our server, but get server time-outs when trying to send messages. Trying to talk to these non-IT type people is a pain. Trying to explain to them that it's not our server, but their internet provider and to call them for a solution (the classic question: But aren't you our internet provider?; Uh, we just host your e-mail and web site; But isn't that the same?). As you stated, most of the time just changing their SMTP server settings to the provider usually fixes the problem. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Thursday, August 28, 2003 10:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] FW: Attention mail server administrators My father was just blocked by Cox from reaching my SMTP server the other day. They did it without any warning/notice. Their resolution was to use their own mail server for SMTP, but he could still reach my server by way of POP3. It does introduce another potential point of failure into the mix that then becomes more problematic to troubleshoot for E-mail providers, but it's not terrible to have to do. I did ask the customer service rep at Cox why they blocked everyone instead of just the spammers, and he of course didn't have a good answer. Seems these guys don't want to police their network. Naturally the way around this is to set up SMTP on a port other than 25, however IMail I think only has one setting for the entire server. Matt Markus Gufler wrote: Your opinions? Markus -- From: No-IP Alerts [mailto:[EMAIL PROTECTED] To: xxx Subject: Attention mail server administrators Hello , NOTICE: Mail you send from your dynamic IP may not be reaching your customers. Many ISP's including AOL,Road Runner have started rejecting mail sent from residential dynamic IP address blocks in attempt to reduce the amount of unsolicited email that travels through their networks. No-IP.com has been working around the clock to provide a solution, Alternate-Port SMTP. Altnerate-Port SMTP solves a couple of problems our users encounter when trying to send mail from a residential service such as blocked outbound port 25, AOL and other ISPs rejecting mail based on ip, and inability to send mail from email addresses @yourdomain.com For detailed information about this service please visit: http://www.no-ip.com/svc/mail/smtp Some providers that restrict outbound port 25 include - NetZero - Mindspring - MSN - Earthlink - Flashnet - MediaOne - ATT - Verizon - Bell Canada - Cox Note that Alternate-Port SMTP is for outbound mail only. Should your ISP block inbound port 25 you will need our Mail Reflector service (http://www.no-ip.com/svc/mail/reflector). If you are unsure what service you need or have questions please open a support ticket at http://www.no-ip.com/ticket/ Regards, No-IP.com Alerts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] header problem
i have a couple of issues i'm trying to understand this email was originaly generated by my server (from the subject line) 1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) It was NOT sent there. It was RECEIVED from there. 2- how come the from adress is on my server and the mail came from fanga.afribone.net.ml The E-mail came from fanga.afribone.net.ml because they sent it to you. I can't explain why it had your address in the From: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] header problem
i have a couple of issues i'm trying to understand this email was originaly generated by my server (from the subject line) 1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) 2- how come the from adress is on my server and the mail came from fanga.afribone.net.ml - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 2:09 PM Subject: Re: [Declude.JunkMail] header problem This one is very strange -- it looks like there was a mail loop involved, it was scanned by several virus/spam scanners, it has highly unusual (and likely broken) To:/Cc: headers, and appears as though it may have been scanned twice on your server. From the Received: headers, it appears that you received this from fanga.afribone.net.ml, which added some of the Declude headers. -Scott At 07:43 AM 8/28/2003, serge wrote: attahed is a notification i received today notice the first 2 lines are supposed to be in the header but appears in the body please let me know what went wrong Received: from fanga.afribone.net.ml [216.147.136.2] by cefib.com with ESMTP (SMTPD32-8.02) id A40F6F50220; Thu, 28 Aug 2003 10:06:07 + Received: from spammail by fanga.afribone.net.ml with spam-scanned (Exim 3.36 #1) id 19sJep-0001Tv-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:06:06 + Received: from root by fanga.afribone.net.ml with scanned-ok (Exim 3.36 #1) id 19sJep-0001Ts-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:35 + Received: from majordomo by fanga.afribone.net.ml with local (Exim 3.36 #1) id 19sJep-0001Tk-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:35 + Received: from spammail by fanga.afribone.net.ml with spam-scanned (Exim 3.36 #1) id 19sJeJ-0001SO-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:34 + Received: from root by fanga.afribone.net.ml with scanned-ok (Exim 3.36 #1) id 19sJeJ-0001SL-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + Received: from [208.154.200.29] (helo=edmsa.net) by fanga.afribone.net.ml with esmtp (Exim 3.36 #1) id 19sJeI-0001P2-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + Subject: [afim] Attention: On vous a envoyé un virus Date: Thu, 28 Aug 2003 10:03:57 + Message-Id: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 From: Postmaster [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] X-Mailer: IMail v8.02 X-RBL-Warning: IPNOTINMX: X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: IPNOTINMX X-weight: 0 Precedence: bulk Sender: majordomo [EMAIL PROTECTED] X-Virus-Scanned: by Antivirus X-Spam-Status: No, hits=2.1 required=8.0 tests=MIME_DEFICIENT_QP version=2.55 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-RBL-Warning: HELOBOGUS: Domain fanga.afribone.net.ml has no MX or A records. X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 216.147.136.2 with no reverse DNS entry. X-RBL-Warning: FIVETEN-SPAM: 2.136.147.216.blackholes.five-ten-sg.com. X-Declude-Sender: [EMAIL PROTECTED] [216.147.136.2] X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam. X-Spam-Tests-Failed: HELOBOGUS, REVDNS, FIVETEN-SPAM X-weight: 9 X-Declude version: 1.75 X-Note: This E-mail was sent from [No Reverse DNS] ([216.147.136.2]). X-RCPT-TO: [EMAIL PROTECTED] Status: U X-UIDL: 352740664 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just
RE: [Declude.JunkMail] FW: Attention mail server administrators
Yeah, I've had a number of people calling saying they can receive messages from our server, but get server time-outs when trying to send messages. Trying to talk to these non-IT type people is a pain. Actually, there are two separate issues here: [1] Dialup accounts where the ISP blocks outgoing SMTP E-mail. This is very, very common, and has been done for years. To handle this, E-mail must be sent through the ISP's mailserver. [2] People (companies, ISPs, whatever) that block *incoming* E-mail from IPs that they think *might* be dynamic IPs. There is no way around this, except to re-route the E-mail from your mailserver to another mailserver that the recipient will like. However, there is no way of knowing what the recipient will like. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Spoofed Subjects
Heads up to anyone using undeliverable subjects for whitelisting, pharmacysale.biz is trying to sneak around, some more subtle than others: Subject: Returned mail: see transcript for details Subject: Undeliverable: Online Pharmacy - Lowest Prices - Prozac and More! Subject: Delivery Status Notification (Failure) Subject: Undeliverable: Spending TOO MUCH on Prescriptions? Subject: failure notice Subject: Message status - undeliverable Subject: Mail System Error - Returned Mail Subject: Delivery Notification: Delivery has failed Subject: Undeliverable: Refill Your VIAGRA Prescription Online Subject: Undelivered Mail Returned to Sender Dan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Alligate
Im already using Message Sniffer with Declude. What would Alligate do that Message Sniffer doesn't? Thanks, Bill Newberg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] FW: Attention mail server administrators
Scott, add to your list broadband cable providers that are also now starting to block port 25 outgoing. That was the issue with my father, and his IP doesn't change that often, though RR doesn't hardly ever change, maybe they know how to monitor appropriately? Matt R. Scott Perry wrote: Yeah, I've had a number of people calling saying they can receive messages from our server, but get server time-outs when trying to send messages. Trying to talk to these non-IT type people is a pain. Actually, there are two separate issues here: [1] Dialup accounts where the ISP blocks outgoing SMTP E-mail. This is very, very common, and has been done for years. To handle this, E-mail must be sent through the ISP's mailserver. [2] People (companies, ISPs, whatever) that block *incoming* E-mail from IPs that they think *might* be dynamic IPs. There is no way around this, except to re-route the E-mail from your mailserver to another mailserver that the recipient will like. However, there is no way of knowing what the recipient will like. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] FW: Attention mail server administrators
The ISP can also use it as selling factor to get businesses to host on Their servers rather than an outside provider that is now perceived as having difficulties getting the customers email to function properly. Todd - Original Message - From: Jeff Maze - Hostmaster [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 10:14 AM Subject: RE: [Declude.JunkMail] FW: Attention mail server administrators Yeah, I've had a number of people calling saying they can receive messages from our server, but get server time-outs when trying to send messages. Trying to talk to these non-IT type people is a pain. Trying to explain to them that it's not our server, but their internet provider and to call them for a solution (the classic question: But aren't you our internet provider?; Uh, we just host your e-mail and web site; But isn't that the same?). As you stated, most of the time just changing their SMTP server settings to the provider usually fixes the problem. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble Sent: Thursday, August 28, 2003 10:59 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] FW: Attention mail server administrators My father was just blocked by Cox from reaching my SMTP server the other day. They did it without any warning/notice. Their resolution was to use their own mail server for SMTP, but he could still reach my server by way of POP3. It does introduce another potential point of failure into the mix that then becomes more problematic to troubleshoot for E-mail providers, but it's not terrible to have to do. I did ask the customer service rep at Cox why they blocked everyone instead of just the spammers, and he of course didn't have a good answer. Seems these guys don't want to police their network. Naturally the way around this is to set up SMTP on a port other than 25, however IMail I think only has one setting for the entire server. Matt Markus Gufler wrote: Your opinions? Markus -- From: No-IP Alerts [mailto:[EMAIL PROTECTED] To: xxx Subject: Attention mail server administrators Hello , NOTICE: Mail you send from your dynamic IP may not be reaching your customers. Many ISP's including AOL,Road Runner have started rejecting mail sent from residential dynamic IP address blocks in attempt to reduce the amount of unsolicited email that travels through their networks. No-IP.com has been working around the clock to provide a solution, Alternate-Port SMTP. Altnerate-Port SMTP solves a couple of problems our users encounter when trying to send mail from a residential service such as blocked outbound port 25, AOL and other ISPs rejecting mail based on ip, and inability to send mail from email addresses @yourdomain.com For detailed information about this service please visit: http://www.no-ip.com/svc/mail/smtp Some providers that restrict outbound port 25 include - NetZero - Mindspring - MSN - Earthlink - Flashnet - MediaOne - ATT - Verizon - Bell Canada - Cox Note that Alternate-Port SMTP is for outbound mail only. Should your ISP block inbound port 25 you will need our Mail Reflector service (http://www.no-ip.com/svc/mail/reflector). If you are unsure what service you need or have questions please open a support ticket at http://www.no-ip.com/ticket/ Regards, No-IP.com Alerts --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
AW: [Declude.JunkMail] Blank messages
There was an interesting thing with these two messages: The Declude.Virus footer was written in the mail header. So sorry, I did not keep them. Michael -Ursprungliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von R. Scott Perry Gesendet: Donnerstag, 28. August 2003 16:17 An: [EMAIL PROTECTED] Betreff: Re: [Declude.JunkMail] Blank messages I have received two totally blank messages this morning that appear to be from this list--no body, subject, sender or recipient shown. Here's the header from one: We had an Internet outage overnight -- most likely, it was a result of that. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- Dieses E-Mail wurde von Declude.Virus auf Virusfreiheit geprueft Ein Service von interactiveaustria --- --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Strange Headers...
Title: Message Hi; Has anyone else seen this in the header: X-TRANSFER-STAMP: 8rn1gnyu X-TRANSFER-NUMBER: SA X-transfer-number: 5898 X-transfer-stamp: NLOLD X-transfer-stamp: TCDYNQ Each of the above headers have characters that are over 200 characters wide.. the header of the spam email had 50+ lines of the above lines.. Real strange header. If you think it is a good idea to post the message to the list let me know.. but this is the strangest header. Does anyone know where such headers could come from? I have added thefollowing to ourfilters for a holdweight to simply follow and see if anything else comes through with such characteristics. X-transfer-stamp: X-TRANSFER-NUMBER: Any ideas? Regards, Kami
[Declude.JunkMail] osirusoft
Hello... My apologies if this has already been discussed. I'm not normally a member here, and the archives seem only to go up thru Aug. 25th. With the news of Osirusoft's troubles, Do I need to disable them in Declude? What are the repercussions of having Osirusoft enabled right now? Thanks, D. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] osirusoft
With the news of Osirusoft's troubles, Do I need to disable them in Declude? Absolutely. What are the repercussions of having Osirusoft enabled right now? Legit E-mail failing their tests and slowdowns in processing E-mail. The word is that they are blacklisting the world...if you can reach their servers. Matt Dale McDiarmid wrote: Hello... My apologies if this has already been discussed. I'm not normally a member here, and the archives seem only to go up thru Aug. 25th. With the news of Osirusoft's troubles, Do I need to disable them in Declude? What are the repercussions of having Osirusoft enabled right now? Thanks, D. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Alligate
Please see the link to the archives in my earlier post on this. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of bill.maillists Sent: Thursday, August 28, 2003 8:28 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Alligate Im already using Message Sniffer with Declude. What would Alligate do that Message Sniffer doesn't? Thanks, Bill Newberg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] header problem
1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) RSP: It was NOT sent there. It was RECEIVED from there. sorry, i'm slow today, but i still do not get it :) the subject line Attention: On vous a envoyé un virus is defenitly our notification. and also the first received in the header is showing our server adress (non-virtual secondary host) doesn't this mean it was generated by our server and sent to fanga ? Received: from [208.154.200.29] (helo=edmsa.net) by fanga.afribone.net.ml with esmtp (Exim 3.36 #1) id 19sJeI-0001P2-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 3:19 PM Subject: Re: [Declude.JunkMail] header problem i have a couple of issues i'm trying to understand this email was originaly generated by my server (from the subject line) 1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) It was NOT sent there. It was RECEIVED from there. 2- how come the from adress is on my server and the mail came from fanga.afribone.net.ml The E-mail came from fanga.afribone.net.ml because they sent it to you. I can't explain why it had your address in the From: header. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] osirusoft
yes, you'd better disable them otherwise, the server will slow down considerably (waiting for replies, timout is 10s for each test) you will also start to get false positives, as osirusoft is blacklisting everybody retry again the archives, you should be able to find a replacement i compiled what was posted here, attached is what i came up with - Original Message - From: Dale McDiarmid [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 3:56 PM Subject: [Declude.JunkMail] osirusoft Hello... My apologies if this has already been discussed. I'm not normally a member here, and the archives seem only to go up thru Aug. 25th. With the news of Osirusoft's troubles, Do I need to disable them in Declude? What are the repercussions of having Osirusoft enabled right now? Thanks, D. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. #OSDUL ip4rrelays.osirusoft.com127.0.0.3 5 0 #OSFORM ip4rrelays.osirusoft.com127.0.0.8 6 0 #OSLIST ip4rrelays.osirusoft.com127.0.0.7 5 0 #OSPROXYip4rrelays.osirusoft.com127.0.0.9 7 0 #OSRELAYip4rrelays.osirusoft.com127.0.0.2 5 0 #OSSMARTip4rrelays.osirusoft.com127.0.0.5 5 0 #OSSOFT ip4rrelays.osirusoft.com127.0.0.6 5 0 #OSSRC ip4rrelays.osirusoft.com127.0.0.4 10 0 #OSDIPS ip4rrelays.osirusoft.com127.0.0.3 5 0 BLITZEDALL ip4ropm.blitzed.org * 5 0 DSBLip4rlist.dsbl.org * 6 0 EASYNET-DNSBL ip4rblackholes.easynet.nl 127.0.0.2 5 0 EASYNET-PROXIES ip4rproxies.blackholes.easynet.nl * 5 0 EXSILIA-SPAMip4rspam.exsilia.net* 3 0 IPWHOIS ip4ripwhois.rfc-ignorant.org* 5 0 MONKEYFORMMAIL ip4rformmail.relays.monkeys.com * 7 0 MONKEYPROXIES ip4rproxies.relays.monkeys.com * 7 0 ORDBip4rrelays.ordb.org * 5 0 SPAMHAUSip4rsbl.spamhaus.org* 3 0 SPAMCOP ip4rbl.spamcop.net 127.0.0.2 10 0 SBL ip4rsbl.spamhaus.org127.0.0.2 5 0 DSN rhsbl dsn.rfc-ignorant.org127.0.0.2 3 0 NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 3 0 NOPOSTMASTERrhsbl postmaster.rfc-ignorant.org 127.0.0.3 3 0 BADHEADERS badheaders x x 8 0 HELOBOGUS helovalid x x 6 0 MAILFROMenvfrom x x 12 0 PERCENT percent x x 9 0 REVDNS revdnsexistsx x 3 0 ROUTING spamrouting x x 4 0 SPAMHEADERS spamheaders x x 3 0 SPAMDOMAINS spamdomains E:\imailsrvr\declude\sd.txt x 10 0 BASE64 base64 x x 4 0 IPNOTINMX ipnotinmx x x 0 -3 #*** FIVETEN-SPAMip4rblackholes.five-ten-sg.com 127.0.0.230 FIVETEN-BULKip4rblackholes.five-ten-sg.com 127.0.0.450 FIVETEN-MULTISTAGE ip4rblackholes.five-ten-sg.com 127.0.0.530 FIVETEN-SPAMSUPPORT ip4rblackholes.five-ten-sg.com 127.0.0.730 FIVETEN-MISCip4rblackholes.five-ten-sg.com 127.0.0.940 FIVETEN-SINGLESTAGE ip4rblackholes.five-ten-sg.com 127.0.0.630 FIVETEN-FREEip4rblackholes.five-ten-sg.com 127.0.0.12 30 MAILPOLICE-BULKrhsblbulk.rhs.mailpolice.com 127.0.0.250 MAILPOLICE-PORNrhsblporn.rhs.mailpolice.com 127.0.0.250 BONDEDSENDERip4rquery.bondedsender.org 127.0.0.10 -20 0 #* # This is an automatically maintained list generated by spamtraps whose messages # are then tested by a community maintained script at http://sourceforge.net/projects/sorbs/ # For the all-in info, see the
Re: [Declude.JunkMail] header problem
1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) RSP: It was NOT sent there. It was RECEIVED from there. sorry, i'm slow today, but i still do not get it :) the subject line Attention: On vous a envoyé un virus is defenitly our notification. I would personally not worry about this if it was just one E-mail. That E-mail was very convoluted. Since it was received from another server, it may be that it was an improper bounce message? and also the first received in the header is showing our server adress (non-virtual secondary host) Ah, then it may have actually come from your server. But that still doesn't explain the extra Received: headers. doesn't this mean it was generated by our server and sent to fanga ? Received: from [208.154.200.29] (helo=edmsa.net) by fanga.afribone.net.ml with esmtp (Exim 3.36 #1) id 19sJeI-0001P2-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + That header wasn't added by IMail. It means that fanga.afribone.net.ml received the E-mail from 208.154.200.29 (which most likely identifies itself as edmsa.net). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
FW: [Declude.JunkMail] Alligate
John, I understand you are very pleased with the product. Do you use MessageSniffer as well? If so, why? Thanks, Bill -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 28 Aug 2003 09:03:45 -0700 Please see the link to the archives in my earlier post on this. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of bill.maillists Sent: Thursday, August 28, 2003 8:28 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Alligate Im already using Message Sniffer with Declude. What would Alligate do that Message Sniffer doesn't? Thanks, Bill Newberg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] osirusoft
I'm deep into monitoring false positives, passed spam, and valid near misses. I'll post some info tonight or tomorrow. One thing that is very clear thus far is that FIVETEN detects a lot of spam that other blacklists don't, however they also have a very high false positive rate which is why I score them so low. Three of the FIVETEN tests marked 15 of 40 pieces of spam that got in under the top score, however it also marked 12 of 17 valid near misses (passed legit stuff) from newsletters and other sorts of automated mailings like opt-in lists and receipts. It also marked valid yahoo.com accounts which tend to fail several minor technical tests. Then for my false positives (rejected valid E-mail), it marked 3 of 8 messages. One note about what I am counting as valid here. There are varying levels of commercial E-mail and I am trying to pass anything opted-into directly or resulting from being a customer of that mailer. Most of this stuff is of no value, but I don't want to block it if I can help. SPAMCOP for instance is blocking a fundraising letter from George Bush's campaign that includes the customer's full name, and the NYTimes.com daily update fails FIVETEN-SPAMSUPPORT as well as SPAMHEADERS. Some companies use outside sources for their mailings and they suffer from not choosing wisely the company they deal with. So with the above results, I definitely would include FIVETEN in any setup, but score them very low in respect to others, hoping that they fail some technical tests to put them over the edge. The numbers in the summary are from my settings where I fail on a score of 10, and I don't score technical tests very high (though I'm probably going to increase BADHEADERS). Matt Serge wrote: yes, you'd better disable them otherwise, the server will slow down considerably (waiting for replies, timout is 10s for each test) you will also start to get false positives, as osirusoft is blacklisting everybody retry again the archives, you should be able to find a replacement i compiled what was posted here, attached is what i came up with - Original Message - From: "Dale McDiarmid" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 3:56 PM Subject: [Declude.JunkMail] osirusoft Hello... My apologies if this has already been discussed. I'm not normally a member here, and the archives seem only to go up thru Aug. 25th. With the news of Osirusoft's troubles, Do I need to disable them in Declude? What are the repercussions of having Osirusoft enabled right now? Thanks, D. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. #OSDUL ip4rrelays.osirusoft.com 127.0.0.3 5 0 #OSFORM ip4rrelays.osirusoft.com 127.0.0.8 6 0 #OSLIST ip4rrelays.osirusoft.com 127.0.0.7 5 0 #OSPROXY ip4rrelays.osirusoft.com 127.0.0.9 7 0 #OSRELAY ip4rrelays.osirusoft.com 127.0.0.2 5 0 #OSSMART ip4rrelays.osirusoft.com 127.0.0.5 5 0 #OSSOFT ip4rrelays.osirusoft.com 127.0.0.6 5 0 #OSSRC ip4rrelays.osirusoft.com 127.0.0.4 10 0 #OSDIPS ip4rrelays.osirusoft.com 127.0.0.3 5 0 BLITZEDALL ip4r opm.blitzed.org * 5 0 DSBL ip4r list.dsbl.org * 6 0 EASYNET-DNSBL ip4r blackholes.easynet.nl 127.0.0.2 5 0 EASYNET-PROXIES ip4r proxies.blackholes.easynet.nl * 5 0 EXSILIA-SPAM ip4r spam.exsilia.net * 3 0 IPWHOIS ip4r ipwhois.rfc-ignorant.org * 5 0 MONKEYFORMMAIL ip4rformmail.relays.monkeys.com * 7 0 MONKEYPROXIES ip4rproxies.relays.monkeys.com * 7 0 ORDB ip4r relays.ordb.org * 5 0 SPAMHAUS ip4r sbl.spamhaus.org * 3 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 10 0 SBL ip4r sbl.spamhaus.org 127.0.0.2 5 0 DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 3 0 NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 3 0 NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 3 0 BADHEADERS badheaders x x 8 0 HELOBOGUS helovalid x x 6 0 MAILFROMenvfrom x x 12 0 PERCENT percent x x 9 0 REVDNS revdnsexists x x 3 0 ROUTING spamrouting x x 4 0 SPAMHEADERS spamheaders x x 3 0 SPAMDOMAINS spamdomains E:\imailsrvr\declude\sd.txt x 10 0 BASE64 base64 x x 4 0 IPNOTINMX ipnotinmx x x 0 -3 #*** FIVETEN-SPAM ip4rblackholes.five-ten-sg.com 127.0.0.230 FIVETEN-BULK ip4rblackholes.five-ten-sg.com 127.0.0.450 FIVETEN-MULTISTAGE ip4rblackholes.five-ten-sg.com 127.0.0.530 FIVETEN-SPAMSUPPORT ip4rblackholes.five-ten-sg.com 127.0.0.730 FIVETEN-MISC ip4rblackholes.five-ten-sg.com 127.0.0.940
[Declude.JunkMail] stat/prob test, imail declude
Title: Message declude was developing aprobability spam test in one of the previous betas when will it be released ? will it be similar to imail stat test ? the message below did not get a high weight, but did get high imail stat score is there a way to use that header infoin declude ? X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, FIVETEN-SPAMSUPPORTX-weight: 9X-Declude version: 1.75X-Note: This E-mail was sent from bay5-dav51.bay5.hotmail.com ([65.54.173.81]).X-IMAIL-SPAM-STATISTICS: 0.9684
Re: [Declude.JunkMail] header problem
RSP:That header wasn't added by IMail. It means that fanga.afribone.net.ml received the E-mail from 208.154.200.29 (which most likely identifies itself as edmsa.net). that IS OUR imail server we received 2 of those today i will continue to monitor RSP:Ah, then it may have actually come from your server. But that still doesn't explain the extra Received: headers. exactly, but why did not the onlysendif work ? - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 28, 2003 4:35 PM Subject: Re: [Declude.JunkMail] header problem 1- why was it sent to fanga.afribone.net.ml ? i do not send notification to remote users ( ONLYSENDIFLOCALSENDER in sender.eml, and ONLYSENDIFLOCALRECIPIENT in recep.eml) RSP: It was NOT sent there. It was RECEIVED from there. sorry, i'm slow today, but i still do not get it :) the subject line Attention: On vous a envoyé un virus is defenitly our notification. I would personally not worry about this if it was just one E-mail. That E-mail was very convoluted. Since it was received from another server, it may be that it was an improper bounce message? and also the first received in the header is showing our server adress (non-virtual secondary host) Ah, then it may have actually come from your server. But that still doesn't explain the extra Received: headers. doesn't this mean it was generated by our server and sent to fanga ? Received: from [208.154.200.29] (helo=edmsa.net) by fanga.afribone.net.ml with esmtp (Exim 3.36 #1) id 19sJeI-0001P2-00 for [EMAIL PROTECTED]; Thu, 28 Aug 2003 10:05:03 + That header wasn't added by IMail. It means that fanga.afribone.net.ml received the E-mail from 208.154.200.29 (which most likely identifies itself as edmsa.net). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] header problem
RSP:Ah, then it may have actually come from your server. But that still doesn't explain the extra Received: headers. exactly, but why did not the onlysendif work ? Because the E-mail isn't what it seems to be. It could take hours to properly analyze it. That E-mail *did* go through other mailservers, which may have altered it. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] FW: Attention mail server administrators
[1] Dialup accounts where the ISP blocks outgoing SMTP E-mail. This is very, very common, and has been done for years. To handle this, E-mail must be sent through the ISP's mailserver. Unfortunately, for many telecommuters, they cannot send business mail thru the ISP, but must have it originate from their company servers (due to policy or legal requirements). So, they get hit with higher VPN costs in order to bypass the blocking, while spammers just move around to another tactic (recent ALABAMA ring, had dedicated lines to bypass getting killed by their ISP, used lots of stolen credit cards to establish accounts both for sending and for test receiving of email (to see what the ISP was successfully blocking)). Now, companies like No-Ip.com will just sell them space on dedicated IP's (which we have to keep blocking) and still the little user that was legitimately using their connection is the one that pays (with no real effect on spammers). --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Alligate
I do not use MessageSniffer at this time, but would if I could. I like the product. I have evaluated it. It is a very good test to use. Why would I use both, the broader the scope of the tests, the more chance of catching all spam with a lesser FP rate. They both have there strengths, and weaknesses. Their weaknesses is nothing to detract from them, it is inhearant in any program. I just do not have the funds at this time. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Bill Newberg Sent: Thursday, August 28, 2003 9:39 AM To: [EMAIL PROTECTED] Subject: FW: [Declude.JunkMail] Alligate John, I understand you are very pleased with the product. Do you use MessageSniffer as well? If so, why? Thanks, Bill -- Original Message -- From: John Tolmachoff \(Lists\) [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 28 Aug 2003 09:03:45 -0700 Please see the link to the archives in my earlier post on this. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of bill.maillists Sent: Thursday, August 28, 2003 8:28 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Alligate Im already using Message Sniffer with Declude. What would Alligate do that Message Sniffer doesn't? Thanks, Bill Newberg --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] stat/prob test, imail declude
declude was developing a probability spam test in one of the previous betas when will it be released ? We do not have an ETA on it. will it be similar to imail stat test ? No, it is very different (the one in Declude is not based on key words/phrases, which makes it much faster and less user-dependent, and produces a much more accurate statistic). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] osirusoft
Is it OK just to comment out the entries for now with a #? Yes, that will work fine (just make sure to do so in the \IMail\Declude\global.cfg file, where the tests are defined). -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] osirusoft
Is it OK just to comment out the entries for now with a #? Mike At 11:59 AM 8/28/2003 -0400, you wrote: With the news of Osirusoft's troubles, Do I need to disable them in Declude? Absolutely. What are the repercussions of having Osirusoft enabled right now? Legit E-mail failing their tests and slowdowns in processing E-mail. The word is that they are blacklisting the world...if you can reach their servers. Matt Dale McDiarmid wrote: Hello... My apologies if this has already been discussed. I'm not normally a member here, and the archives seem only to go up thru Aug. 25th. With the news of Osirusoft's troubles, Do I need to disable them in Declude? What are the repercussions of having Osirusoft enabled right now? Thanks, D. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [This E-mail scanned for viruses by Declude Virus] [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.