[Declude.JunkMail] SUBJECTSPACES test
I am sure I can do this but thought I would ask:

SUBJECTSPACES1 subjectspaces 15 x x 10 0
SUBJECTSPACES2 subjectspaces 30 x x 10 0

Any message with 30 or more spaces would get a weight of 20 added, correct?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Imail queue stuck
> I know this is an Ipswitch problem but I think I remember seeing this mentioned here before. A couple times today my SMTP stops, I restart and I get all my mail but it seems to just get stuck in the queue.

It seems that some people running IMail v8 are having this problem with the Queue Manager, even in 8.02. I'm not sure if there is a workaround.

> I noticed this. http://support.ipswitch.com/kb/IM-19990730-DM01.htm In it it mentions making sure the delivery application is smtp32.exe, mine has declude.exe this is right, right?

That's correct. Their KB article assumes that you aren't using the delivery application feature (which Declude uses).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] SUBJECTSPACES test
No, that column of numbers relates to the trigger point for the test, i.e. 1, 3 or 5 BCC's. Each failure scores only one point.

Same goes for the COMMENTS test. I did just a second ago limit that test to 10, 20, 30, 40 and 50, so the score would top out at 5 (fails at 10). I've found after testing that very few messages have 50+ comments in them, most of which is easy to detect spam, and I wanted to protect from false positives being a fan of using comments tags in my own code.

Matt

Bill Landry wrote:

> Matt, with this configuration, if a message has 5 or more BCC addresses listed, won't the message fail all three BCC tests and accumulate a total BCC weight of 9 points? Also, if a message contains 100 or more comments, won't it fail all nine of your comments tests and accumulate a total comments weight of 540 points?
>
> Bill
>
> - Original Message -
> From: "Matthew Bramble" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, September 09, 2003 11:22 PM
> Subject: Re: [Declude.JunkMail] SUBJECTSPACES test
>
> > Yes, you are correct. I do something similar with the BCC and COMMENTS tests. I think you have an extra "x" in your definitions though.
> >
> > BCC-1 bcc 1 x 1 0
> > BCC-3 bcc 3 x 1 0
> > BCC-5 bcc 5 x 1 0
> >
> > COMM-20 comments 20 x 1 0
> > COMM-30 comments 30 x 1 0
> > COMM-40 comments 40 x 1 0
> > COMM-50 comments 50 x 1 0
> > COMM-60 comments 60 x 1 0
> > COMM-70 comments 70 x 1 0
> > COMM-80 comments 80 x 1 0
> > COMM-90 comments 90 x 1 0
> > COMM-100 comments 100 x 1 0
> >
> > John Tolmachoff (Lists) wrote:
> >
> > > I am sure I can do this but thought I would ask:
> > >
> > > SUBJECTSPACES1 subjectspaces 15 x x 10 0
> > > SUBJECTSPACES2 subjectspaces 30 x x 10 0
> > >
> > > Any message with 30 or more spaces would get a weight of 20 added, correct?
> > >
> > > John Tolmachoff MCSE CSSA

--
===
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
---
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
===
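The stacked-threshold scoring worked out in this thread (every test that trips adds its own weight, and the third column is the trigger, not the weight), as an added Python example that is not code from any poster or from Declude. The field layout and the meaning of the negative-weight column are assumptions inferred from the definitions quoted above; the parser and its function names are hypothetical.

```python
"""Cumulative weight of stacked threshold tests (added illustration).

Assumed field layout, inferred from the definitions quoted in the thread:
    NAME  TYPE  TRIGGER  x ...  WEIGHT  NEGWEIGHT
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThresholdTest:
    name: str
    kind: str        # "bcc", "comments" or "subjectspaces"
    trigger: int     # the test fails when the measured count reaches this
    weight: int      # points added when the test fails
    neg_weight: int  # assumed: points added when it does not fail (0 here)


# Constructed sample input, built from the lines quoted in the thread.
BCC_TESTS = """\
BCC-1 bcc 1 x 1 0
BCC-3 bcc 3 x 1 0
BCC-5 bcc 5 x 1 0
"""

COMMENTS_TESTS = "\n".join(
    f"COMM-{n} comments {n} x 1 0" for n in range(20, 101, 10)
)

# Written with the extra "x", exactly as in the original question.
SUBJECTSPACES_TESTS = """\
SUBJECTSPACES1 subjectspaces 15 x x 10 0
SUBJECTSPACES2 subjectspaces 30 x x 10 0
"""


def parse_tests(text):
    """Parse definition lines into ThresholdTest objects.

    Weight and negative weight are read from the end of the line so that a
    stray placeholder column does not shift them. That tolerance is this
    example's choice, not documented Declude behaviour.
    """
    tests = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields: {raw!r}")
        try:
            trigger, weight, neg = int(fields[2]), int(fields[-2]), int(fields[-1])
        except ValueError:
            raise ValueError(
                f"line {lineno}: non-numeric trigger or weight: {raw!r}"
            ) from None
        tests.append(ThresholdTest(fields[0], fields[1].lower(), trigger, weight, neg))
    return tests


def score(tests, counts):
    """Return (total weight, names of failed tests) for one message.

    counts maps a test type to the value measured in the message, for
    example {"bcc": 5}. Tests whose type was not measured are skipped.
    """
    total, failed = 0, []
    for t in tests:
        if t.kind not in counts:
            continue
        if counts[t.kind] >= t.trigger:
            total += t.weight
            failed.append(t.name)
        else:
            total += t.neg_weight
    return total, failed


def sum_of_triggers(tests, counts):
    """The misreading from the thread: adding up the trigger column of the
    failed tests instead of their weight column."""
    return sum(t.trigger for t in tests
               if t.kind in counts and counts[t.kind] >= t.trigger)


if __name__ == "__main__":
    for label, text, counts in [
        ("5 BCC addresses", BCC_TESTS, {"bcc": 5}),
        ("100 comments", COMMENTS_TESTS, {"comments": 100}),
        ("30 subject spaces", SUBJECTSPACES_TESTS, {"subjectspaces": 30}),
        ("20 subject spaces", SUBJECTSPACES_TESTS, {"subjectspaces": 20}),
    ]:
        tests = parse_tests(text)
        total, failed = score(tests, counts)
        print(f"{label}: weight {total} from {failed}; "
              f"trigger-column sum would be {sum_of_triggers(tests, counts)}")
```

Before stacking several definitions of one test type, run the worst-case count through `score` to see the ceiling the ladder can add to a message's total.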
Re: [Declude.JunkMail] Detecting gibberish
R. Scott Perry wrote:

> Just for the record, we don't have plans to implement more Bayes filtering in Declude (we did years ago, before the Paul Graham article, and found that it just wasn't as effective as the weighting system).

Yeah, I tested the HERU filters and found them to be remarkably skilled at detecting opt-in advertising and newsletters. I saw your comments on this list about that fact and it being the reason why it didn't make a release. I even thought about using HERU-10 as a negative weight test to detect friendly opt-in ads :)

My only problem with using this DNS-based stuff is that you can only control the score and not the actual content of those databases. MAILPOLICE-PORN has been blocking Ebay for at least a week (figure that one out), SPAMCOP picked up PayPal.com for a short time last week and has even blacklisted Ipswitch as was discussed in this group earlier this year, Macromedia as well. I think they need to adjust their submission filters to account for the spam nazis :)

Technical tests can be very nice as well, though I just found another valid BADHEADERS violator, MDaemon's Web mail client which doesn't use 4 numbers in time offset, unless you live in the middle of the Pacific Ocean...

I just want to use some select content filters to help clean up the gray area. On my box about 5% of the E-mail scores between 5 and 9, and about 80% or more of that is spam. Around 5% also fails between 10-14, and about 97% of that is spam with the false positives being mostly automated stuff from poorly configured servers.

Just rambling...not enough sleep...grumble, grumble...

Matt
[Declude.JunkMail] How do I get removed
How do I get off this spam list. URBL I'm not even sure how I got on.

http://www.dnsstuff.com/tools/ip4r.ch?ip=64.118.70.2

Kevin Shimwell
Link Brokers Group, LLC ( Support )
401 Ist Ave. North
North Myrtle Beach, SC 29582
Phone: 843-663-1004
Fax: 843-663-1007
Email: [EMAIL PROTECTED]
24/7 Support http://www.linkbrokers.com/support_ticket.cfm
Support M-F 1-888-546-5631

[This E-mail scanned for viruses by Link Brokers Group, Inc Virus Protection]
RE: [Declude.JunkMail] How do I get removed
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

Thank you,

Robert Saylors A+
Technical Services Manager
FoxBerry Incorporated
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Link Brokers Support
Sent: Wednesday, September 10, 2003 9:29 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How do I get removed

> [This message failed the OSRELAY and may be SPAM.]
>
> How do I get off this spam list. URBL I'm not even sure how I got on.
>
> http://www.dnsstuff.com/tools/ip4r.ch?ip=64.118.70.2
>
> Kevin Shimwell
> Link Brokers Group, LLC ( Support )
Re: [Declude.JunkMail] How do I get removed
> How do I get off this spam list. URBL I'm not even sure how I got on.
>
> http://www.dnsstuff.com/tools/ip4r.ch?ip=64.118.70.2

If you read the description, you'll see why you are appropriately listed. We usually get several E-mails every day from people asking us. :(

-Scott
RE: [Declude.JunkMail] How do I get removed
Lists every IP address. Should not be used. This one was included because it has a good point: you REALLY should know what and why a test blocks before using it. Confirmed 09 Apr 2002.

http://www.declude.com/junkmail/support/ip4r.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Link Brokers Support
Sent: 10. september 2003 15:29
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] How do I get removed

> How do I get off this spam list. URBL I'm not even sure how I got on.
>
> http://www.dnsstuff.com/tools/ip4r.ch?ip=64.118.70.2
>
> Kevin Shimwell
> Link Brokers Group, LLC ( Support )
[Declude.JunkMail] mailbox forwarding no action
I'm pretty new to Declude Spam so I may have something setup wrong.

I have --
IMail: 7.0 ?5?
Declude Junkmail: 1.75 Pro

Virtual Domain: mail.example.com
With alias: example.com

Mailbox that has forwarding on it [EMAIL PROTECTED]
forwards to: [EMAIL PROTECTED] [EMAIL PROTECTED]

User1 has user config file (user1.junkmail)
User3 has user config file (user2.junkmail)
mail.example.com has default config file ($default$.junkmail)
All three config files are basically the same, with the only difference being the WHITELISTFILE settings.

declude has default config file ($default.junkmail)
This config file has everything turned off.

**

Now if a message is sent to User1 it fails tests, the log says that it is moving the message to the spambox mailbox (this is the correct action), but it never makes it, and the users that are setup to receive the forwarded message get it. Now the final users get the message, in the headers it says it fails but no action is taken.

If I remove the forward.ima file from the User1 directory (turning off forwarding) everything behaves as it should (the message goes into the spam box). Put the forwarding back on and it reverts back to the problem state.

Below is the debug log file, as you can see the log thinks the message is being moved to the correct place, but it never gets there. And there are no logs for the forwarded message to User2 and User3.

Am I doing something wrong? If you want I can show you the config files.

Thanks in advance.

--Jason W. Allen
Re: [Declude.JunkMail] SUBJECTSPACES test
Oops, I was looking at the wrong column for the weight.

Bill

- Original Message -
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 5:22 AM
Subject: Re: [Declude.JunkMail] SUBJECTSPACES test

> No, that column of numbers relates to the trigger point for the test, i.e. 1, 3 or 5 BCC's. Each failure scores only one point.
>
> Same goes for the COMMENTS test. I did just a second ago limit that test to 10, 20, 30, 40 and 50, so the score would top out at 5 (fails at 10). I've found after testing that very few messages have 50+ comments in them, most of which is easy to detect spam, and I wanted to protect from false positives being a fan of using comments tags in my own code.
>
> Matt
>
> Bill Landry wrote:
>
> > Matt, with this configuration, if a message has 5 or more BCC addresses listed, won't the message fail all three BCC tests and accumulate a total BCC weight of 9 points? Also, if a message contains 100 or more comments, won't it fail all nine of your comments tests and accumulate a total comments weight of 540 points?
> >
> > Bill
> >
> > - Original Message -
> > From: "Matthew Bramble" [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Tuesday, September 09, 2003 11:22 PM
> > Subject: Re: [Declude.JunkMail] SUBJECTSPACES test
> >
> > > Yes, you are correct. I do something similar with the BCC and COMMENTS tests. I think you have an extra "x" in your definitions though.
> > >
> > > BCC-1 bcc 1 x 1 0
> > > BCC-3 bcc 3 x 1 0
> > > BCC-5 bcc 5 x 1 0
> > >
> > > COMM-20 comments 20 x 1 0
> > > COMM-30 comments 30 x 1 0
> > > COMM-40 comments 40 x 1 0
> > > COMM-50 comments 50 x 1 0
> > > COMM-60 comments 60 x 1 0
> > > COMM-70 comments 70 x 1 0
> > > COMM-80 comments 80 x 1 0
> > > COMM-90 comments 90 x 1 0
> > > COMM-100 comments 100 x 1 0
> > >
> > > John Tolmachoff (Lists) wrote:
> > >
> > > > I am sure I can do this but thought I would ask:
> > > >
> > > > SUBJECTSPACES1 subjectspaces 15 x x 10 0
> > > > SUBJECTSPACES2 subjectspaces 30 x x 10 0
> > > >
> > > > Any message with 30 or more spaces would get a weight of 20 added, correct?
> > > >
> > > > John Tolmachoff MCSE CSSA
>
> --
> Matthew S. Bramble
Re: [Declude.JunkMail] How do I get removed
R. Scott Perry wrote:

> If you read the description, you'll see why you are appropriately listed. We usually get several E-mails every day from people asking us. :(

White text on the red background would cut down a little on those E-mails. The words are a little hard to see.
RE: [Declude.JunkMail] How do I get removed
Yeah, I ran the test and we're also on the BLARSBL. Looked up the secondary mail server and that too is on the list. Looks like he just blocked our whole IP range.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] How do I get removed

> > How do I get off this spam list. URBL I'm not even sure how I got on.
> >
> > http://www.dnsstuff.com/tools/ip4r.ch?ip=64.118.70.2
>
> If you read the description, you'll see why you are appropriately listed. We usually get several E-mails every day from people asking us. :(
>
> -Scott
Re: [Declude.JunkMail] mailbox forwarding no action
> Virtual Domain: mail.example.com
> With alias: example.com
> Mailbox that has forwarding on it [EMAIL PROTECTED]

In this case, all E-mail sent to [EMAIL PROTECTED] will use the configurations for [EMAIL PROTECTED]. That would be a per-user file \IMail\Declude\mail.example.com\user1.JunkMail or a per-domain file \IMail\Declude\mail.example.com.

> forwards to: [EMAIL PROTECTED] [EMAIL PROTECTED]

That actually isn't relevant here -- the E-mail will be scanned based on the settings for user1.

> Now if a message is sent to User1 it fails tests, the log says that it is moving the message to the spambox mailbox (this is the correct action), but it never makes it, and the users that are setup to receive the forwarded message get it.

Have you checked the IMail SMTP log files? They should provide some information as to what is happening.

-Scott
Re: [Declude.JunkMail] mailbox forwarding no action
See the following recent thread for the answer:

http://www.mail-archive.com/declude.junkmail%40declude.com/msg10790.html

Matt

Jason W. Allen wrote:

> I'm pretty new to Declude Spam so I may have something setup wrong.
>
> I have --
> IMail: 7.0 ?5?
> Declude Junkmail: 1.75 Pro
>
> Virtual Domain: mail.example.com
> With alias: example.com
>
> Mailbox that has forwarding on it [EMAIL PROTECTED]
> forwards to: [EMAIL PROTECTED] [EMAIL PROTECTED]
>
> User1 has user config file (user1.junkmail)
> User3 has user config file (user2.junkmail)
> mail.example.com has default config file ($default$.junkmail)
> All three config files are basically the same, with the only difference being the WHITELISTFILE settings.
>
> declude has default config file ($default.junkmail)
> This config file has everything turned off.
>
> **
>
> Now if a message is sent to User1 it fails tests, the log says that it is moving the message to the spambox mailbox (this is the correct action), but it never makes it, and the users that are setup to receive the forwarded message get it. Now the final users get the message, in the headers it says it fails but no action is taken.
>
> If I remove the forward.ima file from the User1 directory (turning off forwarding) everything behaves as it should (the message goes into the spam box). Put the forwarding back on and it reverts back to the problem state.
>
> Below is the debug log file, as you can see the log thinks the message is being moved to the correct place, but it never gets there. And there are no logs for the forwarded message to User2 and User3.
>
> Am I doing something wrong? If you want I can show you the config files.
>
> Thanks in advance.
>
> --Jason W. Allen
>
> 09/10/2003 09:14:42.953 Q23c2055400a6d83d Setting DNS server to IMail's 198.6.1.5.
> 09/10/2003 09:14:42.968 Q23c2055400a6d83d Declude JunkMail Pro Version Registered
> 09/10/2003 09:14:42.968 Q23c2055400a6d83d Start
> 09/10/2003 09:14:42.984 Q23c2055400a6d83d Locked E:\IMail\spool\Q23c2055400a6d83d.SMD.
> 09/10/2003 09:14:42.984 Q23c2055400a6d83d Getting message envelope
> 09/10/2003 09:14:42.984 Q23c2055400a6d83d Copyall=no_copyall_account.
> 09/10/2003 09:14:43.000 Q23c2055400a6d83d QE:\IMail\spool\D23c2055400a6d83d.SMD
> 09/10/2003 09:14:43.000 Q23c2055400a6d83d Hgershwin.mpgis.net
> 09/10/2003 09:14:43.015 Q23c2055400a6d83d WE:\IMail
> 09/10/2003 09:14:43.015 Q23c2055400a6d83d E0,
> 09/10/2003 09:14:43.031 Q23c2055400a6d83d S[EMAIL PROTECTED]
> 09/10/2003 09:14:43.031 Q23c2055400a6d83d NRCPT TO: [EMAIL PROTECTED]
> 09/10/2003 09:14:43.046 Q23c2055400a6d83d Recip: NRCPT TO: [EMAIL PROTECTED]
> 09/10/2003 09:14:43.046 Q23c2055400a6d83d R[EMAIL PROTECTED]
> 09/10/2003 09:14:43.046 Q23c2055400a6d83d Recip: R[EMAIL PROTECTED]
> 09/10/2003 09:14:43.062 Q23c2055400a6d83d Setting altaddr 0 to [EMAIL PROTECTED] [EMAIL PROTECTED]
> 09/10/2003 09:14:43.062 Q23c2055400a6d83d Setting reciphost to example.com
> 09/10/2003 09:14:43.062 Q23c2055400a6d83d
> 09/10/2003 09:14:43.078 Q23c2055400a6d83d nRecips: 1 (1 total)
> 09/10/2003 09:14:43.078 Q23c2055400a6d83d Recip 0: [EMAIL PROTECTED] = [EMAIL PROTECTED]
> 09/10/2003 09:14:43.093 Q23c2055400a6d83d Starting locality check (sender=declude.com; nr=1 ca=off).
> 09/10/2003 09:14:43.093 Q23c2055400a6d83d CL Opening HKEY_LOCAL_MACHINE\software\Ipswitch\IMail\Domains
> 09/10/2003 09:14:43.093 Q23c2055400a6d83d [EMAIL PROTECTED] [0] is local domain2
> 09/10/2003 09:14:43.109 Q23c2055400a6d83d Done getting message envelope
> 09/10/2003 09:14:43.109 Q23c2055400a6d83d Getting headers
> 09/10/2003 09:14:43.125 Q23c2055400a6d83d Done getting envelope and headers
> 09/10/2003 09:14:43.125 Q23c2055400a6d83d Ver=30 verflag=0
> 09/10/2003 09:14:43.140 Q23c2055400a6d83d About to run spam tests
> 09/10/2003 09:14:43.140 Q23c2055400a6d83d Going through datafile
> 09/10/2003 09:14:43.156 Q23c2055400a6d83d LOOKING FOR IP: Received: from www.declude.com [216.58.1
> 09/10/2003 09:14:43.156 Q23c2055400a6d83d Setting [IPTEXT] to 216.58.174.203
> 09/10/2003 09:14:43.156 Q23c2055400a6d83d iptext now=216.58.174.203
> 09/10/2003 09:14:43.171 Q23c2055400a6d83d Testing IP 216.58.174.203
> 09/10/2003 09:14:43.171 Q23c2055400a6d83d Handling Received: header
> 09/10/2003 09:14:43.187 Q23c2055400a6d83d Got IP 216.58.174.203
> 09/10/2003 09:14:43.187 Q23c2055400a6d83d Setting remote IP address to 216.58.174.203
> 09/10/2003 09:14:43.203 Q23c2055400a6d83d 203.174.58.216.in-addr.arpa
> 09/10/2003 09:14:52.890 Q23c2055400a6d83d revdns: nt3.nshosts.com.
> 09/10/2003 09:14:52.890 Q23c2055400a6d83d Hop 0: Checking IP Address 216.58.174.203.
> 09/10/2003 09:14:52.890 Q23c2055400a6d83d iptext=216.58.174.203 myip1=d83aaecb i=4
> 09/10/2003 09:15:02.968 Q23c2055400a6d83d Test 0-BLITZEDALL didn't get a response.
> 09/10/2003 09:15:02.968 Q23c2055400a6d83d Test 1-CBL didn't get a response.
> 09/10/2003 09:15:02.968 Q23c2055400a6d83d Test 2-DSBL didn't get a response.
> 09/10/2003 09:15:02.984 Q23c2055400a6d83d Test 3-EASYNET-DNSBL didn't get a
RE: [Declude.JunkMail] mailbox forwarding no action
What I don't understand is that the logs say it is using the correct config file and then performing the correct action. But that is as far as it goes. The message doesn't actually get moved to the Spambox Mailbox, but gets forwarded on to the downstream users and then settings don't pick it up.

The SMTP logs just show the message being received and then being converted to a .FWD File and forwarded to User2 User3

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] mailbox forwarding no action

> > Virtual Domain: mail.example.com
> > With alias: example.com
> > Mailbox that has forwarding on it [EMAIL PROTECTED]
>
> In this case, all E-mail sent to [EMAIL PROTECTED] will use the configurations for [EMAIL PROTECTED]. That would be a per-user file \IMail\Declude\mail.example.com\user1.JunkMail or a per-domain file \IMail\Declude\mail.example.com.
>
> > forwards to: [EMAIL PROTECTED] [EMAIL PROTECTED]
>
> That actually isn't relevant here -- the E-mail will be scanned based on the settings for user1.
>
> > Now if a message is sent to User1 it fails tests, the log says that it is moving the message to the spambox mailbox (this is the correct action), but it never makes it, and the users that are setup to receive the forwarded message get it.
>
> Have you checked the IMail SMTP log files? They should provide some information as to what is happening.
>
> -Scott
RE: [Declude.JunkMail] mailbox forwarding no action
> What I don't understand is that the logs say it is using the correct config file and then performing the correct action. But that is as far as it goes. The message doesn't actually get moved to the Spambox Mailbox, but gets forwarded on to the downstream users and then settings don't pick it up.

What happens here is Declude JunkMail changes the recipient's address from [EMAIL PROTECTED] to [EMAIL PROTECTED], and IMail is then supposed to deliver it to the spambox account.

> The SMTP logs just show the message being received and then being converted to a .FWD File and forwarded to User2 User3

Are you sure that you have a ., at the beginning of the forwarding line? Without that, IMail won't keep a copy in the original recipient's mailbox.

-Scott
RE: [Declude.JunkMail] mailbox forwarding no action
I have added the ., to the forward file and now a copy of the message gets moved to the spambox. But the message still goes downstream to the forwarded to Users and does not get picked up as spam.

I think I follow the logic of why this is not working: the message comes in from the outside, a copy is made to be processed by the forwarding Engine, the external (original message) gets tested, and since I don't have a copy being saved to the original recipient it doesn't do anything (since I enabled '.', it does get processed by declude and gets moved to the spambox--Correctly), the FWD Message does not get tested since it is now internal to the server, and goes to the downstream users, never getting tested, no action is taken and spam gets through.

Is this the correct logic, or am I missing something? Is there a way around this, such as once the message is moved then it is no longer forwarded, or that an internal message (the FWD message that gets processed by the SMTP-FWD) gets scanned by the Junkmail? Or should I revise my whole policy about forwarding?

--Jason W. Allen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action

> > What I don't understand is that the logs say it is using the correct config file and then performing the correct action. But that is as far as it goes. The message doesn't actually get moved to the Spambox Mailbox, but gets forwarded on to the downstream users and then settings don't pick it up.
>
> What happens here is Declude JunkMail changes the recipient's address from [EMAIL PROTECTED] to [EMAIL PROTECTED], and IMail is then supposed to deliver it to the spambox account.
>
> > The SMTP logs just show the message being received and then being converted to a .FWD File and forwarded to User2 User3
>
> Are you sure that you have a ., at the beginning of the forwarding line? Without that, IMail won't keep a copy in the original recipient's mailbox.
>
> -Scott
RE: [Declude.JunkMail] mailbox forwarding no action
> I have added the ., to the forward file and now a copy of the message gets moved to the spambox. But the message still goes downstream to the forwarded to Users and does not get picked up as spam.

That is the way that it should work. E-mail that is forwarded from one user to another automatically in IMail (as opposed to aliases or forwarding from a mail client) bypasses any scanning.

> I think I follow the logic of why this is not working: the message comes in from the outside, a copy is made to be processed by the forwarding Engine, the external (original message) gets tested, and since I don't have a copy being saved to the original recipient it doesn't do anything (since I enabled '.', it does get processed by declude and gets moved to the spambox--Correctly), the FWD Message does not get tested since it is now internal to the server, and goes to the downstream users, never getting tested, no action is taken and spam gets through. Is this the correct logic, or am I missing something?

Very close. The forwarding is actually handled by IMail after the E-mail is processed by Declude, so there is no evidence of forwarding when Declude sees the E-mail.

> Is there a way around this, such as once the message is moved then it is no longer forwarded, or that an internal message (the FWD message that gets processed by the SMTP-FWD) gets scanned by the Junkmail?

Unfortunately, I'm not aware of any way around this.

-Scott
RE: [Declude.JunkMail] mailbox forwarding no action
So in other words, if I have mailboxes with forwarding on them, spam will still get through. Disappointing...

--Jason W. Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Wednesday, September 10, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action

> I have added the ., to the forward file and now a copy of the message gets moved to the spambox. But the message still goes downstream to the forwarded to Users and does not get picked up as spam.

That is the way that it should work. E-mail that is forwarded from one user to another automatically in IMail (as opposed to aliases or forwarding from a mail client) bypasses any scanning.

> I think I follow the logic, of why this is not working: the message comes in from the outside, a copy is made to be processed by the forwarding Engine, the external (original message) gets tested, and since I don't have a copy being saved to the original recipient it doesn't do anything (since I enabled '.', it does get processed by declude and gets moved to the spambox--Correctly), the FWD Message does not get tested since it is now internal to the server, and goes to the downstream users, never getting tested, no action is taken and spam gets through. Is this the correct logic, or am I missing something?

Very close. The forwarding is actually handled by IMail after the E-mail is processed by Declude, so there is no evidence of forwarding when Declude sees the E-mail.

> Is there a way around this, such as once the message is moved then it is no longer forwarded, or that an internal message (the FWD message that gets processed by the SMTP-FWD) gets scanned by the Junkmail?

Unfortunately, I'm not aware of any way around this.

-Scott
[Declude.JunkMail] autowhitelist wildcard?
Is there any wildcard character that can be used in the address book addresses for the autowhitelist feature. For instance, if I was subscribed to a newsletter that was sent from [EMAIL PROTECTED], where the numbers after someone are different every time, is there some way to put it in the address book without having to whitelist [EMAIL PROTECTED]
RE: [Declude.JunkMail] mailbox forwarding no action
It appears that I spoke too soon... I have figured it out. I really don't want to beat a dead horse, but I really needed a solution for this.

We have addresses that need to have mail come from them, but not really receive mail; that's why they need to have a real mailbox (valid user) to send mail. Such as techsupport, etc. But these mailboxes are forwarded to multiple people, and with the configuration all the end mailboxes get a ton of spam; that's why it's very important that I find a solution.

So for anybody that's interested, here is the fix.

For the mailbox that is currently forwarded: [EMAIL PROTECTED]
Remove all the forwarding on this box.
Create an Alias that has the same name as the Mailbox: [EMAIL PROTECTED]
Forward this alias to the user(s) you need. To make sure that you can use the existing config files, make sure you forward to the Full Host, such as [EMAIL PROTECTED]
You can also set up the forwarding to a list file. See the IMail documentation for that.

There you have it. Any spam that comes in for the Alias will get redirected before it gets tested by Declude, making Declude think that the message came directly to the end user and test it accordingly.

--Jason W. Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action

So in other words, if I have mailboxes with forwarding on them, spam will still get through. Disappointing...

--Jason W. Allen
Re: [Declude.JunkMail] autowhitelist wildcard?
> Is there any wildcard character that can be used in the address book addresses for the autowhitelist feature. For instance, if I was subscribed to a newsletter that was sent from [EMAIL PROTECTED], where the numbers after someone are different every time, is there some way to put it in the address book without having to whitelist [EMAIL PROTECTED]

No, there are no wildcards.

-Scott
[Declude.JunkMail] OT: Slightly: Reason for HELO bogus
OK, I just got off the phone with another mail admin who claims his HELO bogus is by design. He claimed it is a security feature so the internal structure of his network can not be figured out.

Could somebody explain this logic to me? I can not figure out why a hacker/cracker would need or even use DNS to locate a service.

Kevin Bilbee
RE: [Declude.JunkMail] mailbox forwarding no action
Why do they have to have a real mail box? I send mail as aliases all the time; my support, sales, postmaster, hostmaster, webmaster, staff, etc., addresses are all aliases, but I have no problem sending as them, as long as the client is configured correctly.

Thanks,
Chuck Frolick
ArgoNet, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason W. Allen
Sent: Wednesday, September 10, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action

It appears that I spoke too soon... I have figured it out. I really don't want to beat a dead horse, but I really needed a solution for this.

We have addresses that need to have mail come from them, but not really receive mail; that's why they need to have a real mailbox (valid user) to send mail. Such as techsupport, etc. But these mailboxes are forwarded to multiple people, and with the configuration all the end mailboxes get a ton of spam; that's why it's very important that I find a solution.

So for anybody that's interested, here is the fix.

For the mailbox that is currently forwarded: [EMAIL PROTECTED]
Remove all the forwarding on this box.
Create an Alias that has the same name as the Mailbox: [EMAIL PROTECTED]
Forward this alias to the user(s) you need. To make sure that you can use the existing config files, make sure you forward to the Full Host, such as [EMAIL PROTECTED]
You can also set up the forwarding to a list file. See the IMail documentation for that.

There you have it. Any spam that comes in for the Alias will get redirected before it gets tested by Declude, making Declude think that the message came directly to the end user and test it accordingly.

--Jason W. Allen
RE: [Declude.JunkMail] mailbox forwarding no action
Some of the mail is not coming from a client. I have mail auto generators on some servers for certain apps, and websites. If I try to send from an alias I get relaying errors, since I can't use other settings, other than a mailfrom. So that's why I need a valid Email Address.

--Jason W. Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Charles Frolick
Sent: Wednesday, September 10, 2003 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] mailbox forwarding no action

Why do they have to have a real mail box? I send mail as aliases all the time; my support, sales, postmaster, hostmaster, webmaster, staff, etc., addresses are all aliases, but I have no problem sending as them, as long as the client is configured correctly.

Thanks,
Chuck Frolick
ArgoNet, Inc.
RE: [Declude.JunkMail] New test request
Any thoughts, good or bad?

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Tuesday, September 09, 2003 10:32 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] New test request

How about a test like this: NUMBERSINMAILFROM

It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
RE: [Declude.JunkMail] mailbox forwarding no action
> Maybe I misunderstand
>
> > The forwarding is actually handled by IMail after the E-mail is processed by Declude, so there is no evidence of forwarding when Declude sees the E-mail.
>
> If the forwarding is handled by Imail AFTER Declude processed it - then would Declude first ACT on the incoming email (e.g., bounce, delete, warn - and Virus checking) and only messages that make it past the Declude filters would eventually be forwarded?

That is correct.

> If it works that way - then where's the problem? There is no reason to rescan the forwarded copies, if the original was already processed?

If the E-mail is blocked (such as with DELETE or HOLD), there is no problem. But if you use an action that causes the E-mail to be delivered (such as SUBJECT, WARN, MAILBOX), then the forwarded E-mail will be delivered.

-Scott
RE: [Declude.JunkMail] mailbox forwarding no action
Scott:

Maybe I misunderstand

> The forwarding is actually handled by IMail after the E-mail is processed by Declude, so there is no evidence of forwarding when Declude sees the E-mail.

If the forwarding is handled by Imail AFTER Declude processed it - then would Declude first ACT on the incoming email (e.g., bounce, delete, warn - and Virus checking) and only messages that make it past the Declude filters would eventually be forwarded?

If it works that way - then where's the problem? There is no reason to rescan the forwarded copies, if the original was already processed?

If it doesn't work that way, e.g., if one can really entirely bypass Declude simply by sending mail to a forwarding email account - then this would be a huge security hole? But I can't imagine that being the case!?

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] New test request
> Any thoughts, good or bad?

It's one that we do hope to add. It's not foolproof (such as [EMAIL PROTECTED]), but would be useful in helping catch spam.

-Scott
Re: [Declude.JunkMail] autowhitelist wildcard?
So the e-mail that Mr. Koehler listed yesterday afternoon about this subject is incorrect? Darn, that would be an awesome feature. His e-mail is listed below...

Personal Whitelist

A personal whitelist allows you to accept email messages from any email address you want no matter how many Spam tests the message actually fails. There are three options currently available in the personal whitelist feature. You can whitelist individual email addresses, whitelist all messages from a certain domain and, if you do not want the anti-Spam service at all, you can whitelist all messages sent to your address.

E-mail Options -
1. [EMAIL PROTECTED] - whitelist a single email address.
2. [EMAIL PROTECTED] - whitelist all messages from a certain domain. To whitelist all messages from hotmail.com enter [EMAIL PROTECTED] For all messages from aol.com enter [EMAIL PROTECTED]
3. [EMAIL PROTECTED] - whitelist all messages from everyone (turns off Spam filtering). Enter [EMAIL PROTECTED] to whitelist all messages sent to your address.

Jason

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 11:39 AM
Subject: Re: [Declude.JunkMail] autowhitelist wildcard?

> Is there any wildcard character that can be used in the address book addresses for the autowhitelist feature. For instance, if I was subscribed to a newsletter that was sent from [EMAIL PROTECTED], where the numbers after someone are different every time, is there some way to put it in the address book without having to whitelist [EMAIL PROTECTED]

No, there are no wildcards.

-Scott
Re[2]: [Declude.JunkMail] mailbox forwarding no action
> If I try to send from an alias I get relaying errors, since I can't use other settings, other than a mailfrom. So that's why I need a valid Email Address.

Please don't tell us that you're using 'Relay for Local Users'--i.e. that you're running an open relay (unless this is only exposed internally). While some apps can't handle AUTH, is there some reason that you can't relay by IP? Are these server IPs really changing all that much?

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] X-Note: Number Recipient(s): 2?
Is there any way in which Declude could be set to not show this as 2, but 1?

----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:23 PM
Subject: Re: [Declude.JunkMail] X-Note: Number Recipient(s): 2?

> All messages show the following headers (intentional):
> X-Note: Number Recipient(s): 2
> X-Note: Recipient(s): [EMAIL PROTECTED]
> But the curious item is why does it show 2 recipients? We do use the Copy All account from time to time. Is this what it is picking up on, and just not showing?

That's correct. IMail tells Declude JunkMail that there are 2 recipients when the Copy All account is used.
Re: [Declude.JunkMail] autowhitelist wildcard?
> So the e-mail that Mr. Koehler listed yesterday afternoon about this subject is incorrect? Darn, that would be an awesome feature. His e-mail is listed below...

You can use [EMAIL PROTECTED] to whitelist all E-mail addresses at a domain. However, you can not use a wildcard, as in '[EMAIL PROTECTED]'.

-Scott
Re: [Declude.JunkMail] X-Note: Number Recipient(s): 2?
> Is there any way in which Declude could be set to not show this as 2, but 1?

Unfortunately, there is not (without removing the copyall account).

-Scott
RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action
See, now you've confused me... Which isn't very hard. I believe I have Relay for Local Users Only (if I look in the IMail admin interface, that's what it says, but it says relay by addresses in the web admin). Yet if I test relaying (by telnetting in and trying to send something with a local user address), I still get a relaying error and it won't let it. To me that means I am not an open relay. But I still need a local user mailbox to send from my App mailers.

--Jason W. Allen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman
Sent: Wednesday, September 10, 2003 2:13 PM
To: Jason W. Allen
Subject: Re[2]: [Declude.JunkMail] mailbox forwarding no action

> If I try to send from an alias I get relaying errors, since I can't use other settings, other than a mailfrom. So that's why I need a valid Email Address.

Please don't tell us that you're using 'Relay for Local Users'--i.e. that you're running an open relay (unless this is only exposed internally). While some apps can't handle AUTH, is there some reason that you can't relay by IP? Are these server IPs really changing all that much?

-Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] New test request
That would work great at detecting old Compuserve accounts :) I'm not convinced that this would be a very clear marker for spam though (depends on what the automated real stuff does), but you could probably set up a filter to test the theory.

First create a filter file test and score it as a negative 2:

SENDERNUM filter C:\IMail\Declude\SenderNum.txt x -2 0

Then fill the file with an entry for numbers 10-99, scoring each one as a single point:

MAILFROM 1 CONTAINS 10
MAILFROM 1 CONTAINS 11
MAILFROM 1 CONTAINS 12
...

This would score the number of digits in succession as follows, note that it will score higher if the address has numbers surrounded by letters, and lower if it is only numbers:

1 num = N/A
2 num = -1
3 num = 0
4 num = 1
5 num = 2
6 num = 3
7 num = 4
8 num = 5
9 num = 6
10 num = 7
...

Obviously there are two primary problems with this approach. First, it can have up to 86 points if the string of numbers is long enough (too bad you can't cap the total score of the filter). Secondly, it benefits senders by one point with just 3 successive numbers in their address. I'm thinking that some autoreply/auto-ticket systems might trip this filter though if they use the address instead of something in the subject line to track a communication. This might be same type of reason that some spammers use this...they might be cleaning their list with the bounces that get through HELO??? Who knows, maybe it's worth a try if you are really that interested in exploring whether or not the real thing would work??? Real-people E-mail shouldn't be failing too many other tests, and the automated stuff suffers greatly. Maybe having 3 numbers only in an E-mail address is something that rarely happens with spam???

Matt

John Tolmachoff (Lists) wrote:

Any thoughts, good or bad?
John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists) Sent: Tuesday, September 09, 2003 10:32 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] New test request How about a test like this: NUMBERSINMAILFROM It would be similar to SUBJECTSPACES but would count the amount of numbers in the mail from address. You could then configure it for say if 10 or more, add 5 to the weight and so forth. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com
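The SENDERNUM filter described in the message above, modelled as an added example (it is not part of the original thread and is not Declude code). It assumes each `MAILFROM 1 CONTAINS nn` line adds its point at most once per message and that the total is the -2 test weight plus the matching lines; the sample addresses are constructed.

```python
"""Model of the SENDERNUM filter idea from the thread (constructed example)."""
import re

BASE_WEIGHT = -2                              # weight given on the SENDERNUM test line
PATTERNS = [str(n) for n in range(10, 100)]   # one "MAILFROM 1 CONTAINS nn" line each


def matched_patterns(mailfrom):
    """Return the two-digit filter strings that occur anywhere in MAILFROM.

    Assumption: a filter line scores once per message, however many times
    its string occurs, and it is matched against the whole address
    (local part and domain).
    """
    return [p for p in PATTERNS if p in mailfrom]


def sendernum_score(mailfrom):
    """Total weight this model assigns to one envelope sender."""
    return BASE_WEIGHT + len(matched_patterns(mailfrom))


def longest_digit_run(mailfrom):
    """Length of the longest run of consecutive digits in the address."""
    return max((len(run) for run in re.findall(r"\d+", mailfrom)), default=0)


# Constructed sample senders covering the cases raised in the thread.
SAMPLES = [
    "user123@example.com",              # three digits in a row
    "bounce-1234567890@list.example",   # ten distinct-pair digits (list bounce address)
    "7005551234@pager.example",         # pager-style number with zeros and repeats
    "user1111@example.com",             # repeated digit: only "11" can match
    "a1b2c3d4e5@example.com",           # digits separated by letters: no pair at all
]


def report():
    """(address, longest digit run, score) for every sample."""
    return [(a, longest_digit_run(a), sendernum_score(a)) for a in SAMPLES]


if __name__ == "__main__":
    for address, run, score in report():
        print(f"{address:35} run={run:2d} score={score:+d}")
```

Under these assumptions the score tracks the number of distinct two-digit strings from 10 to 99 in the address rather than the digit count itself, so repeated digits, zeros and digits separated by letters all score lower than a run of the same length with distinct pairs.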
Re: [Declude.JunkMail] mailbox forwarding no action
I think you want to look at changing this. If I am correct (wasn't clear from the settings you described), I could fake my from address as one of your users and bounce E-mail off of your server. This is a common test for an open relay. What you want is "Relay Mail for Addresses" in the real IMail interface. Then press the addresses button and add the IP's of your E-mail sending scripts, and range for your local network(s). Anyone that is outside of either one of these areas can use SMTP AUTH to send E-mail ("My server requires authentication" checkbox in Outlook Express, not checked by default; automatic in Netscape).

Matt

Jason W. Allen wrote:

See now you've confused me... Which isn't very hard. I believe I have Relay for Local Users Only (If I look in the Imail admin interface, that's what it says, but it says relay by addresses in the web admin). Yet If I test relaying (by telnetting in and trying to send something with a local user address), I still get a relaying error and it won't let it. To me that means I am not an open relay. But I still need a local user mailbox to send from my App mailers.

--Jason W. Allen

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sanford Whiteman Sent: Wednesday, September 10, 2003 2:13 PM To: Jason W. Allen Subject: Re[2]: [Declude.JunkMail] mailbox forwarding no action

> If I try to send from an alias I get relaying errors, since I can't use other settings, other than a mailfrom. So that's why I need a valid Email Address.

Please don't tell us that you're using 'Relay for Local Users'--i.e. that you're running an open relay (unless this is only exposed internally). While some apps can't handle AUTH, is there some reason that you can't relay by IP? Are these server IPs really changing all that much?

-Sandy

Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED]
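The difference between the two relay settings discussed in this message, as an added example that is not part of the original thread. It is a simplified model of the settings as the posters describe them, not IMail's implementation; the domain, networks and addresses are constructed.

```python
"""Simplified model of the two relay settings discussed in the thread."""
import ipaddress
from dataclasses import dataclass

# Constructed values: the domain hosted on the server and the networks
# an administrator would list under "Relay Mail for Addresses".
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [
    ipaddress.ip_network("192.0.2.0/28"),   # application servers
    ipaddress.ip_network("10.0.0.0/8"),     # local network
]


@dataclass
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: str
    authenticated: bool = False   # True after a successful SMTP AUTH


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_local_delivery(s):
    """Mail addressed to a hosted domain is delivery, not relaying."""
    return domain_of(s.rcpt_to) in LOCAL_DOMAINS


def relay_for_local_users(s):
    """Weak setting: trusts the MAIL FROM value, which the client chooses."""
    return is_local_delivery(s) or domain_of(s.mail_from) in LOCAL_DOMAINS


def relay_for_addresses(s):
    """Corrected setting: trusts the connecting IP or a completed AUTH."""
    if is_local_delivery(s):
        return True
    ip = ipaddress.ip_address(s.client_ip)
    return s.authenticated or any(ip in net for net in TRUSTED_NETS)


# Constructed sessions: (label, session)
CASES = [
    ("app server on a listed IP", Session("192.0.2.10", "alerts@example.org", "customer@example.net")),
    ("outside host claiming a local sender", Session("203.0.113.7", "anyuser@example.org", "third-party@example.net")),
    ("roaming user with SMTP AUTH", Session("203.0.113.7", "roaming@example.org", "friend@example.net", True)),
    ("inbound mail for a local user", Session("198.51.100.4", "someone@example.net", "user@example.org")),
]


def compare():
    """(label, accepted under Local Users, accepted under Addresses) per case."""
    return [(label, relay_for_local_users(s), relay_for_addresses(s)) for label, s in CASES]


if __name__ == "__main__":
    for label, weak, fixed in compare():
        print(f"{label:40} local-users={weak!s:5} addresses={fixed}")
```

Only the second case differs between the two policies: the sender address is supplied by the client, so a policy keyed on it accepts mail from any host, while the IP- and AUTH-based policy rejects that session and still serves the app servers and roaming users.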
Re[4]: [Declude.JunkMail] mailbox forwarding no action
> I believe I have Relay for Local Users Only (If I look in the Imail admin interface, that's what it says...

Then that's what it is, and you're an open relay.

> Yet If I test relaying (by telnetting in and trying to send something with a local user address), I still get a relaying error and it won't let it.

That doesn't make sense. You said that your appservers can only relay if they use a local user address as the sender. Then you said that if you telnet in and use a local user address as the sender, you can't relay. Which one is it? Telnet is not substantively different from what your appservers are doing, so you need to get some more consistent results.

-Sandy

Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED]
RE: [Declude.JunkMail] New test request
Sorry, I've no great insight on the positive uses of this test, but I can point out another exception. E-mail enabled pagers and RIM Blackberries often have their phone number as the e-mail address @TheProviderDomain.com instead of or in addition to the subscriber's name. Andrew.
RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action
Working on it. Thanks for the tests, I don't know what I was doing wrong.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Charles Frolick Sent: Wednesday, September 10, 2003 3:32 PM To: [EMAIL PROTECTED] Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

Just relayed an email through your server from my desk. Transcript follows:

Opening mail.mpgis.net...
220 gershwin.mpgis.net (IMail 7.07 36033-2) NT-ESMTP Server X1
HELO argolink.net
250 hello gershwin.mpgis.net
MAIL FROM: [EMAIL PROTECTED]
250 ok
RCPT TO: [EMAIL PROTECTED]
250 ok its for [EMAIL PROTECTED]
DATA
354 ok, send it; end with CRLF.CRLF
Sending Data...
250 Message queued
QUIT
221 Goodbye

You are an open relay. The ONLY acceptable settings are, relay for address or no relay.

Thank you, Chuck Frolick ArgoNet, Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason W. Allen Sent: Wednesday, September 10, 2003 1:57 PM To: [EMAIL PROTECTED] Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

See now you've confused me... Which isn't very hard. I believe I have Relay for Local Users Only (If I look in the Imail admin interface, that's what it says, but it says relay by addresses in the web admin). Yet If I test relaying (by telnetting in and trying to send something with a local user address), I still get a relaying error and it won't let it. To me that means I am not an open relay. But I still need a local user mailbox to send from my App mailers.

--Jason W. Allen
RE: [Declude.JunkMail] New test request
maybe a bad idea - We send out e-mail that has a Variable Return Address, so that we can handle bounces well. In our case, that address is a combo of letters and numbers (lots of numbers sometimes). And, we work hard to make sure our mail is all requested! Other legit mailers use something similar. It does suggest the mail comes from a mailing list, but doesn't help to separate legit from spam.

Rob www.iGive.com

> not convinced that this would be a very clear marker for spam though (depends on what the automated real stuff does), but you could probably set up a filter to test the theory. First create a filter file test and score it as a negative 2:
RE: [Declude.JunkMail] SMTP Relay Limit
If all you need is a relay server or backup MX, then IIS' built-in SMTP server works just fine for us. We actually think of Imail as a mailbox server and try to offload all outbound or relay functions to the MS SMTP.

Best Regards Andy

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Wednesday, September 10, 2003 03:34 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SMTP Relay Limit

I'm running Declude as a gateway for various IPs and just hit a limit. Under

Addresses specified here are to be considered local addresses for mail gatewaying

Adding entries to Access Control under SMTP, the 100th entry produces an error:

Maximum table size reached

So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it. What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:

1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?

2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway

Any comments/insights would be appreciated. Thanks! Dan
RE: [Declude.JunkMail] mailbox forwarding no action
> But if you use an action that causes the E-mail to be delivered (such as SUBJECT, WARN, MAILBOX), then the forwarded E-mail will be delivered.

I'm a bit dense today - and why would THAT be a problem? Or are you saying the forwarded email would be an entirely new email message and Declude's subject or header inserts would not appear in those forwarded copies? Some of our clients do use forwarding mailboxes - so I just want to be clear about the implications.

Best Regards Andy
RE: [Declude.JunkMail] mailbox forwarding no action
> > But if you use an action that causes the E-mail to be delivered (such as SUBJECT, WARN, MAILBOX), then the forwarded E-mail will be delivered.
>
> I'm a bit dense today - and why would THAT be a problem?

They are using the MAILBOX action on the original recipient, so it will get delivered to [EMAIL PROTECTED], and then forwarded to [EMAIL PROTECTED] and [EMAIL PROTECTED] Since the forwarding doesn't have the MAILBOX action applied to it, there is no way to tell that it is spam.

-Scott
RE: [Declude.JunkMail] New test request
OK, my suggested weights are too high. Remember, the point of this test is to be used in the weighting system only. Pagers have 10 numbers, so I would actually start at either 11 or 15. An old CompuServe address will most likely not be failing other tests to where this one would put it over. How many numbers do those addresses have in them? I am thinking say if 11 numbers, add weight of 5. If 20 numbers, then add 15 more.

John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, September 10, 2003 12:32 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] New test request

Sorry, I've no great insight on the positive uses of this test, but I can point out another exception. E-mail enabled pagers and RIM Blackberries often have their phone number as the e-mail address @TheProviderDomain.com instead of or in addition to the subscriber's name. Andrew.
RE: [Declude.JunkMail] SMTP Relay Limit
I like Xmail server (http://www.xmailserver.org), it is multi platform and can easily do what you want.

Thanks, Chuck Frolick ArgoNet, Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Wednesday, September 10, 2003 2:34 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SMTP Relay Limit

I'm running Declude as a gateway for various IPs and just hit a limit. Under

Addresses specified here are to be considered local addresses for mail gatewaying

Adding entries to Access Control under SMTP, the 100th entry produces an error:

Maximum table size reached

So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it. What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:

1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?

2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway

Any comments/insights would be appreciated. Thanks! Dan
[Declude.JunkMail] Another AUTOWHITE question
Maybe this is a no-brainer, but ... Will [EMAIL PROTECTED] cover all email, or will I need an [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc.?

Wes Harper MCP Network Administrator Pioneer Telephone Cooperative, Inc. (405) 375-0290
RE: [Declude.JunkMail] New test request
Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter.

Andrew 8)

p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.

[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [Declude.JunkMail] New test request
Dan Patnode wrote:

> Good point, The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience), tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides? Dan

If you are looking for gibberish, look to the subject line and not the sender. I actually have a decent test for this in the subject line (don't use it in the body). The only false positives would come from very strange acronyms and auto-generated code such as tracking/receipt numbers. This scores higher the more gibberish you catch. It's been safe so far for me.

GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0

SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz
SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq
SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz
SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx
RE: [Declude.JunkMail] New test request
JT Pagers have 10 numbers, so I would actually start at either 11 or 15.
JT An old CompuServe address will most likely not be failing other tests to
JT where this one would put it over. How many numbers do those addresses have
JT in them?

Nine digits, e.g [EMAIL PROTECTED] (that was mine for 5 years before they really had an Internet gateway...)

Andrew 8)
Re: [Declude.JunkMail] New test request
I wouldn't consider that to be spam. Amazon? Travelocity? Yahoo Groups? Most of these are opt-in sources (by way of membership or purchase), and doing the bounce test that they are doing is in fact responsible use of commercial E-mail. If you are going to monitor for failed receivers, that means that your server isn't moving and you become a static target for the lists and heuristic filters. It's too bad that everyone doesn't do this. I'd much rather have a filter that detects no displayable text, or only searches decoded-non-HTML body text. Testing for that stuff would be a negative weight on my system...that's the F-P type of stuff that I'm trying to solve.

Matt

Colbeck, Andrew wrote:

Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter.

Andrew 8)

p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.

[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [Declude.JunkMail] Another AUTOWHITE question
> Maybe this is a no-brainer, but ... Will [EMAIL PROTECTED] cover all email, or will I need an [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], etc.?

[EMAIL PROTECTED] will whitelist everything sent to the user (even E-mail from .org/.net domains).

-Scott
RE: [Declude.JunkMail] New test request
MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT 2 CONTAINS qb
(snip)

This looks good, Matthew. The weight is low enough to be cautious, and I suspect the only false positives you will get are on subject lines with that raw =?ISO-8859-1?B?UmU6U2lsZG stuff.

(For those new to the party, Scott confirmed earlier that with declude.exe v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are not decoded to US-ASCII before applying a SUBJECT text match.)

Andrew 8)
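The GIBBERISHSUB letter-pair test and the encoded-subject false positive raised in this message, as an added example that is not part of the original thread and is not Declude code. The pair list is the one posted in the thread; case-insensitive matching and the sample subjects are assumptions made for the illustration.

```python
"""Letter-pair gibberish test on Subject lines, with and without MIME decoding."""
import base64
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Letter pairs from the GIBBERISHSUB filter posted in the thread.
PAIRS = (
    "qb qc qd qe qf qg qh qi qj qk qm qn qo qp qr qs qt qv qx qy qz "
    "vq wq tq jq xd xj xk xr xz zb zc zf zj zk zl zm zx"
).split()


def gibberish_hits(subject):
    """Sorted list of filter pairs found in the subject.

    Assumption: CONTAINS matching is case-insensitive.
    """
    lowered = subject.lower()
    return sorted(p for p in PAIRS if p in lowered)


def decode_subject(raw):
    """Decode RFC 2047 encoded-words; return the input unchanged if that fails."""
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw


def encode_b64_subject(text, charset="ISO-8859-1"):
    """Build a base64 encoded-word the way a mail client would send it."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


# Constructed subjects.
PLAIN = "Appointment reminder"
ENCODED = encode_b64_subject(PLAIN)      # starts with ...?B?QX, so "qx" matches
NOISE = "xqzjk offer zxqv"


def compare():
    """Hits for each subject as seen raw and after decoding."""
    return {
        "plain": gibberish_hits(PLAIN),
        "encoded, raw": gibberish_hits(ENCODED),
        "encoded, decoded": gibberish_hits(decode_subject(ENCODED)),
        "noise": gibberish_hits(NOISE),
    }


if __name__ == "__main__":
    print(ENCODED)
    for label, hits in compare().items():
        print(f"{label:18} {hits}")
```

The same readable subject scores only when it is matched in its raw base64 form, which is the false-positive source described above; decoding before matching removes it.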
RE: [Declude.JunkMail] New test request
In your examples, I only see 4 that would be FP under this, the ones from microsoft.com, unitedmedia.com, yahoo groups, and Travelocity.com. newsletters.microsoft.com is already in a whitefilter. Yahoo groups are already in a whitefilter for known problems. Travelocity is a legit company, and therefore could go in a whitefilter. comicsmail.unitedmedia.com is something that can go into a whitefilter. The point is, someone can always come up with examples of how it can be used and how it would cause problems. Maybe it means at 15 add 5 and at 25 add another 10.

John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com

-Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Wednesday, September 10, 2003 1:35 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] New test request

Here's some examples of mailing lists that have lots of numbers (and letters) in the MAILFROM. You may find that you'll have to put in a counterweight every time a user reports that they're missing mail when they sign up for a newsletter.

Andrew 8)

p.s. I've deliberately munged the addresses a little to make sure that our actual recipients won't get their newsletter interfered with because it was posted to a public forum.
RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action
Just further proof, here are the headers from the message I sent:

Received: from gershwin.mpgis.net [65.199.185.236] by argolink.net with ESMTP (SMTPD32-6.06) id A9D822F401B0; Wed, 10 Sep 2003 15:30:16 -0500
Received: from argolink.net [209.144.1.45] by gershwin.mpgis.net (SMTPD32-7.07) id A8201DF00DE; Wed, 10 Sep 2003 15:14:40 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Relay Test
Date: Sept 10, 2003 14:27 -0500
Message-ID: [EMAIL PROTECTED]
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [801e].
X-Declude-Sender: [EMAIL PROTECTED] [209.144.1.45]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Declude-Warning: [BADHEADERS] This message may be SPAM. This E-mail was sent from a broken mail client [801e].
X-SPAM-Level: SPAM-NONE
X-Declude-Sender: [EMAIL PROTECTED] [65.199.185.236]
X-Declude-Spoolname: D89d81b0.SMD
X-Note: This E-mail was scanned for SPAM by ArgoLink.net with Declude JunkMail.
X-Note: More info at http://help.argolink.net/spam.asp
X-Declude-Failed: BADHEADERS, NOLEGITCONTENT, SPAM-NONE
X-Declude-Total-Weight: 2
X-Declude-RCPT-Count: 1
X-RCPT-TO: [EMAIL PROTECTED]
X-UIDL: 363051832
Status: U

Ignore the BADHEADERS, I hand typed the message source.

Thanks, Chuck Frolick ArgoNet, Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles Frolick Sent: Wednesday, September 10, 2003 2:32 PM To: [EMAIL PROTECTED] Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

Just relayed an email through your server from my desk. Transcript follows:

Opening mail.mpgis.net...
220 gershwin.mpgis.net (IMail 7.07 36033-2) NT-ESMTP Server X1
HELO argolink.net
250 hello gershwin.mpgis.net
MAIL FROM: [EMAIL PROTECTED]
250 ok
RCPT TO: [EMAIL PROTECTED]
250 ok its for [EMAIL PROTECTED]
DATA
354 ok, send it; end with CRLF.CRLF
Sending Data...
250 Message queued
QUIT
221 Goodbye

You are an open relay. The ONLY acceptable settings are, relay for address or no relay.

Thank you, Chuck Frolick ArgoNet, Inc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason W. Allen Sent: Wednesday, September 10, 2003 1:57 PM To: [EMAIL PROTECTED] Subject: RE: Re[2]: [Declude.JunkMail] mailbox forwarding no action

See now you've confused me... Which isn't very hard. I believe I have Relay for Local Users Only (If I look in the Imail admin interface, that's what it says, but it says relay by addresses in the web admin). Yet If I test relaying (by telnetting in and trying to send something with a local user address), I still get a relaying error and it won't let it. To me that means I am not an open relay. But I still need a local user mailbox to send from my App mailers.

--Jason W. Allen
Re: [Declude.JunkMail] New test request
Thanks Andrew...I like my apples :) Some stuff could be put back in that I took out while testing the filter for the body before I found out that it caught attachments. I was careful to take out things like ql because of MSSQL, and I searched a dictionary file for matches on the other strings and deleted as was necessary, but other deletions were for more obscure reasons. My only concern was tagging an auto-generated serial/tracking number from an online receipt, but those should be generally numbers from looking over what I have saved from my purchases. I've gone kind of filter crazy in the last week. Anytime I see a message that should have been rejected, I look it over for patterns to match :) It's really too bad that this same filter doesn't work on the body text exclusively...that would tag a lot of the stuff that gets through.

Matt

Colbeck, Andrew wrote:

MB GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0
MB SUBJECT 2 CONTAINS qb
(snip)

This looks good, Matthew. The weight is low enough to be cautious, and I suspect the only false positives you will get are on subject lines with that raw =?ISO-8859-1?B?UmU6U2lsZG stuff.

(For those new to the party, Scott confirmed earlier that with declude.exe v1.75 (and a JunkMail Pro licence) these (8-bit encoded?) subject lines are not decoded to US-ASCII before applying a SUBJECT text match.)

Andrew 8)
Re: [Declude.JunkMail] New test request
Wow, what a sweet idea Matthew! Applying rules of English (like Q is always followed by U) to look for gibberish. :) Yea, so long as BODY searches attachments, any small code will sooner or later show up in an attachment. I've even had problems trying hard tests for complete words where an L was replaced with an I and it showed up in attachment PDF code.

Dan

On Wednesday, September 10, 2003 13:36, Matthew Bramble [EMAIL PROTECTED] wrote:

Dan Patnode wrote:

> Good point, The goal then should be to differentiate numbers used as codes from numbers used to confuse. The former tend to be contiguous while the latter (in my experience), tend to be mixed in with letters. Perhaps if the test counted numbers with letters on both sides? Dan

If you are looking for gibberish, look to the subject line and not the sender. I actually have a decent test for this in the subject line (don't use it in the body). The only false positives would come from very strange acronyms and auto-generated code such as tracking/receipt numbers. This scores higher the more gibberish you catch. It's been safe so far for me.

GIBBERISHSUB filter C:\IMail\Declude\GibberishSub.txt x 1 0

SUBJECT 2 CONTAINS qb
SUBJECT 2 CONTAINS qc
SUBJECT 2 CONTAINS qd
SUBJECT 2 CONTAINS qe
SUBJECT 2 CONTAINS qf
SUBJECT 2 CONTAINS qg
SUBJECT 2 CONTAINS qh
SUBJECT 2 CONTAINS qi
SUBJECT 2 CONTAINS qj
SUBJECT 2 CONTAINS qk
SUBJECT 2 CONTAINS qm
SUBJECT 2 CONTAINS qn
SUBJECT 2 CONTAINS qo
SUBJECT 2 CONTAINS qp
SUBJECT 2 CONTAINS qr
SUBJECT 2 CONTAINS qs
SUBJECT 2 CONTAINS qt
SUBJECT 2 CONTAINS qv
SUBJECT 2 CONTAINS qx
SUBJECT 2 CONTAINS qy
SUBJECT 2 CONTAINS qz
SUBJECT 2 CONTAINS vq
SUBJECT 2 CONTAINS wq
SUBJECT 2 CONTAINS tq
SUBJECT 2 CONTAINS jq
SUBJECT 2 CONTAINS xd
SUBJECT 2 CONTAINS xj
SUBJECT 2 CONTAINS xk
SUBJECT 2 CONTAINS xr
SUBJECT 2 CONTAINS xz
SUBJECT 2 CONTAINS zb
SUBJECT 2 CONTAINS zc
SUBJECT 2 CONTAINS zf
SUBJECT 2 CONTAINS zj
SUBJECT 2 CONTAINS zk
SUBJECT 2 CONTAINS zl
SUBJECT 2 CONTAINS zm
SUBJECT 2 CONTAINS zx
Re: [Declude.JunkMail] SMTP Relay Limit
Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names?

Thanks, Dan

On Wednesday, September 10, 2003 13:15, Charles Frolick [EMAIL PROTECTED] wrote:

I like Xmail server (http://www.xmailserver.org), it is multi platform and can easily do what you want.

Thanks, Chuck Frolick ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, September 10, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SMTP Relay Limit

I'm running Declude as a gateway for various IPs and just hit a limit. Under

Addresses specified here are to be considered local addresses for mail gatewaying

Adding entries to Access Control under SMTP, the 100th entry produces an error:

Maximum table size reached

So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it. What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:

1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?

2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway

Any comments/insights would be appreciated. Thanks! Dan
Re: [Declude.JunkMail] SMTP Relay Limit
Look at http://www.alligate.com

On 09/10/03 3:20pm you wrote...

Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names?

Thanks, Dan

On Wednesday, September 10, 2003 13:15, Charles Frolick [EMAIL PROTECTED] wrote:

I like Xmail server (http://www.xmailserver.org), it is multi platform and can easily do what you want.

Thanks, Chuck Frolick ArgoNet, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode
Sent: Wednesday, September 10, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SMTP Relay Limit

I'm running Declude as a gateway for various IPs and just hit a limit. Under

Addresses specified here are to be considered local addresses for mail gatewaying

Adding entries to Access Control under SMTP, the 100th entry produces an error:

Maximum table size reached

So now, no more clients can be added because I can't relay their mail. Ipswitch says it's hard coded across all versions and a fix is months away, if they agree to do it. What I'm thinking is sending all mail to a down stream server that doesn't have this limit that would in turn forward to clients. This leaves two questions:

1) What's the best email server software to do this with, providing both unlimited relay IPs and easy text editing of the delivery list (Linux, Windows, Mac)?

2) What's the best way to deliver from Imail to this server? The obvious is to add this same IP to every domain listed in the hosts file, but would it be better to use Gateway Option, Send all remote mail through gateway

Any comments/insights would be appreciated. Thanks! Dan
Re: [Declude.JunkMail] SMTP Relay Limit
Dan Patnode wrote:

Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names? Thanks, Dan

What, Microsoft doesn't count? LOL! Honestly, what larger ISP isn't using Sendmail? I don't think they answer the phone, but it's free and there are 50,000 different utilities to make it do whatever you want. Ipswitch would seem to be the leading non-groupware E-mail system for Windows, followed by MDaemon and SLMail (I'm sure there are others of course and the order may be different). It's a crying shame that IMail has such a basic shortcoming. One might think that was purposeful.

Matt
Re[2]: [Declude.JunkMail] SMTP Relay Limit
Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability.

MSN eats its own dog food, AFAIK. We've been able to pump MS SMTP at enterprise loads, and as the same engine behind Exchange 2K, support is readily available. If you've been satisfied with IMail's configurability and performance as a gateway, I'd say there's no (0.00%) chance that MS SMTP will disappoint you in that function.

-Sandy

Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED]
Re: [Declude.JunkMail] Strange Subject
FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: Shirley Dalton [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

htmlbody center!--lfoln42j66--a href=http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni;img src=http://discountrate2-dot-com/pics/gv1.gif; height=270 width=405/a/center /html/body
Re: [Declude.JunkMail] Strange Subject
Scott, It pains me to suggest making your todo list longer but how about adding test grouping? It would be too much to make multiple weight scales, but how about something simpler. Say you wanted to make 3 groups of 3 each. Label one of the option columns in such a way that they can be grouped:

Group1 G1 x x 0 0
Group2 G2 x x 0 0
Group3 G3 x x 0 0
BADHEADERS badheaders G1 x 0 0
BASE64 base64 G1 x 0 0
HELOBOGUS helovalid G1 x 0 0
MAILFROM envfrom G2 x 0 0
IPNOTINMX ipnotinm G2 x 0 0
PERCENT percent G2 x 0 0
REVDNS revdnsexists G3 x 0 0
ROUTING spamrouting G3 x 0 0
SPAMHEADERS spamheaders G3 x 0 0

Sub tests could be duplicated to run solo and in a group or not to run only in a group. Groups could be hit only in action files ($default) or have weights (being tests of their own). We could then build profiles, adding all the different behaviors particular spams share, regardless of which tests define those behaviors. I would love, for example, to combine an IPFILE listing US broadband IPs with NONENGLISH.

Dan

On Wednesday, September 10, 2003 16:57, Dan Patnode [EMAIL PROTECTED] wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: Shirley Dalton [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

htmlbody center!--lfoln42j66--a href=http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni;img src=http://discountrate2-dot-com/pics/gv1.gif; height=270 width=405/a/center /html/body
Re: [Declude.JunkMail] Strange Subject
How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.

I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score).

I could catch so much crap with those 40 or so two character gibberish strings, in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).

I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.

Matt

Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 314612976

htmlbody center!--lfoln42j66--a href="" class="moz-txt-link-rfc2396E"
[Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT
Anyone else getting messages such as this? I'm getting them delivered into a number of different e-mail accounts. Could this be the next thing thanks to SoBig?

-Original Message-
From: Aron [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:45 AM
Subject: URGENT URGENT URGENT
Importance: High

"GOT YOU"

If you were dumb enough to open this email then you will find a WORM has executed itself through your mailbox and by the time you read this into your hard-drive. This is PAYBACK for the Virus you disguised in the email you sent to us recently which destroyed our hard-drive and back-up system. This costs us thousands of dollars and we lost a lot of irreplaceable files on our system. Now it's your turn to have your computer infected. This WORM it is undetectable by AntiVirus software and it will drive your computer crazy because it's always hiding and causing havoc in your system. Using your computer recovery disks will not remove the problem cause it still stays on your computers Motherboard. This will proabably cost you a new computer and I sincerely hope this teaches you a lesson not to send people nasty viruses again.

Evocash Administration Inc. Phone: +1 767 4499922 Fax: +1 767 4499922

^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-
Re: Re: [Declude.JunkMail] Strange Subject
How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the

What is your test setup for the above string, please?

Thanks, Doug

How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.

I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score).

I could catch so much crap with those 40 or so two character gibberish strings, in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).

I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.

Matt

Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like: SUBJECT 40 CONTAINS =?ISO-8859-1?b? to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments). The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body, is having different country's TLDs listed in the Received line, the sender, and the reverse DNS.

Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2:
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +
Message-ID: [EMAIL PROTECTED]
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
Re: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT
This is just a virus hoax: http://www.trendmicro.com/vinfo/hoaxes/hoax5.asp?HName=Got+You+Worm+Hoax

Cheers Adrian

From: Jeff Maze - Hostmaster
To: [EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:03 AM
Subject: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT

Anyone else getting messages such as this? I'm getting them delivered into a number of different e-mail accounts. Could this be the next thing thanks to SoBig?

-Original Message-
From: Aron [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:45 AM
Subject: URGENT URGENT URGENT
Importance: High

"GOT YOU"

If you were dumb enough to open this email then you will find a WORM has executed itself through your mailbox and by the time you read this into your hard-drive. This is PAYBACK for the Virus you disguised in the email you sent to us recently which destroyed our hard-drive and back-up system. This costs us thousands of dollars and we lost a lot of irreplaceable files on our system. Now it's your turn to have your computer infected. This WORM it is undetectable by AntiVirus software and it will drive your computer crazy because it's always hiding and causing havoc in your system. Using your computer recovery disks will not remove the problem cause it still stays on your computers Motherboard. This will proabably cost you a new computer and I sincerely hope this teaches you a lesson not to send people nasty viruses again.

Evocash Administration Inc. Phone: +1 767 4499922 Fax: +1 767 4499922

^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-
Re: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT
http://securityresponse.symantec.com/avcenter/venc/data/got.you.hoax.html

It's a Hoax.

Todd Hunter Progressive Systems

- Original Message -
From: Jeff Maze - Hostmaster
To: [EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 8:03 PM
Subject: [Declude.JunkMail] [OT] - Subject: URGENT URGENT URGENT

Anyone else getting messages such as this? I'm getting them delivered into a number of different e-mail accounts. Could this be the next thing thanks to SoBig?

-Original Message-
From: Aron [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 8:45 AM
Subject: URGENT URGENT URGENT
Importance: High

"GOT YOU"

If you were dumb enough to open this email then you will find a WORM has executed itself through your mailbox and by the time you read this into your hard-drive. This is PAYBACK for the Virus you disguised in the email you sent to us recently which destroyed our hard-drive and back-up system. This costs us thousands of dollars and we lost a lot of irreplaceable files on our system. Now it's your turn to have your computer infected. This WORM it is undetectable by AntiVirus software and it will drive your computer crazy because it's always hiding and causing havoc in your system. Using your computer recovery disks will not remove the problem cause it still stays on your computers Motherboard. This will proabably cost you a new computer and I sincerely hope this teaches you a lesson not to send people nasty viruses again.

Evocash Administration Inc. Phone: +1 767 4499922 Fax: +1 767 4499922

^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-^+Start^=Auto^Execute+^WORM^-
Re: [Declude.JunkMail] Strange Subject
It pains me to suggest making your todo list longer but how about adding test grouping?

Don't feel bad -- it was already in the todo list. :)

-Scott
Re: [Declude.JunkMail] Strange Subject
Doug McKee wrote:

What is your test setup for the above string, please?

SUBJECT 15 CONTAINS =?ISO-8859-1?b?

From what I can tell, there's no valid reason to encode Latin-1 in the subject since that character set is supported by default in E-mail, so it's quite safe to fail on just that.

Matt
Re: [Declude.JunkMail] Strange Subject
I did a scan of all uncaught spam from the last week, found all the ones with Q, removed the QU's and ended up with this list. All of these would have been seen by Matt's new config:

Subject: Block those unwanted Popups yqvqk
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: Block those unwanted Popups yqvqk
Subject: FW: drive luxury cars and get paid 9xP%oY5NzPG\q2G
Subject: FW: drive luxury cars and get paid L0z[7J4aYq!F7P1
Subject: FW: get that extra boost in the bed uvqtc qqyixu
Subject: FW: new mailREgnfqnKQT
Subject: Fw: :( would u mind if i ..jqvmoiqfkzkokdwns u
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: get that extra boost in the bed uvqtc qqyixu
Subject: Re: new mailREgnfqnKQT
Subject: Re: new mail REgnfqnKQT
Subject: Stop messages SPAM po p vyoaejswayqo
Subject: [Fwd: =?GB2312?B?0OnE4r/VvOS089PFu92jrDE5OdSqv8nS1L2o0ru49s341b6jrA==?==?GB2312?B?uM+/7LW9d3d3LjA3NTVzei5jb23J6sfrsMld?=

Dan

On Wednesday, September 10, 2003 17:45, Matthew Bramble [EMAIL PROTECTED] wrote:

How about 4 different super tests? I fail automatically on =?ISO-8859-1?B?, and that accounts for more than 1% of the E-mail coming in to my server, but only a handful of additional catches in what was being missed...no false positives.

I think I've mentioned enough times, the other tests that I would like to have...a BODYTEXT filter that searches just a decoded non-HTML body, a NOTEXT test for nothing but spaces and returns and attachments (that's a key) after decoding and de-HTMLifying, and a TEXTCOUNT marquee test that would allow you to search for amounts of non-HTML decoded body text just like SUBJECTSPACES and BCC, but in reverse (the less there is, the higher the score).

I could catch so much crap with those 40 or so two character gibberish strings, in fact I think it was properly tagging around 10% to 20% of all unique incoming messages today if not more. That gibberish subject filter is tagging over 5% by itself, and with perfect accuracy so far. A functional gibberish body filter though would have a reasonable number of false positives (was tagging buy.com links that were shown in displayable text for instance).

I don't of course though expect Scott to rush to my aid here. I have managed to add though tests for SUBJECTSPACES (very effective), COMMENTS (effective) and BCC (just ok), along with some small key word/phrase filters for the body, subject and sender with very good success. I only saw about 5 definitive false positives today out of around 3000 unique messages, but approximately 150 pieces of spam got through. I think that could be reduced by as much as half without a measurable impact on the false positives. If that doesn't work, I'm buying a gun :)

BTW, on Linux, my guru buddy recommends Postfix as the SMTP client and Webmin as the interface. I don't though dispute Sandy's faith in MS SMTP, and it can be run on the same box as IMail.

Matt

Dan Patnode wrote:

FYI, I pulled this test 3 weeks ago after an email from France came through (or rather didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, disposable domain names, and nothing else in the body of the message. There has to be a way to bring the 2 or 3 variables together as a super test.

Dan

On Monday, September 8, 2003 19:05, Matthew Bramble [EMAIL PROTECTED] wrote:

Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it. The SUBJECT filter also doesn't catch the decoded text. I found though that if you use the HEADERS filter, it will catch this (customize to suit, this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

HEADERS 10 CONTAINS ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text. The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments).

The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text. This guy is real good at getting through my settings unless he chooses a bad IP to send from. I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers). The only pattern this guy leaves apart from having no text in the body,
Re: [Declude.JunkMail] Strange Subject
Add the following tests and it gets even better :)

SUBSPACE-10 subjectspaces 10 x 10
SUBSPACE-20 subjectspaces 20 x 20
SUBSPACE-30 subjectspaces 30 x 30

Matt
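The signals discussed in this thread, combined in an added Python example (not Declude's code and not posted by any list member): it decodes the RFC 2047 subject that Dan quoted, applies the cumulative SUBJECTSPACES tiers from the thread's opening question (15 and 30 spaces, weight 10 each), and fires a combined test only when a base64 ISO-8859-1 subject coincides with a body that has no text. COMBO_WEIGHT, the function names and the message bodies are assumptions constructed for the illustration.

```python
import re
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?payload?= (charset/encoding are case-insensitive)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bq])\?[^?\s]*\?=", re.IGNORECASE)

# Tiers from the thread's SUBJECTSPACES question: each threshold reached adds its weight.
SPACE_TIERS = [(15, 10), (30, 10)]
COMBO_WEIGHT = 40  # assumed weight for the combined "super test"


def decode_subject(raw):
    """Decode every encoded-word so tests see what the recipient sees."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def evaluate(raw_subject, body_text):
    """Return the decoded subject, the individual signals and the total weight."""
    decoded = decode_subject(raw_subject)
    b64_latin1 = any(cs.lower() == "iso-8859-1" and enc.lower() == "b"
                     for cs, enc in ENCODED_WORD.findall(raw_subject))
    signals = {
        "b64_latin1_subject": b64_latin1,
        # A pure-ASCII payload means nothing in the subject needed encoding.
        "needless_encoding": b64_latin1 and decoded.isascii(),
        "no_body_text": not body_text.strip(),
        "subject_spaces": decoded.count(" "),
    }
    weight = sum(w for limit, w in SPACE_TIERS if signals["subject_spaces"] >= limit)
    # Combined test: add weight only when encoded subject and empty body coincide.
    if b64_latin1 and signals["no_body_text"]:
        weight += COMBO_WEIGHT
    return decoded, signals, weight


# Subject quoted in the thread (the false positive from France); bodies are constructed.
FRENCH = "=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?="
if __name__ == "__main__":
    for body in ("Bonjour, voici notre lettre d'information.", "  \r\n"):
        print(evaluate(FRENCH, body))
    print(evaluate("cheap" + " " * 30 + "xqzv", "text"))
```

A raw-header match on the encoded-word marker flags the French subject on its own, while the combined test adds weight only when the same message also has no body text.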
Re: [Declude.JunkMail] SMTP Relay Limit
Dan,

If you're going Unix-based, qmail and Postfix are faster and more widely used than Exim. But with all three you don't have anybody to call if things break. If you need support, I recommend SurgeMail by Netwin www.surgemail.com ...I've heard good things about the scalability of their product and in evaluating their software recently they have provided me with great customer service (though their business hours are awkward since they're in New Zealand). And they have builds for just about every OS.

Bill

-----Original Message-----
From: Dan Patnode
Sent: 10 Sep 2003 16:32:26 -0700
Subject: Re: [Declude.JunkMail] SMTP Relay Limit

Any opinions on Exim?: http://www.exim.org/

Dan

On Wednesday, September 10, 2003 15:36, Matthew Bramble [EMAIL PROTECTED] wrote:

Dan Patnode wrote:

Should have been more specific, I'm looking for something used by larger ISPs that gives me the confidence of volume and stability. Something attached to a name and a phone number I can call when there's a problem. I don't mind paying for it. Top 2 or 3 names?

Thanks, Dan

What, Microsoft doesn't count? LOL!

Honestly, what larger ISP isn't using Sendmail? I don't think they answer the phone, but it's free and there are 50,000 different utilities to make it do whatever you want. Ipswitch would seem to be the leading non-groupware E-mail system for Windows, followed by MDaemon and SLMail (I'm sure there are others of course and the order may be different). It's a crying shame that IMail has such a basic shortcoming. One might think that was purposeful.

Matt