Re: [Declude.JunkMail] Internal Mail

2003-09-19 Thread Dan Patnode
Darryl,

You can run Declude on its own server in front of clients' email servers, as a 
gateway.  Only external email then gets scanned for spam.

Dan



On Thursday, September 18, 2003 8:01, Darryl Koster [EMAIL PROTECTED] wrote:


The hosting business I run deals mainly with business and I have no dial up
or dsl customers that use my services. Saying this it means we get a lot of
internal mail going between clients. Is there a way to ensure that e-mails
sent from an address (say statustechnologies to statustechnologies) will be
allowed through? I know that there is the whitelist from, it's hard to list
over 1000 clients on there with only 200 whitelist options
available.

Having something like this would definitely cut down on the amount of held
mail we get on a daily basis.

Thanks

Darryl Koster
~~
Status Technologies Inc.   President/Owner
Let Us Help You Get The Status You Deserve!
http://www.statustechnologies.com
P: (905) 435-0145  TF (NA) 888-909-9004  F: (905) 435-0873



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.




Re: [Declude.JunkMail] Some good info on the Verislime coup

2003-09-19 Thread Dan Patnode
Interesting points,

There's a name for industries where more than one supplier isn't practical: natural 
monopoly.  I can't recall a single example where a natural monopoly improved after 
privatization.  In economics terms, systems for maximizing profit (capitalism) don't 
work with systems where multiple suppliers are possible/practical.  Imagine multiple 
water pipes coming into your home, one for each company.

We're so used to words like capitalism and democracy, we don't realize our systems are 
actually hybrids, operating in balance.

Dan


On Thursday, September 18, 2003 10:29, Todd Holt [EMAIL PROTECTED] wrote:
Just another example of what happens when basic infrastructure is
privatized!  I'm not a bleeding heart liberal proponent of government
controlling everything, but I do believe that certain infrastructure
components need to be controlled by a disinterested third party (or less
interested) that can be controlled by the will of the people to some
degree (by voting).

This problem is similar to the deregulation of electricity.  Now many
parts of the country pay more for electricity than before.  And what
happens if some bonehead company takes over a huge section of the
grid, then goes bankrupt?

We now have absolutely no control over the internet!  Be careful of what
you wish for, because you just may get it!

Another interesting note from the article, how about this hypothetical
situation:
One of my users sends a message to his mother telling her that he just
found out that he tested positive for AIDS.  Not wanting his employer to
know because of fears of discrimination.  And expecting that only his
mother will read the message.

In that message, he accidentally misspells the domain name in his
mother's address.  This message now gets sent to Verislime's SMTP relay
server, the content saved and the message discarded.  Next, the content
is sold to a researcher who contacts the original user's employer asking
for medical history on the person with AIDS.  Now the employer knows,
the discrimination occurs.

Does that user have a right to sue me as the email provider for not
ensuring his privacy?

Tell me the lawyers won't have a field day with that.

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Sheldon Koehler
 Sent: Thursday, September 18, 2003 9:33 AM
 To: [EMAIL PROTECTED]
 Subject: [Declude.JunkMail] Some good info on the Verislime coup
 
 
 http://homepages.tesco.net./~J.deBoynePollard/FGA/verisign-internet-coup.html
 
 
 Sheldon
 
 
 Sheldon Koehler, Owner/Partner   http://www.tenforward.com
 Ten Forward Communications   360-457-9023
 Nationwide access, neighborhood support!
 
 Whenever you find yourself on the side of the majority, it's time
 to pause and reflect. Mark Twain
 
 


Re: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread System Administrator
on 9/18/03 9:38 PM, R. Scott Perry wrote:

 Thanks a bunch for both new features.  Are you planning on doing anything
 in the future with the IP's that you are collecting, i.e. new
 functionality like creating a blacklist?  Or is this just being done to
 facilitate that test?
 
 We haven't decided for certain what we are going to do, but if we get
 enough of a volume, we will likely send automated notices to the
 appropriate abuse addresses.

One thing that would be nice is if we could put a DONOTSENDTOFORGINGVIRUS in
our config or .eml files and if Declude Virus sees a forging virus it would
not send the warning messages automatically. That way we wouldn't have to
manually update what is a forging virus in our files.

Greg




Re: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread R. Scott Perry

 One thing that would be nice is if we could put a DONOTSENDTOFORGINGVIRUS in
 our config or .eml files and if Declude Virus sees a forging virus it would
 not send the warning messages automatically. That way we wouldn't have to
 manually update what is a forging virus in our files.

Already done.  :)

You can add a line SKIPIFFORGING to any of the \IMail\Declude\*.eml 
files, and they will not be sent out when a forging virus is detected (with 
the latest interim release, at 
http://www.declude.com/release/175i/declude.exe ).  Also, the sender.eml 
and otherpostmaster.eml files will automatically be skipped if a forging 
virus is detected, so you would only need the SKIPIFFORGING line if you 
have your own custom .eml files, or don't want recipient/postmaster 
notifications sent for forging viruses.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread Kami Razvan
You can add a line SKIPIFFORGING to any of the \IMail\Declude\*.eml

Scott:

Will the recipient and postmaster then show the sender as FORGED?

Since we had a list of the forged in the virus.cfg.

1:  Can we delete all the skipifvirus lines in the .eml files?
2:  Can we delete all the forged entries in the virus.cfg?

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 7:51 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Interim release to detect wildcard DNS
entries (aka VERISCAM)



One thing that would be nice is if we could put a 
DONOTSENDTOFORGINGVIRUS in our config or .eml files and if Declude 
Virus sees a forging virus it would not send the warning messages 
automatically. That way we wouldn't have to manually update what is a 
forging virus in our files.

Already done.  :)

You can add a line SKIPIFFORGING to any of the \IMail\Declude\*.eml 
files, and they will not be sent out when a forging virus is detected (with 
the latest interim release, at 
http://www.declude.com/release/175i/declude.exe ).  Also, the sender.eml 
and otherpostmaster.eml files will automatically be skipped if a forging 
virus is detected, so you would only need the SKIPIFFORGING line if you 
have your own custom .eml files, or don't want recipient/postmaster 
notifications sent for forging viruses.

-Scott


Re: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread System Administrator
on 9/19/03 7:51 AM, R. Scott Perry wrote:

 One thing that would be nice is if we could put a DONOTSENDTOFORGINGVIRUS in
 our config or .eml files and if Declude Virus sees a forging virus it would
 not send the warning messages automatically. That way we wouldn't have to
 manually update what is a forging virus in our files.
 
 Already done.  :)

Nice!

I figured you already had something in place in the interim release, but
since you didn't say anything, I thought I'd state the obvious.

Greg



[Declude.JunkMail] How to block this?????

2003-09-19 Thread Bridges, Samantha
Hello.

First of all, I am noticing an increase in the amount of spam getting
through.  I blocked weight 10 yesterday but am still receiving spam.
Doesn't seem like blocking weight 10 did much.  Here are headers from
one of the many spam messages.  How do I go about blocking this?  I seem
to be getting a lot from this spammer in particular...but not
explicitly.

Microsoft Mail Internet Headers Version 2.0
Received: from apollo.misd.net ([64.88.0.98]) by xmail1.macombisd.org
with Microsoft SMTPSVC(5.0.2195.6713);
 Thu, 18 Sep 2003 13:31:33 -0400
Received: from SMTP32-FWD by apollo.misd.net
  (SMTP32) id A00FA657B; Thu, 18 Sep 2003 13:38:58 -0400
Received: from mailer01-17.eqwe1.com [66.54.211.21] by apollo.misd.net
  (SMTPD32-8.02) id ADA3974600F4; Thu, 18 Sep 2003 13:38:43 -0400
From: Cigarettes [EMAIL PROTECTED]
Reply-To: Cigarettes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 18 Sep 2003 17:28:53 GMT
Subject: EVERY Major Cigarette Brand under $15/carton!
Message-Id: [EMAIL PROTECTED]
X-No-Spam: Stop Spam! Report abuse of this service to [EMAIL PROTECTED]
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
Content-Length: 598
X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com
X-RBL-Warning: IPNOTINMX: 
X-Declude-Sender: [EMAIL PROTECTED] [66.54.211.21]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com)
for spam.
X-Spam-Tests-Failed: OSRELAY, IPNOTINMX [5]
X-IMAIL-SPAM-STATISTICS: 1.
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 18 Sep 2003 17:31:33.0886 (UTC)
FILETIME=[B47539E0:01C37E0A]


RE: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread R. Scott Perry

 Will the recipient and postmaster then show the sender as FORGED?

No, but that will likely be added.

 Since we had a list of the forged in the virus.cfg.

 1:  Can we delete all the skipifvirus lines in the .eml files?
 2:  Can we delete all the forged entries in the virus.cfg?

I would recommend keeping them in there, just as a backup.  Once this new 
system has been well tested, then it should be safe to remove them.

   -Scott


[Declude.JunkMail] SpamDomain Help please

2003-09-19 Thread David Dodell
Question about the spamdomains.txt file

I have email coming from sprintpcs that can come from several domains.

I have

sprint.
sprintpcs.com   .sprintip.net


So that will take care of sprint matching sprint, and sprintpcs.com
matching mail from .sprintip.net

But need to add a third possible domain of .lightsurf.net

so do I just add the line

sprintpcs.com   .lightsurf.net

after the first two lines or will it fail before this?  Do they have
to be in any special order?


David

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] How to block this?????

2003-09-19 Thread R. Scott Perry

 First of all, I am noticing an increase in the amount of spam getting
 through.  I blocked weight 10 yesterday but am still receiving spam.
 Doesn't seem like blocking weight 10 did much.  Here are headers from
 one of the many spam messages.  How do I go about blocking this?  I seem
 to be getting a lot from this spammer in particular...but not
 explicitly.

That's the problem -- it's that one spammer.  Most likely, the recipient 
gave permission to the sender to send the spam.  The IP that it came from 
is not listed in any spam databases.

 Received: from mailer01-17.eqwe1.com [66.54.211.21] by apollo.misd.net
   (SMTPD32-8.02) id ADA3974600F4; Thu, 18 Sep 2003 13:38:43 -0400

Since it came from an eqwe1.com mailserver, and:

 X-No-Spam: Stop Spam! Report abuse of this service to [EMAIL PROTECTED]

Has this header, it's probably a case where the sender gave 
permission.  The best thing to do in this case is request to get removed, 
or block them manually (blocking a return address with .eqwe2.com in it, 
blocking the IP 66.54.211.21, etc.).

 X-RBL-Warning: OSRELAY: Please stop using relays.osirusoft.com

While we're at it, please stop using 
relays.osirusoft.com.  :)  Specifically, you need to remove all lines that 
begin with OS in the Declude config files.

   -Scott


Re: [Declude.JunkMail] SpamDomain Help please

2003-09-19 Thread R. Scott Perry

 I have email coming from sprintpcs that can come from several domains.

 I have

 sprint.
 sprintpcs.com   .sprintip.net

 So that will take care of sprint matching sprint, and sprintpcs.com
 matching mail from .sprintip.net

 But need to add a third possible domain of .lightsurf.net

Unfortunately, that isn't possible yet.

 so do I just add the line

 sprintpcs.com   .lightsurf.net

 after the first two lines or will it fail before this?

The line sprint. will require any return address that includes sprint. 
to have a reverse DNS entry with sprint. in it.  The 
sprintpcs.com   .sprintip.net line requires any return address with 
sprintpcs.com in it to have either sprintpcs.com or .sprintip.net in the 
reverse DNS entry.  However, an Email from host.lightsurf.net won't pass 
that test, so it doesn't matter what other lines follow.

In this case, the best you could do probably would be to have one line 
sprint .lightsurf.net (so that any return address with sprint in it 
would have to have either sprint or .lightsurf.net in the reverse DNS 
entry).

   -Scott
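
The matching rule described in this reply, modelled in Python as an added example (it is not part of the original message and not Declude's code). It assumes case-insensitive substring matching and that every line whose pattern appears in the return address must be satisfied; the host name `mx1.sprintip.net` and the `example.net` name are constructed sample values.

```python
# Model of the spamdomains.txt check as the reply above describes it.
# Assumption: a message fails as soon as one matching line is not satisfied.

DAVID_LIST = """\
sprint.
sprintpcs.com   .sprintip.net
sprintpcs.com   .lightsurf.net
"""

SCOTT_LIST = "sprint .lightsurf.net\n"


def parse_spamdomains(text):
    """Return a list of (pattern, alternates) tuples, one per non-blank line.

    The first field is the string looked for in the return address; any
    further fields are extra strings that are also acceptable in the
    reverse DNS name of the sending host.
    """
    rules = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        rules.append((fields[0].lower(), [f.lower() for f in fields[1:]]))
    return rules


def check(rules, return_address, reverse_dns):
    """Return (passed, failing_rule) for one message.

    A rule applies when its pattern occurs in the return address.  An
    applicable rule is satisfied when the reverse DNS name contains the
    pattern itself or one of the alternates.  A missing reverse DNS entry
    (empty string or None) can never satisfy an applicable rule.
    """
    addr = return_address.lower()
    rdns = (reverse_dns or "").lower()
    for pattern, alternates in rules:
        if pattern not in addr:
            continue  # this line says nothing about this sender
        acceptable = [pattern] + alternates
        if not any(s in rdns for s in acceptable):
            return False, (pattern, alternates)
    return True, None


if __name__ == "__main__":
    samples = [
        ("user@sprintpcs.com", "host.lightsurf.net"),
        ("user@sprintpcs.com", "mx1.sprintip.net"),          # constructed
        ("user@sprintpcs.com", "pool-1-2-3-4.example.net"),  # constructed
    ]
    for name, text in (("three-line list", DAVID_LIST),
                       ("single line", SCOTT_LIST)):
        rules = parse_spamdomains(text)
        for addr, rdns in samples:
            print(name, addr, rdns, check(rules, addr, rdns))
```

With the three-line list, the `host.lightsurf.net` sample is rejected by the `sprintpcs.com   .sprintip.net` line before the added line is ever consulted, which is the outcome the reply describes.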


RE: [Declude.JunkMail] filter list

2003-09-19 Thread Chris Butler
Does anyone have what has proven to be an effective filter list (ie
myfile.txt) that seems to be working?  I could really use the help.

Chris Butler
Internal Systems Engineer
Region VI ESC
phone 936.435.8276
fax 936.295.1447
[EMAIL PROTECTED]



Re: [Declude.JunkMail] RevDNS

2003-09-19 Thread EN
I finally got this figured out.
What I needed to do was have my ISP delegate control of my subnet to our
server.
Easy enough but I guess I wasn't fully aware of their settings to see what
was going on in order to come to this conclusion.
Thanks for the help.


- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 11:45 AM
Subject: Re: [Declude.JunkMail] RevDNS



   I'm guessing that your local DNS server thinks that it is authoritative for
   reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

 When you say local, you are talking about the internal Private DNS server,
 right?

 By local I mean the DNS server that IMail uses.

 Or the dns of imail?  I just added a reverse zone on my private DNS server
 for the ip in question, as well as others ( had to be a classless zone too),
 but I am still getting the same warnings.

 That will happen if the DNS server that IMail uses reports that 209.7.3.194
 has no reverse DNS entry (which would be incorrect, since it does have a
 reverse DNS entry).

 -Scott


[Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread R. Scott Perry
We have just released Declude Virus v1.76 (beta).  See 
http://www.declude.com/junkmail/manual.htm .  Notable changes since the 
last beta include:

o Adds a bypasswhitelisting test type that can be used in rare 
cases when whitelist bypassing is necessary.
o Fixes a rare issue with CNAMEs in reverse DNS lookups.
o Prevents EASYNET-DYNA test from working with 2nd and further hops.
o Automatically detects wildcards from TLD parents (such as 
non-existent .com/.net domains).
o ANYWHERE filter type (for example, ANYWHERE 0 CONTAINS 
something), to search both headers and body.
o WHITELIST AUTH option in global.cfg file, which automatically 
whitelists authenticated senders (for IMail v8 and later).

Other additions and fixes can be found in the release notes, at 
http://www.declude.com/relnotes.htm . Anyone with an up-to-date Service 
Agreement is entitled to free upgrades (see 
http://www.declude.com/agree.htm for information on the Declude Service 
Agreement).

---

Quick Resource Reference:

Tech Support:  [EMAIL PROTECTED]
Mailing List: Send E-mail to [EMAIL PROTECTED] with subscribe 
declude.junkmail your name in the body
New Releases List: Send E-mail to [EMAIL PROTECTED] with subscribe 
declude.releases your name in the body
Troubleshooting: See manual URL above; look at Troubleshooting section
Emergency Uninstall:  See manual URL above; look at Emergency Uninstall 
section
Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only)
Declude Addons/Tools URL: http://www.declude.com/tools
Manual: http://www.declude.com/junkmail/manual.htm



RE: [Declude.JunkMail] filter list

2003-09-19 Thread John Tolmachoff \(Lists\)
Filter list for what?

I have 9 different filter lists that are very effective. Each serves a
different function.

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Chris Butler
 Sent: Friday, September 19, 2003 9:27 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] filter list
 
 Does anyone have what has proven to be an effective filter list (ie
 myfile.txt) that seems to be working?  I could really use the help.
 
 Chris Butler
 Internal Systems Engineer
 Region VI ESC
 phone 936.435.8276
 fax 936.295.1447
 [EMAIL PROTECTED]
 


Re: [Declude.JunkMail] RevDNS

2003-09-19 Thread Matthew Bramble




It might be easier to get them to act as a secondary for your reverse
DNS. ISPs don't typically like to delegate control of such things.
It works just as effectively and DNS's auto notification features allow
my changes for instance to be published immediately to the ISP's
authoritative DNS server.

Matt


EN wrote:

I finally got this figured out.
What I needed to do was have my ISP delegate control of my subnet to our
server.
Easy enough but I guess I wasn't fully aware of their settings to see what
was going on in order to come to this conclusion.
Thanks for the help.

- Original Message - 
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 11:45 AM
Subject: Re: [Declude.JunkMail] RevDNS

I'm guessing that your local DNS server thinks that it is authoritative for
reverse DNS lookups, but doesn't have a reverse DNS entry for 209.7.3.194.

  When you say local, you are talking about the internal Private DNS server,
  right?

By "local" I mean the DNS server that IMail uses.

  Or the dns of imail?  I just added a reverse zone on my private DNS server
  for the ip in question, as well as others ( had to be a classless zone too),
  but I am still getting the same warnings.

That will happen if the DNS server that IMail uses reports that 209.7.3.194
has no reverse DNS entry (which would be incorrect, since it does have a
reverse DNS entry).

-Scott


[Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Glenn \\ WCNet



How do I reliably block this kind of thing?  Can my own domain be added to
the SpamDomains list?  I've replaced the recipient address with [local-user]
in the headers below, but it was the same valid local user account on all
parameters.  138.89.104.227 is not one of my IPs.

Glenn Z.


Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP
  (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500
Received: from kennedy-henry [192.168.1.101] by wcnet.net with
  MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
Message-ID: [EMAIL PROTECTED]
From: "jenna henny" [EMAIL PROTECTED]
To: [local-user]@wcnet.net
Subject: Spam (10) - Don't wait for rates to climb back up
Date: Fri, 19 Sep 2003 00:04:20 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: mailer
Return-Path: [local-user]@wcnet.net
Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
X-Declude-Spoolname: D8045042b014c3731.SMD
X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam.
X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
X-Note-In: Total spam weight of this E-mail is 13.
X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
X-Note-In: SMTP Real From: [local-user]@wcnet.net
X-RCPT-TO: [local-user]@wcnet.net
Status: R
X-Mozilla-Status: 
X-Mozilla-Status2: 
X-UIDL: 8400



RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread Andy Schmidt
  o Adds a bypasswhitelisting test type that can be used in rare 
cases when whitelist bypassing is necessary. 

Used where and how?

Best Regards
Andy 



RE: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Colbeck, Andrew
According to external DNS, you only have one mail host.

For starters, you can whitelist your own IP.  And if that server is the only
machine of yours that is going to identify itself as wcnet.net,

HELO 20 ENDSWITH wcnet.net

should do nicely until someone called mail.newcnet.net tries to send mail to
you*

And while you're at it, you can also do this:

HELO 20 CONTAINS 68.89.56.16

because I'm seeing spammers trying to get around *somebody's* filters by
stuffing the destination MX address with their HELO name.

The important thing here is to know your network.  For example, if you relay
mail for, say, web.wcnet.net then you would have to either whitelist that IP
or 'cancel out' my first example with:

HELO -20 ENDSWITH web.wcnet.net

I do this for neatness, even if I'm whitelisting.  It makes the total weight
in the declude log look right.

* p.s. Does anybody know if HELO etc matches for:

 .example.org
 example.org

are equivalent if the hostname is null?

  -Original Message-
  From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
  Sent: Friday, September 19, 2003 10:23 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] blocking spam faked as coming from local address

  How do I reliably block this kind of thing?  Can my own domain be added to
  the SpamDomains list?  I've replaced the recipient address with [local-user]
  in the headers below, but it was the same valid local user account on all
  parameters.  138.89.104.227 is not one of my IPs.

  Glenn Z.


  Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP
    (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500
  Received: from kennedy-henry [192.168.1.101] by wcnet.net with
    MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
  Message-ID: [EMAIL PROTECTED]
  From: "jenna henny" [EMAIL PROTECTED]
  To: [local-user]@wcnet.net
  Subject: Spam (10) - Don't wait for rates to climb back up
  Date: Fri, 19 Sep 2003 00:04:20 -0400
  MIME-Version: 1.0
  Content-Type: text/html; charset="ISO-8859-1"
  X-Priority: 3
  X-Mailer: mailer
  Return-Path: [local-user]@wcnet.net
  Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
  X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
  X-Declude-Spoolname: D8045042b014c3731.SMD
  X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam.
  X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
  X-Note-In: Total spam weight of this E-mail is 13.
  X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
  X-Note-In: SMTP Real From: [local-user]@wcnet.net
  X-RCPT-TO: [local-user]@wcnet.net
  Status: R
  X-Mozilla-Status: 
  X-Mozilla-Status2: 
  X-UIDL: 8400
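
The HELO weighting from the reply above, modelled in Python as an added example (it is not part of the original messages and not Declude's code). It assumes each filter line is plain, case-insensitive string matching and that the weights of all matching lines are summed; `is_host_in_domain` is a hypothetical helper showing a comparison on label boundaries, and `mail.example.org` is a constructed sample.

```python
# The three HELO lines quoted in the reply, evaluated against sample HELO names.
FILTER_LINES = """
HELO 20 ENDSWITH wcnet.net
HELO 20 CONTAINS 68.89.56.16
HELO -20 ENDSWITH web.wcnet.net
"""


def parse_filter(text):
    """Parse 'TARGET WEIGHT OPERATOR VALUE' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) != 4:
            continue  # blank or malformed line
        target, weight, op, value = parts
        rules.append((target.upper(), int(weight), op.upper(),
                      value.strip().lower()))
    return rules


def line_matches(op, value, subject):
    """Plain string semantics for the two operators used in the thread."""
    subject = subject.lower()
    if op == "ENDSWITH":
        return subject.endswith(value)
    if op == "CONTAINS":
        return value in subject
    raise ValueError("operator not modelled here: " + op)


def score(rules, target, subject):
    """Sum the weights of every line for `target` that matches `subject`."""
    return sum(weight for t, weight, op, value in rules
               if t == target and line_matches(op, value, subject))


def is_host_in_domain(hostname, domain):
    """True only for the domain itself or a name below it.

    Comparing on a label boundary keeps newcnet.net from being treated as
    wcnet.net, the false positive the reply warns about.
    """
    host = hostname.lower().rstrip(".")
    dom = domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


if __name__ == "__main__":
    rules = parse_filter(FILTER_LINES)
    for helo in ("wcnet.net", "mail.newcnet.net", "web.wcnet.net",
                 "68.89.56.16", "mail.example.org"):
        print("%-18s weight=%3d  in wcnet.net=%s" % (
            helo, score(rules, "HELO", helo),
            is_host_in_domain(helo, "wcnet.net")))
```

The `web.wcnet.net` name nets out to 0 because the counterweight line cancels the first one, while `mail.newcnet.net` still collects 20 from the bare suffix match.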
  


RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread R. Scott Perry

  o Adds a bypasswhitelisting test type that can be used in rare
  cases when whitelist bypassing is necessary.

 Used where and how?

Used only as a last resort.  :)

It can be defined with a line such as EMERGENCYBYPASS bypasswhitelisting 
60 3 0 0.  The 60 refers to the weight the E-mail must reach, and the 3 
refers to the minimum number of recipients.  In this case, it would attempt 
to bypass the whitelisting for E-mail with 3 or more recipients and a 
weight of 60 or higher.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] blocking spam faked as coming from local a ddress

2003-09-19 Thread Colbeck, Andrew



I should add:

If you want to go the extra mile and say:

MAILFROM 20 ENDSWITH wcnet.net

Then you'll find that works great against spammers who fake their mailfrom
address so it looks like your own name (or say, [EMAIL PROTECTED] while
trying to send to you!), but:

You'll also find that it works "great" to also block mailing lists, news
subscriptions, and greeting cards that use the name of the destination
mailbox as the mailfrom. One example is the sabre.com travel service, and
another is pretty well any newspaper where somebody can read an article and
forward it to somebody.

So, although it looks like a great idea, to implement will take a lot of
work on your part to look for false positives (preferably ahead of time).
And your counterweight section will be different from mine, and his, and
hers over there...

Andrew 8)

  
  -Original Message-
  From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
  Sent: Friday, September 19, 2003 10:23 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] blocking spam faked as coming from local address

  How do I reliably block this kind of thing? Can my own domain be added to
  the SpamDomains list? I've replaced the recipient address with [local-user]
  in the headers below, but it was the same valid local user account on all
  parameters. 138.89.104.227 is not one of my IPs.

  Glenn Z.

  Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500
  Received: from kennedy-henry [192.168.1.101] by wcnet.net with MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
  Message-ID: [EMAIL PROTECTED]
  From: "jenna henny" [EMAIL PROTECTED]
  To: [local-user]@wcnet.net
  Subject: Spam (10) - Don't wait for rates to climb back up
  Date: Fri, 19 Sep 2003 00:04:20 -0400
  MIME-Version: 1.0
  Content-Type: text/html; charset="ISO-8859-1"
  X-Priority: 3
  X-Mailer: mailer
  Return-Path: [local-user]@wcnet.net
  Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
  X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
  X-Declude-Spoolname: D8045042b014c3731.SMD
  X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam.
  X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
  X-Note-In: Total spam weight of this E-mail is 13.
  X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
  X-Note-In: SMTP Real From: [local-user]@wcnet.net
  X-RCPT-TO: [local-user]@wcnet.net
  Status: R
  X-Mozilla-Status: 
  X-Mozilla-Status2: 
  X-UIDL: 8400
  


[Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread Andy Schmidt
Hi Scott:

Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A
record?

Suddenly, I see LOTS of mail being held, because of mailfrom failures:

X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu
[148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]


But, when I check @VM.MARIST.EDU I get:

 vm.marist.edu.
 Non-authoritative answer:
 Name:vm.marist.edu
 Addresses:  148.100.81.40, 148.100.80.40


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread Andy Schmidt
Uh - cool feature.

Currently I have a certain receiving Postmaster account whitelisted (so that
the occasional false positive can alert us after we sent them a BOUNCE or
ALERT) - which means it gets 80% spam.

The real false positives are seldomly more than a few points over our
BOUNCE or ALERT limit.  Certainly, if they were up to our KILL limit
(for which we've never gotten any complaints), they would not know that we
blocked them and therefore, are not likely that they'd ever try to contact
our Postmaster account.

So, if I use:

BYPASSWHITELIST bypasswhitelisting 20 0 0 0

it will not whitelist any mails if the weight is 20 (our kill weight) or
more and the mail has any number of recipients or no recipients?  (At 20,
the mail must have failed so many tests that I have NEVER seen any false
positives.)

Best Regards
Andy 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 01:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released



   o Adds a bypasswhitelisting test type that can be used in rare
cases when whitelist bypassing is necessary. 

Used where and how?

Used only as a last resort.  :)

It can be defined with a line such as EMERGENCYBYPASS bypasswhitelisting 
60 3 0 0.  The 60 refers to the weight the E-mail must reach, and the 3 
refers to the minimum number of recipients.  In this case, it would attempt 
to bypass the whitelisting for E-mail with 3 or more recipients and a 
weight of 60 or higher.

-Scott


RE: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread R. Scott Perry

So, if I use:

BYPASSWHITELIST bypasswhitelisting 20 0 0 0

it will not whitelist any mails if the weight is 20 (our kill weight) or
more and the mail has any number of recipients or no recipients?
That is correct.

   -Scott


Re: [Declude.JunkMail] blocking spam faked as coming from local a ddress ddress

2003-09-19 Thread Matthew Bramble




I get more valid E-mails faking the from to look like it's from one of
my users than I get in actual spam that is doing this. In a recent
test of 5,530 unique incoming messages, only 6 spammers tried to look
as if it was coming from my server, that's only 0.1%. It all failed as
well.

I highly recommend not filtering the fake MAILFROM for your local
domains.

Matt


Colbeck, Andrew wrote:

  I should add:

  If you want to go the extra mile and say:

  MAILFROM 20 ENDSWITH wcnet.net

  Then you'll find that works great against spammers who fake their mailfrom
  address so it looks like your own name (or say, [EMAIL PROTECTED] while
  trying to send to you!), but:

  You'll also find that it works "great" to also block mailing lists, news
  subscriptions, and greeting cards that use the name of the destination
  mailbox as the mailfrom. One example is the sabre.com travel service, and
  another is pretty well any newspaper where somebody can read an article
  and forward it to somebody.

  So, although it looks like a great idea, to implement will take a lot of
  work on your part to look for false positives (preferably ahead of time).
  And your counterweight section will be different from mine, and his, and
  hers over there...

  Andrew 8)
  
-Original Message-
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 19, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] blocking spam faked as coming
from local address


How do I reliably block this kind
of thing? Can my own domain be added to the SpamDomains list? I've
replaced the recipient address with [local-user] in the headers below,
but it was the same valid local user account on all parameters.
138.89.104.227 is not one of my IPs.

Glenn Z.


Received: from wcnet.net [138.89.104.227] by
wcnet.net with ESMTP (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003
23:04:21 -0500
Received: from kennedy-henry [192.168.1.101] by wcnet.net with
MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
Message-ID: [EMAIL PROTECTED]
From: "jenna henny" [EMAIL PROTECTED]
To: [local-user]@wcnet.net
Subject: Spam (10) - Don't wait for rates to climb back up
Date: Fri, 19 Sep 2003 00:04:20 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: mailer
Return-Path: [local-user]@wcnet.net
Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
X-Declude-Spoolname: D8045042b014c3731.SMD
X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for
evidence of spam.
X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
X-Note-In: Total spam weight of this E-mail is 13.
X-Note-In: This E-mail was sent from
pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
X-Note-In: SMTP Real From: [local-user]@wcnet.net
X-RCPT-TO: [local-user]@wcnet.net
Status: R
X-Mozilla-Status: 
X-Mozilla-Status2: 
X-UIDL: 8400

  






RE: [Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread Andy Schmidt
Scott:

X-Declude-Note: Domain lists.msnbc.com has no MX or A records.

Sure does:
   lists.msnbc.com.
  Non-authoritative answer:
  lists.msnbc.com internet address = 207.46.169.42

Yet - Declude fails the MAILFROM test!

X-Declude: Version 1.76; D499f047e01827d13.SMD from lists.msnbc.com
[207.46.169.42]
X-Declude: Triggered BONDEDSENDER, MAILFROM, HELOBOGUS [-7]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]




Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Friday, September 19, 2003 02:18 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM catches too much now?
Importance: High


Hi Scott:

Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A
record?

Suddenly, I see LOTS of mail being held, because of mailfrom failures:

X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu
[148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]


But, when I check @VM.MARIST.EDU I get:

 vm.marist.edu.
 Non-authoritative answer:
 Name:vm.marist.edu
 Addresses:  148.100.81.40, 148.100.80.40


Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



Re: [Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread R. Scott Perry

Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A
record?
Suddenly, I see LOTS of mail being held, because of mailfrom failures:

X-Declude: Version 1.76; D3f8a026a02001aec.SMD from mailer390.marist.edu
[148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]
What is in the X-Declude-Sender: header (that's the one that Declude 
looks at)?  I just tested here with 1.76, and the MAILFROM test is not 
triggered on @vm.marist.edu addresses.

vm.marist.edu doesn't have an MX record, which is a serious problem 
(especially now that many people are talking about no longer sending mail 
to servers with no MX record), but that shouldn't by itself trigger the 
test (unless you use envfromstrict, but you should know if you are using 
that).

   -Scott


[Declude.JunkMail] attachment problems

2003-09-19 Thread Darryl Koster

I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?

Darryl Koster



Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Glenn \\ WCNet



Didn't I read here somewhere that whitelisting one's own IP is a bad thing?
Is that required in combination with the HELO filter? And the HELO filters
work because my mail server should never be connecting to itself . . correct?

G.Z.


  - Original Message -
  From: Colbeck, Andrew
  To: '[EMAIL PROTECTED]'
  Sent: Friday, September 19, 2003 12:51 PM
  Subject: RE: [Declude.JunkMail] blocking spam faked as coming from local a ddress

  According to external DNS, you only have one mail host.

  For starters, you can whitelist your own IP. And if that server is the
  only machine of yours that is going to identify itself as wcnet.net,

  HELO 20 ENDSWITH wcnet.net

  should do nicely until someone called mail.newcnet.net tries to send mail
  to you*

  And while you're at it, you can also do this:

  HELO 20 CONTAINS 68.89.56.16

  because I'm seeing spammers trying to get around *somebody's* filters by
  stuffing the destination MX address with their HELO name.

  The important thing here is to know your network. For example, if you
  relay mail for, say, web.wcnet.net then you would have to either whitelist
  that IP or 'cancel out' my first example with:

  HELO -20 ENDSWITH web.wcnet.net

  I do this for neatness, even if I'm whitelisting. It makes the total
  weight in the declude log look right.

  * p.s. Does anybody know if HELO etc matches for:

   .example.org
   example.org

  are equivalent if the hostname is null?
  

-Original Message-
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] blocking spam faked as coming from local address

How do I reliably block this kind of thing? Can my own domain be added to
the SpamDomains list? I've replaced the recipient address with [local-user]
in the headers below, but it was the same valid local user account on all
parameters. 138.89.104.227 is not one of my IPs.

Glenn Z.

Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500
Received: from kennedy-henry [192.168.1.101] by wcnet.net with MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
Message-ID: [EMAIL PROTECTED]
From: "jenna henny" [EMAIL PROTECTED]
To: [local-user]@wcnet.net
Subject: Spam (10) - Don't wait for rates to climb back up
Date: Fri, 19 Sep 2003 00:04:20 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: mailer
Return-Path: [local-user]@wcnet.net
Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
X-Declude-Spoolname: D8045042b014c3731.SMD
X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam.
X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
X-Note-In: Total spam weight of this E-mail is 13.
X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
X-Note-In: SMTP Real From: [local-user]@wcnet.net
X-RCPT-TO: [local-user]@wcnet.net
Status: R
X-Mozilla-Status: 
X-Mozilla-Status2: 
X-UIDL: 8400
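
The HELO and MAILFROM filter lines quoted in the message above, scored against a few connections, as an added example that is not part of the thread and is not Declude's code. It assumes ENDSWITH and CONTAINS are plain case-insensitive string tests (which is what the mail.newcnet.net remark implies) and that 68.89.56.16 is the site's own whitelisted mail host; `label_match` is a hypothetical alternative that only matches on a DNS label boundary, and every HELO name and IP other than those in the thread is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Filter lines as quoted in the thread.
HELO_RULES = """
HELO      20  ENDSWITH  wcnet.net
HELO      20  CONTAINS  68.89.56.16
HELO     -20  ENDSWITH  web.wcnet.net
"""
# The "extra mile" rule the thread warns will also hit legitimate mail.
EXTRA_RULES = HELO_RULES + "MAILFROM  20  ENDSWITH  wcnet.net\n"

# Assumption: the MX address named in the thread is the only local mail
# host and is whitelisted by IP, so its own traffic is never scored.
WHITELIST_IPS = frozenset({ipaddress.ip_address("68.89.56.16")})


@dataclass(frozen=True)
class Rule:
    field: str    # "HELO" or "MAILFROM"
    weight: int   # added to the message weight when the rule matches
    op: str       # "ENDSWITH" or "CONTAINS"
    pattern: str


def parse_rules(text):
    """Parse 'FIELD WEIGHT OP PATTERN' lines; blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        field, weight, op, pattern = line.split(None, 3)
        rules.append(Rule(field.upper(), int(weight), op.upper(),
                          pattern.strip().lower()))
    return rules


def plain_match(rule, value):
    """Plain string semantics (assumed): suffix or substring, any position."""
    value = value.lower()
    if rule.op == "ENDSWITH":
        return value.endswith(rule.pattern)
    if rule.op == "CONTAINS":
        return rule.pattern in value
    raise ValueError(f"unsupported operator: {rule.op}")


def label_match(rule, value):
    """Hypothetical stricter ENDSWITH: the domain itself or a subdomain of it."""
    if rule.op != "ENDSWITH":
        return plain_match(rule, value)
    host = value.lower().rstrip(".").rsplit("@", 1)[-1]  # drop local part
    domain = rule.pattern.strip(".")
    return host == domain or host.endswith("." + domain)


def score(rules, helo, mailfrom, client_ip, matcher=plain_match):
    """Return the summed weight, or None when the client IP is whitelisted."""
    if ipaddress.ip_address(client_ip) in WHITELIST_IPS:
        return None
    values = {"HELO": helo, "MAILFROM": mailfrom}
    return sum(r.weight for r in rules if matcher(r, values[r.field]))


if __name__ == "__main__":
    rules = parse_rules(HELO_RULES)
    cases = [  # (label, HELO, MAIL FROM, client IP); constructed except row 1
        ("spam from the thread", "wcnet.net", "local-user@wcnet.net", "138.89.104.227"),
        ("look-alike domain", "mail.newcnet.net", "a@newcnet.net", "192.0.2.10"),
        ("relayed web host", "web.wcnet.net", "www@web.wcnet.net", "192.0.2.20"),
        ("MX address as HELO", "[68.89.56.16]", "x@example.com", "192.0.2.30"),
        ("own mail host", "wcnet.net", "user@wcnet.net", "68.89.56.16"),
    ]
    for label, helo, mailfrom, ip in cases:
        print(f"{label:22} plain={score(rules, helo, mailfrom, ip)!s:5}"
              f" label={score(rules, helo, mailfrom, ip, label_match)}")
```

Under plain suffix matching, a pattern written as `.wcnet.net` no longer hits mail.newcnet.net but also stops matching a bare `wcnet.net` HELO, which is the case the spam in this thread used.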



Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Glenn \\ WCNet



MAILFROM 20 ENDSWITH wcnet.net wouldn't prevent my customers from sending
mail to each other?

G.Z.


  - Original Message -
  From: Colbeck, Andrew
  To: '[EMAIL PROTECTED]'
  Sent: Friday, September 19, 2003 1:09 PM
  Subject: RE: [Declude.JunkMail] blocking spam faked as coming from local a ddress

  I should add:

  If you want to go the extra mile and say:

  MAILFROM 20 ENDSWITH wcnet.net

  Then you'll find that works great against spammers who fake their mailfrom
  address so it looks like your own name (or say, [EMAIL PROTECTED] while
  trying to send to you!), but:

  You'll also find that it works "great" to also block mailing lists, news
  subscriptions, and greeting cards that use the name of the destination
  mailbox as the mailfrom. One example is the sabre.com travel service, and
  another is pretty well any newspaper where somebody can read an article
  and forward it to somebody.

  So, although it looks like a great idea, to implement will take a lot of
  work on your part to look for false positives (preferably ahead of time).
  And your counterweight section will be different from mine, and his, and
  hers over there...

  Andrew 8)
  

-Original Message-
From: Glenn \ WCNet [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] blocking spam faked as coming from local address

How do I reliably block this kind of thing? Can my own domain be added to
the SpamDomains list? I've replaced the recipient address with [local-user]
in the headers below, but it was the same valid local user account on all
parameters. 138.89.104.227 is not one of my IPs.

Glenn Z.

Received: from wcnet.net [138.89.104.227] by wcnet.net with ESMTP (SMTPD32-7.15) id 04542B014C; Thu, 18 Sep 2003 23:04:21 -0500
Received: from kennedy-henry [192.168.1.101] by wcnet.net with MailMXPro2(2195.5631); Fri, 19 Sep 2003 00:04:20 -0400
Message-ID: [EMAIL PROTECTED]
From: "jenna henny" [EMAIL PROTECTED]
To: [local-user]@wcnet.net
Subject: Spam (10) - Don't wait for rates to climb back up
Date: Fri, 19 Sep 2003 00:04:20 -0400
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: mailer
Return-Path: [local-user]@wcnet.net
Abuse2-Tracking: Z2xlbm5jbXpAd2NuZXQubmV0
X-Declude-Sender: [local-user]@wcnet.net [138.89.104.227]
X-Declude-Spoolname: D8045042b014c3731.SMD
X-Note-In: This E-mail was scanned on MAIL1 by Declude JunkMail for evidence of spam.
X-Spam-Tests-Failed-In: SPAMCOP, IPNOTINMX, SNIFFER, WEIGHT10
X-Note-In: Total spam weight of this E-mail is 13.
X-Note-In: This E-mail was sent from pool-138-89-104-227.mad.east.verizon.net ([138.89.104.227])
X-Note-In: SMTP Real From: [local-user]@wcnet.net
X-RCPT-TO: [local-user]@wcnet.net
Status: R
X-Mozilla-Status: 
X-Mozilla-Status2: 
X-UIDL: 8400



Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread R. Scott Perry

Didn't I read here somewhere that whitelisting one's own IP is a bad thing?
Whitelisting your IPs is fine, *if* untrusted mail won't be coming from 
them.  So you should not whitelist a backup mailserver (unless it does its 
own spam control, and you are happy with it), but you can whitelist client 
workstations.

   -Scott


RE: [Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread Andy Schmidt
Hi,

I have XSENDER OFF.
Instead I use:
XINHEADER   Return-Path: %MAILFROM%

I don't have EnvFromStrict.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 02:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM catches too much now?



Am I mistaken - or did the MAILFROM used to permit EITHER an MX OR an A 
record?

Suddenly, I see LOTS of mail being held, because of mailfrom failures:

X-Declude: Version 1.76; D3f8a026a02001aec.SMD from 
mailer390.marist.edu [148.100.80.47]
X-Declude: Triggered MAILFROM, IPNOTINMX [-3]
Return-Path: [EMAIL PROTECTED]

What is in the X-Declude-Sender: header (that's the one that Declude 
looks at)?  I just tested here with 1.76, and the MAILFROM test is not 
triggered on @vm.marist.edu addresses.

vm.marist.edu doesn't have an MX record, which is a serious problem 
(especially now that many people are talking about no longer sending mail 
to servers with no MX record), but that shouldn't by itself trigger the 
test (unless you use envfromstrict, but you should know if you are using 
that).

-Scott


RE: [Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread R. Scott Perry

X-Declude-Note: Domain lists.msnbc.com has no MX or A records.
I've reproduced this one here.  I'm going to do some research to see why 
this is happening.

   -Scott


Re: [Declude.JunkMail] attachment problems

2003-09-19 Thread R. Scott Perry

I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?
There are a lot of reasons for this, but usually it is not caused by 
Declude.  The first step is to check the log files, to see where the E-mail 
was blocked, or whether it was actually delivered (which is often the case, 
such as Outlook blocking .exe's).

   -Scott


Re: [Declude.JunkMail] attachment problems

2003-09-19 Thread Matthew Bramble
I have an attachment filter that adds score when something is received 
attached but not inline.  The problem with this is that it also helps 
viruses get through spam blocking (I plan on improving this).  The 
filter is simple:

BODY -5 CONTAINS content-disposition: attachment

I have occasional issues from poorly configured corporate servers that 
are used to send out mail blasts with attachments, and this helps to 
make sure that at least the important stuff doesn't get held up, but I 
don't look to it as being a fix for the general problem of false 
positives, just a partial and inconsistent remedy which is better than 
nothing.  It is extremely rare that a spammer will send non-inline 
attachments.

Having issues only with attachments would be strange unless it is the 
result of your overall testing setup I would think.

Matt



Darryl Koster wrote:

I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?
Darryl Koster
 





Re: [Declude.JunkMail] Declude JunkMail v1.76 (beta) released

2003-09-19 Thread System Administrator
on 9/19/03 1:55 PM, R. Scott Perry wrote:

  o Adds a bypasswhitelisting test type that can be used in rare
 cases when whitelist bypassing is necessary. 
 
 Used where and how?
 
 Used only as a last resort.  :)

Here's how we use it and why.

We're an ISP and we allow users to use the [EMAIL PROTECTED] whitelist feature to
not have any of their messages scanned for spam. When a message was sent to
two or more recipients and one of them used the [EMAIL PROTECTED] option every
recipient received the message no matter how many tests it failed. So
because someone wanted all their messages they caused other users, who
wanted us to stop their spam, get spam. In other words, the subscribers had
more power to control the spam than I did. We had one subscriber get 30 spam
messages in one day because in every one of those messages another
subscriber, who used [EMAIL PROTECTED], was a recipient also.

With this feature, I now have more power than the subscribers. I can say any
message sent to two recipients that has a weight of 100+ can be deleted.
This protects the subscribers that don't want spam and those that do won't
miss something weighted that high (we delete on 40).

Greg
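
The multi-recipient case described in the message above, run against the bypasswhitelisting lines quoted in this thread, as an added example that is not part of the thread and is not Declude's code. It assumes, as the message describes, that one whitelisted recipient exempts the whole message; the `GREGBYPASS` line is constructed from the "two recipients, weight of 100+" description, the addresses are constructed, and the last two fields of each line are parsed but unused because the thread does not explain them.

```python
from dataclasses import dataclass

# Lines quoted in the thread, plus one constructed from the description
# "any message sent to two recipients that has a weight of 100+".
SCOTT_LINE = "EMERGENCYBYPASS bypasswhitelisting 60 3 0 0"
ANDY_LINE = "BYPASSWHITELIST bypasswhitelisting 20 0 0 0"
GREG_LINE = "GREGBYPASS bypasswhitelisting 100 2 0 0"   # constructed name


@dataclass(frozen=True)
class BypassRule:
    name: str
    min_weight: int       # weight the E-mail must reach
    min_recipients: int   # minimum number of recipients


def parse_bypass(line):
    """Parse 'NAME bypasswhitelisting WEIGHT RECIPIENTS x y'."""
    parts = line.split()
    if len(parts) != 6 or parts[1].lower() != "bypasswhitelisting":
        raise ValueError(f"not a bypasswhitelisting line: {line!r}")
    return BypassRule(parts[0], int(parts[2]), int(parts[3]))


def bypass_applies(rule, weight, recipient_count):
    """True when whitelisting should be ignored for this message."""
    return weight >= rule.min_weight and recipient_count >= rule.min_recipients


def disposition(weight, recipients, whitelisted_to, delete_weight, rule=None):
    """Return {recipient: 'deliver' | 'delete'} for one message.

    Model of the behaviour described in the thread: a whitelist hit on any
    recipient exempts the message for every recipient, unless the bypass
    rule applies, in which case the message is handled by weight alone.
    """
    whitelisted = any(r in whitelisted_to for r in recipients)
    if whitelisted and rule and bypass_applies(rule, weight, len(recipients)):
        whitelisted = False
    action = "deliver" if whitelisted or weight < delete_weight else "delete"
    return {r: action for r in recipients}


if __name__ == "__main__":
    greg = parse_bypass(GREG_LINE)
    rcpts = ["optout@example.net", "filtered@example.net"]   # constructed
    opted_out = {"optout@example.net"}
    for weight in (120, 70):
        print(weight, "no rule :", disposition(weight, rcpts, opted_out, 40))
        print(weight, "rule    :", disposition(weight, rcpts, opted_out, 40, greg))
```

With a delete weight of 40 and a bypass weight of 100, a message scoring between the two is still delivered to every recipient when one of them is whitelisted.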




Re: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread Joshua Levitsky
Scott,
 Does the new Declude poll every time to your box to see what is 
forging and what is not or does it keep a cache?  (Just thinking about 
your bandwidth and also if.. g-d forbid... your network connection goes 
down.)

-Josh

On Sep 19, 2003, at 8:21 AM, System Administrator wrote:

on 9/19/03 7:51 AM, R. Scott Perry wrote:

One thing that would be nice is if we could put a 
DONOTSENDTOFORGINGVIRUS in
our config or .eml files and if Declude Virus sees a forging virus 
it would
not send the warning messages automatically. That way we wouldn't 
have to
manually update what is a forging virus in our files.
Already done.  :)
Nice!

I figured you already had something in place in the interim release, 
but
since you didn't say anything, I thought I'd state the obvious.

Greg



RE: [Declude.JunkMail] MAILFROM catches too much now?

2003-09-19 Thread Andy Schmidt
Hi Scott:

Here is the debug log and the full headers of an affected email.  It clearly
shows that the mail fails your VeriScam test:

09/19/2003 15:20:15.287 Q56ec00f1016e71bc Test #17: MAILFROM [envfrom] - may skip
09/19/2003 15:20:15.287 Q56ec00f1016e71bc Doing envfrom type test on mail.matchevents.com.
09/19/2003 15:20:15.287 Q56ec00f1016e71bc Looking up MX/A record for mail.matchevents.com at 63.107.174.65.
09/19/2003 15:20:15.444 Q56ec00f1016e71bc Msg failed MX; testing A (MAILFROM mail.matchevents.com) [1 1 0 ]
09/19/2003 15:20:15.444 Q56ec00f1016e71bc Found root NS record in A record lookup - VERISCAM
09/19/2003 15:20:15.444 Q56ec00f1016e71bc There were no MX/A records.
09/19/2003 15:20:15.444 Q56ec00f1016e71bc DNS Report:  [ex=1 rcode=0 ancnt=1 suc=1].
09/19/2003 15:20:15.444 Q56ec00f1016e71bc Done with MX or A record
09/19/2003 15:20:15.444 Q56ec00f1016e71bc Finished Final Test #17: MAILFROM [envfrom]

HEADERS
---

Received: from mail.matchevents.com [209.123.232.152] by
mail.webhost.hm-software.com
  (SMTPD32-7.07) id A6ECF1016E; Fri, 19 Sep 2003 15:20:12 -0400
Received: (qmail 3904 invoked by uid 33); 19 Sep 2003 19:20:12 -
Date: 19 Sep 2003 19:20:12 -
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
From: 8minuteDating [EMAIL PROTECTED]
Reply-To: 8minuteDating [EMAIL PROTECTED]
Subject: Upcoming Nyack Party
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000__01C0B5EC.5BF9F0F0
X-Declude-Note: Domain mail.matchevents.com has no MX or A records.
X-Declude: Version 1.76; D56ec00f1016e71bc.SMD from mail.matchevents.com
[209.123.232.152]
X-Declude: Triggered MAILFROM, HELOBOGUS, NOLEGITCONTENT [1]
X-Countries: UNITED STATES-destination
Return-Path: [EMAIL PROTECTED]


DEBUG LOG
-

09/19/2003 15:20:13.037  CFG: Setting LOG_OK level to NONE
09/19/2003 15:20:13.053  CFG: Set hop to 0.
09/19/2003 15:20:13.053  Console turned OFF
09/19/2003 15:20:13.053  CFG: Bypassing IP 63.107.174.32.
09/19/2003 15:20:13.053  CFG: Bypassing IP 65.119.204.32.
09/19/2003 15:20:13.053  Setting AUTOWHITELIST to ON
09/19/2003 15:20:13.053  CFG: Whitelisting AUTH .
09/19/2003 15:20:13.053  CFG: Whitelisting TO [EMAIL PROTECTED]
09/19/2003 15:20:13.053  CFG: Whitelisting IP 63.107.174..
09/19/2003 15:20:13.053  CFG: Whitelisting IP 65.119.204..
09/19/2003 15:20:13.053  CFG: Whitelisting IP 195.127.133.0/25.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM t-online.de.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM networksolutions.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM verisign.net.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM netsol.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM nytimes.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM lists.cnn.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM timeinc.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM deepmetrix.com.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM uni.de.
09/19/2003 15:20:13.053  CFG: Whitelisting IP 206.242.213.5.
09/19/2003 15:20:13.053  CFG: Whitelisting IP 206.64.5.31.
09/19/2003 15:20:13.053  CFG: Whitelisting ANYWHERE [EMAIL PROTECTED]
09/19/2003 15:20:13.053  CFG: Whitelisting ANYWHERE [EMAIL PROTECTED] .
09/19/2003 15:20:13.053  CFG: Whitelisting IP 64.119.137..
09/19/2003 15:20:13.053  CFG: Whitelisting IP 65.199.179.232/29.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM stellenmarkt.de.
09/19/2003 15:20:13.053  CFG: Whitelisting FROM PASSPORT.COM.
09/19/2003 15:20:13.069  Declude v1.76
09/19/2003 15:20:13.069  Setting HOLD directory to: D:\IMAIL\spool\spam.
09/19/2003 15:20:13.069 Q56ec00f1016e71bc Setting DNS server to IMail's 63.107.174.65.
09/19/2003 15:20:13.069 Q56ec00f1016e71bc Declude JunkMail Pro Version Registered
09/19/2003 15:20:13.069 Q56ec00f1016e71bc Start
09/19/2003 15:20:13.069 Q56ec00f1016e71bc Locked D:\IMAIL\spool\Q56ec00f1016e71bc.SMD.
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Getting message envelope
09/19/2003 15:20:13.116 Q56ec00f1016e71bc [EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc QD:\IMAIL\spool\D56ec00f1016e71bc.SMD
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Hmail.webhost.hm-software.com
09/19/2003 15:20:13.116 Q56ec00f1016e71bc We:\MAIL\Virtual
09/19/2003 15:20:13.116 Q56ec00f1016e71bc E0,
09/19/2003 15:20:13.116 Q56ec00f1016e71bc S[EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc NRCPT TO:[EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Recip: NRCPT TO:[EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc R[EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Recip: R[EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Setting altaddr 0 to [EMAIL PROTECTED] [EMAIL PROTECTED]
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Setting reciphost to pianoartist.com
09/19/2003 15:20:13.116 Q56ec00f1016e71bc 09/19/2003 15:20:13.116 Q56ec00f1016e71bc nRecips: 1 (1 total)
09/19/2003 15:20:13.116 Q56ec00f1016e71bc Recip 0: [EMAIL PROTECTED] = [EMAIL PROTECTED]
09/19/2003 15:20:13.116 

Re: [Declude.JunkMail] attachment problems

2003-09-19 Thread Matthew Bramble
Just to follow-up in case it helps Andy in the event he is unfamiliar 
with the setting.  I used to get a lot of calls when Microsoft started 
blocking all executable attachments by default with Outlook Express 6.

In Microsoft Outlook Express:

Tools  Security  Uncheck: Do not allow attachments to be saved or 
opened that could potentially be a virus

Matt

R. Scott Perry wrote:


I am having a real problem with clients not getting attachments. Is 
there a
test I can do that will help with this?


There are a lot of reasons for this, but usually it is not caused by 
Declude.  The first step is to check the log files, to see where the 
E-mail was blocked, or whether it was actually delivered (which is 
often the case, such as Outlook blocking .exe's).

   -Scott




Re: [Declude.JunkMail] Interim release to detect wildcard DNS entries (aka VERISCAM)

2003-09-19 Thread R. Scott Perry

Does the new Declude poll every time to your box to see what is forging 
and what is not or does it keep a cache?
It polls every time a virus is received.

(Just thinking about your bandwidth and also if.. g-d forbid... your 
network connection goes down.)
However, if our server can't be reached, Declude Virus will assume that the 
virus is a forging virus.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] attachment problems

2003-09-19 Thread Darryl Koster


Scott,

I never ever thought this was a problem with Declude. I assumed it was
something that I honestly had done on my end to cause this. I just want to
know how to fix it as I have a client who is acting like they are maybe 3,
no wait too old, 2.


Thanks Matt,

Darryl


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Friday, September 19, 2003 3:02 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] attachment problems



I am having a real problem with clients not getting attachments. Is there a
test I can do that will help with this?

There are a lot of reasons for this, but usually it is not caused by
Declude.  The first step is to check the log files, to see where the E-mail
was blocked, or whether it was actually delivered (which is often the case,
such as Outlook blocking .exe's).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Bill Landry
- Original Message - 
From: Matthew Bramble

 I highly recommend not filtering the fake MAILFROM for your local domains.

Why not?  I don't actually do this, rather I use SPAMDOMAIN instead.  But I
don't see a problem doing it with MAILFROM in a filter file either.

Bill



Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Matthew Bramble




Bill,

It's because it is very rare that you see spam faking your address,
0.1% from a recent test, and much more common that false positives will
be created as was noted. I was able to monitor this behavior because
unfortunately the DYNAMIC filter catches but doesn't score intra-server
domain E-mail, and I searched for this knowing they would all be in
there. In other words, filtering for from addresses faked to say they
are from your own domain would have a false positive rate of around
75%, or at least that would be so on my server. One prime example is
that many of my customer's Web sites with forms will send the
submission as if it came from the customer's own domain, and thus fail
the test. Lots of ecommerce is done this way. It's a very bad idea in
my opinion. Maybe I'm missing something though???

Using SPAMDOMAINS to filter for local domains would also be just as
problematic I would think. You might not have issues based on the
makeup of your customers and maybe not caring too much about gray area
commercial stuff like greeting cards which might fail the filters. No
way would I start whitelisting stuff either based on something which
would properly add points so rarely. Are you not seeing the same very
low incidence of this type of thing? or is that unique to my own
customer base?

Matt



Bill Landry wrote:

  - Original Message - 
From: Matthew Bramble

  
  
I highly recommend not filtering the fake MAILFROM for your local domains.

  
  
Why not?  I don't actually do this, rather I use SPAMDOMAIN instead.  But I
don't see a problem doing it with MAILFROM in a filter file either.

Bill
  






[Declude.JunkMail] www.declude.com down????

2003-09-19 Thread Kevin Bilbee
I am trying to get to the manual.

Is the declude website down?

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332

Changing the way industry works. 


Re: [Declude.JunkMail] www.declude.com down????

2003-09-19 Thread DLAnalyzer Support
It's reachable from here... 

Darrell 

Kevin Bilbee writes: 

I am trying to get to the manual. 

Is the declude website down? 

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332

Changing the way industry works. 



DLAnalyzer a comprehensive reporting tool for
Declude Junkmail Logs - http://www.dlanalyzer.com 



RE: [Declude.JunkMail] www.declude.com down????

2003-09-19 Thread Jeff Kratka
No problems here..

Jeff Kratka
*
TymeWyse Internet
P.O.Box 84 - 110 Ecklund St., Canyonville, OR 97417
tel/fax: (541) 839-6027  -  [EMAIL PROTECTED]
*


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee
Sent: Friday, September 19, 2003 2:34 PM
To: JunkMail Declude
Subject: [Declude.JunkMail] www.declude.com down


I am trying to get to the manual.

Is the declude website down?

Kevin Bilbee
Network Administrator
Standard Abrasives, Inc.
[EMAIL PROTECTED]
(805) 520-5800 x7332

Changing the way industry works.


Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Bill Landry



We whitelist the IP address of any system we permit to relay through our
IMail server, and all of our customers either use SMTP Auth or we whitelist
their IP address space.  So the only time we have seen a problem is with
some mailing lists and e-card services, which we accommodate via filtering.

As a quick test, I separated out my hosted domains from the SPAMDOMAINS
file and created a new spamdomains test called FORGED-DOMAINS.  Here are the
subjects of the messages I have flagged with this test within the past 5
minutes:

 2 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
 1 Subject: Someone wants to date you
 1 Subject: Self-paced degree programs for busy adults
 1 Subject: Please claim your gift
 1 Subject: Lowest Mortgage Rates in 45 Years!
 1 Subject: Get a Proven Anti - Aging Creme at No Charge
 1 Subject: Credit Relief
 1 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
 1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
 1 Subject: 3 months of FREE Satellite TV
 1 Subject: 0% Auto Loans!
 1 Subject: you are *approved already. No credit check

Looks like a very effective test to me.

Bill

  - Original Message -
  From: Matthew Bramble
  To: [EMAIL PROTECTED]
  Sent: Friday, September 19, 2003 2:16 PM
  Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address

  Bill,

  It's because it is very rare that you see spam faking your address, 0.1%
  from a recent test, and much more common that false positives will be
  created as was noted.  I was able to monitor this behavior because
  unfortunately the DYNAMIC filter catches but doesn't score intra-server
  domain E-mail, and I searched for this knowing they would all be in there.
  In other words, filtering for from addresses faked to say they are from
  your own domain would have a false positive rate of around 75%, or at
  least that would be so on my server.  One prime example is that many of my
  customer's Web sites with forms will send the submission as if it came
  from the customer's own domain, and thus fail the test.  Lots of ecommerce
  is done this way.  It's a very bad idea in my opinion.  Maybe I'm missing
  something though???

  Using SPAMDOMAINS to filter for local domains would also be just as
  problematic I would think.  You might not have issues based on the makeup
  of your customers and maybe not caring too much about gray area commercial
  stuff like greeting cards which might fail the filters.  No way would I
  start whitelisting stuff either based on something which would properly
  add points so rarely.  Are you not seeing the same very low incidence of
  this type of thing? or is that unique to my own customer base?

  Matt

  Bill Landry wrote:

  - Original Message -
  From: Matthew Bramble

  I highly recommend not filtering the fake MAILFROM for your local domains.

  Why not?  I don't actually do this, rather I use SPAMDOMAIN instead.  But I
  don't see a problem doing it with MAILFROM in a filter file either.

  Bill
  


Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Matthew Bramble




Bill,

It depends on your customer makeup. My FP rate with a MAILFROM filter
would be close to 90% if not more because of several sites that are
configured to send form submissions as being an account from the same
domain. SPAMDOMAINS would be a better test because the Web sites and
domain based E-mail often shares the same reverse DNS lookup, but not
in cases where they are just using aliases for forwarding. I have
several customers that have software that sends out automated messages
claiming to be from their own domains, such as firewalls and the like,
and then I have some customers with sites hosted in different
facilities that forge the From address for ecommerce. All of this is
before you get the refer-a-friend and gift card stuff. I see all of
this with less than 250 actual accounts and just 50 domains hosted on
my server at present.

If you don't do a lot of Web hosting, you might not see much of a
problem, or if you do hosting for sites without forms configured in
that way, you also wouldn't notice it. I personally don't want to be
whitelisting E-mail as the result of being alerted to the problem by a
customer that rightfully assumed that the From address should be their
own when setting up a script on a Web site. Spam that forges the from
address is likely to fail many technical tests because forging isn't
generally limited to the from address, typically they forge the HELO
and screw many other things up in the headers. I almost never get spam
that passes the filters that uses my own address anymore.

As my own sample of FP's seen in the last 5,000 or so messages would be
the following:

- Used Vehicle Inquiry - [name removed] (about 20 of these)
- New Vehicle Inquiry - [name removed] (about 20 of these)
- Parts Inquiry - [name removed] (about 5 of these)
- Website Contact Form (2 of these)
- New firmware available. (1 of these, sent from a SonicWall)
- From your friend: [name removed] (2 of these sent through SendAFriend)
- Internet Order # [numbers] (3 of these)

In addition to these there are GM and Mazda corporate Internet lead
notifications that fake the from address as the address they are
sending them to (these have problems with these poorly configured
servers). Again though, depending on your customer makeup, your mileage
may vary. SPAMDOMAINS would have not FP'd on a few of the first 4
examples because they are locally hosted on the same domain as the
receiver, but would have FP'd on MAILFROM. Everything else would have
FP'd on both tests.

Matt



Bill Landry wrote:

  
  
  
  
We whitelist the IP address of any system we permit to relay through our
IMail server, and all of our customers either use SMTP Auth or we whitelist
their IP address space.  So the only time we have seen a problem is with
some mailing lists and e-card services, which we accommodate via filtering.

As a quick test, I separated out my hosted domains from the SPAMDOMAINS
file and created a new spamdomains test called FORGED-DOMAINS.  Here are the
subjects of the messages I have flagged with this test within the past 5
minutes:

 2 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
 1 Subject: Someone wants to date you
 1 Subject: Self-paced degree programs for busy adults
 1 Subject: Please claim your gift
 1 Subject: Lowest Mortgage Rates in 45 Years!
 1 Subject: Get a Proven Anti - Aging Creme at No Charge
 1 Subject: Credit Relief
 1 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
 1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
 1 Subject: 3 months of FREE Satellite TV
 1 Subject: 0% Auto Loans!
 1 Subject: you are *approved already. No credit check

Looks like a very effective test to me.

Bill

- Original Message -
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Friday, September 19, 2003 2:16 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address


Bill,

It's because it is very rare that you see spam faking your address,
0.1% from a recent test, and much more common that false positives will
be created as was noted. I was able to monitor this behavior because
unfortunately the DYNAMIC filter catches but doesn't score intra-server
domain E-mail, and I searched for this knowing they would all be in
there. In other words, filtering for from addresses faked to say they
are from your own domain would have a false positive rate of around
75%, or at least that would be so on my server. One prime example is
that many of my customer's Web sites with forms will send the
submission as if it came from the customer's own domain, and thus fail
the test. Lots of ecommerce is done this way. It's a very bad idea in
my opinion. Maybe I'm missing something though???

Using SPAMDOMAINS to filter for local domains would also be just as
problematic I would think. You 

Re: [Declude.JunkMail] blocking spam faked as coming from local address

2003-09-19 Thread Matthew Bramble




I actually missed a whole bunch of stuff that also would have FP'd on
this. Cox in many cases and Earthlink among others are blocking
outbound port 25, so customers using these services for access which
are mailing to other customers on my server would FP on both the
SPAMDOMAINS and MAILFROM filters. Cable and DSL providers at times
have had large segments of their networks blacklisted for continuing
problems with spam, so they can produce a score. If I was having
problems with self addressed spam getting through, I would probably
think about using this to add a few points like Andrew suggested, but
some of the FP's produced would be problematic with a few regular
senders that fail multiple technical tests.

Matt



Matthew Bramble wrote:

  
  
Bill,
  
It depends on your customer makeup. My FP rate with a MAILFROM filter
would be close to 90% if not more because of several sites that are
configured to send form submissions as being an account from the same
domain. SPAMDOMAINS would be a better test because the Web sites and
domain based E-mail often shares the same reverse DNS lookup, but not
in cases where they are just using aliases for forwarding. I have
several customers that have software that sends out automated messages
claiming to be from their own domains, such as firewalls and the like,
and then I have some customers with sites hosted in different
facilities that forge the From address for ecommerce. All of this is
before you get the refer-a-friend and gift card stuff. I see all of
this with less than 250 actual accounts and just 50 domains hosted on
my server at present.
  
If you don't do a lot of Web hosting, you might not see much of a
problem, or if you do hosting for sites without forms configured in
that way, you also wouldn't notice it. I personally don't want to be
whitelisting E-mail as the result of being alerted to the problem by a
customer that rightfully assumed that the From address should be their
own when setting up a script on a Web site. Spam that forges the from
address is likely to fail many technical tests because forging isn't
generally limited to the from address, typically they forge the HELO
and screw many other things up in the headers. I almost never get spam
that passes the filters that uses my own address anymore.
  
As my own sample of FP's seen in the last 5,000 or so messages would be
the following:
  
- Used Vehicle Inquiry - [name removed] (about 20 of these)
- New Vehicle Inquiry - [name removed] (about 20 of these)
- Parts Inquiry - [name removed] (about 5 of these)
- Website Contact Form (2 of these)
- New firmware available. (1 of these, sent from a SonicWall)
- From your friend: [name removed] (2 of these sent through SendAFriend)
- Internet Order # [numbers] (3 of these)
  
In addition to these there are GM and Mazda corporate Internet lead
notifications that fake the from address as the address they are
sending them to (these have problems with these poorly configured
servers). Again though, depending on your customer makeup, your mileage
may vary. SPAMDOMAINS would have not FP'd on a few of the first 4
examples because they are locally hosted on the same domain as the
receiver, but would have FP'd on MAILFROM. Everything else would have
FP'd on both tests.
  
Matt
  
  
  
Bill Landry wrote:
  




We whitelist the IP address of any system we permit to relay through our
IMail server, and all of our customers either use SMTP Auth or we whitelist
their IP address space.  So the only time we have seen a problem is with
some mailing lists and e-card services, which we accommodate via filtering.

As a quick test, I separated out my hosted domains from the SPAMDOMAINS
file and created a new spamdomains test called FORGED-DOMAINS.  Here are the
subjects of the messages I have flagged with this test within the past 5
minutes:

 2 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
 1 Subject: Someone wants to date you
 1 Subject: Self-paced degree programs for busy adults
 1 Subject: Please claim your gift
 1 Subject: Lowest Mortgage Rates in 45 Years!
 1 Subject: Get a Proven Anti - Aging Creme at No Charge
 1 Subject: Credit Relief
 1 Subject: Complimentary 30 Day Supply of Phentermine!
 1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
 1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
 1 Subject: 3 months of FREE Satellite TV
 1 Subject: 0% Auto Loans!
 1 Subject: you are *approved already. No credit check

Looks like a very effective test to me.

Bill

- Original Message -
From: Matthew Bramble
To: [EMAIL PROTECTED]
Sent: Friday, September 19, 2003 2:16 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address

  
  
Bill,
  
It's because it is very rare that you see spam faking your address,
0.1% from a 
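
An added sketch of the check debated in this thread (not code from any poster, and not a reproduction of Declude's MAILFROM filter or SPAMDOMAINS test): flag mail whose envelope sender claims a locally hosted domain unless the session used SMTP AUTH or came from a whitelisted relay IP, then measure what share of flagged mail was legitimate. The domains, IP ranges and sample messages are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for this sketch: made-up hosted domains, documentation IP ranges.
LOCAL_DOMAINS = {"example.com", "example.net"}
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/28")]


@dataclass(frozen=True)
class Msg:
    label: str
    mail_from: str   # SMTP envelope sender
    client_ip: str   # IP of the connecting host
    smtp_auth: bool  # session authenticated with SMTP AUTH
    is_spam: bool    # ground truth, known only because the sample is constructed


def sender_domain(mail_from):
    """Lower-cased domain of an envelope sender; '' for the null sender or junk."""
    addr = mail_from.strip().strip("<>")
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def is_local(domain):
    """True for a hosted domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def is_trusted_source(msg):
    """Authenticated sessions and whitelisted relay IPs are exempt from the check."""
    if msg.smtp_auth:
        return True
    ip = ipaddress.ip_address(msg.client_ip)
    return any(ip in net for net in TRUSTED_RELAYS)


def forged_local(msg):
    """Sender claims a local domain but arrived from an untrusted source."""
    return is_local(sender_domain(msg.mail_from)) and not is_trusted_source(msg)


def evaluate(msgs):
    """Return flagged labels, the legitimate ones among them, and their share."""
    flagged = [m for m in msgs if forged_local(m)]
    fps = [m for m in flagged if not m.is_spam]
    share = len(fps) / len(flagged) if flagged else 0.0
    return {
        "flagged": [m.label for m in flagged],
        "false_positives": [m.label for m in fps],
        "fp_share": share,
    }


# Constructed sample covering the cases raised in the thread.
SAMPLE = [
    Msg("forged-spam-1", "sales@example.com", "203.0.113.50", False, True),
    Msg("forged-spam-2", "<info@mail.example.net>", "203.0.113.77", False, True),
    Msg("customer-smtp-auth", "alice@example.com", "198.51.100.7", True, False),
    Msg("customer-whitelisted-ip", "bob@example.net", "192.0.2.5", False, False),
    # Web form hosted elsewhere that sends as the customer's own domain.
    Msg("offsite-web-form", "orders@example.com", "198.51.100.20", False, False),
    # Customer whose ISP blocks outbound port 25, so mail arrives via the ISP relay.
    Msg("isp-relay-port25-blocked", "carol@example.net", "198.51.100.99", False, False),
    Msg("external-spam", "promo@spam.invalid", "203.0.113.9", False, True),
    Msg("bounce-null-sender", "<>", "198.51.100.30", False, False),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

How the result splits between forged spam and legitimate mail depends entirely on the traffic mix, which is why a check like this is easier to live with as a weighted score than as an outright hold.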

[Declude.JunkMail] COUNTRY test

2003-09-19 Thread Scot Desort
I have seen a COUNTRY test mentioned on the list. It references the
%countrychain% variable.

How is this test implemented? What does it do? How do I get the countrychain
variable to appear in the header (mine appears blank).

Thanks,

Scot

