RE: [Declude.JunkMail] Integrity Checker
> When I travel, I have to use mail.earthlink.net as my SMTP server.
> Some airlines send out reservation confirmations from servers that are not theirs.

For sure it will create false positives - as many other tests. For example the SPAMDOMAIN test if a user uses the mailserver of his current ISP but a freemailer address like @yahoo.com as sender address.

I think that far more spam will fail such an integrity check than some few legit messages. So it should be a good test in a weighting system. It's not the goal to hold if such an integrity test will fail. Simply add some points.

All information needed to determine the integrity is already here. No additional NS lookups, heavy processing, large files or databases.

The same test can also give a negative weight if domain or tld of MAILFROM, REVDNS, HELO/EHLO and maybe also the Country-chain show a certain integrity.

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] How does this spam trick work
Jonas, Saturday, October 11, 2003 you wrote:

J> I assume that they must do this to try to avoid content filtering. I
J> was never aware of that they could fake messages like this.

I think you are viewing a message that is in multipart mime. In web mail you are viewing the html part of the message. In Imail client you are viewing the text part. These do not have to be the same and frequently the text part will be something like "your client doesn't support html messages".

Well crafted messages will have a text part of the message customized for those who see only text and vice versa.

Terry Fritts
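The mismatch Terry describes can be measured on the filtering side. The following is an added example, not part of the original post and not Declude code: it pulls the text/plain and text/html parts out of a constructed multipart/alternative message and reports how much of their wording they share. The function names and the sample message are assumptions made for the illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample: the text part and the HTML part carry unrelated content.
SAMPLE = """\
From: sender@example.com
Subject: Meeting minutes
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Minutes of the gardening club meeting are attached for your review.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Cheap pills, <b>no prescription</b> needed. Order today!</p></body></html>
--b1--
"""

class _TextOnly(HTMLParser):
    """Collects the character data a reader would see, dropping the tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def words(text):
    return set(re.findall(r"[a-z0-9']{3,}", text.lower()))

def alternative_parts(raw):
    """Return the first text/plain and text/html bodies, keyed by content type."""
    found = {}
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and ctype not in found:
            body = part.get_payload(decode=True) or b""
            found[ctype] = body.decode(part.get_content_charset() or "utf-8", "replace")
    return found

def part_overlap(raw):
    """Jaccard overlap of the words in both parts; None if a part is missing."""
    parts = alternative_parts(raw)
    if len(parts) < 2:
        return None
    renderer = _TextOnly()
    renderer.feed(parts["text/html"])
    renderer.close()
    plain, html = words(parts["text/plain"]), words(" ".join(renderer.chunks))
    if not plain or not html:
        return 0.0
    return len(plain & html) / len(plain | html)
```

A low overlap is only a scoring hint, since legitimate mail often carries a stub text part of the kind mentioned above.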
RE: [Declude.JunkMail] Dictionary attacks --- anyone have any solutions.
Yes. Soil-tech.com is a local domain that we host and Tony is a valid user on that domain. It almost appears that Imail is seeing his OutlookExpress as a mail server, not an authenticated mail client. Any other suggestions?

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
702.319.4349

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Saturday, October 11, 2003 5:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Dictionary attacks --- anyone have any solutions.

> I have a customer using Outlook Express 6 and each message he sends fails the HELOBOGUS test as shown below:
>
> 10/10/2003 14:45:30 Q28770c310140cd76 Msg failed HELOBOGUS (Domain TONY has no MX or A records.). Action=HEADER.
> 10/10/2003 14:45:30 Q28770c310140cd76 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 24.234.126.165 ID:
>
> What would cause this?

Is soil-tech.com a local domain? If not, the sender needs to use a valid host name in the HELO/EHLO data that it sends. TONY is not a valid Internet host name.

-Scott
RE: [Declude.JunkMail] Integrity Checker
Hi JD:

In my opinion the more tests we have the fewer false positives we will have since we can reduce the high weight for some of our other tests. What I find interesting is our spam is no longer failing with borderline weights. As we have added more and more tests a spam fails with much higher weight and those that are borderline (we hold on 20) have a higher probability to be false positives.

One example of a test that at first we found to be a great test but over time we have reduced its weight to 5 is REVDNS. More and more legitimate mail fails that test. So if we can come up with tests that can trigger spam and yet with reverse tests negate the ones we know our chances of success increase.

What triggered this was getting a porn email where HELO was .Microsoft.com. Can we ever imagine eBay sending an email where HELO is eBay but REVDNS is EarthLink or a DSL?

For example:

Domain REVDNS HELO (perhaps even IP range)

This will work best with such companies as eBay, Microsoft, Amazon, etc. So if a REVDNS comes up that does not match the domain or HELO then it gets a certain weight. It should be easy to implement...

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J.D. Springer
Sent: Saturday, October 11, 2003 11:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Integrity Checker

Kami:

I think this is a good idea in concept, but could produce a lot of false positives if not used carefully.

For example:
When I travel, I have to use mail.earthlink.net as my SMTP server.
Some airlines send out reservation confirmations from servers that are not theirs.

J.D.

Kami Razvan wrote:

> Hi;
>
> I wonder if a test could be set up that checks for the integrity of the email.
>
> For example:
>
> ===
> X-Declude-Sender: [EMAIL PROTECTED] [67.121.210.25]
> X-Declude-Spoolname: D17aa0bbd0062ac07.SMD
> X-Note: This E-mail was scanned filtered by Declude [1.76i5] for SPAM virus.
> X-Weight: 13
> X-Hello: microsoft.com
> ===
>
> Why should @gundamfan.com have a HELO of microsoft.com?
>
> Perhaps an extension of SPAMDOMAINS where one could specify the email and the REVDNS could also be extended to HELO. So HELO of Microsoft.com should only be allowed if REVDNS is also Microsoft and email is Microsoft.com.
>
> Or can we do this already?
>
> Regards,
> Kami
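A sketch of the weighted integrity test proposed in this thread, covering both Kami's brand-to-REVDNS idea and Markus's suggestion of a negative weight when everything agrees. This is an added example, not Declude's implementation: the brand list, the weights, the function names and the sample REVDNS values are assumptions, and only the gundamfan.com / microsoft.com pairing comes from the headers quoted above.

```python
# Hypothetical weights and brand list; tune against your own mail flow.
PROTECTED = {"microsoft.com", "ebay.com", "amazon.com"}
W_FORGED_BRAND = 8    # HELO or MAILFROM claims a listed domain, REVDNS disagrees
W_CONSISTENT = -3     # MAILFROM, HELO and REVDNS all share one domain

def base_domain(host):
    """Last two labels of a host name, lower-cased.
    Simplification: a real test needs the Public Suffix List for names like co.uk."""
    labels = host.strip().strip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def integrity_weight(mailfrom, helo, revdns):
    """Score the consistency of envelope sender, HELO/EHLO and reverse DNS.
    revdns is the PTR name the mail server already looked up ('' if none),
    so the test needs no extra DNS queries."""
    sender = base_domain(mailfrom.rsplit("@", 1)[-1])
    hello = base_domain(helo)
    ptr = base_domain(revdns)
    claimed = {d for d in (sender, hello) if d in PROTECTED}
    if claimed and claimed != {ptr}:
        return W_FORGED_BRAND, "claims %s but REVDNS is %s" % (
            ", ".join(sorted(claimed)), ptr or "missing")
    if sender and sender == hello == ptr:
        return W_CONSISTENT, "MAILFROM, HELO and REVDNS agree on " + sender
    # Unlisted domains that merely differ (the travelling user relaying
    # through an ISP) get no points in this sketch.
    return 0, "no integrity signal"

# Constructed cases: (MAILFROM, HELO, REVDNS).
CASES = [
    ("someone@gundamfan.com", "microsoft.com", "host.dsl.example.net"),
    ("billing@ebay.com", "mx1.ebay.com", "mx1.ebay.com"),
    ("traveller@example.org", "laptop", "mail.earthlink.net"),
]

if __name__ == "__main__":
    for case in CASES:
        print(case, integrity_weight(*case))
```

The returned weight is meant to be added to the message's total, as Markus suggests, rather than used to hold mail on its own.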
[Declude.JunkMail] Declude and IMgate
We use Imgate as a mail gateway for incoming/outgoing mail. Imgate delivers incoming mail to Imail. Should I set HOP in global.cfg to 1 under this scenario? Declude seems to work fine with it set to 0.

Jonas Fornander - System Administrator
Netwood Communications, LLC - www.netwood.net
Find out why we're better - 310-442-1530
Re: [Declude.JunkMail] Declude and IMgate
If you have set IPBYPASS for your IMGate machine's IP address, then you do not need to change your HOP count from 0. Declude will check the IP addresses that delivered the mail to your IMGate machine just as if it were delivered directly to the IMail server.

Bill

----- Original Message -----
From: Jonas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 6:35 PM
Subject: [Declude.JunkMail] Declude and IMgate

> We use Imgate as a mail gateway for incoming/outgoing mail. Imgate delivers incoming mail to Imail. Should I set HOP in global.cfg to 1 under this scenario? Declude seems to work fine with it set to 0.
>
> Jonas Fornander - System Administrator
> Netwood Communications, LLC - www.netwood.net
> Find out why we're better - 310-442-1530
Re: [Declude.JunkMail] Declude and IMgate
There are actually 2 ...hop and hop high... which one are you referring to in making the changes? I'm interested myself, the mail from my imgate keeps getting held in spam review too...

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 8:12 PM
Subject: Re: [Declude.JunkMail] Declude and IMgate

> If you have set IPBYPASS for your IMGate machine's IP address, then you do not need to change your HOP count from 0. Declude will check the IP addresses that delivered the mail to your IMGate machine just as if it were delivered directly to the IMail server.
>
> Bill
Re: [Declude.JunkMail] Declude and IMgate
HOP defines where Declude should start its IP based checks, so HOP 0 tells Declude to start its checks on the IP address that connects to the IMail server. HOP HIGH defines how many hops back from the first hop checked Declude should run its IP checks on. IPBYPASS tells Declude to skip this IP address when doing its IP checks. IPBYPASS works well for skipping mail gateway servers. When using IPBYPASS, you can usually keep the HOP settings at their default of 0.

Bill

----- Original Message -----
From: Webmaster Oilfield Directory [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 9:49 PM
Subject: Re: [Declude.JunkMail] Declude and IMgate

> There are actually 2 ...hop and hop high... which one are you referring to in making the changes? I'm interested myself, the mail from my imgate keeps getting held in spam review too...
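The HOP, HOP HIGH and IPBYPASS behaviour Bill describes in the message above, modelled on a constructed Received chain. This is an added example and not Declude's code: it assumes the hop addresses are the bracketed IPs in the Received headers and that HOP HIGH counts further hops behind the first one tested, as the message words it. All addresses, host names and function names are made up for the illustration.

```python
import re
from email import message_from_string

GATEWAY = "192.0.2.10"  # constructed IMGate address

# Constructed headers, newest first: the gateway handed the message to IMail.
VIA_GATEWAY = """\
Received: from imgate.example.net [192.0.2.10] by imail.example.net; Sun, 12 Oct 2003 18:40:02 -0700
Received: from mail.sender.example [203.0.113.7] by imgate.example.net; Sun, 12 Oct 2003 18:40:01 -0700
Received: from pc.sender.example [198.51.100.23] by mail.sender.example; Sun, 12 Oct 2003 18:39:58 -0700
Subject: test

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_chain(raw):
    """Relay IPs newest first, so index 0 is the host that connected to IMail."""
    chain = []
    for value in message_from_string(raw).get_all("Received", []):
        match = BRACKETED_IP.search(value)
        if match:
            chain.append(match.group(1))
    return chain

def ips_to_check(chain, hop=0, hophigh=0, ipbypass=()):
    """IPs the IP-based tests would look at under the settings as described:
    IPBYPASS entries are skipped, HOP picks the first hop to test, and
    HOP HIGH adds that many further hops behind it."""
    skipped = set(ipbypass)
    visible = [ip for ip in chain if ip not in skipped]
    return visible[hop:hop + hophigh + 1]

def compare(raw):
    """Tested IPs for the three configurations discussed in the thread."""
    chain = relay_chain(raw)
    return {
        "HOP 0": ips_to_check(chain),
        "HOP 1": ips_to_check(chain, hop=1),
        "HOP 0 + IPBYPASS": ips_to_check(chain, ipbypass=[GATEWAY]),
    }

if __name__ == "__main__":
    print(compare(VIA_GATEWAY))
    # Mail that reaches IMail without passing the gateway (constructed case).
    print(compare(VIA_GATEWAY.split("\n", 1)[1]))
```

Under this model, HOP 1 and IPBYPASS pick the same address for mail relayed by the gateway, but for mail that arrives directly HOP 1 skips the connecting host while IPBYPASS with HOP 0 still tests it.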
Re: [Declude.JunkMail] Declude and IMgate
Hey ..thanks for the info.. that helps me... so if I understand you correctly they should both be set to zero and use ipbypass.. the only thing is I can't figure out why the reports from my imgate machines keep getting held and not bypassed ..strange...

----- Original Message -----
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 12, 2003 9:09 PM
Subject: Re: [Declude.JunkMail] Declude and IMgate

> HOP defines where Declude should start its IP based checks, so HOP 0 tells Declude to start its checks on the IP address that connects to the IMail server. HOP HIGH defines how many hops back from the first hop checked Declude should run its IP checks on. IPBYPASS tells Declude to skip this IP address when doing its IP checks. IPBYPASS works well for skipping mail gateway servers. When using IPBYPASS, you can usually keep the HOP settings at their default of 0.
>
> Bill