RE: [Declude.JunkMail] How does this spam trick work
Keith Purtell: The message-length limit in particular is probably destined to be revised. We should have some control over this. Such as the ability to change it, or the ability to change the limit when certain parameters are met.

BTW: SpamChk is able to identify and analyze multipart mails. If there is a text and a following html-part only the html-part will be analyzed for suspicious keywords.

Markus
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] ERROR: SOMEONE CRUMBLED MY MAGIC COOKIE
It may. But that file is a binary file that shouldn't be handled with text editors, making it difficult to view the information in it.

Whoops. Then I hope I didn't seriously goof something up. My installed.bin file properties state that it consists of exactly six bytes, and if I open it with a non-invasive text editor, it says 1.76i4. Should there be more to it?

I doubt there is a problem with the file -- I'm just surprised that a text editor would open it. Perhaps it is due to the long version (most versions are just 4 bytes).

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
[Declude.JunkMail] W32/swen
I'm fairly new to this and guessing there's a simple way to catch these?

Larry Craddock

Received: from dns1.atuacao.inf.br [200.203.92.130] by netride.net with ESMTP (SMTPD32-8.03) id A0F770A00C0; Tue, 14 Oct 2003 07:49:59 -0500
Received: from udsikd ([200.203.92.14]) by dns1.atuacao.inf.br (8.12.3/8.12.3) with SMTP id h9ECFlCB001365; Tue, 14 Oct 2003 10:15:47 -0200
Date: Tue, 14 Oct 2003 10:15:47 -0200
Message-Id: [EMAIL PROTECTED]
FROM: Mail System [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=buojnauxtqmv
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 200.203.92.130 with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [200.203.92.130]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, REVDNS [4]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319324547

--buojnauxtqmv
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

HTML HEAD/HEAD BODY iframe src=3Dcid:zkfgpjlwuzrijpd; height=3D0 width=3D0/iframe BRMessage from rocketmail.com BRBRI'm afraid = the message returned below could not be delivered = to the following addresses:BR BRBRBRUndelivered message to B[EMAIL PROTECTED]/B /BODY/HTML

--buojnauxtqmv
Content-Type: audio/x-wav; name=hrklfqxx.bat
Content-Transfer-Encoding: base64
Content-Id: zkfgpjlwuzrijpd
[Declude.JunkMail] Weight maybe not working right??
Hello,

I just received several spams to my box all with weights greater than I allow (weight of 49). Does anyone see anything wrong here?

GLOBAL.CFG
WEIGHT1 weightrange x x 5 11
WEIGHT2 weightrange x x 12 17
WEIGHT3 weightrange x x 18 36
WEIGHT4 weightrange x x 37 0

$default$.junkmail
WEIGHT1 WARN
WEIGHT2 SUBJECT
WEIGHT3 HOLD
WEIGHT4 DELETE

--
Best regards,
~Paul~ mailto:[EMAIL PROTECTED]
---
{This E-mail scanned for viruses by Declude Virus/McAfee}
Re: [Declude.JunkMail] W32/swen
> I'm fairly new to this and guessing there's a simple way to catch these?

With a virus scanner. :)

However, a number of people do try creating filters to catch the more common viruses, based on subject lines, file names, etc. You just have to be careful when doing so that you do not catch legitimate mail.

-Scott
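A file-name and MIME-structure filter of the kind mentioned in this reply, written as an added example (not part of the thread and not Declude's own logic). It runs over a constructed message modeled on the sample posted above, with a harmless placeholder payload; the extension list and the function name are assumptions.

```python
import email
import re
from email import policy

# Extensions Windows runs when opened (assumed list, not exhaustive).
EXECUTABLE_EXT = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs"}
# <iframe ... src=cid:ID> in HTML that has already been transfer-decoded.
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"';>]+)", re.I)

# Constructed sample: same structure as the posted message, placeholder payload.
SAMPLE = "\r\n".join([
    "From: Mail System <postmaster@example.invalid>",
    "To: user@example.invalid",
    "Mime-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="buojnauxtqmv"',
    "",
    "--buojnauxtqmv",
    "Content-Type: text/html",
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "<HTML><BODY><iframe src=3Dcid:zkfgpjlwuzrijpd height=3D0 width=3D0>",
    "</iframe>Undelivered message</BODY></HTML>",
    "--buojnauxtqmv",
    "Content-Type: audio/x-wav; name=hrklfqxx.bat",
    "Content-Transfer-Encoding: base64",
    "Content-Id: <zkfgpjlwuzrijpd>",
    "",
    "cGxhY2Vob2xkZXI=",
    "--buojnauxtqmv--",
    "",
])


def suspicious_parts(raw):
    """Return (reason, filename, detail) tuples for parts worth quarantining."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Pass 1: collect Content-Ids that an HTML part loads through an iframe.
    iframe_cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            iframe_cids.update(IFRAME_CID.findall(part.get_content()))

    # Pass 2: compare each leaf part's file name with its declared type.
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""  # falls back to Content-Type name=
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXT:
            continue  # ordinary media attachments pass untouched
        ctype = part.get_content_type()
        cid = str(part["Content-Id"] or "").strip("<> ")
        if not ctype.startswith("application/"):
            findings.append(("type-mismatch", name, ctype))
        if cid in iframe_cids:
            findings.append(("iframe-autoload", name, cid))
    return findings


if __name__ == "__main__":
    for finding in suspicious_parts(SAMPLE):
        print(finding)
```

Both rules key on an executable extension, so a real `.wav` attachment referenced from HTML is not flagged, which is the false-positive concern raised in the reply.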
Re: [Declude.JunkMail] Weight maybe not working right??
- Original Message -
From: Paul Ingram [EMAIL PROTECTED]

> I just received several spams to my box all with weights greater than I allow (weight of 49). Does anyone see anything wrong here?
>
> GLOBAL.CFG
> WEIGHT1 weightrange x x 5 11
> WEIGHT2 weightrange x x 12 17
> WEIGHT3 weightrange x x 18 36
> WEIGHT4 weightrange x x 37 0

Change WEIGHT4 to a weight test instead of a weightrange:

WEIGHT4 weight x x 37 0

This will apply whatever action you define (in your case: DELETE) to any message with a weight of 27 or higher. That should take care of it.

Bill
Re: [Declude.JunkMail] 1.76i4 and 1.76i6
> I just noticed that all we're getting for IP addresses with these two versions is 0.0.0.0. Example:
>
> X-Declude-Sender: [EMAIL PROTECTED] [0.0.0.0]
>
> After going back to 1.76i1, we're getting a real IP address. Example:
>
> X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.21]

This is fixed in the interim release v1.76i7 at http://www.declude.com/release/176i/declude.exe .

It seems that when Received: headers were encountered with no IP in them, the previous interim release would not skip over the Received: header -- and would therefore end up with the IP of 0.0.0.0 (since there was no actual IP in the header). v1.76i7 takes care of this problem.

-Scott
[Declude.JunkMail] Filters And Attachments
Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272

How do most folks deal with word filters being triggered on attachments. See below for example?

10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER on sex [weight-2; SExQlAnjsABzk

Is there something that is put in the body of a message that indicates there is an attachment so that potentially reverse weight can be applied?

Darrell
Re: [Declude.JunkMail] Comments in IPFILE Text File
> I am using a flat text file full of individual IP addresses... 61.115.176.254 200.24.83.51 218.79.70.14 , etc., with the IPFILE test. Can I put a comment in this file, e.g.
>
> 61.115.176.254 # iexpect.com
>
> without breaking the test?

Yes. According to the Whitelist/Blacklist Reference section of the manual, comments are allowed in the IP blacklists.

-Scott
[Declude.JunkMail] Understanding Imail logs document
A link to this was posted recently. Can someone please repost the link?

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
702.319.4349
[Declude.JunkMail] Comments in IPFILE Text File
Hello, All,

I am using a flat text file full of individual IP addresses... 61.115.176.254 200.24.83.51 218.79.70.14 , etc., with the IPFILE test. Can I put a comment in this file, e.g.

61.115.176.254 # iexpect.com

without breaking the test?

Thanks In Advance,
Dan Geiser
[EMAIL PROTECTED]
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
Re: [Declude.JunkMail] Understanding Imail logs document
> A link to this was posted recently. Can someone please repost the link?

It's http://www.declude.com/info/logs.htm .

-Scott
[Declude.JunkMail] Understanding Imail, junkmail, virus logs
Regarding the relationships between Imail logs, Junkmail logs and Virus logs:

In the Imail logs:

- A single process ID represents all of the work for a single message in a single direction.
- If a message is received from a remote server, the log lines for that message will reference a spool\D##.SMD file (an inbound connection, process=SMTPD).
- If a message is received from a local authenticated user (for example: sending through Outlook), the log lines for that message will reference a spool\D##.SMD file (an inbound connection, process=SMTPD). Subsequently, a separate set of log lines will reference a spool\Q##.SMD file (an outbound connection, process=SMTP-) for the outbound connection to send that message to a remote server (if the message is bound for a remote domain). The Q and D files for this entire message will have the same file name other than the Q and D.
- A message sent from a local user to another local user will only have a spool\D##.SMD file (an inbound connection, process=SMTPD).
- To accurately count the number of messages processed, one only needs to count the inbound messages b/c any outbound messages must have been preceded by an inbound message.

In the Junkmail and Virus logs:

- The set of log lines representing work done on a single message will have the Q file specified (minus the .SMD) on each associated line. This identifier is mated with the Imail log entry which references the D version of the same name.
- All Junkmail/Virus processing is done on the inbound connection, either from a remote server or the user client app (ie. Outlook). No processing is done on the outbound connection; hence no D files are specified.

---

I wrote this as a number of statements that indicate my understanding. Please comment on any incorrect statements.

Thanks,
Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
702.319.4349
Re: [Declude.JunkMail] Understanding Imail, junkmail, virus logs
> In the Imail logs:
> - A single process ID represents all of the work for a single message in a single direction.
> - If a message is received from a remote server, the log lines for that message will reference a spool\D##.SMD file (an inbound connection, process=SMTPD).
> - If a message is received from a local authenticated user (for example: sending through Outlook), the log lines for that message will reference a spool\D##.SMD file (an inbound connection, process=SMTPD). Subsequently, a separate set of log lines will reference a spool\Q##.SMD file (an outbound connection, process=SMTP-) for the outbound connection to send that message to a remote server (if the message is bound for a remote domain). The Q and D files for this entire message will have the same file name other than the Q and D.
> - A message sent from a local user to another local user will only have a spool\D##.SMD file (an inbound connection, process=SMTPD).

I believe this is all correct. Note that most of this refers just to the logging -- for example, a Q*.SMD file and D*.SMD file will be used for both incoming and outgoing E-mail.

> - To accurately count the number of messages processed, one only needs to count the inbound messages b/c any outbound messages must have been preceded by an inbound message.

inbound and outbound may cause confusion here (but technically could be considered correct terms). Instead, I would say that you can accurately count the number of messages processed by counting the MAIL FROM: SMTPD lines. You could instead count the RCPT TO: SMTPD lines to get the total number of recipients.

> In the Junkmail and Virus logs:
> - The set of log lines representing work done on a single message will have the Q file specified (minus the .SMD) on each associated line. This identifier is mated with the Imail log entry which references the D version of the same name.

Correct. By taking the spool file name and removing the first character and extension, you can find the E-mail in both the IMail and Declude log files.

> - All Junkmail/Virus processing is done on the inbound connection, either from a remote server or the user client app (ie. Outlook). No processing is done on the outbound connection; hence no D files are specified.

Correct. Note that the D file is the data file (which has a copy of the E-mail in it, including headers), and the Q file is the recipient file (which contains information about the recipients and other information that IMail finds useful to save about the E-mail). They refer to an E-mail that IMail has already received via SMTPD (inbound), but not yet delivered via SMTP32 (outbound).

-Scott
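The correlation and counting rules from this reply, as an added example (not code from the thread or from Declude). The log lines are constructed: the Declude line follows the entry quoted earlier on this page, while the IMail line layout, addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Spool file reference: leading D or Q, a hex id, optional .SMD extension.
SPOOL = re.compile(r"\b[DQ]([0-9a-f]{8,})(?:\.SMD)?\b", re.I)

# Constructed IMail SMTP log lines (layout assumed for illustration).
IMAIL_LOG = [
    r"10:13 00:00 SMTPD(01a4) [192.0.2.10] MAIL FROM:<a@example.invalid>",
    r"10:13 00:00 SMTPD(01a4) [192.0.2.10] RCPT TO:<u1@example.invalid>",
    r"10:13 00:00 SMTPD(01a4) [192.0.2.10] RCPT TO:<u2@example.invalid>",
    r"10:13 00:00 SMTPD(01a4) [192.0.2.10] C:\IMAIL\spool\D236256fe026ef9a4.SMD 2048",
    r"10:13 00:01 SMTP-(01b0) MAIL FROM:<a@example.invalid>",
]
# Constructed Declude log lines, modeled on the entry quoted on this page.
DECLUDE_LOG = [
    "10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER on sex",
    "10/13/2003 00:02:10 Q0a1b2c3d4e5f6071 Triggered CONTAINS filter WORDFILTER on sex",
]


def spool_key(text):
    """Spool name minus its first character and extension, or None."""
    match = SPOOL.search(text)
    return match.group(1).lower() if match else None


def correlate(imail_lines, declude_lines):
    """Group lines from both logs under the shared spool key."""
    events = defaultdict(lambda: {"imail": [], "declude": []})
    for source, lines in (("imail", imail_lines), ("declude", declude_lines)):
        for line in lines:
            key = spool_key(line)
            if key:
                events[key][source].append(line)
    return dict(events)


def count_messages(imail_lines):
    """(messages, recipients): MAIL FROM / RCPT TO on SMTPD lines only."""
    inbound = [line for line in imail_lines if "SMTPD" in line]
    messages = sum("MAIL FROM:" in line.upper() for line in inbound)
    recipients = sum("RCPT TO:" in line.upper() for line in inbound)
    return messages, recipients


def unmatched(events):
    """Keys seen by Declude with no IMail spool line in the window given."""
    return sorted(k for k, v in events.items() if v["declude"] and not v["imail"])


if __name__ == "__main__":
    grouped = correlate(IMAIL_LOG, DECLUDE_LOG)
    print(count_messages(IMAIL_LOG), unmatched(grouped))
```

An unmatched key usually means the IMail log window is too narrow or the logs were rotated, which is worth ruling out before treating the gap as meaningful.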
RE: [Declude.JunkMail] Understanding Imail, junkmail, virus logs
Thanks for the info. You're always a wealth of information! :)

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV USA
www.xidix.com
702.319.4349