RE: [Declude.JunkMail] How does this spam trick work

2003-10-14 Thread Markus Gufler

 Keith Purtell:
 The message-length limit in particular is probably destined 
 to be revised. We should have some control over this. Such as 
 the ability to change it, or the ability to change the limit 
 when certain parameters are met.

BTW: SpamChk is able to identify and analyze multipart mails. 
If there is a text and a following html-part only the html-part will be
analyzed for suspicious keywords.

Markus

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] ERROR: SOMEONE CRUMBLED MY MAGIC COOKIE

2003-10-14 Thread R. Scott Perry

>> It may.  But that file is a binary file that shouldn't be handled with text
>> editors, making it difficult to view the information in it.
>
> Whoops. Then I hope I didn't seriously goof something up. My installed.bin 
> file properties state that it consists of exactly six bytes, and if I open 
> it with a non-invasive text editor, it says 1.76i4. Should there be more 
> to it?

I doubt there is a problem with the file -- I'm just surprised that a text 
editor would open it.  Perhaps it is due to the long version (most versions 
are just 4 bytes).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.JunkMail] W32/swen

2003-10-14 Thread Larry Craddock
I'm fairly new to this and guessing there's a simple way to catch these?

Larry Craddock

Received: from dns1.atuacao.inf.br [200.203.92.130] by netride.net with
ESMTP
  (SMTPD32-8.03) id A0F770A00C0; Tue, 14 Oct 2003 07:49:59 -0500
Received: from udsikd ([200.203.92.14])
 by dns1.atuacao.inf.br (8.12.3/8.12.3) with SMTP id h9ECFlCB001365;
 Tue, 14 Oct 2003 10:15:47 -0200
Date: Tue, 14 Oct 2003 10:15:47 -0200
Message-Id: [EMAIL PROTECTED]
FROM: Mail System [EMAIL PROTECTED]
TO:   [EMAIL PROTECTED]
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary=buojnauxtqmv
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 200.203.92.130
with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [200.203.92.130]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: IPNOTINMX, NOLEGITCONTENT, REVDNS [4]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 319324547

--buojnauxtqmv
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

HTML
HEAD/HEAD
BODY
iframe src=3Dcid:zkfgpjlwuzrijpd; height=3D0 width=3D0/iframe
BRMessage from rocketmail.com
BRBRI'm afraid =
the message returned below could not be delivered =
to the following addresses:BR
BRBRBRUndelivered message to B[EMAIL PROTECTED]/B
/BODY/HTML

--buojnauxtqmv
Content-Type: audio/x-wav; name=hrklfqxx.bat
Content-Transfer-Encoding: base64
Content-Id: zkfgpjlwuzrijpd




[Declude.JunkMail] Weight maybe not working right??

2003-10-14 Thread Paul Ingram
Hello,

I just received several spams to my box all with weights greater than
I allow (weight of 49). Does anyone see anything wrong here?
  
GLOBAL.CFG
WEIGHT1  weightrange x x 5 11
WEIGHT2  weightrange x x 12 17
WEIGHT3  weightrange x x 18 36
WEIGHT4  weightrange x x 37 0

$default$.junkmail
WEIGHT1  WARN
WEIGHT2  SUBJECT
WEIGHT3  HOLD
WEIGHT4  DELETE

-- 
Best regards,
 ~Paul~  mailto:[EMAIL PROTECTED]

---
{This E-mail scanned for viruses by Declude Virus/McAfee}



Re: [Declude.JunkMail] W32/swen

2003-10-14 Thread R. Scott Perry

> I'm fairly new to this and guessing there's a simple way to catch these?

With a virus scanner.  :)

However, a number of people do try creating filters to catch the more 
common viruses, based on subject lines, file names, etc.  You just have to 
be careful when doing so that you do not catch legitimate mail.

   -Scott
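
The kind of file-name filter mentioned in the reply above, sketched as an added example (not code from the list or from Declude). It flags the two traits visible in the quoted sample: an attachment with an executable extension declared under a media type, and an HTML iframe that loads it by Content-ID. The extension list and the sample messages are constructed for illustration; the second test message shows a correctly named .wav passing clean.

```python
import re
from email import message_from_string, policy

# Extensions Windows runs on open (illustrative list, not from the thread).
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs"}
IFRAME_CID = re.compile(r"<iframe[^>]*src\s*=\s*[\"']?cid:([^\s\"'<>;]+)", re.I)


def build_sample(attachment_name):
    """Constructed message modelled on the one quoted in this thread."""
    return f"""\
From: Mail System <postmaster@example.invalid>
To: user@example.invalid
Subject: Undelivered message
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="buojnauxtqmv"

--buojnauxtqmv
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>
<iframe src=3D"cid:zkfgpjlwuzrijpd" height=3D0 width=3D0></iframe>
<BR>Undelivered message
</BODY></HTML>

--buojnauxtqmv
Content-Type: audio/x-wav; name="{attachment_name}"
Content-Transfer-Encoding: base64
Content-Id: <zkfgpjlwuzrijpd>

AAAA
--buojnauxtqmv--
"""


def inspect_message(raw):
    """Return findings for executable attachments hiding behind a media type."""
    msg = message_from_string(raw, policy=policy.default)
    findings, risky_cids, html = [], set(), ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html += part.get_content()      # decodes quoted-printable
            continue
        name = part.get_filename() or ""    # falls back to Content-Type name=
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            risky_cids.add(str(part["Content-ID"] or "").strip("<> "))
            if not ctype.startswith("application/"):
                findings.append(f"type-mismatch:{name}:{ctype}")
    # The HTML part precedes the attachment, so match Content-IDs afterwards.
    for cid in IFRAME_CID.findall(html):
        if cid in risky_cids:
            findings.append(f"iframe-autoload:{cid}")
    return findings
```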


Re: [Declude.JunkMail] Weight maybe not working right??

2003-10-14 Thread Bill Landry
- Original Message - 
From: Paul Ingram [EMAIL PROTECTED]
 I just received several spams to my box all with weights greater than
 I allow (weight of 49). Does anyone see anything wrong here?

 GLOBAL.CFG
 WEIGHT1  weightrange x x 5 11
 WEIGHT2  weightrange x x 12 17
 WEIGHT3  weightrange x x 18 36
 WEIGHT4  weightrange x x 37 0

Change WEIGHT4 to a weight test instead of a weightrange:

WEIGHT4  weight x x 37 0

This will apply whatever action you define (in your case: DELETE) to any
message with a weight of 27 or higher.  That should take care of it.

Bill



Re: [Declude.JunkMail] 1.76i4 and 1.76i6

2003-10-14 Thread R. Scott Perry

> I just noticed that all we're getting for IP addresses with these two 
> versions is 0.0.0.0.
>
> Example:
>   X-Declude-Sender: [EMAIL PROTECTED] [0.0.0.0]
>
> After going back to 1.76i1, we're getting a real IP address.
>
> Example:
>   X-Declude-Sender: [EMAIL PROTECTED] [156.21.1.21]

This is fixed in the interim release v1.76i7 at 
http://www.declude.com/release/176i/declude.exe .  It seems that when 
Received: headers were encountered with no IP in them, the previous interim 
release would not skip over the Received: header -- and would therefore end 
up with the IP of 0.0.0.0 (since there was no actual IP in the 
header).  v1.76i7 takes care of this problem.

   -Scott


[Declude.JunkMail] Filters And Attachments

2003-10-14 Thread Darrell LaRock


Darrell LaRock
Systems Analyst
Gannett Television
716-849-2272
How do most folks deal with word filters being triggered on attachments?
See below for an example.

10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER
on sex [weight-2; SExQlAnjsABzk

Is there something that is put in the body of a message that indicates there
is an attachment so that potentially reverse weight can be applied?

Darrell
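
Why the filter in the log line above fires, as an added example (not Declude's implementation): a substring test over the message as transmitted also sees the base64 text of attachments, whose alphabet spells short words by chance. The message is constructed, its attachment bytes are chosen so the encoding begins with the string from the log excerpt, and the hit-rate estimate assumes random attachment bytes and ignores line breaks.

```python
import math
from email.message import EmailMessage

WORD = "sex"  # the word from the log line quoted above


def build_message():
    """Constructed message: clean text body plus a binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please find the report attached.")
    # These bytes base64-encode to "SExQlAnjsABz...", as in the log excerpt.
    payload = b"HLP\x94\x09\xe3\xb0\x00\x73" + bytes(range(60))
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg


def raw_contains(msg, word):
    """Naive CONTAINS test over the whole message as transmitted."""
    return word.lower() in msg.as_string().lower()


def text_parts_contain(msg, word):
    """Same test, limited to decoded text/* parts that are not attachments."""
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        if word.lower() in part.get_content().lower():
            return True
    return False


def expected_hits(word, attachment_bytes):
    """Expected case-insensitive matches of word in base64 of random bytes."""
    chars = 4 * math.ceil(attachment_bytes / 3)
    per_position = 1.0
    for ch in word:
        # A letter matches in either case: 2 of the 64 base64 symbols.
        per_position *= (2 if ch.isalpha() else 1) / 64
    return max(chars - len(word) + 1, 0) * per_position
```

For a 100 KB attachment `expected_hits` gives roughly four chance matches of a three-letter word, which is why short words are the ones that trip on attachments.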



Re: [Declude.JunkMail] Comments in IPFILE Text File

2003-10-14 Thread R. Scott Perry

> I am using a flat text file full of individual IP addresses...
>
> 61.115.176.254
> 200.24.83.51
> 218.79.70.14
>
> , etc., with the IPFILE test. Can I put a comment in this file, e.g.
>
> 61.115.176.254  # iexpect.com
>
> without breaking the test?

Yes.  According to the Whitelist/Blacklist Reference section of the 
manual, comments are allowed in the IP blacklists.

   -Scott


[Declude.JunkMail] Understanding Imail logs document

2003-10-14 Thread Todd Holt
A link to this was posted recently.  Can someone please repost the link?

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com
702.319.4349




[Declude.JunkMail] Comments in IPFILE Text File

2003-10-14 Thread Dan Geiser
Hello, All,
I am using a flat text file full of individual IP addresses...

61.115.176.254
200.24.83.51
218.79.70.14

, etc., with the IPFILE test. Can I put a comment in this file, e.g.

61.115.176.254  # iexpect.com

without breaking the test?

Thanks In Advance,
Dan Geiser [EMAIL PROTECTED]
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



Re: [Declude.JunkMail] Understanding Imail logs document

2003-10-14 Thread R. Scott Perry

> A link to this was posted recently.  Can someone please repost the link?

It's http://www.declude.com/info/logs.htm .

   -Scott


[Declude.JunkMail] Understanding Imail, junkmail, virus logs

2003-10-14 Thread Todd Holt
Regarding the relationships between Imail logs, Junkmail logs and Virus
logs:

In the Imail logs:
- A single process ID represents all of the work for a single message in
a single direction.

- If a message is received from a remote server, the log lines for that
message will reference a spool\D##.SMD file (an inbound connection,
process=SMTPD).

- If a message is received from a local authenticated user (for example:
sending through Outlook), the log lines for that message will reference
a spool\D##.SMD file (an inbound connection, process=SMTPD).
Subsequently, a separate set of log lines will reference a
spool\Q##.SMD file (an outbound connection, process=SMTP-) for the
outbound connection to send that message to a remote server (if the
message is bound for a remote domain).  The Q and D files for this
entire message will have the same file name other than the Q and D.

- A message sent from a local user to another local user will only have
a spool\D##.SMD file (an inbound connection, process=SMTPD).

- To accurately count the number of messages processed, one only needs
to count the inbound messages b/c any outbound messages must have been
preceded by an inbound message.

In the Junkmail and Virus logs:
- The set of log lines representing work done on a single message will
have the Q file specified (minus the .SMD) on each associated line.
This identifier is mated with the Imail log entry which references the
D version of the same name.

- All Junkmail/Virus processing is done on the inbound connection,
either from a remote server or the user client app (i.e. Outlook).  No
processing is done on the outbound connection; hence no D files are
specified.

---
I wrote this as a number of statements that indicate my understanding.
Please comment on any incorrect statements. 

Thanks,

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com
702.319.4349





Re: [Declude.JunkMail] Understanding Imail, junkmail, virus logs

2003-10-14 Thread R. Scott Perry

> In the Imail logs:
> - A single process ID represents all of the work for a single message in
> a single direction.
> - If a message is received from a remote server, the log lines for that
> message will reference a spool\D##.SMD file (an inbound connection,
> process=SMTPD).
> - If a message is received from a local authenticated user (for example:
> sending through Outlook), the log lines for that message will reference
> a spool\D##.SMD file (an inbound connection, process=SMTPD).
> Subsequently, a separate set of log lines will reference a
> spool\Q##.SMD file (an outbound connection, process=SMTP-) for the
> outbound connection to send that message to a remote server (if the
> message is bound for a remote domain).  The Q and D files for this
> entire message will have the same file name other than the Q and D.
> - A message sent from a local user to another local user will only have
> a spool\D##.SMD file (an inbound connection, process=SMTPD).

I believe this is all correct.  Note that most of this refers just to the 
logging -- for example, a Q*.SMD file and D*.SMD file will be used for both 
incoming and outgoing E-mail.

> - To accurately count the number of messages processed, one only needs
> to count the inbound messages b/c any outbound messages must have been
> preceded by an inbound message.

"inbound" and "outbound" may cause confusion here (but technically could be 
considered correct terms).

Instead, I would say that you can accurately count the number of messages 
processed by counting the MAIL FROM: SMTPD lines.  You could instead 
count the RCPT TO: SMTPD lines to get the total number of recipients.

> In the Junkmail and Virus logs:
> - The set of log lines representing work done on a single message will
> have the Q file specified (minus the .SMD) on each associated line.
> This identifier is mated with the Imail log entry which references the
> D version of the same name.

Correct.  By taking the spool file name and removing the first character 
and extension, you can find the E-mail in both the IMail and Declude log files.

> - All Junkmail/Virus processing is done on the inbound connection,
> either from a remote server or the user client app (i.e. Outlook).  No
> processing is done on the outbound connection; hence no D files are
> specified.

Correct.

Note that the D file is the data file (which has a copy of the E-mail 
in it, including headers), and the Q file is the recipient file (which 
contains information about the recipients and other information that IMail 
finds useful to save about the E-mail).  They refer to an E-mail that IMail 
has already received via SMTPD (inbound), but not yet delivered via 
SMTP32 (outbound).

   -Scott
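
The correlation and counting described in this reply, as an added example (not code from Declude or IMail). The log lines are constructed: the IMail line layout and the `SMTPD(id)` session token are assumptions, and only the `spool\D<id>.SMD` reference, the `Q<id>` token in the Declude log, and the MAIL FROM / RCPT TO counting rule come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (formats assumed, see lead-in).
IMAIL_LOG = r"""
10:13 00:00:30 SMTPD(00a4) [192.0.2.10] MAIL FROM:<a@example.invalid>
10:13 00:00:31 SMTPD(00a4) [192.0.2.10] RCPT TO:<b@example.invalid>
10:13 00:00:31 SMTPD(00a4) [192.0.2.10] RCPT TO:<c@example.invalid>
10:13 00:00:33 SMTPD(00a4) [192.0.2.10] c:\imail\spool\D236256fe026ef9a4.SMD 2048
10:13 00:01:02 SMTPD(00b7) [192.0.2.44] MAIL FROM:<d@example.invalid>
10:13 00:01:02 SMTPD(00b7) [192.0.2.44] RCPT TO:<b@example.invalid>
10:13 00:01:05 SMTPD(00b7) [192.0.2.44] c:\imail\spool\D7f3300a1026ef9b0.SMD 512
""".strip().splitlines()

DECLUDE_LOG = """
10/13/2003 00:00:36 Q236256fe026ef9a4 Triggered CONTAINS filter WORDFILTER on sex
10/13/2003 00:00:36 Q236256fe026ef9a4 Tests failed [weight=2]: WORDFILTER
""".strip().splitlines()

SPOOL_REF = re.compile(r"\b[DQ][0-9A-Za-z]+\.SMD\b", re.I)
DECLUDE_ID = re.compile(r"^\S+ \S+ Q([0-9A-Za-z]+) ")
SESSION = re.compile(r"SMTPD\((\w+)\)")


def message_key(spool_name):
    """Drop the path, the leading D/Q and the extension."""
    base = spool_name.replace("/", "\\").rsplit("\\", 1)[-1]
    return base[1:].rsplit(".", 1)[0]


def correlate(imail_lines, declude_lines):
    """Group lines from both logs under the shared message key."""
    by_session, session_key = defaultdict(list), {}
    for line in imail_lines:
        sess = SESSION.search(line)
        if not sess:
            continue
        by_session[sess.group(1)].append(line)
        ref = SPOOL_REF.search(line)
        if ref:  # the spool reference ties the whole session to one message
            session_key[sess.group(1)] = message_key(ref.group(0))
    merged = defaultdict(lambda: {"imail": [], "declude": []})
    for sess, key in session_key.items():
        merged[key]["imail"] = by_session[sess]
    for line in declude_lines:
        m = DECLUDE_ID.match(line)
        if m:
            merged[m.group(1)]["declude"].append(line)
    return dict(merged)


def count_messages(imail_lines):
    """One MAIL FROM: line on SMTPD per message processed."""
    return sum("SMTPD" in l and "MAIL FROM:" in l for l in imail_lines)


def count_recipients(imail_lines):
    """One RCPT TO: line on SMTPD per recipient."""
    return sum("SMTPD" in l and "RCPT TO:" in l for l in imail_lines)
```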


RE: [Declude.JunkMail] Understanding Imail, junkmail, virus logs

2003-10-14 Thread Todd Holt
Thanks for the info.  You're always a wealth of information! :)

Todd Holt
Xidix Technologies, Inc
Las Vegas, NV  USA
www.xidix.com
702.319.4349


