Re: [Declude.JunkMail] ATTACH Still not working. Bah.
Here's the text from the spamattach email.

I would recommend trying the latest interim release, from http://www.declude.com/release/176i/declude.exe . There have been several changes in the interim release that may affect how this situation is handled. If it continues with the latest interim release, the next step will be the debug mode.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] log analyzer
Hello Paul,

try this: http://spamreview.argolink.net/software/declude.htm
I'm using it, and it works ok.

Tuesday, November 4, 2003, 12:20:22 PM, you wrote:

> I was just wondering if anyone here has ever thought of, or worked on, a Declude log analyzer that can, similar to Scott's AWESOME bouncefinder, list the deleted mail? Maybe list it as email address + weight? This way, if someone calls about missing mail, if you run daily log analyzing, you can search for that address, find it faster, and make the adjustments you need.
> Does this seem feasible?
> Paul

--
Best regards,
Administration mailto:[EMAIL PROTECTED]
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
OK, I did what John said last nite (with the logs set to 'high' and the spool name on) and what Scott said (use the interim release) this morning. Here's the log entry. I picked something going to me so I could say for sure it showed up in my inbox (it did, and it most definitely was spam). Set the logs to 'debug' and will follow up with a sample shortly.

11/05/2003 07:46:12 Q1ad9014900d05f2b Triggered CONTAINS filter GIBBERISHSUB on qr [weight-0; qr7].
11/05/2003 07:46:12 Q1ad9014900d05f2b GIBBERISHSUB:3 NOABUSE:3 NOPOSTMASTER:3 REVDNS:5 . Total weight = 14
11/05/2003 07:46:12 Q1ad9014900d05f2b Using [incoming] CFG file C:\IMail\Declude\$default$.junkmail.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed GIBBERISHSUB (Message failed GIBBERISHSUB test (78)). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed NOABUSE (Not supporting [EMAIL PROTECTED]). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed IPNOTINMX (). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed NOLEGITCONTENT (No content unique to legitimate E-mail detected.). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed REVDNS (This E-mail was sent from a MUA/MTA 221.196.22.47 with no reverse DNS entry.). Action=WARN.
11/05/2003 07:46:12 Q1ad9014900d05f2b Msg failed WEIGHT1319 (Total weight between 13 and 19.). Action=ATTACH.
11/05/2003 07:46:12 Q1ad9014900d05f2b L1 Message OK
11/05/2003 07:46:12 Q1ad9014900d05f2b Subject: hello1nqr7
11/05/2003 07:46:12 Q1ad9014900d05f2b From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 221.196.22.47 ID:
11/05/2003 07:46:12 Q1ad9014900d05f2b Last action = IGNORE.
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
Look at last action, Ignore. Is there a White list anywhere that could affect that?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
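An added example (not part of the original thread, and not Declude's or any list member's code): a small analyzer for the log format quoted above. It covers the per-recipient weight lookup asked about in the log analyzer thread and the check John suggests, finding messages where a test requested an action such as ATTACH but the last action was IGNORE. The sample log is constructed, and treating WARN and IGNORE as the only passive actions is an assumption.

```python
import re

# Constructed sample in the format of the log excerpt quoted in this thread.
# Spool IDs, addresses, IPs and the second message (WEIGHT20/HOLD) are made up.
SAMPLE_LOG = r"""
11/05/2003 07:46:12 Q0000000000000a01 GIBBERISHSUB:3 NOABUSE:3 NOPOSTMASTER:3 REVDNS:5 . Total weight = 14
11/05/2003 07:46:12 Q0000000000000a01 Using [incoming] CFG file C:\IMail\Declude\$default$.junkmail.
11/05/2003 07:46:12 Q0000000000000a01 Msg failed IPNOTINMX (). Action=WARN.
11/05/2003 07:46:12 Q0000000000000a02 NOABUSE:3 REVDNS:5 SPAMCOP:12 . Total weight = 20
11/05/2003 07:46:12 Q0000000000000a01 Msg failed REVDNS (This E-mail was sent from a MUA/MTA 192.0.2.47 with no reverse DNS entry.). Action=WARN.
11/05/2003 07:46:12 Q0000000000000a01 Msg failed WEIGHT1319 (Total weight between 13 and 19.). Action=ATTACH.
11/05/2003 07:46:12 Q0000000000000a02 Msg failed WEIGHT20 (Total weight of 20 or more.). Action=HOLD.
11/05/2003 07:46:12 Q0000000000000a01 L1 Message OK
11/05/2003 07:46:12 Q0000000000000a01 Subject: hello1nqr7
11/05/2003 07:46:12 Q0000000000000a01 From: sender@example.net To: matt@example.com IP: 192.0.2.47 ID:
11/05/2003 07:46:12 Q0000000000000a02 From: bulk@example.org To: paul@example.com IP: 192.0.2.99 ID:
11/05/2003 07:46:12 Q0000000000000a01 Last action = IGNORE.
11/05/2003 07:46:13 Q0000000000000a02 Last action = HOLD.
"""

# Every entry starts with date, time and the spool name; the rest varies.
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q\w+) (.*)$")
FAILED = re.compile(r"^Msg failed (\S+) \((.*)\)\. Action=(\w+)\.$")
WEIGHT = re.compile(r"Total weight = (-?\d+)")
ENVELOPE = re.compile(r"^From: (.*?) To: (.*?) IP: (\S+)")
LAST = re.compile(r"^Last action = (\w+)\.$")

# Assumption: these two actions leave delivery unchanged.
PASSIVE = {"WARN", "IGNORE"}


def parse_log(text):
    """Group log entries by spool name, so interleaved messages stay separate."""
    records = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, spool, rest = m.groups()
        rec = records.setdefault(spool, {
            "spool": spool, "time": stamp, "weight": None, "tests": [],
            "subject": None, "sender": None, "recipient": None,
            "ip": None, "last_action": None,
        })
        failed = FAILED.match(rest)
        envelope = ENVELOPE.match(rest)
        last = LAST.match(rest)
        weight = WEIGHT.search(rest)
        if failed:
            rec["tests"].append((failed.group(1), failed.group(3)))
        elif envelope:
            rec["sender"], rec["recipient"], rec["ip"] = envelope.groups()
        elif last:
            rec["last_action"] = last.group(1)
        elif weight:
            rec["weight"] = int(weight.group(1))
        elif rest.startswith("Subject: "):
            rec["subject"] = rest[len("Subject: "):]
    return records


def overridden(records):
    """Messages where a test asked for a real action but the last action was IGNORE."""
    hits = []
    for rec in records.values():
        wanted = [action for _, action in rec["tests"] if action not in PASSIVE]
        if wanted and rec["last_action"] == "IGNORE":
            hits.append((rec["spool"], rec["recipient"], rec["weight"], wanted))
    return hits


def lookup(records, recipient):
    """Help-desk view: what happened to mail for one address, with its weight."""
    return [(r["time"], r["spool"], r["weight"], r["last_action"])
            for r in records.values()
            if r["recipient"] and r["recipient"].lower() == recipient.lower()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for spool, rcpt, weight, wanted in overridden(recs):
        print(f"{spool} to {rcpt}: weight {weight}, wanted {wanted}, but last action was IGNORE")
    print(lookup(recs, "paul@example.com"))
```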
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
I do have an external whitelist, but it consists of stuff like

WHITELIST FROM @amazon.com
WHITELIST FROM @ebay.com
WHITELIST FROM @expedia.com

And is a total of 22 entries long. Then I have AUTOWHITELIST ON so my users can make their own white lists. There are only two entries in my book (aliases.txt), and of course this is affecting everyone; not just me.

Interestingly, there appears to be a blank line in my address book drop-down; both in the selector in the Compose window and in the addr book editor. I tried deleting it in the editor but no soap. Supposed to be there? The line -- which is on the first position in the webmail drop-down -- is not in the physical file. Looks like it's built in to Imail's html select box for some reason.

I also have WHITELIST AUTH set in global.cfg.
[Declude.JunkMail] Still working on Spool overflow
Scott,

I have the system working with Imail and Declude JM, but when I configured Declude Virus with f-prot the processor goes to 100% and sets there, then the spool starts to build. I can see anywhere from 5 to 150 NTVDM and Declude in the task manager. When I shut off Declude Virus the processor goes back to 7 to 25% and the spool clears out. Any ideas?

Lenny Bauman
LRBCG.COM, Inc.
Phone 419-621-5770
Toll Free 1-800-NET-ACCESS (638-2223)
E-mail [EMAIL PROTECTED]
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
Matt:

Not related to your question but... I highly recommend that you reconsider your WHITELIST FROM entries. We have the following instead.

WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .ebay.com
WHITELIST REVDNS .expedia.com

As has been discussed in the list quite a lot lately, the above is much harder to forge. What you have will cause you to get a lot of spam from the spammers that just use [EMAIL PROTECTED]

Just an FYI.

Regards,
Kami
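An added example, not part of the original message and not Declude's code: a small model of the two whitelist styles Kami compares, run against constructed messages. The suffix-match semantics, hostnames and addresses are assumptions made for illustration.

```python
# Constructed whitelist fragments using the directive forms quoted in this thread.
FROM_CFG = """
WHITELIST FROM @amazon.com
WHITELIST FROM @ebay.com
"""

REVDNS_CFG = """
WHITELIST REVDNS .amazon.com
WHITELIST REVDNS .ebay.com
"""

# Constructed messages. mail_from is whatever the sending client claimed;
# revdns is the PTR name of the connecting IP (None when the IP has none,
# as with the REVDNS failure in the log excerpt earlier in the thread).
MESSAGES = {
    "genuine": {"mail_from": "ship-confirm@amazon.com",
                "ip": "192.0.2.10", "revdns": "mail-out-1.amazon.com"},
    "forged": {"mail_from": "offers@amazon.com",
               "ip": "192.0.2.47", "revdns": None},
    "lookalike": {"mail_from": "offers@amazon.com",
                  "ip": "192.0.2.48", "revdns": "mx.amazon.com.example.net"},
}


def parse_whitelist(cfg_text):
    """Return (kind, value) pairs for WHITELIST FROM / WHITELIST REVDNS lines."""
    rules = []
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].upper() == "WHITELIST" \
                and parts[1].upper() in ("FROM", "REVDNS"):
            rules.append((parts[1].upper(), parts[2].lower()))
    return rules


def matching_rule(rules, msg):
    """First rule that whitelists msg, or None.

    Assumed semantics: case-insensitive suffix match. FROM looks at the
    sender address, which the sending client supplies. REVDNS looks at the
    PTR name of the connecting IP, which is set by whoever controls that
    IP's reverse zone rather than by the author of the message.
    """
    for kind, value in rules:
        if kind == "FROM" and msg["mail_from"].lower().endswith(value):
            return (kind, value)
        if kind == "REVDNS" and msg["revdns"] \
                and msg["revdns"].lower().endswith(value):
            return (kind, value)
    return None


def compare(messages=MESSAGES):
    """Map each message to the rule that lets it through under each config."""
    from_rules = parse_whitelist(FROM_CFG)
    revdns_rules = parse_whitelist(REVDNS_CFG)
    return {name: {"FROM": matching_rule(from_rules, msg),
                   "REVDNS": matching_rule(revdns_rules, msg)}
            for name, msg in messages.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} FROM list: {result['FROM']}  REVDNS list: {result['REVDNS']}")
```

Under the FROM list all three constructed messages skip the spam tests; under the REVDNS list only the one whose connecting IP resolves back into the whitelisted domain does.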
Re: [Declude.JunkMail] Still working on Spool overflow
> The first thing to do is to switch from F-Prot.exe (16-bit) to fpcmd.exe (32-bit), as quite a few servers have serious troubles when there are too many 16-bit processes (for no apparent reason).

What is the setting in the virus.cfg for fpcmd.exe?

> How many E-mails do you send/receive per day on this server? What is the CPU power of the server? I'm guessing you are processing about 250,000 E-mails/day on that server. At 250,000 E-mails/day, you're quickly approaching IMail's limitations -- specifically, at that volume, you only have 10 seconds to process each E-mail. That includes scanning for viruses (which is quick, but CPU-intensive), scanning for spam (which takes time, but little CPU power), and actual delivery (quick for local mailboxes, lengthy for outgoing E-mail).

I ran DOMLIST and it showed 249,070

> To scan 250,000 E-mails/day for viruses, you should be dealing with at least 2.5GHz of CPU power (1 2.5GHz CPU, 2 1.3GHz CPUs, etc.).

Running on a P4 3.0 gig with WinNT4.0
Re: [Declude.JunkMail] Still working on Spool overflow
Fred,

No we are running the f-prot.exe with the switches

Lenny Bauman
LRBCG.COM, Inc.
Phone 419-621-5770
Toll Free 1-800-NET-ACCESS (638-2223)
E-mail [EMAIL PROTECTED]

- Original Message -
From: Frederick Samarelli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 12:18 PM
Subject: Re: [Declude.JunkMail] Still working on Spool overflow

Are you using this line in the Virus.cfg

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
RE: [Declude.JunkMail] Still working on Spool overflow
Lenny:

This is what we have:

SCANFILE C:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE 3
VIRUSCODE 6
REPORT Infection:

Regards,
Kami
Re: [Declude.JunkMail] Still working on Spool overflow
>> The first thing to do is to switch from F-Prot.exe (16-bit) to fpcmd.exe (32-bit), as quite a few servers have serious troubles when there are too many 16-bit processes (for no apparent reason).
> What is the setting in the virus.cfg for fpcmd.exe

It's in the manual. :) It's the same as with F-Prot.exe, except that you must remove the /NOFLOPPY and /NOBOOT switches.

> I ran DOMLIST and it showed 249,070
> Running on a P4 3.0 gig with WinNT4.0

At that volume, you may have to go to some great lengths to get everything running smoothly on one server. One thing that may be worthwhile in your situation is adding a line AVAFTERJM to the \IMail\Declude\virus.cfg file, which will prevent Declude Virus scanning any E-mail that Declude JunkMail blocks. However, there is a VERY IMPORTANT WARNING when doing this -- any E-mail that Declude JunkMail blocks will not be scanned for viruses, so if you re-deliver E-mail that has been held by Declude JunkMail, you will need to be careful.

-Scott
Re: [Declude.JunkMail] Still working on Spool overflow
> At that volume, you may have to go to some great lengths to get everything running smoothly on one server.

One other thing that you should make sure of is that you are using PRESCAN ON in the \IMail\Declude\virus.cfg file (assuming you are running Declude Virus Pro, which you should if you are processing millions of E-mails a week).

-Scott
Re: [Declude.JunkMail] Still working on Spool overflow
Change it to the setting I sent.
RE: [Declude.JunkMail] Spam via Dialup
I'm finding that it's incredibly common that dialup/dsl/cable clients are sending spam directly. It is widely assumed that they are running a trojan or are set up as an open relay following the six iterations of the SoBig worm. This isn't new, but the scale of the available resources to the spammers from the SoBig infections is certainly new.

It's easy for me to say that ISPs no longer can whitelist their own IP space for mail handling... very hard for me to tell an ISP what they definitely should do!

Andrew 8(

-Original Message-
From: Danny Klopfer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 10:40 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Spam via Dialup

I just tracked down a client sending out spam via dialup connection. I doubt they even know it happened. Anyone seen this before? I think that they must have a virus or worm that did this.

Received: from adornmen.com [207.231.66.244] by ncwebsurfer.com with ESMTP (SMTPD32-8.03) id AC253E6E0228; Wed, 05 Nov 2003 10:06:29 -0800
Message-ID: [EMAIL PROTECTED]
From: Brittne Uppal [EMAIL PROTECTED]
Subject: Buy viagraST, prozac, Fioricet, zanaflexnayuxidesgeqkblyrzf
Date: Wed, 05 Nov 2003 18:06:48 +
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-IMAIL-SPAM-VALHELO: (1047396904)
X-IMAIL-SPAM-VALFROM: (1047396904)
X-RBL-Warning: WEIGHT10: Weight of 15 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [207.231.66.244]
X-Declude-Spoolname: D3c253e6e022892c9.SMD

Order some viagrast, Soma Online a href=http://[EMAIL PROTECTED] bxrcbot.bswvbicjxiocdibahiahbfuj.propouvr.biz/vpr6636/?href=www.bbbrsqdjlif. mhsgocqrlnk.jdejopcufpilvddehejfbujvquljbojchcuqymblywccrekproceed here/abr lkugbybxpf tyzzrjczxgmpld jsvrincshoymab
RE: [Declude.JunkMail] McAfee Hoax
Yes, a description is here for an existing suite of viruses that use that text:

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] html

Dunno if it's the official name, but this description matches and claims to be brand new, so maybe there is a new variant that still uses the same old text:

http://www.bitdefender.ro/virusi/virusi_descrieri.php?virus_id=108

Andrew 8)

-Original Message-
From: Dan Geiser [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] McAfee Hoax

Hello, All,

Has anybody seen this new nastygram?

X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from 65.54.166.99 ([193.68.14.212]) by mc9-f39.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 5 Nov 2003 11:06:20 -0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 05 Nov 03 21:04:02
Subject: McAfee Antivirus Monthly Report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_000W_CR76L9KJ.SAS1JHRH
X-Priority: 3
Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 05 Nov 2003 19:06:21.0671 (UTC) FILETIME=[E6785770:01C3A3CF]

--=_NextPart_000_000W_CR76L9KJ.SAS1JHRH
Content-Type: text/html; charset=us-ascii

HTMLBODYMcAfee Antivirus warns about several new viruses exploitingBR Microsoft Internet Explorer. They register themselves as ActiveXBR controls and subsequently grant access to the local resources ofBR the visitors. This type of internet viruses is very dangerous,BR because they delete various files of the operating system.BR BR Due to the significant increase of viruses exploiting this vulnerability,BR McAfee Antivirus supports clients of Microsoft Windows with à patch, whichBR fixes this bug in Internet Explorer 5.5 and minor versions. Customers whoBR have applied this patch are already protected against the vulnerabilityBR and do not need to take additional action.BR BR BR -BR McAfee AntivirusBR A HREF=http://www.McAfee.com; TARGET=_blankwww.McAfee.com/A /BODY/HTML

--=_NextPart_000_000W_CR76L9KJ.SAS1JHRH
Content-Type: application/x-msdownload; name=IE_0216_Setup.exe
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=IE_0216_Setup.exe

TVqQAAME//8AALgAQAAA
6A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
etc...

Just Curious,
Dan [EMAIL PROTECTED]
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
---
Re: [Declude.JunkMail] Still working on Spool overflow
> Processor is now running at 7 to 45% ...

OK, that means that the CPU usage is now under control.

> ... and the spool and overflow is fill fast 1200 plus in each but when I go into the queue it shows only 30 messages being queued

Most likely, that is due to a Declude JunkMail test that died a long time ago. You should go through your \IMail\Declude\global.cfg file and look for any dead tests (such as any references to osirusoft, monkeys, or orbz).

-Scott
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
John wrote:
> Where was the message sent from?

Various spammers all over the planet. Since this morning Scott and I have been trading detailed debug logs, and doing stuff to try to track this down. I had to sit back for a bit while a client of mine did a big mailer to their membership (I throttle down their mail xmit rate via ColdFusion, so the wait was awhile). Can't have a debug log when something like that is passing thru.

Just got a reading and am passing it off to Scott. I did find that I had catchallmails enabled, although it wasn't actually doing anything. That may have been the problem.

-- Original Message --
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 5 Nov 2003 13:02:04 -0800

I also have WHITELIST AUTH set in global.cfg. Time for a DEBUG log.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
> Just got a reading and am passing it off to Scott. I did find that I had catchallmails enabled, although it wasn't actually doing anything. That may have been the problem.

Gotcha. I just got back from a client and had not seen any update. BTW, the catchallmails has caused other problems before.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] ATTACH Still not working. Bah.
John wrote:
> BTW, the catchallmails has caused other problems before.

I'm not surprised. I had no idea I was running it. Must've del'd the comment by accident as I've never used the thing. Easy to fix. Unfortunately a short time after I received more of the same, so that wasn't it. :-(

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
[Declude.JunkMail] Declude behind a Firewall
Hi.

My company recently set up a firewall which we put all our servers behind, including our mail server running declude. As soon as we did this, declude stopped working. From what I understood in the log, it looked like declude wasn't able to get out and check spam databases. There were a lot of lines in the log that looked like this:

TEST 08 - SPAM COP didn't get a response

I assume the firewall is blocking declude. Anybody have an idea of how to allow it access? Is there a certain port I have to open up for declude to get out? Or maybe do I have to set up declude to use a proxy?

Thanks,
jim
Re: [Declude.JunkMail] Declude behind a Firewall
Ok, here you go... discounts are only available on multiple server installations. Single server installations are always the same price for everyone.

You can download the latest version of Alligate anytime at: http://www.alligate.com/downloads.asp

Here are your Alligate activation codes:
LICENSE: 98B17332995AA601
KEY: 94B9A54A6BB58CB1
Your license will expire on: 12/5/2003
This product is licensed for use on IP address: 65.123.51.1
Your license type is: Alligate 1 Domain

For questions or support, please contact [EMAIL PROTECTED]

On 11/05/03 5:14pm you wrote...
> Hi. My company recently set up a firewall which we put all our servers behind, including our mail server running declude. As soon as we did this, declude stopped working. From what I understood in the log, it looked like declude wasn't able to get out and check spam databases. There were a lot of lines in the log that looked like this:
>
> TEST 08 - SPAM COP didn't get a response
>
> I assume the firewall is blocking declude. Anybody have an idea of how to allow it access? Is there a certain port I have to open up for declude to get out? Or maybe do I have to set up declude to use a proxy?
>
> Thanks,
> jim
[Declude.JunkMail] one more try...
Hi all,

I've asked a couple of times over the past couple of weeks, but thought I'd ask one more time...

I get a lot of spam with return addresses that start with b. ie: [EMAIL PROTECTED]

Is there anyway to filter that in declude or in the Imail kill list?

Thanks,
Andy
RE: [Declude.JunkMail] one more try...
Filter file.

MAILFROM (weighttoadd) STARTSWITH b.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] one more try...

Hi all,

I've asked a couple of times over the past couple of weeks, but thought I'd ask one more time...

I get a lot of spam with return addresses that start with b. ie: [EMAIL PROTECTED]

Is there anyway to filter that in declude or in the Imail kill list?

Thanks,
Andy
Re: [Declude.JunkMail] one more try...
to be sure, the syntax would be:

in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

In myfilter.txt:
MAILFROM 5 STARTSWITH b.

Isn't this adding the weight of 5 twice? I'd like it to only be added once. Upon reading the on-line junk mail manual, this point isn't clear. First time using the filter file. I'm using a dual weight system, 1st tier is hold, 2nd tier deletes.

Thanks,
andy

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 6:03 PM
Subject: RE: [Declude.JunkMail] one more try...

Filter file.

MAILFROM (weighttoadd) STARTSWITH b.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] one more try...

Hi all,

I've asked a couple of times over the past couple of weeks, but thought I'd ask one more time...

I get a lot of spam with return addresses that start with b. ie: [EMAIL PROTECTED]

Is there anyway to filter that in declude or in the Imail kill list?

Thanks,
Andy
Re: [Declude.JunkMail] one more try...
> to be sure, the syntax would be:
>
> in Global.cfg:
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> In myfilter.txt:
> MAILFROM 5 STARTSWITH b.

That would work fine.

> Isn't this adding the weight of 5 twice? I'd like it to only be added once.

Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the 5 in the MYFILTER filter line) plus the weight for each line that matches (the MAILFROM 5 line).

In this case, you might instead want to use:

MAILFROM 0 STARTSWITH b.

-Scott
RE: [Declude.JunkMail] one more try...
If you wanted to add 5 to any message caught by anything in the filter, you would add five in the test definition in the Global.cfg.

However, if you want to add weight to each line in the filter, you would leave the weight on the test itself to 0 and put the weight value in the second column in the filter file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 4:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] one more try...

to be sure, the syntax would be:

in Global.cfg:
MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

In myfilter.txt:
MAILFROM 5 STARTSWITH b.

Isn't this adding the weight of 5 twice? I'd like it to only be added once. Upon reading the on-line junk mail manual, this point isn't clear. First time using the filter file. I'm using a dual weight system, 1st tier is hold, 2nd tier deletes.

Thanks,
andy

- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 6:03 PM
Subject: RE: [Declude.JunkMail] one more try...

Filter file.

MAILFROM (weighttoadd) STARTSWITH b.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] one more try...

Hi all,

I've asked a couple of times over the past couple of weeks, but thought I'd ask one more time...

I get a lot of spam with return addresses that start with b. ie: [EMAIL PROTECTED]

Is there anyway to filter that in declude or in the Imail kill list?

Thanks,
Andy
RE: Re[2]: [Declude.JunkMail] 4000020e with Outlook 2003
I had seen the problem with a beta install of Outlook 2003 and had hoped that the release version would have that worked out. I soon found that to not be the case.

Of course, I've seen other programs (Goldmine is a notable example) that trip the spamheaders test. Forms from webpages fail it as well. I still assign the test a weight (and a fairly high one, at that), but the action for that test itself is just set to SUBJECT in my config.

~Katie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Winberg
Sent: Monday, November 03, 2003 2:50 PM
To: DLAnalyzer Support
Subject: Re[2]: [Declude.JunkMail] 420e with Outlook 2003

Build I have is: 11.5608.5606 (release build)

Scott

Monday, November 3, 2003, 1:13:32 PM, you wrote:

> Is anyone else compensating for this with a filter?
>
> HEADERS -3 CONTAINS X-Mailer: Microsoft Office Outlook, Build 11.0
>
> Has anyone else seen any different builds? The build below should be the release build.
>
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>
> Darrell
>
> Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com
>
> R. Scott Perry writes:
>
>>> Good morning, I just started using Outlook 2003 and I am now failing the Spamheader test with code Code: 420e. The E-mail failed the SPAMHEADERS test.
>>
>> This is due to a bug in Outlook 2003 -- I'm not aware of a Microsoft fix for it yet.
>>
>> -Scott

--
Scott mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] one more try...
So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,
Andy

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...

> to be sure, the syntax would be:
>
> in Global.cfg:
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> In myfilter.txt:
> MAILFROM 5 STARTSWITH b.

That would work fine.

> Isn't this adding the weight of 5 twice? I'd like it to only be added once.

Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the 5 in the MYFILTER filter line) plus the weight for each line that matches (the MAILFROM 5 line).

In this case, you might instead want to use:

MAILFROM 0 STARTSWITH b.

-Scott
Re: [Declude.JunkMail] one more try...
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> should have 2 x's because of the 2 tiered weighting system I'm using?

No. That will give E-mails that do NOT fail the test a weight of 5.

Test name, test type, 2 pieces of test-specific information, standard weight, negative (pass) weight.

-Scott
Re: [Declude.JunkMail] one more try...
Andy,

I tried sending this twice, but I think Scott's server blocked it because of the content in the headers, so the headers are attached as a zip this time.

Your global.cfg would have something like the following and the adjusted filter file is in the original reply pasted below (name the filter whatever you wish).

[EMAIL PROTECTED] filter C:\IMail\Declude\Filters\[EMAIL PROTECTED] x 5 0

Then the original reply (adjusted a little)...

Matt

Actually, I think this one is in the format of [EMAIL PROTECTED], so the filter would need to be:

MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]

I put a number before the domain because it appears that this spammer uses VERP and the pattern always has a number before the "@b." so this will help protect from false positives. I just wouldn't necessarily kill it for just this one thing, and I don't think you have to because this stuff isn't getting through my server, so it's picking up points from RBL's and other things.

I've seen this stuff coming through my own machine and noted it because of the question earlier. I fear that the pattern is only temporary, but if I'm not mistaken, this is from one of the contest type of spammers with a set group of IP's that they send out from. You could more effectively search for hits and take the IP addresses out and then filter for those as long-term prevention in the event that this pattern fails (which I expect it will). Bill could probably grep that info from his logs in seconds :) Be sure to share if you do. I wouldn't bother with the domain names because they seem to be very temporary.

Here are three such headers from this spammer, and all of the domain names were registered recently through pairNIC.com, http://whois.pairnic.com/

Matt

andyb wrote:

So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,
Andy

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...

> to be sure, the syntax would be:
>
> in Global.cfg:
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> In myfilter.txt:
> MAILFROM 5 STARTSWITH b.

That would work fine.

> Isn't this adding the weight of 5 twice? I'd like it to only be added once.

Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the "5" in the "MYFILTER filter" line) plus the weight for each line that matches (the "MAILFROM 5" line).

In this case, you might instead want to use:

MAILFROM 0 STARTSWITH b.

-Scott

--
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]

headers.zip Description: Zip compressed data
Re: [Declude.JunkMail] one more try...
BTW, actually two of those three headers are from the same company. You can also easily identify this spam company with a filter for the following unique code which might be safer than the other technique (though, only slightly more so):

HEADERS 0 CONTAINS X-JLH:

Be sure to include a space after the colon just to be safe. You might want to pack this together with the others just in case he stops using the @b. technique, but still, knowing the IP's would be the best.

Matt

Matthew Bramble wrote:

Andy,

I tried sending this twice, but I think Scott's server blocked it because of the content in the headers, so the headers are attached as a zip this time.

Your global.cfg would have something like the following and the adjusted filter file is in the original reply pasted below (name the filter whatever you wish).

[EMAIL PROTECTED] filter C:\IMail\Declude\Filters\[EMAIL PROTECTED] x 5 0

Then the original reply (adjusted a little)...

Matt

Actually, I think this one is in the format of [EMAIL PROTECTED], so the filter would need to be:

MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]
MAILFROM 0 CONTAINS [EMAIL PROTECTED]

I put a number before the domain because it appears that this spammer uses VERP and the pattern always has a number before the "@b." so this will help protect from false positives. I just wouldn't necessarily kill it for just this one thing, and I don't think you have to because this stuff isn't getting through my server, so it's picking up points from RBL's and other things.

I've seen this stuff coming through my own machine and noted it because of the question earlier. I fear that the pattern is only temporary, but if I'm not mistaken, this is from one of the contest type of spammers with a set group of IP's that they send out from. You could more effectively search for hits and take the IP addresses out and then filter for those as long-term prevention in the event that this pattern fails (which I expect it will). Bill could probably grep that info from his logs in seconds :) Be sure to share if you do. I wouldn't bother with the domain names because they seem to be very temporary.

Here are three such headers from this spammer, and all of the domain names were registered recently through pairNIC.com, http://whois.pairnic.com/

Matt

andyb wrote:

So, the line

MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0

should have 2 x's because of the 2 tiered weighting system I'm using?

Thanks,
Andy

- Original Message -
From: "R. Scott Perry" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 7:13 PM
Subject: Re: [Declude.JunkMail] one more try...

> to be sure, the syntax would be:
>
> in Global.cfg:
> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> In myfilter.txt:
> MAILFROM 5 STARTSWITH b.

That would work fine.

> Isn't this adding the weight of 5 twice? I'd like it to only be added once.

Yes, that would add the weight twice. The total weight for the test is a combination of the general weight for the test (the "5" in the "MYFILTER filter" line) plus the weight for each line that matches (the "MAILFROM 5" line).

In this case, you might instead want to use:

MAILFROM 0 STARTSWITH b.

-Scott
RE: [Declude.JunkMail] one more try...
Here is the format:

TESTNAME testtype 1stparameter 2ndparameter failweight passweight

Here are the various types:

WEIGHT weight notused notused triggerweightfail
WEIGHTRANGE weightrange notused notused triggerweightstart triggerweightend
DNSTEST ip4r testaddress returncode(ifneeded) failweight passweight
DNSTEST rhsbl testaddress returncode(ifneeded) failweight passweight
FROMFILE fromfile filelocation notused failweight passweight
FILTER filter filelocation notused failweight passweight
EXTERNAL external returncode programlocationandswitches failweight passweight

> It appears that is because for the MYFILTER test, c:\Imail\declude\myfilter.txt is used in place of the first x?

Yes.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of andyb
Sent: Wednesday, November 05, 2003 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] one more try...

I believe my confusion is that all of the other tests are listed as

x x 5 0

And this one only has one X

Thanks for the help.
Andy

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 05, 2003 9:20 PM
Subject: Re: [Declude.JunkMail] one more try...

> MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0
>
> should have 2 x's because of the 2 tiered weighting system I'm using?

No. That will give E-mails that do NOT fail the test a weight of 5.

Test name, test type, 2 pieces of test-specific information, standard weight, negative (pass) weight.

-Scott
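The weight arithmetic Scott describes and the six-field test layout John lists above, worked through as an added Python sketch; it is not Declude's code and does not come from anyone in the thread. Assumptions: fields are whitespace-separated, matching is case-insensitive, a filter with no matching line yields the pass weight, and the sender addresses are constructed samples.

```python
"""Added illustration, not Declude code: lint a global.cfg test line and
compute a filter test's weight using the rules stated in the thread."""

# Field order from the thread:
# TESTNAME testtype 1stparameter 2ndparameter failweight passweight
FIELDS = ("name", "type", "param1", "param2", "failweight", "passweight")

# Only the two operators that appear in the thread are modelled.
# Assumption: matching is case-insensitive.
OPERATORS = {
    "STARTSWITH": lambda hay, needle: hay.lower().startswith(needle.lower()),
    "CONTAINS": lambda hay, needle: needle.lower() in hay.lower(),
}


def is_int(text):
    """True when text parses as a (possibly negative) integer weight."""
    try:
        int(text)
    except ValueError:
        return False
    return True


def lint_test_line(line):
    """Map tokens to the six positional slots and report layout problems.

    Assumption: fields are whitespace-separated and the path has no spaces.
    """
    tokens = line.split()
    slots = dict(zip(FIELDS, tokens))  # tokens beyond the sixth are dropped
    problems = []
    if len(tokens) != len(FIELDS):
        problems.append(f"expected {len(FIELDS)} fields, found {len(tokens)}")
    for key in ("failweight", "passweight"):
        if key in slots and not is_int(slots[key]):
            problems.append(f"{key} slot holds non-numeric {slots[key]!r}")
    return slots, problems


def parse_filter(text):
    """Parse filter-file lines of the form: FIELD weight OPERATOR value."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(None, 3)  # value keeps inner and trailing spaces
        if len(parts) != 4 or not is_int(parts[1]) or parts[2] not in OPERATORS:
            raise ValueError(f"bad filter line: {raw!r}")
        field, weight, op, value = parts
        rules.append((field, int(weight), op, value))
    return rules


def filter_test_weight(test_line, filter_text, message):
    """Weight a filter test contributes to one message.

    Per the thread: general test weight plus the weight of every matching
    line. Assumption: with no matching line the pass weight applies.
    """
    slots, problems = lint_test_line(test_line)
    if problems:
        raise ValueError("; ".join(problems))
    matched = [
        weight
        for field, weight, op, value in parse_filter(filter_text)
        if OPERATORS[op](message.get(field, ""), value)
    ]
    if not matched:
        return int(slots["passweight"])
    return int(slots["failweight"]) + sum(matched)


# Test lines from the thread; the sender addresses are constructed samples.
ONE_X = r"MYFILTER filter C:\IMail\Declude\myfilter.txt x 5 0"
TWO_X = r"MYFILTER filter C:\IMail\Declude\myfilter.txt x x 5 0"
SPAM = {"MAILFROM": "b.offers@example.invalid"}
HAM = {"MAILFROM": "alice@example.invalid"}

if __name__ == "__main__":
    # Test weight 5 plus line weight 5: the weight is counted twice.
    print(filter_test_weight(ONE_X, "MAILFROM 5 STARTSWITH b.", SPAM))
    # Line weight 0: the weight is counted once.
    print(filter_test_weight(ONE_X, "MAILFROM 0 STARTSWITH b.", SPAM))
    # The extra "x" shifts the 5 into the pass-weight slot.
    slots, problems = lint_test_line(TWO_X)
    print(slots["passweight"], problems)
```

Running the lint over every test line in global.cfg before a reload catches the shifted-column case, where mail that passes the test would silently gain weight.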