[Declude.JunkMail] Bounce
We have a rare situation where we've been asked to bounce emails with a specific criteria for one customer. We are using the BOUNCE action as stated in the comments of the sample file, but we get the logged error

Warning: misconfiguration in following line in configuration file (BOUNCE is not an ACTION). May be a duplicate test definition?

Here is the file for this customer. The test is named AH

Thanks

# BOUNCE will send a standard bounce message (and not deliver the E-mail)
# SWENBLOCK ATTACH
WEIGHTLOW ATTACH
WEIGHTMEDIUM ATTACH
WEIGHTHIGH DELETE
AH BOUNCE

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.

[Declude.JunkMail] text before spam.. defeating content filter
Hi;

We are getting a lot of spam lately that are being caught primarily with IP4r tests as well as the likes of spamdomain or helobogus .. but not content filters. This is, as discussed before, because a large amount of text (almost chapter 1 of Gone with the Wind :)) is put at the top of the email.

In checking the content.. this is the only thing I see before the long text.. could this be used as a filter?

This is a multi-part message in MIME format.
--=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

then before the actual spam:

--=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Does anyone know if the first part: Content-Transfer-Encoding: 7bit can be used as a filter? Pro? Con?

There has to be something that makes the body of email not show such a long text.. it is not a white font .. what is it?

Regards,
Kami

RE: [Declude.JunkMail] Bounce
As follows:

AH filter m:\Imail\declude\as_ho__s.txt x 9 0

I have verified that the test itself is working and assigning the correct weight to these emails.

-Original Message-
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 22, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Bounce

How is the test AH defined in the Global.cfg?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Re: [Declude.JunkMail] Bounce
> We have a rare situation where we've been asked to bounce emails with a specific criteria for one customer. We are using the BOUNCE action as stated in the comments of the sample file, but we get the logged error Warning: misconfiguration in following line in configuration file (BOUNCE is not an ACTION). May be a duplicate test definition?

With the latest interim release, the BOUNCE action has been renamed to BOUNCEONLYIFYOUMUST. We're estimating that we have hundreds of customers who are using the BOUNCE action with no clue as to what it does, and are hoping by renaming it these people will learn a bit more about the bounce action before using it.

In your case it looks like you have a good reason for using the bounce action. But a lot of people assume that the spammer will get the bounce message, and don't realize that by using the bounce action they themselves are spamming.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.

RE: [Declude.JunkMail] text before spam.. defeating content filter
Hi John:

Yes that is what we are doing but that is a reactive measure.. How can one detect large texts that are not showing up. I guess I am trying to learn how they do it? How can you have a chapter of a book at top of email and yet it does not show up?

The two lines I posted are the only things I see before the long section.. is that what causes it not to show up?

This is a multi-part message in MIME format.
--=_NextPart_000_0951_7DF4E03D.3CA8D29D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Can someone explain if it is the 7bit or the iso-8859-1 that causes the text to simply not exist although it does.. if so then we can filter it...

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, November 22, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] text before spam.. defeating content filter

Kami, I have been looking at subject lines and MAILFROMs on these types.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

Re: [Declude.JunkMail] Bounce
Keith,

If you are using a new interim release the bounce action has changed to bounceonlyifyoumust.

Darrell

Check Out DLAnalyzer a comprehensive reporting tool for Declude Junkmail Logs - http://www.dlanalyzer.com

RE: [Declude.JunkMail] text before spam.. defeating content filter
The problem I am seeing is the spammers know that body filters are the most expensive in terms of processing and are often limited to the first so many characters.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

RE: [Declude.JunkMail] text before spam.. defeating content filter
> How can you have a chapter of a book at top of email and yet it does not show up?

My guess is that since so many mail clients default to displaying HTML, they can just get away with a text segment that is a chapter of a book, and then an HTML segment with the spam.

-Scott

RE: [Declude.JunkMail] Bounce
Can someone point me to a URL that contains a list of changes made in these releases?

Thanks

-Original Message-
From: DLAnalyzer Support [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 22, 2003 9:16 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Bounce

Keith, If you are using a new interim release the bounce action has changed to bounceonlyifyoumust.

RE: [Declude.JunkMail] Bounce
> Can someone point me to a URL that contains a list of changes made in these releases? Thanks

http://www.declude.com/relnotes.htm lists changes in each new release and beta. There is no public list of changes in the interim releases.

-Scott

Re: [Declude.JunkMail] Bounce
Scott,

I would prefer to bounce the small percentage of blocked E-mail that fails within 100% of my lowest fail weight in order to help with FP issues on personal E-mail. It would be very nice though to be able to configure bounces for only when the From address matches the HELO domain and the MAILFROM domain. That would greatly reduce the number of bogus bounces that my server sends out. My thought here is that all three should match for personal E-mail however they are very likely to be different with spam.

So how about BOUNCEONLYIFALLTHREETHINGSMATCH? :)

Matt

Re: [Declude.JunkMail] text before spam.. defeating content filter
I'll bet that spammers are doing this in order to exceed the amount of text that will be parsed by filters in many different spam blocking programs. Scott said that there was a limit of 32K here. If you use the text portion of the E-mail to reach the 32K without having any damning words in it, then you can do whatever you want with the HTML displayable text (figuring correctly that most mail readers will show the HTML portion and not the text portion).

Hopefully before this becomes predominant, Declude will be able to parse out the MIME parts and scan just the areas that might contain HTML or text, and not worry about counting 32K from the top of the message, but the top of each part (figuring you would want to scan all such parts).

Matt

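The padding effect discussed in this thread and the per-part scan Matt asks for, as an added example that is not part of the original posts and not Declude's code. The message, boundary and filter phrase are constructed, the 32K limit is the figure quoted above, and the plain-to-HTML size ratio is an assumed heuristic for the "large text that does not show up" question.

```python
import re
from email import message_from_string

SCAN_LIMIT = 32 * 1024               # the 32K scan window quoted in the thread
PHRASES = ("cheap meds",)            # constructed stand-in for a body-filter phrase
BOUNDARY = "=_NextPart_CONSTRUCTED"  # constructed boundary, not from a real message

def build_sample(padding=40000):
    """Constructed message: long innocuous text/plain part, short HTML part."""
    filler = "It was a quiet morning in the county.\n" * (padding // 38 + 1)
    return (
        "From: sender@example.com\n"
        "Subject: hello\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{BOUNDARY}"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{filler}"
        f"--{BOUNDARY}\n"
        "Content-Type: text/html\n"
        "Content-Transfer-Encoding: quoted-printable\n"
        "\n"
        '<html><body><font color=3D"red">Buy cheap meds today</font></body></html>\n'
        f"--{BOUNDARY}--\n"
    )

def text_parts(raw):
    """Yield (content_type, decoded_text) for every text/* leaf part."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        data = part.get_payload(decode=True) or b""  # undoes quoted-printable/base64
        try:
            text = data.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:                          # unknown charset label
            text = data.decode("latin-1")
        yield part.get_content_type(), text

def naive_scan(raw, limit=SCAN_LIMIT):
    """Model of a filter that reads only the first `limit` characters of the raw body."""
    window = raw.split("\n\n", 1)[1][:limit].lower()
    return [p for p in PHRASES if p in window]

def per_part_scan(raw, limit=SCAN_LIMIT):
    """Count the limit from the top of each decoded text part instead."""
    return [(ctype, p) for ctype, text in text_parts(raw)
            for p in PHRASES if p in text[:limit].lower()]

def plain_to_html_ratio(raw):
    """Words in text/plain divided by visible words in text/html (assumed heuristic)."""
    words = {}
    for ctype, text in text_parts(raw):
        if ctype == "text/html":
            text = re.sub(r"<[^>]+>", " ", text)     # crude tag strip, enough for a ratio
        words[ctype] = len(text.split())
    return words.get("text/plain", 0) / max(words.get("text/html", 0), 1)

if __name__ == "__main__":
    sample = build_sample()
    print("naive scan hits:   ", naive_scan(sample))
    print("per-part scan hits:", per_part_scan(sample))
    print("plain/html ratio:  ", round(plain_to_html_ratio(sample)))
```

Neither the 7bit encoding nor the iso-8859-1 charset hides the text: the plain part is simply the alternative that HTML-displaying clients do not render, so a very high plain-to-HTML ratio is the signal worth weighting.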
[Declude.JunkMail] GIBBERISH v1.0.7 and GIBBERISHSUB v1.0.6 updates
I just updated the GIBBERISH and GIBBERISHSUB filters as follows:

GIBBERISH v1.0.7
Added several additional character string exceptions, counterbalances for VIN and ASR numbers as well as an exception for UNICODE encoded attachments.

GIBBERISHSUB v1.0.6
Added several additional character string exceptions and counterbalances for VIN and ASR numbers.

They can be downloaded from the following site (as always)...

MailPure :: Filter Software :: Declude Filters
http://www.mailpure.com/software/decludefilters/

Enjoy,
Matt

[Declude.JunkMail] failed to fail test ?
I have the following two tests in my global.cfg (along with others)

HELOBOGUS helovalid x x 6 0
IPNOTINMX ipnotinmx x x 0 -3
REVDNS revdnsexists x x 7 0
NOLEGITCONTENT nolegitcontent x x 0 -8

Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS ?

Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600
Received: from DJQ92P11 [192.168.123.124] by fament.com with eSMTP; Sat, 22 Nov 2003 19:27:21 -0600
Message-ID: [EMAIL PROTECTED]
From: ryan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Tests-Failed: IPNOTINMX, REVDNS.
X-Note: Total spam weight of this E-mail is -2.

By default everything supposed to be -11 on a good e-mail.

63.165.214.42 is NOT a valid MX record for fament.com

Wouldn't helobogus add its weight to it ? Or have I misunderstood the helobogus test ? How can I punish servers that try to claim to be from my domain like the above ?

And how could the score end up at -2 ? What is the math behind it. The -3 and -8 in the 6th column are the only - I have in that column anywhere. So if it's -8 + 7 then shouldn't the weight be -1 and not -2 ?

But most important how can I punish servers that claim to be fament.com if they are not ?

Best regards,
Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
MikroTik, Star-OS, PACWireless, EnGenius, RF Industries