Re: [Declude.JunkMail] failed to fail test ?
> Yet this piece of mail did come through with a very low rate and didn't fail the HELOBOGUS?
>
> Received: from fament.com [63.165.214.42] by imail.fament.com with ESMTP (SMTPD32-8.03) id AD019930280; Sat, 22 Nov 2003 19:27:29 -0600

That's because the HELO is fament.com, and fament.com has an MX record. Therefore, it is a valid HELO.

However, 63.165.214.42 is not in the MX record of fament.com, so:

> X-Tests-Failed: IPNOTINMX, REVDNS.

it failed the IPNOTINMX test.

> Wouldn't helobogus add its weight to it? Or have I misunderstood the helobogus test? How can I punish servers that try to claim to be from my domain like the above?

HELOBOGUS just looks for bogus HELO entries (such as random characters, IPs masquerading as hostnames, and made-up domains).

IPNOTINMX checks for IPs that aren't listed in the sender domain's MX records (note that it is not unusual for legitimate mail to be sent this way).

In this case, SPAMDOMAINS may be the best answer, as it will require the reverse DNS entry of the sending computer to include the domain name in the return address -- but only for domains that you specify. So if you list fament.com, this mail would have been caught. But if you do list your domain, you need to be sure that people sending mail through your server come from IPs with your domain in the reverse DNS entry.

> And how could the score end up at -2? What is the math behind it?

Declude JunkMail adds all the weights for the E-mail, which came out to -2 here.

The confusing parts are things like negative weights (either kind -- a test that has a weight of -2, or a test that has a weight that is added for E-mail that does NOT fail the test, like the IPNOTINMX and NOLEGITCONTENT tests), and filters where multiple lines can match.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Article On Reuters UK
A novel idea which I can't imagine will do anything...

Darrell

http://www.reuters.co.uk/newsArticle.jhtml;jsessionid=EBA1FMHYFTOGUCRBAE0CF EY?type=internetNewsstoryID=3875381section=news

U.S. passes anti-Internet spam bill
Sat 22 November, 2003 12:09
By Andy Sullivan

WASHINGTON (Reuters) - The U.S. House of Representatives has voted overwhelmingly for a bill to outlaw most Internet spam and create a do not spam registry for those who do not wish to receive unsolicited junk e-mail.

Online marketers who flood e-mail in boxes with pornography and get-rich-quick schemes would face multimillion dollar fines and jail time under the measure. It passed by a vote of 392-5 at dawn on Saturday, following an all-night session of the House that was largely devoted to a separate Medicare bill.

The Senate unanimously passed a similar anti-spam bill last month, but it must assent to the House changes before the measure can become law. The Senate is expected to do so in the coming days.

Anti-spam bills have died in Congress for six years while unsolicited commercial e-mail has grown from a nuisance to a plague that threatens to derail the Internet's most popular means of communication. Spam now makes up more than half of all e-mail, according to several surveys, and even online marketers have come to support some restrictions.

Lawmakers said spam has become a top constituent concern, and they also faced hundreds of unwanted messages daily. Spam cripples computer networks and makes regular e-mail checking a seemingly endless hassle, said House Energy and Commerce Chairman Billy Tauzin.

Lawmakers faced additional pressure to put a national law into place after California passed a tough anti-spam bill earlier this year. Online marketers say it would be difficult to comply with a patchwork of conflicting state laws.

The House bill, which would override state anti-spam laws, would allow businesses to send unsolicited e-mail to Internet users until they are asked to stop, an approach that some anti-spam activists say would only lead to more spam.

It would outlaw spammers' attempts to cover their tracks by requiring marketers to identify themselves clearly and avoid misleading subject lines or return addresses. Pornographic messages would have to be clearly labelled as such to allow users to more easily filter them out.

Violators would face millions of dollars in fines and up to five years in jail. The bill would not allow individuals to sue spammers.

The bill also authorises the Federal Trade Commission to set up a Do Not Spam registry of Internet users who wish to receive no unsolicited e-mail at all, similar to the Federal Trade Commission's popular Do Not Call list.

It also would outlaw cell-phone spam, which is commonplace in Europe and Asia. Under the provision, subscribers to cell phone services would not receive text message spam unless they have provided express authorisation.

America Online Inc. applauded the bill, saying it would help turn the tide against spam. This law will be a significant weapon for the online industry in the ongoing fight to can the spam and thwart the spam kingpins, the company said in a statement.
[Declude.JunkMail] Log warning messages
Scott, what do these warning messages mean (JunkMail logs):

Q629310f000ba565b WARNING: Problem with IPTEXT: 1298b9 1298d7 Received: from nsim (w008.z064003028.sea [ConcentricHost SMTP Relay 1.16]
---
Q84b5060d006aab89 WARNING: Problem with IPTEXT: 129856 12986b Received: from sf1.isc.org (mx-1.isc.org [IPv6:2001:4f8:0:2::1c]) (using TLSv1 wi
Q84b5060d006aab89 WARNING: Problem with IPTEXT: 12985f 129888 Received: from drugs.dv.isc.org (drugs.d [IPv6:2001:470:1f00:820:208:74ff:fe9f:ee
---
Q1681044f008c3069 WARNING: Problem with IPTEXT: 129847 129847 Received: from phpmailer ([]) by with H []) by with HTTP (); Sat, 22 Nov 2003
Q1681044f008c3069 WARNING: Problem with IPTEXT: 129853 129853 Received: from localhost.localdomain ([] [])by duke.nmailer.com (Merak 6.

I am also randomly seeing entries like these, as well:

JunkMail:
Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.
Qc5a800120092619c WARNING: Could not unlock M:\IMail\spool\_c5a800120092619c.~MD; it has been deleted.

Virus:
Qc5a800120092619c Error 183 creating temp directory M:\IMail\spool\Dc5a800120092619c.vir\.
Qc5a800120092619c Scanned: Error starting scanner
Qc5a800120092619c Scanned: Virus Free [MIME: 1 1130]
Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.

No on-access scanners running and nothing scanning the IMail directory or any sub-directories under it except when called by Declude. Running Declude v1.76i26.

Bill
RE: [Declude.JunkMail] Log warning messages
Bill

We had a similar issue with McAfee a while back.. It had to do with the C:\Temp directory .. It seems like McAfee copies a copy of the email in a temp directory before releasing it and the errors were because of it.

We added C:\Temp to the exclusion list and it was fine.

I don't know what virus scanner you are using but just in case the above experience helps any..

Regards,
Kami
Re: [Declude.JunkMail] Log warning messages
Thanks Kami, I'll give that a try and report back. I am also excluding c:\winnt\temp, since that is the temp directory that is listed in the path statement.

Bill
Re: [Declude.JunkMail] Log warning messages
> Scott, what do these warning messages mean (JunkMail logs):
>
> Q629310f000ba565b WARNING: Problem with IPTEXT: 1298b9 1298d7 Received: from nsim (w008.z064003028.sea [ConcentricHost SMTP Relay 1.16]

The problem here is a very odd Received: header, that is implying that the E-mail came from an IP address of ConcentricHost SMTP Relay 1.16. These will only appear at LOGLEVEL HIGH or higher.

> JunkMail:
> Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.
> Qc5a800120092619c WARNING: Could not unlock M:\IMail\spool\_c5a800120092619c.~MD; it has been deleted.

Is this with IMail v8? This would occur if IMail called Declude.exe twice for the same E-mail. It is unlikely that it would cause any problems.

> Virus:
> Qc5a800120092619c Error 183 creating temp directory M:\IMail\spool\Dc5a800120092619c.vir\.
> Qc5a800120092619c Scanned: Error starting scanner
> Qc5a800120092619c Scanned: Virus Free [MIME: 1 1130]
> Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.

This looks like the same thing -- Declude getting started twice for the same E-mail. The Error 183 indicates that the .vir directory already exists -- but it should only be created by Declude.

-Scott
Re: [Declude.JunkMail] Log warning messages
----- Original Message -----
From: R. Scott Perry [EMAIL PROTECTED]

>> Scott, what do these warning messages mean (JunkMail logs):
>>
>> Q629310f000ba565b WARNING: Problem with IPTEXT: 1298b9 1298d7 Received: from nsim (w008.z064003028.sea [ConcentricHost SMTP Relay 1.16]
>
> The problem here is a very odd Received: header, that is implying that the E-mail came from an IP address of ConcentricHost SMTP Relay 1.16. These will only appear at LOGLEVEL HIGH or higher.

Okay, thanks for the explanation. I am running at loglevel HIGH because it shows the Triggered CONTAINS lines which display all of the lines in a filter file that get triggered (BTW, thanks for adding this to the logs).

>> JunkMail:
>> Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.
>> Qc5a800120092619c WARNING: Could not unlock M:\IMail\spool\_c5a800120092619c.~MD; it has been deleted.
>
> Is this with IMail v8? This would occur if IMail called Declude.exe twice for the same E-mail. It is unlikely that it would cause any problems.

Yes, IMail v8.

>> Virus:
>> Qc5a800120092619c Error 183 creating temp directory M:\IMail\spool\Dc5a800120092619c.vir\.
>> Qc5a800120092619c Scanned: Error starting scanner
>> Qc5a800120092619c Scanned: Virus Free [MIME: 1 1130]
>> Qc5a800120092619c Couldn't rename SMD to SM$ [32]. Priority back to 32.
>
> This looks like the same thing -- Declude getting started twice for the same E-mail. The Error 183 indicates that the .vir directory already exists -- but it should only be created by Declude.

Okay, I will disregard then.

Thanks,
Bill
Re: [Declude.JunkMail] failed to fail test ?
Thanks Scott for clearing things up for me.

Since all my dialup and highspeed customers have correct revdns and everyone outside our network has to use smtp auth (running WHITELIST AUTH) then there should be no implications to do a spamdomain with fament.com.

If this is the case then time to add all my own domains in there and cut off another potential spamhole...

Best regards,
Eje Aya Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 240-376-7272
- Your Full Time Professionals -
Online Store http://www.wisp-router.com/
MikroTik, Star-OS, PACWireless, EnGenius, RF Industries
Re: [Declude.JunkMail] failed to fail test ?
Eje,

There are instances where an entry for your local domain would fail SPAMDOMAINS on a legit E-mail. This generally happens as a result of E-mail scripts that forge the MAILFROM address so that it matches the submitted E-mail, it happens with things like greeting cards and send-a-links (americangreetings.com for instance), and it happens with some bulk-mailing E-mailers that your own customers might be using to send other local users legit E-mail.

Watch this carefully if you add it because it definitely will result in some false positives, though it may be more or less problematic depending on your client base (individuals have bigger issues with greeting cards and send-a-links, and businesses have bigger issues with E-mail scripts and legit bulk mailers). I have this test scored only at 20% or 30% of my fail weight (I can't recall).

Matt
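The tests Scott describes in the first reply and the SPAMDOMAINS false positive Matt describes above, modeled in Python as an added example; this is not Declude's code or its configuration syntax. The DNS data, the weights, and every address except 63.165.214.42 are constructed, and the return-address domain of the message in the thread is assumed to be fament.com.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS snapshot, no live lookups. 63.165.214.42 (the IP in the
# thread) gets no PTR entry because the thread shows it failing REVDNS.
MX_IPS = {"fament.com": {"192.0.2.25"}}
PTR = {"192.0.2.25": "imail.fament.com",
       "192.0.2.40": "dsl-40.fament.com",
       "198.51.100.7": "mta7.cards.example"}
KNOWN_NAMES = set(MX_IPS) | set(PTR.values())

# Constructed weights: (added when the test fails, added when it does NOT fail).
WEIGHTS = {"HELOBOGUS": (5, 0), "REVDNS": (3, 0),
           "IPNOTINMX": (0, -3), "SPAMDOMAINS": (6, 0)}

@dataclass
class Mail:
    helo: str
    ip: str
    from_domain: str   # domain of the return address (MAIL FROM)

def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False

def _under(host, domain):
    # Label-boundary match (an assumption; the thread only says "include"),
    # so a PTR such as fament.com.bulk.example does not satisfy fament.com.
    return host == domain or host.endswith("." + domain)

def failed_tests(mail, spamdomains):
    rdns = PTR.get(mail.ip)
    failed = set()
    if _is_ip(mail.helo) or mail.helo not in KNOWN_NAMES:
        failed.add("HELOBOGUS")      # bogus HELO: IP literal or made-up name
    if rdns is None:
        failed.add("REVDNS")
    if mail.ip not in MX_IPS.get(mail.from_domain, set()):
        failed.add("IPNOTINMX")      # common for legitimate mail too
    if mail.from_domain in spamdomains and not (
            rdns and _under(rdns, mail.from_domain)):
        failed.add("SPAMDOMAINS")    # only enforced for listed domains
    return failed

def score(failed):
    # Every test contributes one of its two weights, so a clean pass on a
    # test with a negative pass weight pulls the total below zero.
    return sum(fail_w if name in failed else pass_w
               for name, (fail_w, pass_w) in WEIGHTS.items())

SPOOFED = Mail("fament.com", "63.165.214.42", "fament.com")       # thread's case
CUSTOMER = Mail("dsl-40.fament.com", "192.0.2.40", "fament.com")  # local user
MX_HOST = Mail("imail.fament.com", "192.0.2.25", "fament.com")
CARD = Mail("mta7.cards.example", "198.51.100.7", "fament.com")   # greeting card

if __name__ == "__main__":
    for label, m in [("spoofed", SPOOFED), ("customer", CUSTOMER),
                     ("mx host", MX_HOST), ("card", CARD)]:
        for listed in (set(), {"fament.com"}):
            f = failed_tests(m, listed)
            print(label, sorted(listed), sorted(f), score(f))
```

The CARD case is the legitimate-mail false positive from Matt's reply; weighting SPAMDOMAINS at a fraction of the hold weight, as he does, keeps that test from deciding the outcome on its own.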