RE: [Declude.JunkMail] SKIPIFWEIGHT and MAXWEIGHT
Hi Frederick: Here is what we do: # Version= 1.27i28: Skip the test if weight is reached SKIPIFWEIGHT 70 # Version= 1.27i28: Exit the test if weight is reached MAXWEIGHT60 REMOTEIP 0STARTSWITH 157.151.5 REMOTEIP 0STARTSWITH 193.216.245.227 REMOTEIP 0STARTSWITH 194.143.183.53 You have to be using Declude 1.27i27 or 28 (I don't remember) or higher.. Simply add them to the top of your filter files and it will do what they say they do.. Upon start of the filter if the total weight prior to entering the filter is 70 then the filter will not run and if during the run of the filter the weight associated with the filter reaches 60 then the filter exits. So if you have a weight of 50 going into the filter you can exit the filter with no more than 110 as weight. OR If you are running the filter and you are already at a weight of 70 then the filter will never run and you will exit with 70. Recommendation: Make sure you put all your weights that have negative weight prior to the ones with positive weight. That is what we do - all of our negative weights are on top of the global.cfg and we have structured our filters such that the bigger filters are the last to execute so hopefully if the weight is large enough prior to getting to them they will not run. Looking at our log files it is incredible how many of the filters are not even running anymore but they are there just in case... Hope that answers your question.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederick Samarelli Sent: Friday, November 28, 2003 11:20 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] SKIPIFWEIGHT and MAXWEIGHT Does any one have more information on these SKIPIFWEIGHT and MAXWEIGHT Thanks. Fred --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] %TESTSFAILED%
i just want an easy way (%variable%) to put in the header that will show all tests that contributed to the total weight, and their individual contribution that mean if a mail passes ipnotinmx, then ipnotinmx (-3) should show in the above %variable% The next release will allow for this. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Simple logic..
Scott: Any thoughts on adding some logic to Declude.. Simple logic.. Like: Actions that set the result immediately in the filter. (e.g. ENDALLTests or Delete) So if an entry is found the email is immediately deleted or if END no more filters are checked .. This can simplify the weight actions.. Right now we have HEADER actions that if an email address (our trap email or the 10 year old emails that do not exist but are seen in the CC or BCC by spammers) is found in the header or AllRe.. The email should be deleted. But for this to work we first set the weight to a high value and then define delete in the default$ file. With the recent actions of skip exit - this can be done to an extent but I think simple action statements can increase the efficiency still more. Just some thoughts.. Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] SpamDomains
Bill, it has been a lonnngg week. John Tolmachoff Engineer/Consultant/Owner eServices For You --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering on Imail spam tests
Bill, The Imail headers X-IMAIL-SPAM- do indeed appear after the DJM headers. I thought other folks were integrating these Imail tests [phrase-list.txt and url-domain-bl.txt] into DJM however it doesn't seem to be possible. Note: I did convert these files to DJM format however the one filter is over 16,000 lines which is a lot for Declude to process - -Nick Hayer -- Original Message -- From: Bill Landry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 28 Nov 2003 22:23:03 -0800 Check the placement of the IMail headers from one of these messages. If the IMail headers show up under all of the Declude messages, then that would indicate that they are run after Declude, if above all of the Declude headers, then they were run before passed onto Declude. However, I think that only the IMail Statistical Filtering test runs after Declude. Let us know what you find... Bill - Original Message - From: nick [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 6:42 PM Subject: Re: [Declude.JunkMail] Filtering on Imail spam tests Hi, Very sorry if this has been covered before - I searched and did not find a solution - I am having no luck filtering on HEADERS 0 CONTAINS X-IMAIL-SPAM-PHRASE and on HEADERS 0 CONTAIN X-IMAIL-SPAM-URL-DBL I cut and paste into an email from Imails phrase-list.txt send it to myself, the received email header is marked X-IMAIL-SPAM-PHRASE: 1010fast com however DJMP is not triggered. These Imail tests occur *after* DJM has run? Thanks Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering on Imail spam tests
Thanks Nick, that's good to know. So, it appears that all tests on the Content Filtering tabs (IMail v8) run after Declude. However, the tests on the Connection Filtering tab run before IMail hands-off the message to Declude, so these tests can be tracked by JunkMail via the IMail headers. Bill - Original Message - From: nick [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, November 29, 2003 8:31 AM Subject: Re: [Declude.JunkMail] Filtering on Imail spam tests Bill, The Imail headers X-IMAIL-SPAM- do indeed appear after the DJM headers. I thought other folks were integrating these Imail tests [phrase-list.txt and url-domain-bl.txt] into DJM however it doesn't seem to be possible. Note: I did convert these files to DJM format however the one filter is over 16,000 lines which is a lot for Declude to process - -Nick Hayer -- Original Message -- From: Bill Landry [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Fri, 28 Nov 2003 22:23:03 -0800 Check the placement of the IMail headers from one of these messages. If the IMail headers show up under all of the Declude messages, then that would indicate that they are run after Declude, if above all of the Declude headers, then they were run before passed onto Declude. However, I think that only the IMail Statistical Filtering test runs after Declude. Let us know what you find... Bill - Original Message - From: nick [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 28, 2003 6:42 PM Subject: Re: [Declude.JunkMail] Filtering on Imail spam tests Hi, Very sorry if this has been covered before - I searched and did not find a solution - I am having no luck filtering on HEADERS 0 CONTAINS X-IMAIL-SPAM-PHRASE and on HEADERS 0 CONTAIN X-IMAIL-SPAM-URL-DBL I cut and paste into an email from Imails phrase-list.txt send it to myself, the received email header is marked X-IMAIL-SPAM-PHRASE: 1010fast com however DJMP is not triggered. These Imail tests occur *after* DJM has run? Thanks Nick Hayer --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering on Imail spam tests
Nick wrote: These Imail tests occur *after* DJM has run? Yes. I wrote a ColdFusion program that converts the Imail files into Declude filter file and blacklist format, so I can run them from inside Declude as properly weighted tests. You're welcome to them if you can use CF. Cheers, --Matt Robertson-- MSB Designs, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OT: Problems sending to yahoo
Yahoo had once blocked my server too, i contacted them, filled out a question form and they whiltelisted me -Original Message- From: Yahoo!Mail [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 6:39 PM To: [EMAIL PROTECTED] Subject: Follow-up to your whitelist application with Yahoo! (KMM1217722V33399L0KM) Hello, Thank you for writing to Yahoo! Mail. We are following up on your application for whitelisting. We have recently concluded the probationary period for your company's mailings and, based on the results, we have determined that your email is most appropriately delivered to the Inbox. The IP address/es you submitted to us has/have been updated in our system. Feel free to test things out and let us know if you experience any problems. For any future changes in mail server information, please make sure to notify us at this address so we can update your records accordingly. (Note: For all bulk mailings to our users, Yahoo! will continuously monitors consumer feedback and if necessary, we may, in our sole discretion, take the appropriate action, including but not limited to directing email to the Bulk Mail folder if we begin to see excessive negative feedback regarding your mailings.) Thank you for your cooperation throughout this process. Regards, Yahoo! Customer Care - Mail Investigations http://abuse.yahoo.com Sincerely, William J. Baumbach II [EMAIL PROTECTED] 9975 Pennsylvania Ave. Manassas, Va. 20110-2028 Ph: 703-367-7900 ext:1708 Fax: 703-691-0946 - - Original Message - From: Jason Newland [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 13, 2003 11:52 AM Subject: [Declude.JunkMail] OT: Problems sending to yahoo All, Just noticed that yahoo has blocked our mail server from communicating with their servers. Our servers are clean (not listed in blacklists/set up correctly). 66.140.194.140 is our mail IP if you want to check. Does anyone have any contact information for yahoo so we can get un blocked? Thanks, Jason --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. [ scanned for spam to: [EMAIL PROTECTED] incoming http://www.DcMetroNet.com on 11/13/2003 at 12:27:24-0500et. ] [ scanned for viruses to: [EMAIL PROTECTED] incoming http://www.DcMetroNet.com on 11/13/2003 at 12:27:29-0500et. ] [ scanned for spam to: [EMAIL PROTECTED] outgoing http://www.DcMetroNet.com on 11/29/2003 at 14:51:15-0500et. ] This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this email is prohibited. If you are not the intended recipient, please contact the sender and destroy all paper and electronic copies of this message. [ scanned for viruses to: [EMAIL PROTECTED] outgoing http://www.DcMetroNet.com on 11/29/2003 at 14:51:18-0500et. ] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering on Imail spam tests
Matt, Thanks for the confirmation and the offer. I converted the files as well however the url-domains-bl.txt filer is so large, over 16,000 lines, that my little server was choking when traffic was up. I was hoping to get Imail to do the dirty work... -Nick -- Original Message -- From: Matt Robertson [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Sat, 29 Nov 2003 11:44:36 -0800 Nick wrote: These Imail tests occur *after* DJM has run? Yes. I wrote a ColdFusion program that converts the Imail files into Declude filter file and blacklist format, so I can run them from inside Declude as properly weighted tests. You're welcome to them if you can use CF. Cheers, --Matt Robertson-- MSB Designs, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] IPBYPASS limitations
It is not very difficult. But it is difficult (costly, to be more precise, in terms of making very careful changes to the code and determining performance changes) to change it to an unlimited number of entries. So we need to decide how important such a change is, the maximum value we can see our customers using in the near future, and the effect of any extra memory allocation. Ok, I can understand this. What happens here is that if we say OK, this is a good use of the IPBYPASS feature, there are going to be people who use it like whitelisting, and want to enter hundreds or thousands of IPs. What's wrong with it? It's their decision. Or not? Then if you do not use the IPBYPASS option, and an E-mail comes from one of those IPs, Declude JunkMail will still scan the next hop (which is what you are getting with IPBYPASS). ? Doesn't mean HOPHIGH=1 that declude should scan two IPs? The first (connecting) one and -if present- the IP before. So I will accumulate in any case the (in my eyes false positive) points for this two IP blocks. Perhaps a filter that checks the reverse DNS entry, such as REVDNS -10 CONTAINS .example.com? For sure: This will work. But as I understand this will have the same result as with IP counterweights: The counterweight is static and I have to adapt manualy the changing listings of IP blacklists. Today this IP-blocks (or REVDNS names) are listed in only two blacklists. Tomorrow they can be listed in 8 or 10 blacklists and my static counterweight is far too low. This is also the reason why I've asked some weeks ago if it would be possible to query http://www.dnsstuff.com/tools/ip4r.ch by specifiing my own filter-list of IP blacklists (that I currently use in my cfg file). So it would be much much easier to check manualy what's the actual situation and what counterweight I have to assign. Better would be if I can post the ip4r- and rhbl-part of my filter file and the spam database lookup script would calculate and return my personal result. Amazing would be if I'm able to BYPASS certain IP ranges. That give me the possibility to use any external IP blacklist and if I have the opinion that certain IP-ranges in their list are wrong then I can simply bypass them. I know: The problem are the ISPs that are not able to get permanently out of the blacklists. But what should I do? Call them and explain what they should do? I think we all are using declude because we have decided to go in a defensive position and fight spam. If I really want to persuade ignorant mailserver admins (and maybe also spammers) then it would be better to become a preacher... ;-) Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] X-Header filter weight reporting
Scott, would it make sense to report in the X-RBL-Warning filter headers the weights as defined by MAXWEIGHT in the filter file whenever the total filter score is more than what is defined by the MAXWEIGHT setting? That way when you visually add up all of the X-Header weights, the score will match that shown in the X-Note: Total spam test weight: %WEIGHT% header. Currently, when the filter score is higher than the MAXWEIGHT defined for the test, the X-Header filter weights being shown are the total filter weight rather than the MAXWEIGHT, but the score shown by the X-Note: Total spam test weight: %WEIGHT% header is the accurate weight being applied to the message as defined by the MAXWEIGHT settings. Thanks, Bill --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] IPBYPASS limitations
Scott, Doesn't mean HOPHIGH=1 that declude should scan two IPs? The first (connecting) one and -if present- the IP before. I understand - I think - about IPBYPASS but HOPHIGH is another story.. I am interested because often times mail is forwarded to my server and as such some tests are not as effective. As an example sombody@example.com send an email to a server that in turn forwards the email to one of my users. Spamdomains fails because the connecting server to me was not example.com but foo.com Would hophigh help me out with this - see who originally sent the email? What is the downside to HOPHIGH=1 other than more dns work and if that is the case is it negligible? What is its real purpose? Thanks! -Nick Hayer Perhaps a filter that checks the reverse DNS entry, such as REVDNS -10 CONTAINS .example.com? For sure: This will work. But as I understand this will have the same result as with IP counterweights: The counterweight is static and I have to adapt manualy the changing listings of IP blacklists. Today this IP-blocks (or REVDNS names) are listed in only two blacklists. Tomorrow they can be listed in 8 or 10 blacklists and my static counterweight is far too low. This is also the reason why I've asked some weeks ago if it would be possible to query http://www.dnsstuff.com/tools/ip4r.ch by specifiing my own filter-list of IP blacklists (that I currently use in my cfg file). So it would be much much easier to check manualy what's the actual situation and what counterweight I have to assign. Better would be if I can post the ip4r- and rhbl-part of my filter file and the spam database lookup script would calculate and return my personal result. Amazing would be if I'm able to BYPASS certain IP ranges. That give me the possibility to use any external IP blacklist and if I have the opinion that certain IP-ranges in their list are wrong then I can simply bypass them. I know: The problem are the ISPs that are not able to get permanently out of the blacklists. But what should I do? Call them and explain what they should do? I think we all are using declude because we have decided to go in a defensive position and fight spam. If I really want to persuade ignorant mailserver admins (and maybe also spammers) then it would be better to become a preacher... ;-) Markus --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] FABELSOURCES service dropped
Hello, everyone- I don't know whether this is news to anyone here, but I found this during my research for a replacement for EasyNet and thought I'd pass it along because it is still listed as active in the Declude DNS Database list. http://www.fabel.dk/relay/test/ === September 29th, 2003 Alright, that was fun! After running the relay tester for more than five years it's really time for us to take a break. The system was maintaining itself, but to be truly useful a number of updates were well overdue. So there, so long. ORDB will take care of all your relay checking needs. The dev.null.dk zone will be empty for now; but we might fill it with another source of bothersome IPs some day in the distant future. === Dave Doherty Skywaves, Inc. 301-652-8822 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Filtering on Imail spam tests
I got the domain list to work fine as a blacklist, with performance times being acceptable at around 250ms for a complete run-thru of all of the 70-odd tests I run in Declude. I also turned it into a body filter file and it was absolutely stellar in its performance. Spam catching performance, that is. It was a disaster in terms of what it did to the server and I had to take it down after a day. Not a big surprise; running 17000 tests on the body of each mail piece. As soon as I can afford it I'm buying Message Sniffer. Running it as a trial, it proved itself to be an obvious winner. --Matt Robertson-- MSB Designs, Inc. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.