RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Here are the headers...  How can this be caught with Declude?

12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alejandro
Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..


Declude MAILFROM test checks only the domain on the MAILFROM address.
But we receive a lot of SPAM with mailfrom like this: [EMAIL PROTECTED]
Since hotmail.com is a valid Domain, the message passes the test.

Is there a test like the Mailfrom of Imail that tests that the
user really exists on the remote server?

[EMAIL PROTECTED]  (In Imail this will fail...)

Thanks..






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


FYI, I believe the demo consolidates everything into two separate tests:
General & Malware.  However, it will still give you a very good idea of the
overall effectiveness of running Sniffer with Declude.

Bill
- Original Message - 
From: T. Bradley Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer


Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly inefficient at
first!

Thanks for the responses guys. I just installed the demo.

~Brad

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer


Brad,

That's right.
:-)

Heuristics for patterns are grouped by the spam that prompts us to generate
them, or by how we created them. Most of the time they are at least close
to classifying the type of spam. Each system that uses Message Sniffer is
encouraged to specify adjustable weights for each rule group so that the
results from the pattern matching tests can be tuned for the greatest
accuracy on that system and according to its unique mix of incoming spam
and the users being served.

Declude is optimized to run the external test only once and allow the
result code to be evaluated for all of the tests that define that external
test... so in the example shown below sniffer would be called once and its
result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam.
Currently the voting system that decides the winning pattern match uses the
following rule: Choose the first pattern match found with the lowest symbol.

Within the standard rulebase, rule groups are loosely grouped so that the
least specific patterns have the largest symbols. The combination of these
arrangements tends toward selecting the most specific pattern match
available for a given message.

If anyone has other questions that are specific to sniffer then please feel
free to contact us off list at our support@ sortmonster.com address.

Thanks,

_M

At 10:20 PM 12/3/2003, you wrote:
Brad, Sniffer does message based pattern matching (Pete, correct me if
I am wrong).  If you opt to separate the 20 or so tests that Sniffer
currently supports, then you can set whatever weight you want to each
individual test. Here is how I currently have the individual Sniffer
tests defined in my global.cfg (License ID and Authentication Code
obscured):

SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL    external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH   external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ     external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE  external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL  external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS     external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN      external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE   external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
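
The two behaviours described in the quoted Sniffer messages above (the external program being run once with its result code compared against every test defined on it, and the "first pattern match found with the lowest symbol" voting rule), modelled as an added example; this is not code from the thread, Declude or Message Sniffer. It assumes the field layout `NAME external CODE COMMAND WEIGHT LAST`, assumes the winning symbol is what the program returns as its result code, and uses a stub (`make_fake_sniffer`, a hypothetical name) in place of the real executable.

```python
# Added illustration: a model of the behaviour described in the thread,
# not Declude or Message Sniffer code.

# The ten test definitions quoted above, one definition per line.
GLOBAL_CFG = r"""
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL    external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH   external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ     external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE  external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL  external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS     external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN      external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE   external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
"""


def parse_external_tests(cfg):
    """Return one dict per 'external' line.

    Assumed layout: NAME external CODE COMMAND... WEIGHT LAST, where WEIGHT
    is added when the program's result code equals CODE. The final field is
    kept but not interpreted here.
    """
    tests = []
    for line in cfg.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1].lower() != "external":
            continue
        tests.append({
            "name": fields[0],
            "code": int(fields[2]),
            "command": " ".join(fields[3:-2]),
            "weight": int(fields[-2]),
            "last": fields[-1],
        })
    return tests


def winning_symbol(matches):
    """Apply the voting rule: lowest symbol wins, first found wins a tie.

    `matches` is a list of (offset, symbol) pairs in the order found.
    """
    winner = None
    for offset, symbol in matches:
        if winner is None or symbol < winner[1]:
            winner = (offset, symbol)
    return winner


def make_fake_sniffer(matches):
    """Stub for the scanner (hypothetical): returns a runner and its call log."""
    calls = []

    def run(command):
        calls.append(command)
        hit = winning_symbol(matches)
        # None models "no pattern matched"; what the real program returns
        # in that case is not stated on the page.
        return hit[1] if hit else None

    return run, calls


def evaluate(tests, run_program):
    """Run each distinct command once, then score every test against it."""
    results = {}
    fired, total = [], 0
    for test in tests:
        command = test["command"]
        if command not in results:          # first test using this command
            results[command] = run_program(command)
        if results[command] == test["code"]:
            fired.append(test["name"])
            total += test["weight"]
    return fired, total


if __name__ == "__main__":
    # Constructed sample: four pattern matches in one message.
    sample = [(120, 54), (10, 48), (300, 63), (512, 48)]
    run, calls = make_fake_sniffer(sample)
    fired, weight = evaluate(parse_external_tests(GLOBAL_CFG), run)
    print("winner:", winning_symbol(sample))
    print("tests fired:", fired, "weight:", weight)
    print("program invocations:", len(calls))
```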

RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread John Tolmachoff \(Lists\)
In a filter file:

HEADERS  (weight)  CONTAINS  X-IMAIL-SPAM-INVALIDFROM

Imail is checking to see if the sender exists and places that into the
header. (If you have Imail configured to add headers.)

HOWEVER, this does not work for @yahoo.com addresses.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Mark Smith
BTW,
I forwarded this issue to a colleague, Sue Moser of Slipstick Systems
http://www.slipstick.com and Windows magazine contributor.

Mark

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of R.
 Scott Perry
 Sent: Thursday, December 04, 2003 2:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] A little CMA documentation
 for Outlook 2003 RFC non-compliance 2003 RFC non-compliance


 I have a customer who was having trouble with his messages sent to
 users on servers that use spam filters not being delivered.  I had him
 send a message to me so I could see what tests it fails.  As some of
 you may have already guessed, he's got a new pc with Outlook 2003 and
 the messages fail the spam headers test.  I informed him that among
 mail server and/or spamfilter administrators this is a known issue.
 So, he calls MS.  MS says it's OEM software, call the vendor.  Dell
 says I'm full of it.

 So...

 Would someone with more thorough and better understanding than mine
 please send me something (with permission to quote or I'd just lift
 from archives) that I can send to this customer?  I'm looking for what
 it is that Outlook 2003 does wrong and what RFC it is not conforming
 to.  He wants to then show it to Dell and request an exchange for
 Office 2002.

 It's really a Microsoft issue (it's a bug -- er, new feature -- in
 Outlook 2003), but they may have a special arrangement with Dell.
 Microsoft had a few complaints from people using Outlook that their
 machine name was leaked in the Message-ID header.  Instead of ignoring
 the complaint, or making the host name used in the Message-ID: header
 configurable, they chose to remove the Message-ID: header.

 Microsoft is technically RFC-compliant, *if* they understand the
 consequences of what they did.  In other words, it is only
 RFC-compliant if they accept the fact that the E-mail sent from
 Outlook 2003 may be marked as spam.

 Microsoft's position, from what we understand, is that they expect all
 mailservers to whitelist outgoing E-mail from Outlook 2003 users, and
 add the Message-ID: header.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail
 mailservers.
 Declude Virus: Catches known viruses and is the leader in
 mailserver vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day
 evaluation.

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be
 found at http://www.mail-archive.com.





RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Mark Smith
I'm assuming that this only happens with Outlook 2003 used with a
non-Exchange (POP3/IMAP/SMTP mode)?

Here are two headers from Outlook 2003 installed by Office 2003 Pro
Microsoft Volume Licensing (not OEM)

From Outlook/MAPI via Exchange 2003

-0-

Received: from us-inboundmx.blank.com [61.220.41.95] by popmail.domain2.com
with ESMTP
  (SMTPD32-8.03) id AFB28130208; Fri, 05 Dec 2003 05:36:34 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: testing
Date: Fri, 5 Dec 2003 05:36:34 -0500
Message-ID:
[EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: testing
Thread-Index: AcO7G6c5ASWwh2hOTRWz0b/pUSbfKw==
From: Mark E. Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Note: Weight: 0 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for spam.
X-Spam-Tests-Failed: Whitelisted
X-Spam-Prob: 0.169437
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 341408898

-0-

From Outlook/POP3/SMTP via iMail SMTP

-0-

Microsoft Mail Internet Headers Version 2.0
Received: from ussmtpin2.blank.com ([10.7.4.111]) by us-inboundmx.blank.com
with Microsoft SMTPSVC(6.0.3790.0);
 Fri, 5 Dec 2003 05:40:53 -0500
Received: from popmail.domain2.com [16.196.89.161] by ussmtpin2.blank.com
with ESMTP
  (SMTPD32-8.03) id A0B38CD0118; Fri, 05 Dec 2003 05:40:51 -0500
Received: from msmithd800xp [162.83.21.69] by popmail.domain2.com with ESMTP
  (SMTPD32-8.03) id A0AF8330208; Fri, 05 Dec 2003 05:40:47 -0500
From: Mark Smith [EMAIL PROTECTED]
To: Mark E. Smith [EMAIL PROTECTED]
Subject: Testing from domain2
Date: Fri, 5 Dec 2003 05:40:47 -0500
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcO7HD5aazFkluigRS2DXlE/jJeQ9w==
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam
[420e].
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
(46)
X-Note: Weight: 3 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for spam.
X-RBL-Warning: WHITELISTFILE: Message failed WHITELISTFILE test (100)
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (27)
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM
test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test
(37)
X-Note: Weight: -110 - This E-mail was scanned by NETrends Systems
(www.netrends.com) for viruses and spam.
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 05 Dec 2003 10:40:53.0729 (UTC)
FILETIME=[42002510:01C3BB1C]

-0-






RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

2003-12-05 Thread Kami Razvan
Hi;

I am still a little shaky on what END does.

If we have a filter file and have the following line - let's say on line 1:

HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS

If this condition is met then the filter will exit?  So anytime an END
condition is satisfied the rest of the filter is not to be analyzed.

The idea was originally proposed to help with the Anti-filter concept.. But
I am not sure how it will work.

Regards,
Kami




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

We have just released Declude Virus v1.77 (beta).  See
http://www.declude.com/junkmail/manual.htm .  Notable changes since the last
beta include:

 o BOUNCE action renamed to BOUNCEONLYIFYOUMUST (please read the
information on this action in the manual before using it).
 o filter test type now can have MAXWEIGHT/MINWEIGHT option.
 o filter test type now can have END in place of the weight
 o filter test type now has SKIPIFWEIGHT option to bypass filters
if a certain weight has already been reached.
 o HIDETESTS option to hide tests from X-Spam-Tests-Failed: header.
 o Numerous minor fixes

Other additions and fixes can be found in the release notes, at
http://www.declude.com/relnotes.htm . Anyone with an up-to-date Service
Agreement is entitled to free upgrades (see http://www.declude.com/agree.htm
for information on the Declude Service Agreement).

---

Quick Resource Reference:

Tech Support:  [EMAIL PROTECTED]
Mailing List: Send E-mail to [EMAIL PROTECTED] with subscribe 
declude.junkmail your name in the body
New Releases List: Send E-mail to [EMAIL PROTECTED] with subscribe 
declude.releases your name in the body
Troubleshooting: See manual URL above; look at Troubleshooting section
Emergency Uninstall:  See manual URL above; look at Emergency Uninstall 
section
Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only)
Declude Addons/Tools URL: http://www.declude.com/tools
Manual: http://www.declude.com/junkmail/manual.htm



Re: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread R. Scott Perry

> Declude MAILFROM test checks only the domain on the MAILFROM address.
> But we receive a lot of SPAM with mailfrom like this: [EMAIL PROTECTED]
> Since hotmail.com is a valid Domain, the message passes the test.
> Is there a test like the Mailfrom of Imail that tests that the
> user really exists on the remote server?

No.  The problem is that such a test is very resource intensive -- 
specifically, it will use about 10 times as much bandwidth as the MAILFROM 
test, and will often have false negatives (E-mail addresses that do not 
exist, but pass the test), and occasional false positives (E-mail addresses 
that do exist, but fail the test).  Also, it will delay the delivery of the 
E-mail by anywhere from several seconds to a minute or so (lots of 
mailservers take a long time to respond to commands), as there are about 8 
round trips that need to be made rather than just 1 -- and those round 
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

   -Scott


RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

2003-12-05 Thread R. Scott Perry

> I am still a little shaky on what END does.
>
> If we have a filter file and have the following line - let's say on line 1:
>
> HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS
>
> If this condition is met then the filter will exit?

Correct.

> So anytime an END condition is satisfied the rest of the filter is not to
> be analyzed.

Correct.

> The idea was originally proposed to help with the Anti-filter concept.. But
> I am not sure how it will work.

I think that there are two purposes for END:

[1] It will reduce CPU usage for large filters, if you know they do not 
need to be used for some reason.
[2] It will allow you to have weights applied only under certain 
conditions.  For example, If the E-mail contains 'example.com' but not 
'example.net', apply a weight of 5 (with ANYWHERE END CONTAINS 
example.net and ANYWHERE 5 CONTAINS example.com).
-Scott
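
The END behaviour confirmed in the reply above, modelled as an added example; it is not part of the original thread and not Declude's implementation. It assumes lines of the form `SCOPE WEIGHT|END CONTAINS text`, case-insensitive substring matching, and top-to-bottom evaluation, and it shows one consequence of those semantics: a weight line placed before the END line has already been applied when the filter exits.

```python
# Added illustration: a small model of the filter-file semantics described
# in this thread, not Declude's implementation.
from collections import namedtuple

# weight: total applied; ended_at: line number of the END that fired (or
# None); lines_checked: how many filter lines were evaluated.
FilterResult = namedtuple("FilterResult", "weight ended_at lines_checked")

SCOPES = ("HEADERS", "ANYWHERE")  # the two scopes that appear in the thread


def parse_filter(text):
    """Parse 'SCOPE WEIGHT|END CONTAINS text' lines into rule tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2].upper() != "CONTAINS":
            raise ValueError("line %d: expected SCOPE WEIGHT|END CONTAINS text" % lineno)
        scope, action, _, needle = parts
        if scope.upper() not in SCOPES:
            raise ValueError("line %d: unsupported scope %r" % (lineno, scope))
        weight = None if action.upper() == "END" else int(action)
        rules.append((lineno, scope.upper(), weight, needle))
    return rules


def run_filter(text, headers, body):
    """Evaluate the filter top to bottom; stop at the first END that matches."""
    searchable = {
        "HEADERS": headers.lower(),
        "ANYWHERE": (headers + "\n" + body).lower(),
    }
    total = 0
    checked = 0
    for lineno, scope, weight, needle in parse_filter(text):
        checked += 1
        if needle.lower() not in searchable[scope]:
            continue
        if weight is None:                 # END matched: skip the rest
            return FilterResult(total, lineno, checked)
        total += weight
    return FilterResult(total, None, checked)


# Purpose [2] from the reply: weight 5 for example.com unless example.net
# is also present.
SCOTT_FILTER = (
    "ANYWHERE END CONTAINS example.net\n"
    "ANYWHERE 5 CONTAINS example.com\n"
)
# Same two lines in the other order: the weight is applied before END fires.
REVERSED_FILTER = (
    "ANYWHERE 5 CONTAINS example.com\n"
    "ANYWHERE END CONTAINS example.net\n"
)
# Purpose [1]: the line from the question, followed by 50 constructed lines
# standing in for a large filter.
KAMI_FILTER = "HEADERS  END  CONTAINS  X-IMAIL-SPAM-VALREVDNS\n" + "".join(
    "ANYWHERE 1 CONTAINS word%d\n" % i for i in range(50)
)

# Constructed sample messages as (headers, body) pairs.
ONLY_COM = ("Subject: offer", "Visit http://www.example.com/ today")
BOTH = ("Subject: offer", "See http://www.example.com/ or http://www.example.net/")
VALREVDNS_HEADERS = "Subject: hi\nX-IMAIL-SPAM-VALREVDNS: constructed value"

if __name__ == "__main__":
    print(run_filter(SCOTT_FILTER, *ONLY_COM))
    print(run_filter(SCOTT_FILTER, *BOTH))
    print(run_filter(REVERSED_FILTER, *BOTH))
    print(run_filter(KAMI_FILTER, VALREVDNS_HEADERS, "word7 word9"))
    print(run_filter(KAMI_FILTER, "Subject: hi", "word7 word9"))
```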



RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

2003-12-05 Thread Tyler Jensen
I installed a full retail copy of Office 2003 Professional and I have the
same issue. Missing headers.

Tyler


[Declude.JunkMail] Fw: [IMail Forum] November 2003 Spam Statistics

2003-12-05 Thread Jeff Pereira

- Original Message -
From: Jeff Pereira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:26 AM
Subject: Re: [IMail Forum] November 2003 Spam Statistics


 Scott -

 Is it possible to post the configuration files for Declude Junkmail that
 were used to produce the results obtained in the November 2003 Spam
 Statistics?

 I am sure that there are a number of other users out there like myself that
 have limited resources to devote to spam control and for whom spam control
 is a secondary or tertiary responsibility.

 It would be nice to know that I could start with a given set of
 configuration files that are able to generate what I feel to be very
 impressive statistics.

 Thank you.

 Jeff

 ---
 [This E-mail scanned for viruses by Declude Virus]


 To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
 List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
 Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


[Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group 
http://www.nexustechgroup.com/mailscan



[Declude.JunkMail] Reverse DNS...

2003-12-05 Thread Kami Razvan



What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 57
X-Note: Sent from Reverse DNS: [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

Incredible...


Regards,
Kami


RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Dan:

We made a decision a long time ago to whitelist REVDNS of all the folks you
had listed.

We now have two REVDNS negative files.

1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
these entries to their own files).

2:  Negative reverseDNS files that add negative weight to the ones that are
legitimate and used by our users.

That took care of a lot of problems..

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Kami:
I've been taking a look at your configuration files every few weeks and
based on what I saw there a couple of months ago, I also started
WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
It just so happened that the 3 I listed had not been whitelisted.  I know
that whitelisting will fix the problems but I also know that there is
definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries?  Is that just by using the
FILTER test?

Thanks,
Dan

- Original Message - 
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:24 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


 Dan:

 We made a decision a long time ago to whitelist REVDNS of all the folks you
 had listed.

 We now have two REVDNS negative files.

 1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
 these entries to their own files).

 2:  Negative reverseDNS files that add negative weight to the ones that are
 legitimate and used by our users.

 That took care of a lot of problems..

 Regards,
 Kami




Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread R. Scott Perry

 Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
 file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
 to go past that limit and/or else offload those into a separate file?

Actually, it's a limit of 200.

The WHITELIST FROM entries can be offloaded to a separate file (with 
unlimited entries), using the WHITELISTFILE option.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Yes...

Like a filter file:

REVDNS -20 ENDSWITH .amazon.com

I put the period before Amazon to just make sure no funky domain like
.spamamazon.com can get through.

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami:
I've been taking a look at your configuration files every few weeks and
based on what I saw there a couple of months ago, I also started
WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
It just so happened that the 3 I listed had not been whitelisted.  I know
that whitelisting will fix the problems but I also know that there is
definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries?  Is that just by using the
FILTER test?

Thanks,
Dan

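The dot-anchored suffix rule from Kami's message, worked through as an added example (not code from the thread or from Declude): it parses the `REVDNS -20 ENDSWITH .amazon.com` line and compares it with the same suffix written without the leading period. It goes one step beyond the thread by granting the negative weight only when the PTR name resolves forward to the connecting IP, because whoever controls an IP block's reverse zone chooses the PTR text; the IP addresses, the `resolve` helper and all function names are constructed for illustration.

```python
# Added example with constructed data; not Declude's implementation.

def parse_filter_line(line):
    """Parse 'REVDNS <weight> ENDSWITH <suffix>', the only form shown in the thread."""
    fields = line.split()
    if (len(fields) != 4 or fields[0].upper() != "REVDNS"
            or fields[2].upper() != "ENDSWITH"):
        raise ValueError("unsupported filter line: %r" % line)
    return int(fields[1]), fields[3].lower()


def normalize(hostname):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return hostname.strip().rstrip(".").lower()


def suffix_weight(rdns, rules):
    """Sum the weights of every rule whose suffix ends the reverse-DNS name."""
    host = normalize(rdns)
    return sum(weight for weight, suffix in rules if host.endswith(suffix))


def forward_confirmed(ip, rdns, resolve):
    """True only if the PTR name resolves forward to the connecting IP."""
    return ip in resolve(normalize(rdns))


def revdns_credit(ip, rdns, rules, resolve):
    """Negative weight for a trusted sender, withheld for unconfirmed PTR names."""
    if not rdns or not forward_confirmed(ip, rdns, resolve):
        return 0
    return suffix_weight(rdns, rules)


# Constructed forward zone (documentation address ranges); stands in for DNS.
FORWARD_ZONE = {"boi1-app-101.amazon.com": {"192.0.2.10"}}


def resolve(hostname):
    """Hypothetical resolver: hostname -> set of A records, from FORWARD_ZONE."""
    return FORWARD_ZONE.get(hostname, set())


DOTTED = [parse_filter_line("REVDNS -20 ENDSWITH .amazon.com")]
UNDOTTED = [parse_filter_line("REVDNS -20 ENDSWITH amazon.com")]

if __name__ == "__main__":
    for name in ("boi1-app-101.amazon.com", "mail.spamamazon.com",
                 "amazon.com", "amazon.com.mailer.example"):
        print("%-28s dotted=%4d undotted=%4d"
              % (name, suffix_weight(name, DOTTED), suffix_weight(name, UNDOTTED)))
    # Same PTR text, two connecting IPs: only the confirmed one earns the credit.
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, revdns_credit(ip, "boi1-app-101.amazon.com", DOTTED, resolve))
```

Note that the dotted suffix does not match the bare name `amazon.com`, so a sender whose PTR is exactly the domain needs its own rule.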


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Burzin Sumariwalla
Hi Dan,

I've only seen one FP from SpamCop in the last week.  I routinely see email 
sent by legitimate firms get tagged as spam, but usually
these firms are using third party mailers to send information.

Burzin

At 09:10 AM 12/5/2003, you wrote:
Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?
Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.
Thanks,
Dan
[EMAIL PROTECTED]
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] Reverse DNS...

2003-12-05 Thread IS - Systems Eng. (Karl Drugge)
Do what I do. I have a rule defined that subtracts the points my REVDNS rule
adds, and put the domains I need to get through in that list. Kind of clunky
and man-power intensive, but it works for me. I couldn't imagine doing it for
hundreds of domains.

Karl Drugge

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse DNS...

What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned & filtered by Declude [1.77] for SPAM & virus.
X-Weight: 57
X-Note: Sent from Reverse DNS: [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

Incredible...

Regards,
Kami


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Hi, Scott,
If I am using...

WHITELIST REVDNS .ebay.com

or

WHITELIST HELO .mail.yahoo.com

entries in my GLOBAL.CFG can those also be offloaded into a separate file?
Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:46 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses



 Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
 file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there any way
 to go past that limit and/or else offload those into a separate file?

 Actually, it's a limit of 200.

 The WHITELIST FROM entries can be offloaded to a separate file (with
 unlimited entries), using the WHITELISTFILE option.

 -Scott


RE: [Declude.JunkMail] MAILFROM like Imail Test..

2003-12-05 Thread Alejandro Valenzuela
Ok, I didn't notice how easily spam could pass this test.
Thanks Scott.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM like Imail Test..



 Declude MAILFROM test checks only the domain on the MAILFROM address
 But we receive a lot of SPAM with mailfrom like this.
 [EMAIL PROTECTED]
 since hotmail.com is a valid Domain, then the message passes the test

 Is there a test like the Mailfrom of Imail that tests that the
 user really exists on the remote server ??

No.  The problem is that such a test is very resource intensive -- 
specifically, it will use about 10 times as much bandwidth as the MAILFROM 
test, and will often have false negatives (E-mail addresses that do not 
exist, but pass the test), and occasional false positives (E-mail addresses 
that do exist, but fail the test).  Also, it will delay the delivery of the 
E-mail by anywhere from several seconds to a minute or so (lots of 
mailservers take a long time to respond to commands), as there are about 8 
round trips that need to be made rather than just 1 -- and those round 
trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the 
return address.  If everyone plays this game, then your mailserver is going 
to receive thousands to millions of hits in a very short period of time, 
causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

-Scott
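The trade-offs in Scott's quoted reply, shown as an added offline simulation (not code from Declude or IMail): a sender callback is a multi-step SMTP exchange rather than one DNS question, a catch-all server lets a nonexistent address pass, and a server that answers with a temporary failure makes a real address fail. The domains, users and reply texts are constructed, and the six-step transcript is a simplified model, not a measurement of the round trips Scott counts.

```python
# Added example: offline simulation with constructed servers; no network I/O.

# How each constructed remote domain answers RCPT TO.
REMOTES = {
    "strict.example":   {"users": {"alice"}, "catch_all": False, "tempfail": False},
    "catchall.example": {"users": set(),     "catch_all": True,  "tempfail": False},
    "busy.example":     {"users": {"bob"},   "catch_all": False, "tempfail": True},
}


def rcpt_reply(domain, local_part):
    """Reply the simulated remote server gives to RCPT TO:<local_part@domain>."""
    cfg = REMOTES[domain]
    if cfg["tempfail"]:
        return "451 4.7.1 please try again later"
    if cfg["catch_all"] or local_part in cfg["users"]:
        return "250 2.1.5 recipient ok"
    return "550 5.1.1 user unknown"


def domain_only_check(address):
    """MAILFROM-style test: one DNS question about the domain, nothing else."""
    domain = address.rsplit("@", 1)[1].lower()
    exists = domain in REMOTES
    transcript = [("DNS MX? " + domain, "mx." + domain if exists else "NXDOMAIN")]
    return exists, transcript


def callback_verify(address, our_host="mx.receiver.example"):
    """Callback test: talk SMTP to the sender's server and ask about the user.

    Returns (passed, transcript); transcript is a list of (we send, they reply).
    Anything other than a 250 to RCPT TO counts as a failure (naive policy).
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain not in REMOTES:
        return False, [("DNS MX? " + domain, "NXDOMAIN")]
    mx = "mx." + domain
    transcript = [
        ("DNS MX? " + domain, mx),
        ("(connect to %s:25)" % mx, "220 %s ESMTP" % mx),
        ("HELO " + our_host, "250 " + mx),
        ("MAIL FROM:<>", "250 2.1.0 sender ok"),
        ("RCPT TO:<%s>" % address, rcpt_reply(domain, local_part)),
        ("QUIT", "221 2.0.0 bye"),
    ]
    rcpt_answer = transcript[4][1]
    return rcpt_answer.startswith("250"), transcript


if __name__ == "__main__":
    cases = [
        ("alice@strict.example", "exists"),
        ("nobody@strict.example", "does not exist"),
        ("nobody@catchall.example", "does not exist (catch-all accepts it)"),
        ("bob@busy.example", "exists (server tempfails)"),
    ]
    for address, truth in cases:
        passed, transcript = callback_verify(address)
        print("%-26s truth: %-38s callback: %s, %d exchanges"
              % (address, truth, "PASS" if passed else "FAIL", len(transcript)))
    print("domain-only exchanges:", len(domain_only_check("alice@strict.example")[1]))
```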


RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Markus Gufler

 Yes...
 
 Like a filter file:
 
 REVDNS -20 ENDSWITH .amazon.com
 
 I put the period before Amazon to just make sure no funky 
 domain like .spamamazon.com can get through.


Hmmpfff

I hoped already that that could be a reason for unlimited IPBYPASS
entries...  ;-)

Markus 




[Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread David Sullivan

I want to use Sniffer to whitelist messages that would fail other
Declude tests, not just Sniffer alone AND I want to retain the
original Sniffer failure code if the message did fail Sniffer.

So here's where I'm headed.

Keep my single Sniffer weighted test for spam detection and add this
(per Scott's recommendation):

SNIFFER-WHITELIST externalplus P:\IMail\Declude\Sniffer\LicenseID.exe AuthenticationCode

To do this, I will have my Sniffer rule base re-coded to return a 1 on
my custom whitelists instead of a 0.  With externalplus, 1 indicates
Whitelist.

Based on my reading of the last sniffer thread, this will not cause
degradation in performance because Declude is smart enough to only
call sniffer once for multiple tests, but

1. What if the tests are different types, in this case external and
externalplus?

2. What performance impact is there in adding the additional action?

4. If the message gets my subject line modification because it fails
weighting, but is whitelisted per the new external plus test, will
that negate the action on weighting?  If so, should I also give the
externalplus test weights like this:

-200 0

3. Anyone see any problems with this scenario?
  

-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



[Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Hello, All,
I am trying to learn a little bit about the ROUTETO action and I can't seem
to get it to work as expected.  I am using DJM Pro.

My current DELETE weight is 40.  In the per-domain $default$.junkmail
files for two of my highest spam volume domains I changed the action from
DELETE to ROUTETO myuser@hotmail.com (both without the quotes).  I
expected messages which were previously being deleted by my DJM
configuration to start showing up in my Hotmail inbox but I'm not receiving
anything there.

As a test I switched the address listed after the ROUTETO action from
myuser@hotmail.com to one of the e-mail addresses I have on the local
IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
up immediately.

Does anyone know why if I used an externally hosted e-mail after the ROUTETO
action that I wouldn't get the e-mail but if I used an e-mail address hosted
on my local e-mail server that I would?  Perhaps this doesn't have anything
to do with it being external but instead it's just a Hotmail issue?

Here are the relevant entries from my GLOBAL.CFG...
-
WEIGHT-DELETE  weight  x x 40 0
-

Here are the relevant entries from one of my $default$.junkmail files...
-
WEIGHT-DELETE  ROUTETO [EMAIL PROTECTED]
-

Here are the entries from my DJM log file for a message which did NOT show
up at my Hotmail account...
-
12/05/2003 11:21:24 Qb07f13c SPAMCOP:7 SBL:5 NOABUSE:2 NOPOSTMASTER:1
BASE64:4 HELOBOGUS:6 REVDNS:4 SPAMHEADERS:3 CBL:5 CSMA-SBL:5 SPAMDOMAINS:10
.  Total weight = 52
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL
(http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P
has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a
MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [420f].). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL
(http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com'
found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].).
Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c R1 Message OK
12/05/2003 11:21:24 Qb07f13c Using [incoming] CFG file
d:\iMail\Declude\american-apex.com\$default$.junkmail.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see
http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL
(http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting
[EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or
HTML section was found in this E-mail.). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P
has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a
MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers
consistent with spam [420f].). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed CATCHALLMAILS (). Action=COPYTO.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches
or exceeds the limit of 40.). Action=ROUTETO.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see
http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL
(http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com'
found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].).
Action=WARN.
12/05/2003 11:21:24 Qb07f13c L2 Message OK
12/05/2003 11:21:24 Qb07f13c Subject: Buy Valium Cheap
12/05/2003 11:21:24 Qb07f13c From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED]  IP: 202.102.142.58 ID:
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE.
-

Thanks,
Dan Geiser

Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Kami,
What is the name of the filter file that you have entries of those type in?

Thanks,
Dan

- Original Message - 
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


 Yes...

 Like a filter file:

 REVDNS -20 ENDSWITH .amazon.com

 I put the period before Amazon to just make sure no funky domain like
 .spamamazon.com can get through.

 Regards,
 Kami



Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Dan Geiser
Scott,
Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
REVDNS?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:07 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses



 Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

 Only the WHITELIST FROM lines can be moved out of the global.cfg file.

 -Scott


Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Hosting Support
I'm not sure if everyone has heard, but IronPort bought SpamCop.  It's
likely that they're fiddling with it.  There's an article on Slashdot from
Wednesday about it.

http://yro.slashdot.org/article.pl?sid=03/12/03/2016218&mode=thread&tid=111&tid=126&tid=137&tid=187

Personally, after seeing so many FPs as a result of SpamCop weighting, I
stopped using it a year ago.

Darin.


- Original Message - 
From: Dan Geiser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:10 AM
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


Hello, All,
Has anyone noticed in the last few days that the IP addresses of a lot of
legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
a few others.  Does anyone think it's possible that SPAMCOP's databases are
being gamed by Spammers by submitting lots of e-mails with legit IP
addresses and pretend that they came across as spam?  Or maybe there are
uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
representative of spam?  Or even that IronPort's purchase of SPAMCOP has
somehow affected the way that they do things?

Just curious.  These legit IPs showing up on SPAMCOP are really throwing
lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]



Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread R. Scott Perry

Do you have plans to offer offloading for WHITELIST HELO and WHITELIST
REVDNS?

Not at this time, simply because we can't envision there being a need for
200 such entries.  :)

However, the WHITELIST limit is something that comes up frequently, so it 
is quite possible that more changes will be made to allow for more 
WHITELIST entries.

   -Scott


Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

As a test I switched the address listed after the ROUTETO action from
myuser@hotmail.com to one of the e-mail addresses I have on the local
IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
up immediately.

What version of Declude JunkMail are you running (\IMail\Declude -diag
from a command prompt will show you)?  With versions before 1.67, the
ROUTETO action would not work on outgoing E-mail.

   -Scott


Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Hello, Scott,
We are running Declude v1.75.

Any ideas?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:25 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working



 As a test I switched the address listed after the ROUTETO action from
 myuser@hotmail.com to one of the e-mail addresses I have on the local
 IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing
 up immediately.

 What version of Declude JunkMail are you running (\IMail\Declude -diag
 from a command prompt will show you)?  With versions before 1.67, the
 ROUTETO action would not work on outgoing E-mail.

 -Scott


RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

2003-12-05 Thread Kami Razvan
Dan:

FILTER-REVDNS filter C:\IMail\Declude\Filters\IMail_Filter_REVDNS.txt x 0 0

This is our Global entry for the file.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami,
What is the name of the filter file that you have entries of those type in?

Thanks,
Dan

- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


 Yes...

 Like a filter file:

 REVDNS -20 ENDSWITH .amazon.com

 I put the period before Amazon to just make sure no funky domain like
 .spamamazon.com can get through.

 Regards,
 Kami


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
 Sent: Friday, December 05, 2003 10:39 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

 Kami:
 I've been taking a look at your configuration files every few weeks and
 based on what I saw there a couple of months ago, I also started
 WHITELISTing based on Reverse DNS and HELO a few months back.  So there's
 probably many I'm not seeing as flagged by SPAMCOP because of the whitelist.
 It just so happened that the 3 I listed had not been whitelisted.  I know
 that whitelisting will fix the problems but I also know that there is
 definitely something up with SPAMCOP.

 Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG
 file?  Is that 100 each for REVDNS and HELO or 100 total?  Is there anyway
 to go past that limit and/or else offload those into a separate file?

 How do you do the negative Reverse DNS entries?  Is that just by using the
 FILTER test?

 Thanks,
 Dan

 - Original Message -
 From: Kami Razvan [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, December 05, 2003 10:24 AM
 Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses


  Dan:
 
  We made a decision a long time ago to whitelist REVDNS of all the folks you
  had listed.
 
  We now have two REVDNS negative files.
 
  1:  Whitelist as entered in the Global.cfg (I only hope one day Scott moves
  these entries to their own files).
 
  2:  Negative reverseDNS files that adds negative weight to the ones that are
  legitimate and used by our users.
 
  That took care of a lot of problems..
 
  Regards,
  Kami
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
  Sent: Friday, December 05, 2003 10:10 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
 
  Hello, All,
  Has anyone noticed in the last few days that the IP addresses of a lot of
  legitimate e-mailers are showing up on SPAMCOP's blocklists?  Specifically
  I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and
  a few others.  Does anyone think it's possible that SPAMCOP's databases are
  being gamed by Spammers by submitting lots of e-mails with legit IP
  addresses and pretend that they came across as spam?  Or maybe there are
  uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as
  representative of spam?  Or even that IronPort's purchase of SPAMCOP has
  somehow affected the way that they do things?
 
  Just curious.  These legit IPs showing up on SPAMCOP are really throwing
  lots of False Positives in my weighting system.
 
  Thanks,
  Dan
  [EMAIL PROTECTED]
 

Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Bill Landry
I must have missed something along the way.  What is externalplus?

Bill
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:06 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer



 Based on my reading of the last sniffer thread, this will not cause
 degradation in performance because Declude is smart enough to only
 call sniffer once for multiple tests, but
 
 1. What if the tests are different types, in this case external and
 externalplus?

 That's not a problem.  The test will still only be run once.  If the test
 has been run before in the same way (same program name and parameters), it
 will not be run again, regardless of whether it is defined as external or
 externalplus.

 If the program is called in a different way (with different parameters, for
 example), then it will be run again.

 2. What performance impact is there in adding the additional action?

 There should be very little degradation in performance.  It should not be
 noticeable.

 4. If the message gets my subject line modification because it fails
 weighting, but is whitelisted per the new external plus test, will
 that negate the action on weighting?

 That is correct.  When an E-mail is whitelisted, it is forced to pass all
 the spam tests, so no action will be taken.

 -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread R. Scott Perry

I must have missed something along the way.  What is externalplus?

It's a test type that lets you run an external test that can do more
than a standard test.  Instead of returning an exit code that designates
pass/fail or a weight to use, it can return codes to tell Declude JunkMail
to do specific things.  Right now, an exit code of 1 will whitelist an
E-mail.  Exit codes of 2-9 are reserved for future use, as needed.

   -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Bill Landry
Nevermind, guess I should have checked the manual before sending...  ;-)

Bill
- Original Message - 
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:48 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer


 I must have missed something along the way.  What is externalplus?

 Bill
 - Original Message - 
 From: R. Scott Perry [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, December 05, 2003 9:06 AM
 Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer


 
  Based on my reading of the last sniffer thread, this will not cause
  degradation in performance because Declude is smart enough to only
  call sniffer once for multiple tests, but
  
  1. What if the tests are different types, in this case external and
  externalplus?
 
  That's not a problem.  The test will still only be run once.  If the test
  has been run before in the same way (same program name and parameters), it
  will not be run again, regardless of whether it is defined as external or
  externalplus.
 
  If the program is called in a different way (with different parameters, for
  example), then it will be run again.
 
  2. What performance impact is there in adding the additional action?
 
  There should be very little degradation in performance.  It should not be
  noticeable.
 
  4. If the message gets my subject line modification because it fails
  weighting, but is whitelisted per the new external plus test, will
  that negate the action on weighting?
 
  That is correct.  When an E-mail is whitelisted, it is forced to pass all
  the spam tests, so no action will be taken.
 
  -Scott


Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

We are running Declude v1.75.

Any ideas?

The next step would be to check the IMail SMTP log file to see what it says.

If that doesn't provide enough information, the debug mode would be the 
next step.

   -Scott


RE: [Declude.JunkMail] Finding reason for white list

2003-12-05 Thread Keith Purtell
This mystery turned out to be postmaster error. We had white listed our own
domain name (I know some people don't think that's a good idea), and
neglected to include the @ symbol. So incoming mail appeared to be white
listed because a spammer was sending us garbage from [EMAIL PROTECTED].
I'm posting this embarrassing fact for the benefit of anyone who encounters
a similar problem.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
 Sent: Monday, December 01, 2003 5:31 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Finding reason for white list



   What is the exact message in the E-mail headers saying that
   it was whitelisted?
 
 X-Tests-Failed: Whitelisted
 
  
   Are you using WHITELIST AUTH or AUTOWHITELIST?
 
 No and yes. In the case of the particular user whose incoming mail I
 extracted the spam from, none of the spammer addresses were in her
 address book. I also checked her AutoWhite list.

 This looks like a case for the DEBUG mode.

 To use the debug mode, you can change the LOGLEVEL LOW line in
 \IMail\Declude\global.cfg to LOGLEVEL DEBUG.  Then, after this problem
 occurs again, you can then switch back to LOGLEVEL LOW (the debug mode
 adds huge amounts of information to the log file).  You can then E-mail me
 the \IMail\spool\dec.log file (as an attachment, NOT sent from web
 messaging), and I can take a look at it to see what is happening.

 -Scott
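
The two matching pitfalls raised in this thread (the leading period in the `REVDNS -20 ENDSWITH .amazon.com` filter line, and a whitelist entry for the local domain entered without the `@`), as an added Python example that is not code from the list or from Declude. The suffix and substring semantics are modelled assumptions, `example.org` stands in for the local domain, and all hostnames and addresses are constructed.

```python
# Added illustration; not Declude code. Match semantics are modelled assumptions.

def endswith_match(rdns: str, suffix: str) -> bool:
    """ENDSWITH-style test on a reverse-DNS name, case-insensitive."""
    return rdns.rstrip(".").lower().endswith(suffix.lower())


def contains_match(sender: str, entry: str) -> bool:
    """Loose test: the entry may appear anywhere in the sender address."""
    return entry.lower() in sender.lower()


def domain_match(sender: str, domain: str, subdomains: bool = False) -> bool:
    """Anchored test: the text after the last '@' must equal the domain."""
    local, at, host = sender.strip().lower().rpartition("@")
    if not at or not local or not host:
        return False
    host = host.rstrip(".")
    domain = domain.lower().strip(".")
    if host == domain:
        return True
    return subdomains and host.endswith("." + domain)


# Constructed reverse-DNS names built on the domains named in the thread.
RDNS_SAMPLES = ["mail-out.amazon.com", "smtp.spamamazon.com", "amazon.com"]

# Constructed sender addresses; example.org stands in for the local domain.
SENDER_SAMPLES = [
    "alice@example.org",
    "offers@not-example.org.invalid",
    "offers@example.org.invalid",
    "example.org@bulk.invalid",
]


def rdns_report(names=RDNS_SAMPLES):
    """Map each name to (match without leading dot, match with leading dot)."""
    return {n: (endswith_match(n, "amazon.com"), endswith_match(n, ".amazon.com"))
            for n in names}


def sender_report(senders=SENDER_SAMPLES, domain="example.org"):
    """Map each sender to (bare-domain substring, '@domain' substring, anchored)."""
    return {s: (contains_match(s, domain),
                contains_match(s, "@" + domain),
                domain_match(s, domain))
            for s in senders}


def false_accepts(report, column):
    """Entries a loose rule accepts that the strictest rule (last column) rejects."""
    return sorted(k for k, row in report.items() if row[column] and not row[-1])


if __name__ == "__main__":
    for name, row in rdns_report().items():
        print(f"{name:32} no-dot={row[0]!s:5} dot={row[1]!s:5}")
    for sender, row in sender_report().items():
        print(f"{sender:32} bare={row[0]!s:5} at={row[1]!s:5} anchored={row[2]!s:5}")
    print("bare-domain false accepts:", false_accepts(sender_report(), 0))
    print("'@domain' false accepts:  ", false_accepts(sender_report(), 1))
```

The dotted suffix stops matching the bare `amazon.com` name, so a host whose reverse DNS is exactly the domain needs its own entry. Sender addresses are unauthenticated, so even the anchored rule accepts mail that forges the local domain.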




RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread T. Bradley Dean
v1.75

~Brad 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 5:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Help with 'fromfile'



And this in junkmail_blockedsendrs.cfg:

sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam

I do see BLOCKEDSENDERS firing for other things, but not for this. I'm 
assuming my error is in junkmail_blockedsenders.cfg, right? Should I 
change it to @cooldude.sweet-n-sour.com and just hope they don't send 
from other sub-domains?

What version of Declude are you running (\IMail\Declude -diag from a
command prompt will show you)?  I believe there was a version that had a
problem if the return address was more than 32 characters long, which it is
in this case.

-Scott


RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread R. Scott Perry

And this in junkmail_blockedsendrs.cfg:

sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam

I do see BLOCKEDSENDERS firing for other things, but not for this. I'm
assuming my error is in junkmail_blockedsenders.cfg, right? Should I
change it to @cooldude.sweet-n-sour.com and just hope they don't send
from other sub-domains?

In this case, it's time for the debug mode.  To use the debug mode, you can
change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL 
DEBUG.  Then, after an E-mail gets through that should have failed the 
BLOCKEDSENDERS test, you can then switch back to LOGLEVEL LOW (the debug 
mode adds huge amounts of information to the log file).  You can then send 
me the \IMail\spool\dec.log file (as an attachment, NOT sent from web 
messaging), and I can take a look at it to see what is happening.

   -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread David Sullivan
Hello David,

Friday, December 5, 2003, 11:44:41 AM, you wrote:

DS 3. Anyone see any problems with this scenario?

Ok, I'll answer my own question.  In thinking about this more, this
isn't going to work.

If I recode my rule base to return a 1 instead of 0 on whitelist, then
the original sniffer test will interpret the 1 as a spam, then the
externalplus test will interpret the 1 as whitelist and override the
sniffer external test.

So, I still lose the original reason for sniffer failure since sniffer
will always be returning a 1, right?




-- 
Best regards,
 David  mailto:[EMAIL PROTECTED]



[Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
Hello,

Is anyone familiar with a product called Spam Lion.  It's too pricey for my 
organization, but it seems to do the following:

Upon receipt of incoming email it checks to see if the sender is
authorized.  If the sender is authorized, the message is passed along to
the intended recipients.  If the sender is not authorized, the message is
quarantined and the sender is notified by email and asked to perform a 1
time registration.  Presumably the quarantine spool is automatically
cleaned on a recurring basis.

Is it possible to do something similar with Declude?

Thanks,
Burzin
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] Whitelistfile options question

2003-12-05 Thread R. Scott Perry

I read through the new Junkmail manual (I know, shocking).

This line in the manual prompted this question:
Note the file you use with the WHITELISTFILE option does NOT use the same
format as the WHITELIST entries in the global.cfg file.
Does the WHITELISTFILE option support subdomains? i.e. .example.com?

Yes, it does.

   -Scott


Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

Is anyone familiar with a product called Spam Lion.  It's too pricey for
my organization, but it seems to do the following:

Upon receipt of incoming email it checks to see if the sender is
authorized.  If the sender is authorized, the message is passed along to
the intended recipients.  If the sender is not authorized, the message is
quarantined and the sender is notified by email and asked to perform a 1
time registration.  Presumably the quarantine spool is automatically
cleaned on a recurring basis.

That is called challenge/response, and has many, many drawbacks.  In
short, you end up becoming a spammer, and your users end up losing a lot of
mail.

Even if our customers convinced us that it would be a worthwhile action in 
Declude JunkMail, someone decided to buy a patent for it, so it would 
likely cost a large amount of money to take on such a test.

   -Scott


RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread brian

Actually what Chris was *supposed* to say was that the gateway version of
Alligate does a much better job than the Declude version, not Declude itself.
The Declude version is now outdated and had not been updated for several
months. The Declude version was not dumped however it is not currently
available. We won't offer something for sale unless it is the best we can do.

We got in a couple of new copies of IMail last week so we can set up new test
platforms. We have been unable to test the Declude version because our gateway
now handles all incoming mail and there is no spam coming into our mail
servers to test. The new test platforms will allow us to move some domains out
of the normal loop and we will be able to update the Declude version again
(shortly we hope).

Brian
 
On 12/04/03 4:34pm you wrote...
I *believe* I spoke to Chris.  If it wasn't dump it was drop.  I didn't 
interpret this as negative statement,
just friendly marketing or another opinion among many. I don't think Chris 
intended this as a put down.
Just an opinion on a competing product.  You'd hardly expect the person 
answering the sales line to say
anything else.

What I am certain about was that I was told that Alligate would do a better 
job (albeit as its own Gateway)
than Declude at blocking spam.

If I've offended or misunderstood anyone, please feel free to correct me.

Thanks,
Burzin

At 03:51 PM 12/4/2003, you wrote:
Was the exact phrase Dump Declude used? If so, who did you speak with?

Yes, SpamManager is Alligate is NOXMail. (Original name.)

They have made a business decision and I hope them all the luck, as they
are
doing very well.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Robert Grosshandler

Brian wrote - 


The new test platforms will allow us to move some domains out of the normal
loop and we will be able to update the
Declude version again (shortly we hope).

For those of us who use the Declude version of Alligate (alongside Sniffer)
we hope that's soon!  It is great having two full-featured engines that let
us rest comfortably if we delete e-mail without inspection.  If both engines
agree that something is spam, it is probably spam!

Rob

www.iGive.com
Turn your holiday shopping into cash for your cause.




RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Kami Razvan
Upon receipt of incoming email it checks to see if the sender is 
authorized.  If the sender is authorized, the message is passed along 
to the intended recipients.

PLEASE RECONSIDER..

Challenge response systems are killing us ..

Your users will lose a lot of email specially if they shop online.

Right now we are having a very difficult time with Earthlink's challenge
response and our online receipts being sent to donors.  Every single email
has to be manually attended to ..

I have sent several messages to companies like Earthlink and suggested to
them the idea of creating a universal whitelist for online systems that
generate receipts automatically.. If this is not attended to or looked into
either online commerce has to die or challenge response.

Regards,
Kami



[Declude.JunkMail] New phishing..

2003-12-05 Thread Kami Razvan



Hi;

We just got the following: - a Phishing attempt.

Actually quite interesting.. I clicked on the link to see where it goes. It
goes to the actual Visa site but a small window pops up and asks for your visa
and various other info for verification.

If only they could use their talents elsewhere..

=

Received: from 81.15.163.193 [81.15.163.193] by foroosh.com
  (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service [EMAIL PROTECTED]
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service [EMAIL PROTECTED]
Organization: Visa International Service
X-Priority: 3 (Normal)
To:
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED]
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED]: Message failed [EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned  filtered by Declude [1.77] for SPAM  virus.
X-Weight: 53
X-Note: Sent from Reverse DNS: 163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND-destination
X-RCPT-TO:
Status: U
X-UIDL: 331472220

HTMLHEADTITLESecure 
with Visa/TITLEMETA http-equiv=Content-Type content="text/html; 
charset=iso-8859-1"BODY bgcolor=#ff

table ALIGN=center cellpadding="0" 
cellspacing="0" border="0"trtd

table ALIGN=center cellpadding="0" 
cellspacing="0" border="0"tr width="610"td 
height="118"centerIMG src="">http://www.angelfire.com/tv2/cardvisa3/p_secure_holiday.jpg"/center/td/tr

table ALIGN=center cellpadding="0" 
cellspacing="0" 
border="0"trtdbrbDear 
Customer,brbr

Our latest security system will help you to avoid 
possible fraud actions andbr keep your investments in 
safety.brbr

Due to technical security update you have to 
reactivate your accountbrbr

Click on the link below to login to your updated 
Visa account.brbr

To log into your account, please visit the Visa 
Website at brbr

a href=""http://www.visa.com">http://www.visa.com 
:UserSession=2f6q9uuu88312264trzzz55884495usersoption=SecurityUpdate[EMAIL PROTECTED]/verified_by_visa.html"http://www.visa.com/a

brbr

We respect your time and business.br It's 
our pleasure to serve you.brbrbr/b

Please don't reply to this email. This e-mail was 
generated by a mail handling system.brbrbr

centerIMG src="">http://www.geocities.com/cardvisa3/white_visa_logo.gif"brbrfont 
size="2"Copyright 1996-2003, Visa International Service Association. All 
rights 
reserved./centerbrbr/td/tr/table/td/tr/table/td/tr/table/BODY/HTML
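
The link in the message above shows `http://www.visa.com` to the reader while its href carries a trusted-looking name ahead of a redacted `@` part. The check below flags that pattern in an HTML body; it is an added example, not part of the original post and not one of the Declude filters named in this thread. The sample HTML and the host `collector.example.net` are constructed, since the archive redacted the real destination.

```python
"""Flag anchors whose real destination differs from what the reader sees."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Something that looks like a DNS name, optionally preceded by a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample modelled on the quoted message; the second and third
# links are benign controls.
SAMPLE_HTML = """<html><body>
<p>To log into your account, please visit the Visa Website at</p>
<a href="http://www.visa.com:UserSession=constructed123@collector.example.net/verified_by_visa.html">http://www.visa.com</a>
<a href="http://www.visa.com/">http://www.visa.com</a>
<a href="http://news.example.org/story">Click here</a>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def same_site(a, b):
    """True when one name equals the other or is a subdomain of it."""
    a, b = _norm(a), _norm(b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def inspect_link(href, text):
    """Return (real_host, reasons); reasons is empty for an unremarkable link."""
    try:
        parts = urlsplit(href.strip())
        host = parts.hostname or ""
    except ValueError:
        return "", ["unparseable-href"]
    if parts.scheme not in ("http", "https") or not host:
        return host, []
    reasons = []
    # Everything before the last '@' of the authority is userinfo, which the
    # client does not treat as the destination even if it looks like a hostname.
    userinfo = parts.netloc.rpartition("@")[0]
    if userinfo:
        reasons.append("userinfo-in-url")
        fake = HOST_RE.match(userinfo)
        if fake and not same_site(fake.group(1), host):
            reasons.append("userinfo-imitates-host")
    # The visible text names one host while the href goes to another.
    shown = HOST_RE.search(text)
    if shown and not same_site(shown.group(1), host):
        reasons.append("text-host-mismatch")
    return host, reasons


def scan_html(html):
    """Return one finding per suspicious anchor in an HTML message body."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        host, reasons = inspect_link(href, text)
        if reasons:
            findings.append({"real_host": host, "shown": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```
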





RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Darrell LaRock

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics

snip
our gateway now handles all incoming mail and there is no spam coming into
our mail servers to test. The new test platforms will allow us to move some
domains 
/snip

So are you saying your product when used as a gateway is 100% effective at
removing spam?  Nothing slips through

Darrell



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Combined with a weighting scheme it IS a worthwhile option.

Currently, our options are BOUNCE (or now that ridiculous renamed version
of the same action) - which means a FALSE positive will receive a notice and
now has to contact us manually to address the false positive status.

Or we DELETE - and have nightmares about possible false positives.

If Declude had a VALIDATE action (for emails that normally would BOUNCE or
DELETE or HOLD), then those highly questionable mails would simply get an
email (not any worse than using BOUNCE!) but at least the 0.1% of false
positives could help themselves.

The end-result for Declude users - we could much more worry-free VALIDATE
emails that otherwise we would have to pass.  Less Spam would get through
(due to higher threshold).  False positives would not require the sys-admin
to scan through Held mail - but instead the responsibility would be back
in the lap of the sender who used an implicated mail server.

Sorry - I really don't see why this is not a highly desirable feature and
how this would create spam that the WARN or BOUNCE action don't
generate already!?

Best Regards
Andy



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

Sorry - I really don't see why this is not a highly desirable feature and
how this would create spam that the WARN or BOUNCE action don't
generate already!?

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmations addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott


Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

2003-12-05 Thread Pete McNeil
I'm not sure I'm following you... but I think what you might need is an 
additional license. Suppose you create one rulebase that will contain only 
your white rules. Then leave the normal sniffer rulebase alone. The small 
rulebase with the white rules will be so small as to require nearly no 
additional processing power. You would have your white rules, and you would 
retain any black rules that matched as well.

An alternative while still using a single rulebase is to parse the log file 
for the details with an additional utility. Message Sniffer can only return 
a single numeric result, but it records all of the rules that matched.

Hope this helps,
_M
At 02:02 PM 12/5/2003, you wrote:
Hello David,

Friday, December 5, 2003, 11:44:41 AM, you wrote:

DS 3. Anyone see any problems with this scenario?

Ok, I'll answer my own question.  In thinking about this more, this
isn't going to work.
If I recode my rule base to return a 1 instead of 0 on whitelist, then
the original sniffer test will interpret the 1 as a spam, then the
externalplus test will interpret the 1 as whitelist and override the
sniffer external test.
So, I still lose the original reason for sniffer failure since sniffer
will always be returning a 1, right?


--
Best regards,
 David  mailto:[EMAIL PROTECTED]


Re: [Declude.JunkMail] New phishing..

2003-12-05 Thread Matthew Bramble
Kami,

I noticed that the [EMAIL PROTECTED] filter got tripped without the @LINKED 
filter.  Please download a more recent copy from my site.  This 
obviously shouldn't be happening.

Matt



Kami Razvan wrote:

Hi;
 
We just got the following: - a Phishing attempt.
 
Actually quite interesting.. I clicked on the link to see where it 
goes.  It goes to the actual Visa site but a small window pops up and 
asks for your visa and various other info for verification.
 
If only they could use their talents elsewhere..
 
=
 
Received: from 81.15.163.193 [81.15.163.193] by foroosh.com
  (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Organization: Visa International Service
X-Priority: 3 (Normal)
To:  mailto:[EMAIL PROTECTED]
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail 
client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL 
test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test 
(line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test 
(line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]: Message failed 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned  filtered by Declude [1.77] for SPAM 
 virus.
X-Weight: 53
X-Note: Sent from Reverse DNS:  163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, 
FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND-destination
X-RCPT-TO:  mailto:[EMAIL PROTECTED]
Status: U
X-UIDL: 331472220
 




RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
I didn't know that concept was patented.  It seems pretty old to me-- halt 
who goes there?
Anyway I did some research, and here's what I found:

Here are some links... read if you are interested:

http://www.cleanmymailbox.com/mailblocks.html -- links to patent 
infringement issue
http://www.geocities.com/spamresources/filter-cr.htm

Burzin



At 02:29 PM 12/5/2003, you wrote:
But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Patent Number?

Many patents exist and seem to be broad.  But often, upon close
examination, the claims may be much narrower than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication with
the examiner may have further narrowed the scope.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 03:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality



Sorry - I really don't see why this is not a highly desirable feature 
and how this would create spam that the WARN or BOUNCE action 
don't generate already!?

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmations addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

-Scott


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread John Tolmachoff \(Lists\)
FYI, I have filters set to look for those challenge/response messages and
add a high weight. :)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
 Sent: Friday, December 05, 2003 12:01 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Spam Lion Functionality
 
 Don't worry Kami and others...
 
 Even if I implemented something similar, I never envisioned deploying it
 domain-wide or relying upon it
 as a single test.  Instead I envisioned deploying it for selected
 users--  I wouldn't have even asked if a key user hadn't
 requested this.
 
 In our organization, the bulk of the email traffic seems to be within the
 domain itself, so it may have worked for us
 
 Oh well
 
 Burzin
 
 
 
 
 
 At 01:30 PM 12/5/2003, you wrote:
  Upon receipt of incoming email it checks to see if the sender is
  authorized.  If the sender is authorized, the message is passed along
  to the intended recipients.
 
 PLEASE RECONSIDER..
 
 Challenge response systems are killing us ..
 
 Your users will lose a lot of email specially if they shop online.
 
 Right now we are having a very difficult time with Earthlink's challenge
 response and our online receipts being sent to donors.  Every single
 email
 has to be manually attended to ..
 
 I have sent several messages to companies like Earthlink and suggested to
 them the idea of creating a universal whitelist for online systems that
 generate receipts automatically.. If this is not attended to or looked
 into
 either online commerce has to die or challenge response.
 
 Regards,
 Kami
 
 --
 Burzin Sumariwalla   Phone: (314) 994-9411 x291
 [EMAIL PROTECTED]  Fax:   (314) 997-7615
Pager: (314) 407-3345
 
 Networking and Telecommunications Manager
 Information Technology Services
 St. Louis County Library District
 1640 S. Lindbergh Blvd.
 St. Louis, MO  63131
 


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread R. Scott Perry

Patent Number?

6,199,102.  To view it, you can go to 
http://patft.uspto.gov/netahtml/srchnum.htm and enter 6,199,102 there.

For a bit of background, you can go to 
http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm 

claims may be much narrower than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication with
the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue.  Patent law 
isn't simple.

FWIW, a number of people have tried to find prior art, and were 
unable.  Extensive searches?  Probably not.  But a number of anti-spam 
people tried and were unable to.

   -Scott


Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Matthew Bramble
This just needs to be tested in court I would imagine.  The patent 
office has been known to issue patents recently on things such as 
swinging on a swing and peanut butter and jelly sandwiches.  This 
doesn't sound like it is revolutionary in any way shape or form and it 
is quite easy to develop with existing tools.  One could get this to 
function with Declude in just a day of work for instance.

Personally I favor the idea of digest notifications with the ability to 
retrieve and/or whitelist messages that might have been blocked.  BTW, 
that idea is copyrighted by Matthew Bramble, all rights reserved, and 
I'd patent it also if I wanted to be a complete jerk :)

Matt



Andy Schmidt wrote:

Patent Number?

Many patents exist and seem to be broad.  But often, upon close
examination, the claims may be much narrower than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to determine
the outcome of prior art searches to see if subsequent communication with
the examiner may have further narrowed the scope.
Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
http://www.HM-Software.com/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 03:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality


 

Sorry - I really don't see why this is not a highly desirable feature 
and how this would create spam that the WARN or BOUNCE action 
don't generate already!?
   

It doesn't create more spam than BOUNCE -- it creates the exact same 
amount.  But that's the problem.  Instead of 1,000 E-mails to you being 
blocked as spam, if the spammer chooses my E-mail address to use as the 
return address, you'll now get 0 spams -- but I'll get 1,000.  Less 
annoying spams, yes, but spam nonetheless.  And actually harder to deal 
with, since they come from your server (so they are much less likely to get 
caught), and I have to verify that the bounce messages aren't for E-mails I 
sent.

Yes, if you set it up well -- not requiring verifications for E-mails that 
have a low weight (probably legit; mail that wouldn't otherwise be blocked) 
and not requiring them for E-mails with a high weight (almost certainly 
spam) -- it could be useful, with minimal collateral damage.  But even so, 
there's the problem with mailing lists, and the temptation to block a bit 
more spam by requiring confirmations on lower weights (for example, if 
someone asks me for free advice, they are likely to get it -- but not if 
they block my mail or require a confirmation, since just about everything 
under our control is set up perfectly from an anti-spam perspective, and 
responding to confirmations is a nuisance, and may not even work).  Then, 
there's the spammers (aka SpamArrest) that harvest confirmations addresses 
and sell them to spammers, and the spammers that send pretend confirmations 
to get people to their websites -- these make it less likely legit people 
will confirm.

But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott
 





RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread John Tolmachoff \(Lists\)
 Actually what Chris was *supposed* to say was that the gateway version of
 Alligate does a much better job than the Declude version, not Declude
 itself.

Thanks for the clarification Brian.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread Bill Landry
This is great news, Brian!  Thanks for continuing to support the Declude
version of Alligate.

Bill
- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:18 AM
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics



 Actually what Chris was *supposed* to say was that the gateway version of
 Alligate does a much better job than the Declude version, not Declude
itself.
 The Declude version is now outdated and had not been updated for several
 months. The Declude version was not dumped however it is not currently
 available. We won't offer something for sale unless it is the best we can
do.

 We got in a couple of new copies of IMail last week so we can set up new
test
 platforms. We have been unable to test the Declude version because our
gateway
 now handles all incoming mail and there is no spam coming into our mail
 servers to test. The new test platforms will allow us to move some domains
out
 of the normal loop and we will be able to update the Declude version again
 (shortly we hope).

 Brian

 On 12/04/03 4:34pm you wrote...
 I *believe* I spoke to Chris.  If it wasn't dump it was drop.  I
didn't
 interpret this as negative statement,
 just friendly marketing or another opinion among many. I don't think
Chris
 intended this as a put down.
 Just an opinion on a competing product.  You'd hardly expect the person
 answering the sales line to say
 anything else.
 
 What I am certain about was that I was told that Alligate would do a
better
 job (albeit as its own Gateway)
 than Declude at blocking spam.
 
 If I've offended or misunderstood anyone, please feel free to correct me.
 
 Thanks,
 Burzin
 
 At 03:51 PM 12/4/2003, you wrote:
 Was the exact phrase Dump Declude used? If so, who did you speak with?
 
 Yes, SpamManager is Alligate is NOXMail. (Original name.)
 
 They have made a business decision and I hope them all the luck, as they
 are
 doing very well.
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 




Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread Dan Geiser
Scott,
In my initial post about this issue in the section with the entries from the
Declude log file the last entry is...

12/05/2003 11:21:24 Qb07f13c Last action = IGNORE

Does that have anything to do with the fact that the message is not being
sent over to my Hotmail account?  If so, can you tell why the Last action =
ignore?

Also, in your below response, you say debug mode would be the next step.
Are you talking about 'debug mode' for Declude JunkMail?  Do I enable that
by setting the Log Level to Debug in GLOBAL.CFG?

Thanks,
Dan

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:54 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working



 We are running Declude v1.75.
 
 Any ideas?

 The next step would be to check the IMail SMTP log file to see what it
says.

 If that doesn't provide enough information, the debug mode would be the
 next step.

 -Scott
 ---
 Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
 Declude Virus: Catches known viruses and is the leader in mailserver
 vulnerability detection.
 Find out what you've been missing: Ask about our free 30-day evaluation.

 ---
 Sign up for virus-free and spam-free e-mail with Nexus Technology Group
 http://www.nexustechgroup.com/mailscan





RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Hi,

I guess it's worthwhile to see how Earthlink's prior art defense (e.g.,
http://news.com.com/2010-1032_3-1003921.html) will hold up.  I wouldn't
write off this concept, yet.  I've seen this kind of thing pop up and
eventually die more than once (but, certainly, sometimes software patents
turn out to be legit.)

Best Regards
Andy 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
Sent: Friday, December 05, 2003 04:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality


I didn't know that concept was patented.  It seems pretty old to me-- halt 
who goes there?
Anyway I did some research, and here's what I found:

Here are some links... read if you are interested:

http://www.cleanmymailbox.com/mailblocks.html -- links to patent infringement issue
http://www.geocities.com/spamresources/filter-cr.htm

Burzin



At 02:29 PM 12/5/2003, you wrote:
But, the ultimate challenge is the patent.  That means that it would
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

-Scott

--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
   Pager: (314) 407-3345

Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
Oh forgot to add:

http://www.spamwolf.com/patents/prior_art.html  -- prior work on c/r.

Burzin

At 02:29 PM 12/5/2003, you wrote:
But, the ultimate challenge is the patent.  That means that it would 
require either [1] paying royalties to the guy that bought the patent, or 
[2] challenging the patent.  We haven't yet found enough benefit from such 
a test to warrant estimating those costs, given that they are likely to be 
much higher than for any other spam test we've added.

   -Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131  



RE: [Declude.JunkMail] November 2003 Spam Statistics

2003-12-05 Thread brian

Here are the stats for Tuesday. Wednesday and Thursday we were testing some
things and the stats were skewed. This was for our main solidoak.com domain mail
server (general business, not tech support). Our tech support server lets more
spam through, however we can only do limited header type spam checking because
of the type of content the message bodies might contain. People are reporting
porno web sites all the time to our CYBERsitter support accounts.

For Tuesday, there was 1 false positive (Delivery Req) and 4 spams that got
through. So with 5139 incoming connection requests, and 4 spams that got
through, it was 99.92% effective. At least for that day ;) Some days we don't
get any spam, but on bad days as many as 20 may get by. Rarely does any single
user get more than 1. But as you might guess, this level is not much to test
with.

The first set of stats (Alligate Statistics) are from the filtering module
that is similar to the Declude version and will (eventually) be identical.

The second set of stats (Alligate SMTP Daily Statistics) is an overall summary
of delivery. A lot of spam is stopped at the front door by the SMTP service
using the tarpitting and dictionary attack defense mechanisms among others.

Alligate Statistics for: Tue, 02 Dec 2003
Report date: Fri, 05 Dec 2003 01:09pm

  Incoming Msgs:  3173
  Outgoing Msgs:   152
     Total Msgs:  3325

 Est Legit Mail:   696

                        %Inc  %Fld
                  -----------------
     Adult Msgs:   136    4%    5%
      Spam Msgs:  2492   79%   95%
   Total Failed:  2628   83%
Repeat Spammers:  1300   41%   49%
Banned File Att:    20    1%    1%
        Viruses:    14    0%    1%
  Total Deleted:  2208   70%   84%
     Total Held:   420   13%   16%
    Msgs Passed:   160    5%
   Msgs Ignored:   536   16%
   Delivery Req:     1    0%

 Avg Spam Score:    56
Avg Adult Score:    36
 Avg Exit Score:    57

  Avg Proc Time:    48 milliseconds.


Alligate SMTP Daily Statistics for: 12/2/2003

     Incoming connections: 5139
         Valid Recipients: 4106
       Invalid Recipients: 1361
       Messages delivered: 701
       Spammers tarpitted: 557
Tarpit client disconnects: 64
   Connections per minute: 3
    Deliveries per minute: 0

    Overall delivery rate: 14%

   Overall rejection rate: 86%

 
On 12/05/03 2:56pm you wrote...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics

<snip>
our gateway now handles all incoming mail and there is no spam coming into
our mail servers to test. The new test platforms will allow us to move some
domains 
</snip>

So are you saying your product when used as a gateway is 100% effective at
removing spam?  Nothing slips through

Darrell



Re: [Declude.JunkMail] ROUTETO Not Working

2003-12-05 Thread R. Scott Perry

In my initial post about this issue in the section with the entries from the
Declude log file the last entry is...
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE

Does that have anything to do with the fact that the message is not being
sent over to my Hotmail account?  If so, can you tell why the Last action =
ignore?

That's normal.  The Last action line refers to an action that is taken 
after all the recipients have been processed, but the ROUTETO action is 
done before that.

Also, in your below response, you say debug mode would be the next step.
Are you talking about 'debug mode' for Declude JunkMail?  Do I enable that
by setting the Log Level to Debug in GLOBAL.CFG?

Don't worry about that yet -- the IMail SMTP log file entries are the first 
step.

   -Scott


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Scott:

 it would require either [1] paying royalties to the guy that bought the
patent, or [2] challenging the patent.  

Actually - NO.  
The preferred (3rd) option is to obtain a limited, but FREE (or a
$1.00 or other minimal fee) license to use the patented methods.  The terms
of the license are not disclosed - but THEY can show that the patent is
being recognized (by citing another licensee - you) and THEY are doing the
right thing by not stifling spam-fighting.

Don't assume that every license must cost money (in this early stage).  They
may want to go after the BIG guys with the big money and want to garner
support of the small guys.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/



RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

Hi Scott:

I understand - no sense getting involved until EarthLink has invalidated
most of the claims.

I think this is a key quote:

Mailblocks' Goldman admits that there were prior publications, but argues
that at least some portions of his patents remain valid. The patents have
very specific claims in them, Goldman told me. The claims are different
than the types of things people have been doing before. Maybe here and
there, they're the same so not 100 percent of the claims are valid, but many
of them are.

Translated that means - if key claims are eliminated because of prior art,
then the patent may possibly still 'survive' - but everyone will simply
design their own challenge/response systems to mirror the prior art.  The
only thing to avoid are the truly new inventions that are left in the
remaining claims - unless the remaining claims would have been obvious based
on the prior art.


Overall - I'm pretty encouraged by the quality of what has been cited
already:

By Aug. 28, 1997, when Christopher Alan Cobb filed for his patent that
eventually was purchased by Mailblocks, the challenge-response idea had
become commonplace on the Internet: 

Brad Templeton, chairman of the Electronic Frontier Foundation, had written
his Viking-12 CR utility and was using it. Templeton says he'd be delighted
to testify on behalf of EarthLink to help the company invalidate the
Mailblocks patent. 

Over a year earlier, Brent Chapman's majordomo, the popular mailing list
software, included a CR feature. 

A November 1996 post to Usenet's news.admin.net-abuse.usenet newsgroup talks
about a random challenge that is very easy for a human to respond to, but
next to impossible for a computer. Another from January 1997 describes an
e-mail spam block 'bot that was so effective I've received hate mail from
spammers concerning it, and a third post describes a commercial product
called the Deadbolt Personal E-mail Filter. 

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 04:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality



Patent Number?

6,199,102.  To view it, you can go to 
http://patft.uspto.gov/netahtml/srchnum.htm and enter 6,199,102 there.

For a bit of background, you can go to 
http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm
ms may be much narrower) than the casual reader
appreciates.  Also, one has to look at the patent file wrapper to 
determine the outcome of prior art searches to see if subsequent 
communication with the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue.  Patent law 
isn't simple.

FWIW, a number of people have tried to find prior art, and were 
unable.  Extensive searches?  Probably not.  But a number of anti-spam 
people tried and were unable to.

-Scott


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Keith Anderson

<sarcasm>
I love challenge-response systems.  They create revenue opportunities for
knowledgable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through.
</sarcasm>

 Challenge response systems are killing us ..

 Your users will lose a lot of email specially if they shop online.




[Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Colbeck, Andrew
Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
mail.bentall.com
  (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
for snip; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: Snapper S. Perseid [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: snip snip
Subject: [Msg Track# snip]  Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would
be suspect.  In fact, it is heavily listed in static and dynamic ip4r
databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for
lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight
that this phishing spam got through.  So, I'm thinking of renaming my test
to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r
test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)
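
Added example, not part of the original post and not Declude's code: a sketch of why a negative-weight (whitelist) test should look only at the IP that connected to your own server, using the Received lines quoted above. The sets stand in for ip4r lookups; the weights, the hold threshold, the gateway address 192.0.2.10 and every function name are assumptions.

```python
import re
from email import message_from_string

# Headers as quoted in the post (continuation lines re-folded, "snip" kept).
SAMPLE = """\
Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
  mail.bentall.com (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
  by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
  for <snip>; Fri, 05 Dec 2003 00:20:20 -0600
Subject: Your billing profile on ebay.com

body
"""

# Constructed: legitimate mail relayed through our own gateway (hypothetical host).
GATEWAY_SAMPLE = (
    "Received: from gw.example.net [192.0.2.10] by mail.bentall.com; "
    "Fri, 05 Dec 2003 00:20:25 -0800\n"
    "Received: from lore.ebay.com [66.135.195.181] by gw.example.net; "
    "Fri, 05 Dec 2003 00:20:24 -0800\n"
    "Subject: constructed\n\nbody\n"
)

LOCAL_HOSTS = {"mail.bentall.com"}   # servers whose Received lines we wrote ourselves
BYPASS_IPS = {"192.0.2.10"}          # own gateway / backup MX (IPBYPASS-style list)
BLACKLISTED = {"24.87.101.24"}       # stand-in for the ip4r blacklists
WHITELISTED = {"66.135.195.181"}     # stand-in for the bondedsender ip4r list
BLACKLIST_WEIGHT, WHITELIST_WEIGHT, HOLD_WEIGHT = 15, -20, 10   # assumed values

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_hops(raw):
    """Return the Received headers top-down as {'ip': ..., 'by': ...} dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1).lower() if by else None})
    return hops


def connecting_ip(hops):
    """The only IP we can vouch for: the peer recorded by our own server,
    or by a gateway of ours that handed the message over."""
    if not hops or hops[0]["by"] not in LOCAL_HOSTS:
        return None                 # top header not written by us: trust nothing
    for hop in hops:
        if hop["ip"] in BYPASS_IPS:
            continue                # our gateway; the next header is its own record
        return hop["ip"]
    return None


def weigh(raw, *, first_hop_only):
    """Return (connecting IP, total weight, action) for one message."""
    hops = received_hops(raw)
    src = connecting_ip(hops)
    weight = BLACKLIST_WEIGHT if src in BLACKLISTED else 0
    if first_hop_only:
        candidates = [src]
    else:
        # Scanning every hop trusts text the sender could have typed in.
        candidates = [h["ip"] for h in hops if h["ip"] not in BYPASS_IPS]
    if any(ip in WHITELISTED for ip in candidates):
        weight += WHITELIST_WEIGHT
    return src, weight, "HOLD" if weight >= HOLD_WEIGHT else "DELIVER"


if __name__ == "__main__":
    print("all hops  :", weigh(SAMPLE, first_hop_only=False))
    print("first hop :", weigh(SAMPLE, first_hop_only=True))
    print("gateway   :", weigh(GATEWAY_SAMPLE, first_hop_only=True))
```

With the whitelist restricted to the connecting IP, the forged lore.ebay.com line no longer offsets the blacklist hits, while mail that arrives through a bypassed gateway is still credited to the host that delivered it to the gateway.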


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Andy Schmidt

 Your users will lose a lot of email specially if they shop online. 

Again - with a weight-based system, they would not lose any email - as long
as the online shop manages to stay off black-lists, has a valid RDNS, has a
valid Hostname, etc.  Assuming it's tied to a weight-based system, I see
them as a great opportunity to 'tighten the noose' without blocking
legitimate email.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

http://www.HM-Software.com/


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Friday, December 05, 2003 05:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality



<sarcasm>
I love challenge-response systems.  They create revenue opportunities for
knowledgable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through. </sarcasm>

 Challenge response systems are killing us ..

 Your users will lose a lot of email specially if they shop online.




Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

2003-12-05 Thread Matthew Bramble
Andrew,

I think you have a very good idea, in fact, all negative weight tests 
should probably be limited to just the last hop since they are typically 
designed to only apply to the last hop.

It might be a good idea for Scott to limit BONDEDSENDER to the last hop 
by default, and maybe give us another prefix/suffix to use for this 
purpose instead of DYNA or DUL since that might not be easily understood 
by some.

Matt



Colbeck, Andrew wrote:

Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by
mail.bentall.com
 (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
for snip; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: Snapper S. Perseid [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: snip snip
Subject: [Msg Track# snip]  Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
The Shaw Cable address is for a home user and e-mail directly from it would
be suspect.  In fact, it is heavily listed in static and dynamic ip4r
databases, spamdomains, etc. and that would put it well over my hold weight.
The line with lore.ebay.com is entirely fake, but the address for
lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight
that this phishing spam got through.  So, I'm thinking of renaming my test
to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r
test against the first hop.
Does anybody see a problem with doing that?

Andrew 8)
 





Re: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Matthew Bramble
Didn't think of that one.  I guess this goes to the design of the system 
though, and the fact that some clearly haven't considered the looping 
potential.

Matt

Keith Anderson wrote:

<sarcasm>
I love challenge-response systems.  They create revenue opportunities for
knowledgable IT professionals, and they make sure there isn't any unused
bandwidth, especially when two challenge-response systems somehow lose track
of each other and send millions of emails back and forth between each other
until someone notices that their mail server has somehow processed 100
million messages but only allowed 50 through.
</sarcasm>
 

Challenge response systems are killing us ..

Your users will lose a lot of email specially if they shop online.
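
Added example, not part of the thread and not any product's code: a constructed model of the loop described in the quoted message, where two challenge-response systems challenge each other's challenges, and of the guard that stops it. The guard sends challenges with the null envelope sender and an Auto-Submitted header (RFC 3834) and never challenges mail that carries either. The domains, class and function names are assumptions.

```python
from email.message import Message


class CRSystem:
    """One mail domain running challenge-response (constructed model)."""

    def __init__(self, domain, guarded):
        self.domain = domain
        self.guarded = guarded
        self.verified = set()     # senders that already answered a challenge
        self.challenged = set()   # senders with a challenge outstanding

    def make_challenge(self, to_addr):
        """Build the challenge; return (envelope sender, message)."""
        msg = Message()
        msg["From"] = "challenge@" + self.domain
        msg["To"] = to_addr
        msg["Subject"] = "Please confirm your message"
        if self.guarded:
            # Mark the message as automatic and use the null reverse-path,
            # so no well-behaved robot replies to it.
            msg["Auto-Submitted"] = "auto-replied"
            return "", msg
        return "challenge@" + self.domain, msg

    def receive(self, envelope_from, msg):
        """Return (action, challenge); challenge is None or (env_from, msg)."""
        sender = envelope_from.lower()
        if sender in self.verified:
            return "deliver", None
        if self.guarded:
            auto = (msg.get("Auto-Submitted") or "no").strip().lower()
            if sender == "" or auto != "no":
                return "hold", None       # never challenge bounces or robots
            if sender in self.challenged:
                return "hold", None       # one outstanding challenge per sender
        self.challenged.add(sender)
        return "challenge", self.make_challenge(sender)


def simulate(guard_a, guard_b, cap=50):
    """alice@a.example writes to bob@b.example; count challenges exchanged.

    cap stands in for 'until someone notices'."""
    systems = {"a.example": CRSystem("a.example", guard_a),
               "b.example": CRSystem("b.example", guard_b)}
    msg = Message()
    msg["From"], msg["To"], msg["Subject"] = "alice@a.example", "bob@b.example", "hello"
    env_from, target, sent = "alice@a.example", systems["b.example"], 0
    while sent < cap:
        _action, challenge = target.receive(env_from, msg)
        if challenge is None:
            break                          # held or delivered: the exchange ends
        env_from, msg = challenge
        domain = msg["To"].rpartition("@")[2]
        if domain not in systems:
            break                          # addressed to the null sender: undeliverable
        target = systems[domain]
        sent += 1
    return sent


if __name__ == "__main__":
    print("both unguarded:", simulate(False, False))   # runs until the cap
    print("both guarded  :", simulate(True, True))
    print("only A guarded:", simulate(True, False))
```

One guarded side is enough to end the exchange after its own challenge, because the unguarded side has no address to answer.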
   





RE: [Declude.JunkMail] Help with 'fromfile'

2003-12-05 Thread T. Bradley Dean
Aha! Another one hasn't been sent yet, but I think I see it already:

12/05/2003 14:17:34.980 Q03fd3cc fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:17:34.980 Q03fd3cc fromfile: Done with BLOCKEDSENDERS [2 lines
processed]

I had three lines, but only two carriage return line feeds. I think I've
fixed it:

12/05/2003 14:18:09.481 Q041f39c fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:18:09.497 Q041f39c fromfile: Done with BLOCKEDSENDERS [3 lines
processed]

Thanks!

~Brad 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Help with 'fromfile'



 And this in junkmail_blockedsendrs.cfg:
 
 sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
 
 I do see BLOCKEDSENDERS firing for other things, but not for this. 
 I'm assuming my error is in junkmail_blockedsenders.cfg, right? 
 Should I change it to @cooldude.sweet-n-sour.com and just hope they 
 don't send from other sub-domains?

In this case, it's time for the debug mode.  To use the debug mode, you can 
change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL 
DEBUG.  Then, after an E-mail gets through that should have failed the 
BLOCKEDSENDERS test, you can then switch back to LOGLEVEL LOW (the debug 
mode adds huge amounts of information to the log file).  You can then send 
me the \IMail\spool\dec.log file (as an attachment, NOT sent from web 
messaging), and I can take a look at it to see what is happening.

-Scott


RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread Robert Grosshandler
Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?

Rob





RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Burzin Sumariwalla
I also think that one needs to examine the purpose of the email system 
before using this or any other anti-spam technique.
I think it works well for specific organizations.  For example, I found out 
about the product because I tried to contact one of
my vendors and was presented with the need for authentication.  I figure 
that this probably helps the sales team as they have
little need to be contacted by random parties.  Note:  This presupposes 
that the contact process is screened somehow.
Note 2:  I should not have had to authenticate with anybody at the company 
as I was already a known client-- I chalk this up
to poor challenge/response management.  Here's a good article on points to 
consider when implementing C/R.

http://www.templetons.com/brad/spam/challengeresponse.html

Does C/R work well at a broad ISP level?  I don't know.  I'd be really 
leery of implementing C/R as a first or single test if I didn't understand
the organization better.

Just 2 more cents

Burzin



At 04:24 PM 12/5/2003, you wrote:
 Your users will lose a lot of email specially if they shop online. 

Again - with a weight-based system, they would not lose any email - as long
as the online shop manages to stay off black-lists, has a valid RDNS, has a
valid Hostname, etc.  Assuming it's tied to a weight-based system, I see
them as a great opportunity to 'tighten the noose' without blocking
legitimate email.
Best Regards
Andy Schmidt
HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread Matthew Bramble
I meant negative weights on last hop for the RBL's.  There are only a 
few popular ones out there.  Gateways should be IPBYPASSed.

Matt



Robert Grosshandler wrote:

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob

 





RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread George Kulman
Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.

I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Grosshandler
 Sent: Friday, December 05, 2003 6:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
 didn't work for me me
 
 
 Negative weights on last hop only?
 
 How would that affect a gateway (or e-mail that goes to a backup mail
 server)?
 
 Rob
 
 
 


RE: [Declude.JunkMail] Spam Lion Functionality

2003-12-05 Thread Keith Anderson

I have a client that insists on trying these silly challenge-response tricks
and gets caught into that trap all the time.  I don't know why, but he'll
wake up one morning and decide to install one of those utilities on all of
his company's workstations.  He forgets that his mail server is set up to
modify messages with a privacy statement at the bottom, and a tag in the
subject line, so the challenge-response emails are unrecognized when they
are returned by the machine to which they were sent, which didn't recognize
it either.  Then after an hour or two, especially after a few of the
employees have sent a number of emails to group accounts, the mail server
stops responding... CPU at 100% trying to handle the email challenges and
responses that are multiplying each time they hit another group account.
Then it's $100 for the service call, $200 an hour for an on-site visit to
clean up the problem...  so, like I said, I'm not personally bothered by
this type of thing.  I've got guys standing around that need work.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 Matthew Bramble
 Sent: Friday, December 05, 2003 3:59 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Spam Lion Functionality


 Didn't think of that one.  I guess this goes to the design of
 the system
 though, and the fact that some clearly haven't considered the looping
 potential.




[Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30

2003-12-05 Thread Matthew Bramble
Scott,

This is the first time that I have ever seen this and it occurred just a 
few days after upgrading from 1.75i6 to 1.76i28-30.  Unlike some others 
that I have noted in the past, I am using IMail 7.15 Hotfix 2, so it 
doesn't seem related to IMail 8.

I'm thinking that since I first noticed this so soon after upgrading to 
the 1.76 beta (I was on 1.75 until a few days ago), that it in fact has 
something to do with Declude and something that was introduced with 
1.76.  This message shows up in all of my logs, including both Declude 
logs, but the message headers don't show any marks and the message 
scored 8 times my hold weight and was still delivered.

The corresponding section of all associated logs and the message headers 
follow.

Thanks,

Matt

--- Message Headers ---
From - Fri Dec 05 18:43:42 2003
X-UIDL: 363570087
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Received: from e.greatestsavingsnow.com [64.119.217.36] by igaia.com
 (SMTPD32-7.15) id A80046101B0; Fri, 05 Dec 2003 18:42:56 -0500
To: [EMAIL PROTECTED]
Date: Fri, 5 Dec 2003 18:43:00 -0500
Message-ID: [EMAIL PROTECTED]
From: Degrees Online [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: At No Cost to you - Let our online advisors help you
X-MimeOLE: Prodigy Compatibility V 4.f416b237 or later
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 363570087
--- IMail Log ---
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] connect 
64.119.217.36 port 41441
20031205 184256 127.0.0.1   SMTPD (046101B0) [64.119.217.36] HELO 
e.greatestsavingsnow.com
20031205 184256 127.0.0.1   SMTPD (046101B0) [64.119.217.36] MAIL 
FROM: [EMAIL PROTECTED]
20031205 184257 127.0.0.1   SMTPD (046101B0) [64.119.217.36] RCPT 
TO: [EMAIL PROTECTED]
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] 
E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1   SMTP (3696) processing 
E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1   SMTP (3696) ldeliver igaia.com matt-main 
(1) [EMAIL PROTECTED] 1332
20031205 184258 127.0.0.1   SMTP (3696) finished 
E:\spool\Q1800046101b02123.SMD status=1
20031205 184258 127.0.0.1   SMTP (3696) E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1   SMTP (3696) processing 
E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1   SMTP (3696) Trying a-znet.com (0)
20031205 184258 127.0.0.1   SMTP (3696) Connect a-znet.com 
[209.105.132.200:25] (1)
20031205 184258 127.0.0.1   SMTP (3696) 220 
mail01.ispc.xtelegent.net ESMTP Postfix
20031205 184258 127.0.0.1   SMTP (3696) EHLO igaia.com
20031205 184258 127.0.0.1   SMTP (3696) 250-mail01.ispc.xtelegent.net
20031205 184258 127.0.0.1   SMTP (3696) 250-PIPELINING
20031205 184258 127.0.0.1   SMTP (3696) 250-SIZE 1024
20031205 184258 127.0.0.1   SMTP (3696) 250-VRFY
20031205 184258 127.0.0.1   SMTP (3696) 250-ETRN
20031205 184258 127.0.0.1   SMTP (3696) 250 8BITMIME
20031205 184258 127.0.0.1   SMTP (3696) MAIL FROM:[EMAIL PROTECTED]
20031205 184258 127.0.0.1   SMTP (3696) 250 Ok
20031205 184258 127.0.0.1   SMTP (3696) RCPT To:[EMAIL PROTECTED]
20031205 184259 127.0.0.1   SMTP (3696) 450 [EMAIL PROTECTED]: User 
unknown in local recipient table
20031205 184259 127.0.0.1   SMTP (3696) QUIT
20031205 184259 127.0.0.1   SMTP (3696) 221 Bye
20031205 184259 127.0.0.1   SMTP (3696) requeuing 
E:\spool\Q2e6e006301c6bc72.SMD R0 T68
20031205 184259 127.0.0.1   SMTP (3696) finished 
E:\spool\Q2e6e006301c6bc72.SMD status=3
20031205 184259 127.0.0.1   SMTP (3696) E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1   SMTP (3696) processing 
E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1   SMTP (3696) Trying a-znet.com (0)
20031205 184259 127.0.0.1   SMTP (3696) Connect a-znet.com 
[209.105.132.200:25] (1)
20031205 184259 127.0.0.1   SMTP (3696) 220 
mail02.ispc.xtelegent.net ESMTP Postfix
20031205 184259 127.0.0.1   SMTP (3696) EHLO igaia.com
20031205 184259 127.0.0.1   SMTP (3696) 250-mail02.ispc.xtelegent.net
20031205 184259 127.0.0.1   SMTP (3696) 250-PIPELINING
20031205 184259 127.0.0.1   SMTP (3696) 250-SIZE 1024
20031205 184259 127.0.0.1   SMTP (3696) 250-VRFY
20031205 184259 127.0.0.1   SMTP (3696) 250-ETRN
20031205 184259 127.0.0.1   SMTP (3696) 250 8BITMIME
20031205 184259 127.0.0.1   SMTP (3696) MAIL FROM:[EMAIL PROTECTED]
20031205 184259 127.0.0.1   SMTP (3696) 250 Ok
20031205 184259 127.0.0.1   SMTP (3696) RCPT To:[EMAIL PROTECTED]
20031205 184300 127.0.0.1   SMTP (3696) 450 [EMAIL PROTECTED]: User 
unknown in local recipient table
20031205 184300 127.0.0.1   SMTP (3696) QUIT
20031205 184300 127.0.0.1   SMTP

Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread Matthew Bramble
George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
definitely prevent it from scanning prior hops.  I find this test to be 
useful as it is IP based and helps some very important E-mail that tends 
to have issues with several major RBL's.  I haven't started to scan on 
multiple hops yet, so this doesn't come into play.

Matt



George Kulman wrote:

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.
I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.
George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?
Rob

   





RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread George Kulman
Matt,

I do scan multiple hops.

George

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Matthew Bramble
 Sent: Friday, December 05, 2003 7:14 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER 
 didn't work for me me
 
 
 George,
 
 The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
 definitely prevent it from scanning prior hops.  I find this test to be 
 useful as it is IP based and helps some very important E-mail that tends 
 to have issues with several major RBL's.  I haven't started to scan on 
 multiple hops yet, so this doesn't come into play.
 
 Matt
 
 
 
 George Kulman wrote:
 
 Rob,
 
 Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.
 
 The BONDEDSENDER should be the originating Server and that should be what's
 used for this test.
 
 I discontinued use within a few days since  was letting spam through with it
 and there were other ways to handle the valid mail.
 
 George
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Grosshandler
 Sent: Friday, December 05, 2003 6:38 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
 didn't work for me me
 
 
 Negative weights on last hop only?
 
 How would that affect a gateway (or e-mail that goes to a backup mail
 server)?
 
 Rob
 
 
 
 
 


[Declude.JunkMail] Request for a possible new feature - Whitelist Reason

2003-12-05 Thread J.D. Springer




Scott:

Would it be possible to indicate why an email is whitelisted in the headers?
Like:
Whitelisted(Auth)
Whitelisted(Auto)
Whitelisted(CFG)
Whitelisted(File)

This would make it easier to determine why an email is whitelisted.

Sincerely,
J.D. Springer






Re: [Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30

2003-12-05 Thread Matthew Bramble
Well, I was really hoping it would have been a Declude problem...that 
way it probably would have been fixed in days as opposed to requiring me 
to get an upgrade to IMail 8 for them to fix the issue.

I'm going to reduce my queue from running every 15 minutes to every hour 
just to lessen the possibility of this happening.  Please keep us posted 
if you hear anything.  I imagine it will take them a while and IMail 7 
users may be out in the dark.

Matt



R. Scott Perry wrote:


This is the first time that I have ever seen this and it occurred 
just a few days after upgrading from 1.75i6 to 1.76i28-30.  Unlike 
some others that I have noted in the past, I am using IMail 7.15 
Hotfix 2, so it doesn't seem related to IMail 8.


This is getting scary.  It looks like there is a serious bug in IMail 
v7 and v8 that is just starting to be discovered:

--- IMail Log ---
20031205 184256 127.0.0.1   SMTPD (046101B0) [208.7.179.15] 
connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1   SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1   SMTPD (046101B0) [64.119.217.36] 
E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1   SMTP (3696) processing 
E:\spool\Q1800046101b02123.SMD
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 
reaches or exceeds the limit of 30.). Action=DELETE.


This is the same pattern that we tracked in another E-mail:

[1] IMail's SMTPD process starts receiving the E-mail.
[2] IMail starts a queue run to deliver E-mail in the spool
[3] IMail's SMTPD process saves the E-mail to the hard drive
[4] IMail's queue run delivers the E-mail
[5] IMail's SMTPD process starts Declude
[6] IMail tries to deliver the E-mail that Declude scanned
Ipswitch has been notified that there is a problem here; hopefully, 
they will take care of it.

   -Scott


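The ordering described in the message above (a queue run picking up the Q file before Declude has scanned it) can be checked by correlating the IMail and Declude logs on the spool ID. This is an added example, not code from the thread, Declude or Ipswitch; the function names are hypothetical, the sample lines are constructed from the log formats quoted above, and it assumes both logs are written with the same clock.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the log formats quoted in the thread.
IMAIL_LOG = r"""
20031205 184258 127.0.0.1 SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1 SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
20031205 190110 127.0.0.1 SMTPD (05AA01B0) [192.0.2.10] E:\spool\D19000aaaa0001234.SMD 2048
20031205 190115 127.0.0.1 SMTP (3700) processing E:\spool\Q19000aaaa0001234.SMD
"""
DECLUDE_LOG = """
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.
12/05/2003 19:01:12 Q19000aaaa0001234 Scanned: Virus Free [MIME: 1 900]
"""
PICKUP = re.compile(r"^(\d{8} \d{6}) \S+\s+SMTP \(\d+\) processing .*\\(Q\w+)\.SMD$")
DECLUDE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) (.*)$")
ACTION = re.compile(r"Action=(\w+)")

def queue_pickups(imail_text):
    """Earliest time the delivery process (SMTP, not SMTPD) opened each Q file."""
    seen = {}
    for line in imail_text.splitlines():
        m = PICKUP.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y%m%d %H%M%S")
            sid = m.group(2).lower()
            seen[sid] = min(ts, seen.get(sid, ts))
    return seen

def declude_scans(declude_text):
    """First Declude log entry and last logged action for each spool ID."""
    seen = {}
    for line in declude_text.splitlines():
        m = DECLUDE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        rec = seen.setdefault(m.group(2).lower(), {"first": ts, "action": None})
        rec["first"] = min(rec["first"], ts)
        act = ACTION.search(m.group(3))
        if act:
            rec["action"] = act.group(1)
    return seen

def delivered_before_scan(imail_text, declude_text):
    """Spool IDs whose queue pickup precedes Declude's first entry for them."""
    # IDs with no Declude entry are skipped: retries of older queued mail look
    # the same in a short log window and would only add noise.
    scans = declude_scans(declude_text)
    findings = []
    for sid, picked in sorted(queue_pickups(imail_text).items()):
        scan = scans.get(sid)
        if scan and picked < scan["first"]:
            lead = (scan["first"] - picked).total_seconds()
            findings.append({"spool_id": sid, "lead_seconds": lead, "action": scan["action"]})
    return findings

if __name__ == "__main__":
    print(delivered_before_scan(IMAIL_LOG, DECLUDE_LOG))
```

A finding whose action is DELETE or HOLD is the case reported in the thread: the message reached the mailbox even though the filter decided against it.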


Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

2003-12-05 Thread Matthew Bramble
That's why you should name it BONDEDSENDER-DYNA and why it doesn't 
matter on my system.

The trick here is that Declude will skip over the DNS-based tests on 
anything beyond the first hop if the name has DUL or DYNA in it.  
Someone else is using CBL-DYNA in order to keep that test from throwing 
FP's when the originating computer's IP address is on the list, but used 
a legit mail server to send the E-mail (instead of direct delivery which 
is the real issue).

Scanning multiple hops seems to be mostly useful in places where E-mail 
is being forwarded, which only exposes the legit forwarding machine.  It 
would be great if there was some other way to identify when a message 
has been forwarded at the server level, and skip the last hop when that 
happens.  I kind of doubt that this would be possible.  In the 
mean-time, I am going to try IPBYPASSing the mail servers that are known 
to be forwarding to my server which should have the same effect as a 
selective use of multiple hop scanning.

Matt



George Kulman wrote:

Matt,

I do scan multiple hops.

George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew Bramble
Sent: Friday, December 05, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would 
definitely prevent it from scanning prior hops.  I find this test to be 
useful as it is IP based and helps some very important E-mail that tends 
to have issues with several major RBL's.  I haven't started to scan on 
multiple hops yet, so this doesn't come into play.

Matt



George Kulman wrote:

   

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG.

The BONDEDSENDER should be the originating Server and that should be what's
used for this test.

I discontinued use within a few days since  was letting spam through with it
and there were other ways to handle the valid mail.

George

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER 
didn't work for me me

Negative weights on last hop only?

How would that affect a gateway (or e-mail that goes to a backup mail
server)?

Rob

  
   


