RE: [Declude.JunkMail] MAILFROM like Imail Test..
Here are the headers... How can this be caught with Declude??

12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..

Declude MAILFROM test checks only the domain on the MAILFROM address. But we receive a lot of SPAM with mailfrom like this: [EMAIL PROTECTED] Since hotmail.com is a valid domain, the message passes the test.

Is there a test like the Mailfrom of Imail that tests that the user really exists on the remote server?? [EMAIL PROTECTED] (In Imail this will fail...)

Thanks..

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Thursday, December 04, 2003 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer

FYI, I believe the demo consolidates everything into two separate tests: General and Malware. However, it will still give you a very good idea of the overall effectiveness of running Sniffer with Declude.

Bill

- Original Message -
From: T. Bradley Dean [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:02 PM
Subject: RE: [Declude.JunkMail] sniffer

> Declude is optimized to run the external test only once

That was going to be my next question, it looked terribly inefficient at first! Thanks for the responses guys. I just installed the demo.

~Brad

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, December 03, 2003 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] sniffer

Brad,

That's right. :-)

Heuristics for patterns are grouped by the spam that prompts us to generate them, or by how we created them. Most of the time they are at least close to classifying the type of spam. Each system that uses Message Sniffer is encouraged to specify adjustable weights for each rule group so that the results from the pattern matching tests can be tuned for the greatest accuracy on that system and according to its unique mix of incoming spam and the users being served.

Declude is optimized to run the external test only once and allow the result code to be evaluated for all of the tests that define that external test... so in the example shown below sniffer would be called once and its result code would be evaluated many times.

Message Sniffer will typically match many patterns in a given spam. Currently the voting system that decides the winning pattern match uses the following rule: Choose the first pattern match found with the lowest symbol. Within the standard rulebase, rule groups are loosely grouped so that the least specific patterns have the largest symbols. The combination of these arrangements tends toward selecting the most specific pattern match available for a given message.

If anyone has other questions that are specific to sniffer then please feel free to contact us off list at our support@ sortmonster.com address.

Thanks,
_M

At 10:20 PM 12/3/2003, you wrote:

Brad,

Sniffer does message based pattern matching (Pete, correct me if I am wrong). If you opt to separate the 20 or so tests that Sniffer currently supports, then you can set whatever weight you want to each individual test.

Here is how I currently have the individual Sniffer tests defined in my global.cfg (License ID and Authentication Code obscured):

SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
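The run-once dispatch Pete McNeil describes, applied to four of the test definitions quoted above, as an added Python example (not code from Declude, Message Sniffer or anyone in this thread). It assumes the three-digit field is the result code a definition matches, that the last two numbers are the weights applied on a match and on no match, and that the scanner's result code is the winning symbol (0 when nothing matched); `fake_sniffer` and its matched symbols are constructed stand-ins for the real executable.

```python
from collections import namedtuple

# Four of the test definitions quoted in the thread (License ID and
# Authentication Code were already obscured by the poster).
GLOBAL_CFG = r"""
SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-SNAKEOIL external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
"""

TestDef = namedtuple("TestDef", "name code command weight_hit weight_miss")


def parse_external_tests(cfg_text):
    """Parse 'NAME external CODE command... W1 W2' lines into TestDef records."""
    tests = []
    for line in cfg_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or fields[1].lower() != "external":
            continue  # blank line or a test type this model does not cover
        name, _, code, rest = fields
        # The command may contain spaces, so peel the two weights off the end.
        command, w_hit, w_miss = rest.rsplit(None, 2)
        tests.append(TestDef(name, int(code), command, int(w_hit), int(w_miss)))
    return tests


def winning_symbol(matched_symbols):
    """Voting rule from the thread: the match with the lowest symbol wins.

    Assumption: an empty match list is reported as result code 0.
    """
    return min(matched_symbols) if matched_symbols else 0


def score_message(tests, run_external, message):
    """Run each distinct external command once, then evaluate every definition
    that shares the command against the cached result code."""
    results = {}
    calls = 0
    total = 0
    failed = []
    for test in tests:
        if test.command not in results:
            results[test.command] = run_external(test.command, message)
            calls += 1
        if results[test.command] == test.code:
            total += test.weight_hit
            failed.append(test.name)
        else:
            total += test.weight_miss
    return total, failed, calls


def fake_sniffer(command, message):
    """Constructed stand-in for the scanner: pretends patterns from rule
    groups 54, 52 and 55 all matched a message containing 'miracle cure'."""
    matched = [54, 52, 55] if "miracle cure" in message else []
    return winning_symbol(matched)


if __name__ == "__main__":
    defs = parse_external_tests(GLOBAL_CFG)
    print(score_message(defs, fake_sniffer, "Try this miracle cure today"))
    print(score_message(defs, fake_sniffer, "Minutes of Tuesday's meeting"))
```

Three rule groups match the constructed spam, but only the lowest symbol (052) is reported, so only SNIFFER-SNAKEOIL contributes weight and the scanner is invoked once for all four definitions.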
RE: [Declude.JunkMail] MAILFROM like Imail Test..
In a filter file:

HEADERS (weight) CONTAINS X-IMAIL-SPAM-INVALIDFROM

Imail is checking to see if the sender exists and places that into the header. (If you have Imail configured to add headers.)

HOWEVER, this does not work for @yahoo.com addresses.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
Sent: Thursday, December 04, 2003 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] MAILFROM like Imail Test..

Here are the headers... How can this be caught with Declude??

12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:32 SMTPD(06E400CC) [0640] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) mail.fanosa.com FAILED to validate MAIL FROM address [EMAIL PROTECTED]
12:05 00:33 SMTPD(06E500CC) [2292] mail.fanosa.com VALIDATION: (MAIL FROM) [EMAIL PROTECTED] user does not exist on remote system

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alejandro Valenzuela
Sent: Thursday, December 04, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] MAILFROM like Imail Test..

Declude MAILFROM test checks only the domain on the MAILFROM address. But we receive a lot of SPAM with mailfrom like this: [EMAIL PROTECTED] Since hotmail.com is a valid domain, the message passes the test.

Is there a test like the Mailfrom of Imail that tests that the user really exists on the remote server?? [EMAIL PROTECTED] (In Imail this will fail...)

Thanks..
RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
BTW, I forwarded this issue to a colleague, Sue Moser of Slipstick Systems http://www.slipstick.com and Windows magazine contributor.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 2:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

> I have a customer who was having trouble with his messages sent to users on servers that use spam filters not being delivered. I had him send a message to me so I could see what tests it fails. As some of you may have already guessed, he's got a new pc with Outlook 2003 and the messages fail the spam headers test. I informed him that among mail server and/or spamfilter administrators this is a known issue. So, he calls MS. MS says it's OEM software, call the vendor. Dell says I'm full of it. So...
>
> Would someone with more thorough and better understanding than mine please send me something (with permission to quote or I'd just lift from archives) that I can send to this customer? I'm looking for what it is that Outlook 2003 does wrong and what RFC it is not conforming to. He wants to then show it to Dell and request an exchange for Office 2002.

It's really a Microsoft issue (it's a bug -- er, new feature -- in Outlook 2003), but they may have a special arrangement with Dell.

Microsoft had a few complaints from people using Outlook that their machine name was leaked in the Message-ID header. Instead of ignoring the complaint, or making the host name used in the Message-ID: header configurable, they chose to remove the Message-ID: header.

Microsoft is technically RFC-compliant, *if* they understand the consequences of what they did. In other words, it is only RFC-compliant if they accept the fact that the E-mail sent from Outlook 2003 may be marked as spam.

Microsoft's position, from what we understand, is that they expect all mailservers to whitelist outgoing E-mail from Outlook 2003 users, and add the Message-ID: header.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
I'm assuming that this only happens with Outlook 2003 used with a non-Exchange (POP3/IMAP/SMTP mode)?

Here are two headers from Outlook 2003 installed by Office 2003 Pro Microsoft Volume Licensing (not OEM)

From Outlook/MAPI via Exchange 2003
-0-
Received: from us-inboundmx.blank.com [61.220.41.95] by popmail.domain2.com with ESMTP (SMTPD32-8.03) id AFB28130208; Fri, 05 Dec 2003 05:36:34 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: testing
Date: Fri, 5 Dec 2003 05:36:34 -0500
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: testing
Thread-Index: AcO7G6c5ASWwh2hOTRWz0b/pUSbfKw==
From: Mark E. Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Note: Weight: 0 - This E-mail was scanned by NETrends Systems (www.netrends.com) for spam.
X-Spam-Tests-Failed: Whitelisted
X-Spam-Prob: 0.169437
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 341408898
-0-

From Outlook/POP3/SMTP via iMail SMTP
-0-
Microsoft Mail Internet Headers Version 2.0
Received: from ussmtpin2.blank.com ([10.7.4.111]) by us-inboundmx.blank.com with Microsoft SMTPSVC(6.0.3790.0); Fri, 5 Dec 2003 05:40:53 -0500
Received: from popmail.domain2.com [16.196.89.161] by ussmtpin2.blank.com with ESMTP (SMTPD32-8.03) id A0B38CD0118; Fri, 05 Dec 2003 05:40:51 -0500
Received: from msmithd800xp [162.83.21.69] by popmail.domain2.com with ESMTP (SMTPD32-8.03) id A0AF8330208; Fri, 05 Dec 2003 05:40:47 -0500
From: Mark Smith [EMAIL PROTECTED]
To: Mark E. Smith [EMAIL PROTECTED]
Subject: Testing from domain2
Date: Fri, 5 Dec 2003 05:40:47 -0500
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcO7HD5aazFkluigRS2DXlE/jJeQ9w==
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: SPAMHEADERS: This E-mail has headers consistent with spam [420e].
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (46)
X-Note: Weight: 3 - This E-mail was scanned by NETrends Systems (www.netrends.com) for spam.
X-RBL-Warning: WHITELISTFILE: Message failed WHITELISTFILE test (100)
X-RBL-Warning: MS-WHITE: Message failed MS-WHITE: 0.
X-RBL-Warning: TLD-TRUSTED-HELO: Message failed TLD-TRUSTED-HELO test (27)
X-RBL-Warning: TLD-TRUSTED-MAILFROM: Message failed TLD-TRUSTED-MAILFROM test (27)
X-RBL-Warning: TLD-TRUSTED-REVDNS: Message failed TLD-TRUSTED-REVDNS test (37)
X-Note: Weight: -110 - This E-mail was scanned by NETrends Systems (www.netrends.com) for viruses and spam.
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 05 Dec 2003 10:40:53.0729 (UTC) FILETIME=[42002510:01C3BB1C]
-0-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 2:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

> I have a customer who was having trouble with his messages sent to users on servers that use spam filters not being delivered. I had him send a message to me so I could see what tests it fails. As some of you may have already guessed, he's got a new pc with Outlook 2003 and the messages fail the spam headers test. I informed him that among mail server and/or spamfilter administrators this is a known issue. So, he calls MS. MS says it's OEM software, call the vendor. Dell says I'm full of it. So...
>
> Would someone with more thorough and better understanding than mine please send me something (with permission to quote or I'd just lift from archives) that I can send to this customer? I'm looking for what it is that Outlook 2003 does wrong and what RFC it is not conforming to. He wants to then show it to Dell and request an exchange for Office 2002.

It's really a Microsoft issue (it's a bug -- er, new feature -- in Outlook 2003), but they may have a special arrangement with Dell.

Microsoft had a few complaints from people using Outlook that their machine name was leaked in the Message-ID header. Instead of ignoring the complaint, or making the host name used in the Message-ID: header configurable, they chose to remove the Message-ID: header.

Microsoft is technically RFC-compliant, *if* they understand the consequences of what they did. In other words, it is only RFC-compliant if they accept the fact that the E-mail sent from Outlook 2003 may be marked as spam.

Microsoft's position, from what we understand, is that they expect all mailservers to whitelist outgoing E-mail from Outlook 2003 users, and add the Message-ID: header.

-Scott
RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released
Hi;

I am still a little shaky on what END does. If we have a filter file and have the following line - let's say on line 1:

HEADERS END CONTAINS X-IMAIL-SPAM-VALREVDNS

If this condition is met then the filter will exit? So anytime an END condition is satisfied the rest of the filter is not to be analyzed.

The idea was originally proposed to help with the Anti-filter concept.. But I am not sure how it will work.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released

We have just released Declude Virus v1.77 (beta). See http://www.declude.com/junkmail/manual.htm .

Notable changes since the last beta include:

o BOUNCE action renamed to BOUNCEONLYIFYOUMUST (please read the information on this action in the manual before using it).
o filter test type now can have MAXWEIGHT/MINWEIGHT option.
o filter test type now can have END in place of the weight
o filter test type now has SKIPIFWEIGHT option to bypass filters if a certain weight has already been reached.
o HIDETESTS option to hide tests from X-Spam-Tests-Failed: header.
o Numerous minor fixes

Other additions and fixes can be found in the release notes, at http://www.declude.com/relnotes.htm .

Anyone with an up-to-date Service Agreement is entitled to free upgrades (see http://www.declude.com/agree.htm for information on the Declude Service Agreement).

---
Quick Resource Reference:
Tech Support: [EMAIL PROTECTED]
Mailing List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.junkmail your name in the body
New Releases List: Send E-mail to [EMAIL PROTECTED] with subscribe declude.releases your name in the body
Troubleshooting: See manual URL above; look at Troubleshooting section
Emergency Uninstall: See manual URL above; look at Emergency Uninstall section
Urgent Support: urgent @declude.com (for urgent/time-sensitive issues only)
Declude Addons/Tools URL: http://www.declude.com/tools
Manual: http://www.declude.com/junkmail/manual.htm
Re: [Declude.JunkMail] MAILFROM like Imail Test..
> Declude MAILFROM test checks only the domain on the MAILFROM address. But we receive a lot of SPAM with mailfrom like this: [EMAIL PROTECTED] Since hotmail.com is a valid domain, the message passes the test.
>
> Is there a test like the Mailfrom of Imail that tests that the user really exists on the remote server??

No. The problem is that such a test is very resource intensive -- specifically, it will use about 10 times as much bandwidth as the MAILFROM test, and will often have false negatives (E-mail addresses that do not exist, but pass the test), and occasional false positives (E-mail addresses that do exist, but fail the test).

Also, it will delay the delivery of the E-mail by anywhere from several seconds to a minute or so (lots of mailservers take a long time to respond to commands), as there are about 8 round trips that need to be made rather than just 1 -- and those round trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the return address. If everyone plays this game, then your mailserver is going to receive thousands to millions of hits in a very short period of time, causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

-Scott
RE: [Declude.JunkMail] Declude JunkMail v1.77 (beta) released
> I am still a little shaky on what END does. If we have a filter file and have the following line - lets say on line 1:
>
> HEADERS END CONTAINS X-IMAIL-SPAM-VALREVDNS
>
> If this condition is met then the filter will exit?

Correct.

> So anytime an END condition is satisfied the rest of the filter is not to be analyzed.

Correct.

> The idea was originally proposed to help with the Anti-filter concept.. But I am not sure how it will work.

I think that there are two purposes for END:

[1] It will reduce CPU usage for large filters, if you know they do not need to be used for some reason.

[2] It will allow you to have weights applied only under certain conditions. For example, If the E-mail contains 'example.com' but not 'example.net', apply a weight of 5 (with ANYWHERE END CONTAINS example.net and ANYWHERE 5 CONTAINS example.com).

-Scott
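A small model of the END behaviour Scott confirms above, run against his example.net / example.com pair, as an added Python example (not Declude's code and not from anyone in this thread). The parser accepts only the `SCOPE WEIGHT|END CONTAINS text` line shape that appears in the thread; case-insensitive matching, and keeping weight that was added before an END line fires, are assumptions of the model, and the sample messages are constructed.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "scope action text")
Verdict = namedtuple("Verdict", "weight lines_checked ended")

SCOPES = ("HEADERS", "ANYWHERE")  # the two scopes that appear in the thread

# Scott's example: weight 5 for example.com unless example.net is also present.
SCOTT_FILTER = """\
ANYWHERE END CONTAINS example.net
ANYWHERE 5 CONTAINS example.com
"""

# Same two lines in the opposite order, to show that END only guards
# the lines that come after it.
REVERSED_FILTER = """\
ANYWHERE 5 CONTAINS example.com
ANYWHERE END CONTAINS example.net
"""

# Constructed sample message parts.
SAMPLE_HEADERS = "From: sender@example.org\nSubject: offer"
BODY_COM_ONLY = "See http://www.example.com/offer"
BODY_COM_AND_NET = "See http://www.example.com/ or http://www.example.net/"


def parse_filter(filter_text):
    """Turn filter-file lines into Rule records; action is an int or 'END'."""
    rules = []
    for number, raw in enumerate(filter_text.splitlines(), 1):
        fields = raw.split(None, 3)
        if not fields:
            continue  # blank line
        if len(fields) != 4 or fields[2].upper() != "CONTAINS":
            raise ValueError("line %d: expected SCOPE WEIGHT|END CONTAINS text" % number)
        scope, action, _, text = fields
        if scope.upper() not in SCOPES:
            raise ValueError("line %d: scope %r not modelled" % (number, scope))
        action = "END" if action.upper() == "END" else int(action)
        rules.append(Rule(scope.upper(), action, text.strip().lower()))
    return rules


def run_filter(rules, headers, body):
    """Evaluate rules top to bottom; a matching END line stops the filter."""
    searchable = {
        "HEADERS": headers.lower(),
        "ANYWHERE": (headers + "\n" + body).lower(),
    }
    weight = 0
    for checked, rule in enumerate(rules, 1):
        if rule.text not in searchable[rule.scope]:
            continue
        if rule.action == "END":
            # Assumption: weight added by earlier lines is kept.
            return Verdict(weight, checked, True)
        weight += rule.action
    return Verdict(weight, len(rules), False)


def demo():
    scott = parse_filter(SCOTT_FILTER)
    reverse = parse_filter(REVERSED_FILTER)
    return [
        run_filter(scott, SAMPLE_HEADERS, BODY_COM_ONLY),
        run_filter(scott, SAMPLE_HEADERS, BODY_COM_AND_NET),
        run_filter(reverse, SAMPLE_HEADERS, BODY_COM_AND_NET),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

With the END line first, the message that mentions both domains leaves the filter after one line with no weight; with the lines reversed, the weight of 5 has already been added by the time END fires, so line order decides whether the exception works.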
RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance
I installed a full retail copy of Office 2003 Professional and I have the same issue. Missing headers.

Tyler

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Smith
Sent: Friday, December 05, 2003 5:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] A little CMA documentation for Outlook 2003 RFC non-compliance 2003 RFC non-compliance

I'm assuming that this only happens with Outlook 2003 used with a non-Exchange (POP3/IMAP/SMTP mode)?
[Declude.JunkMail] Fw: [IMail Forum] November 2003 Spam Statistics
- Original Message -
From: Jeff Pereira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:26 AM
Subject: Re: [IMail Forum] November 2003 Spam Statistics

Scott -

Is it possible to post the configuration files for Declude Junkmail that were used to produce the results obtained in the November 2003 Spam Statistics? I am sure that there are a number of other users out there like myself that have limited resources to devote to spam control and for whom spam control is a secondary or tertiary responsibility. It would be nice to know that I could start with a given set of configuration files that are able to generate what I feel to be very impressive statistics.

Thank you.

Jeff

---
[This E-mail scanned for viruses by Declude Virus]
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
[Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Hello, All,

Has anyone noticed in the last few days that the IP addresses of a lot of legitimate e-mailers are showing up on SPAMCOP's blocklists? Specifically I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and a few others.

Does anyone think it's possible that SPAMCOP's databases are being gamed by Spammers by submitting lots of e-mails with legit IP addresses and pretend that they came across as spam? Or maybe there are uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as representative of spam? Or even that IronPort's purchase of SPAMCOP has somehow affected the way that they do things?

Just curious. These legit IPs showing up on SPAMCOP are really throwing lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
[Declude.JunkMail] Reverse DNS...
What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 57
X-Note: Sent from Reverse DNS: [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

Incredible...

Regards,
Kami
RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Dan:

We made a decision a long time ago to whitelist REVDNS of all the folks you had listed. We now have two REVDNS negative files.

1: Whitelist as entered in the Global.cfg (I only hope one day Scott moves these entries to their own files).
2: Negative reverseDNS files that add negative weight to the ones that are legitimate and used by our users.

That took care of a lot of problems..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Hello, All,

Has anyone noticed in the last few days that the IP addresses of a lot of legitimate e-mailers are showing up on SPAMCOP's blocklists? Specifically I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and a few others.

Does anyone think it's possible that SPAMCOP's databases are being gamed by Spammers by submitting lots of e-mails with legit IP addresses and pretend that they came across as spam? Or maybe there are uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as representative of spam? Or even that IronPort's purchase of SPAMCOP has somehow affected the way that they do things?

Just curious. These legit IPs showing up on SPAMCOP are really throwing lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]
---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group http://www.nexustechgroup.com/mailscan
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Kami:

I've been taking a look at your configuration files every few weeks and based on what I saw there a couple of months ago, I also started WHITELISTing based on Reverse DNS and HELO a few months back. So there's probably many I'm not seeing as flagged by SPAMCOP because of the whitelist. It just so happened that the 3 I listed had not been whitelisted. I know that whitelisting will fix the problems but I also know that there is definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG file? Is that 100 each for REVDNS and HELO or 100 total? Is there any way to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries? Is that just by using the FILTER test?

Thanks,
Dan
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
> Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG file? Is that 100 each for REVDNS and HELO or 100 total? Is there anyway to go past that limit and/or else offload those into a separate file?

Actually, it's a limit of 200. The WHITELIST FROM entries can be offloaded to a separate file (with unlimited entries), using the WHITELISTFILE option.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Yes... Like a filter file:

    REVDNS -20 ENDSWITH .amazon.com

I put the period before Amazon to just make sure no funky domain like .spamamazon.com can get through.

Regards,
Kami
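The leading-dot point in the filter line above, as an added example that is not part of the original post and is not Declude's own code: a small evaluator for that one line shape, run against constructed host names. The function names, the case folding and the trailing-dot stripping are assumptions of this sketch, not documented Declude behaviour.

```python
"""ENDSWITH matching for a negative-weight REVDNS filter line (sketch).

Only the line shape quoted in the thread is handled:
    REVDNS -20 ENDSWITH .amazon.com
Everything else (names, normalisation) is an assumption of this example.
"""
from typing import List, NamedTuple


class Rule(NamedTuple):
    field: str    # header/attribute the rule looks at, e.g. REVDNS
    weight: int   # weight added when the rule matches (negative = credit)
    op: str       # comparison operator; only ENDSWITH is implemented here
    value: str    # suffix to compare against, stored lower-cased


def parse_filter(text: str) -> List[Rule]:
    """Parse 'FIELD WEIGHT ENDSWITH VALUE' lines; reject anything else."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"unsupported filter line: {line!r}")
        field, weight, op, value = parts
        if op.upper() != "ENDSWITH":
            raise ValueError(f"operator not handled by this sketch: {op}")
        rules.append(Rule(field.upper(), int(weight), "ENDSWITH",
                          value.strip().lower()))
    return rules


def normalise(host: str) -> str:
    """Lower-case and drop a trailing root dot (assumed normalisation)."""
    return host.strip().rstrip(".").lower()


def revdns_adjustment(rules: List[Rule], revdns: str) -> int:
    """Sum the weights of every REVDNS rule whose suffix matches."""
    host = normalise(revdns)
    return sum(r.weight for r in rules
               if r.field == "REVDNS" and host.endswith(r.value))


# Rule as posted (leading dot) and the same rule without the dot.
DOTTED = parse_filter("REVDNS -20 ENDSWITH .amazon.com")
UNDOTTED = parse_filter("REVDNS -20 ENDSWITH amazon.com")

# Constructed reverse DNS values. "[No Reverse DNS]" is the text Declude
# puts in the X-Note header when there is no PTR record (seen in this thread).
SAMPLES = [
    "mx1.amazon.com",             # genuine subdomain
    "mx1.spamamazon.com",         # look-alike registrable domain
    "amazon.com",                 # bare domain, no label in front
    "MX1.Amazon.COM.",            # mixed case, trailing root dot
    "amazon.com.mailer.example",  # brand name used as a prefix
    "[No Reverse DNS]",           # no PTR record at all
]


def compare():
    """Return (host, weight with dotted rule, weight with undotted rule)."""
    return [(h, revdns_adjustment(DOTTED, h), revdns_adjustment(UNDOTTED, h))
            for h in SAMPLES]


if __name__ == "__main__":
    for host, dotted, undotted in compare():
        print(f"{host:28} dotted={dotted:4} undotted={undotted:4}")
```

Two results worth noting: the dotted rule gives no credit to a PTR that is exactly `amazon.com`, and no REVDNS rule can match a sender that has no reverse DNS at all.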
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Hi Dan,

I've only seen one FP from SpamCop in the last week. I routinely see email sent by legitimate firms get tagged as spam, but usually these firms are using third party mailers to send information.

Burzin

--
Burzin Sumariwalla Phone: (314) 994-9411 x291
[EMAIL PROTECTED] Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
RE: [Declude.JunkMail] Reverse DNS...
Do what I do: I have a rule defined that subtracts the points my REVDNS rule adds, and put the domains I need to get through in that list. Kind of clunky and man-power intensive, but it works for me. I couldn't imagine doing it for hundreds of domains.

Karl Drugge

-Original Message-
From: Kami Razvan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 05, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Reverse DNS...

What can we do when the likes of Amazon don't have reverse DNS?

==
X-Declude-Sender: [EMAIL PROTECTED] [12.32.32.130]
X-Declude-Spoolname: D938c00b8023227dd.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 57
X-Note: Sent from Reverse DNS: [No Reverse DNS]
X-Hello: boi1-app-101.amazon.com
X-Spam-Tests-Failed: HELOBOGUS, IPNOTINMX, NOLEGITCONTENT, REVDNS, FILTER-HEADER-XMAIL, FILTER-SPAM-HTML, FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, SPAMDOMAINS, WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): [EMAIL PROTECTED]
X-Country-Chain: UNITED STATES-destination
X-RCPT-TO: [EMAIL PROTECTED]

Incredible...

Regards,
Kami
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Hi, Scott,

If I am using...

    WHITELIST REVDNS .ebay.com

or

    WHITELIST HELO .mail.yahoo.com

entries in my GLOBAL.CFG can those also be offloaded into a separate file? Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

Thanks,
Dan
RE: [Declude.JunkMail] MAILFROM like Imail Test..
Ok, I didn't notice how easily spam could pass this test.

Thanks Scott.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] MAILFROM like Imail Test..

> Declude MAILFROM test check only the domain on the MAILFROM address
> But we receive a lot of SPAM with mailfrom like this.
> [EMAIL PROTECTED]
> since hotmail.com is a valid Domain, then the message pass the test
> Is there a test like the Mailfrom of Imail that test that the user really exists on the remote server ??

No. The problem is that such a test is very resource intensive -- specifically, it will use about 10 times as much bandwidth as the MAILFROM test, and will often have false negatives (E-mail addresses that do not exist, but pass the test), and occasional false positives (E-mail addresses that do exist, but fail the test). Also, it will delay the delivery of the E-mail by anywhere from several seconds to a minute or so (lots of mailservers take a long time to respond to commands), as there are about 8 round trips that need to be made rather than just 1 -- and those round trips also require more effort on the remote end.

Then, imagine if a spammer joe jobs you, using your E-mail address as the return address. If everyone plays this game, then your mailserver is going to receive thousands to millions of hits in a very short period of time, causing a DDoS attack on your server.

So I'm not a big fan of this type of test.

-Scott
RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
> Yes... Like a filter file:
> REVDNS -20 ENDSWITH .amazon.com
> I put the period before Amazon to just make sure no funky domain like .spamamazon.com can get through.

Hmmpfff I hoped already that that could be a reason for unlimited IPBYPASS entries... ;-)

Markus
[Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
I want to use Sniffer to whitelist messages that would fail other Declude tests, not just Sniffer alone AND I want to retain the original Sniffer failure code if the message did fail Sniffer.

So here's where I'm headed. Keep my single Sniffer weighted test for spam detection and add this (per Scott's recommendation):

    SNIFFER-WHITELIST externalplus P:\IMail\Declude\Sniffer\LicenseID.exe AuthenticationCode

To do this, I will have my Sniffer rule base re-coded to return a 1 on my custom whitelists instead of a 0. With externalplus, 1 indicates Whitelist.

Based on my reading of the last sniffer thread, this will not cause degradation in performance because Declude is smart enough to only call sniffer once for multiple tests, but

1. What if the tests are different types, in this case external and externalplus?
2. What performance impact is there in adding the additional action?
4. If the message gets my subject line modification because it fails weighting, but is whitelisted per the new external plus test, will that negate the action on weighting? If so, should I also give the externalplus test weights like this: -200 0
3. Anyone see any problems with this scenario?

--
Best regards,
David
mailto:[EMAIL PROTECTED]
[Declude.JunkMail] ROUTETO Not Working
Hello, All,

I am trying to learn a little bit about the ROUTETO action and I can't seem to get it to work as expected. I am using DJM Pro. My current DELETE weight is 40. In the per-domain $default$.junkmail files for two of my highest spam volume domains I changed the action from DELETE to ROUTETO myuser@hotmail.com (both without the quotes). I expected messages which were previously being deleted by my DJM configuration to start showing up in my Hotmail inbox but I'm not receiving anything there.

As a test I switched the address listed after the ROUTETO action from myuser@hotmail.com to one of the e-mail addresses I have on the local IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing up immediately.

Does anyone know why if I used an externally hosted e-mail after the ROUTETO action that I wouldn't get the e-mail but if I used an e-mail address hosted on my local e-mail server that I would? Perhaps this doesn't have anything to do with it being external but instead it's just a Hotmail issue?

Here are the relevant entries from my GLOBAL.CFG...

-
WEIGHT-DELETE weight x x 40 0
-

Here are the relevant entries from one of my $default$.junkmail files...

-
WEIGHT-DELETE ROUTETO [EMAIL PROTECTED]
-

Here are the entries from my DJM log file for a message which did NOT show up at my Hotmail account...

-
12/05/2003 11:21:24 Qb07f13c SPAMCOP:7 SBL:5 NOABUSE:2 NOPOSTMASTER:1 BASE64:4 HELOBOGUS:6 REVDNS:4 SPAMHEADERS:3 CBL:5 CSMA-SBL:5 SPAMDOMAINS:10 . Total weight = 52
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL (http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting [EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [420f].). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches or exceeds the limit of 40.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL (http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c R1 Message OK
12/05/2003 11:21:24 Qb07f13c Using [incoming] CFG file d:\iMail\Declude\american-apex.com\$default$.junkmail.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMCOP (Blocked - see http://www.spamcop.net/bl.shtml?202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SBL (http://www.spamhaus.org/SBL/sbl.lasso?query=SBL7535). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOABUSE (Not supporting [EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed HELOBOGUS (Domain WJQ-Q8OLH5GE22P has no MX or A records.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMHEADERS (This E-mail has headers consistent with spam [420f].). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed CATCHALLMAILS (). Action=COPYTO.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches or exceeds the limit of 40.). Action=ROUTETO.
12/05/2003 11:21:24 Qb07f13c Msg failed CBL (Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed CSMA-SBL (http://bl.csma.biz/cgi-bin/listing.cgi?ip=202.102.142.58). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed SPAMDOMAINS (Spamdomain '@yahoo.com' found: Address of [EMAIL PROTECTED] sent from invalid [No Reverse DNS].). Action=WARN.
12/05/2003 11:21:24 Qb07f13c L2 Message OK
12/05/2003 11:21:24 Qb07f13c Subject: Buy Valium Cheap
12/05/2003 11:21:24 Qb07f13c From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] IP: 202.102.142.58 ID:
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE.
-

Thanks,
Dan Geiser
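A way to read the log above pass by pass, as an added example that is not part of the original post and is not Declude tooling: the parser groups the `Msg failed ... Action=` entries by the `Using [incoming] CFG file` marker and checks the per-test weights against the logged total. The function names and the notion of a "pass" are assumptions of this sketch; the sample lines are excerpted from the log in the message.

```python
"""Group Declude JunkMail log entries per message and per config pass."""
import re
from typing import Dict, List, Tuple

# Lines excerpted from the log posted in the message above.
SAMPLE_LOG = r"""
12/05/2003 11:21:24 Qb07f13c SPAMCOP:7 SBL:5 NOABUSE:2 NOPOSTMASTER:1 BASE64:4 HELOBOGUS:6 REVDNS:4 SPAMHEADERS:3 CBL:5 CSMA-SBL:5 SPAMDOMAINS:10 . Total weight = 52
12/05/2003 11:21:24 Qb07f13c Msg failed REVDNS (This E-mail was sent from a MUA/MTA 202.102.142.58 with no reverse DNS entry.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches or exceeds the limit of 40.). Action=IGNORE.
12/05/2003 11:21:24 Qb07f13c R1 Message OK
12/05/2003 11:21:24 Qb07f13c Using [incoming] CFG file d:\iMail\Declude\american-apex.com\$default$.junkmail.
12/05/2003 11:21:24 Qb07f13c Msg failed BASE64 (A binary encoded text or HTML section was found in this E-mail.). Action=WARN.
12/05/2003 11:21:24 Qb07f13c Msg failed CATCHALLMAILS (). Action=COPYTO.
12/05/2003 11:21:24 Qb07f13c Msg failed WEIGHT-DELETE (Weight of 52 reaches or exceeds the limit of 40.). Action=ROUTETO.
12/05/2003 11:21:24 Qb07f13c L2 Message OK
12/05/2003 11:21:24 Qb07f13c Last action = IGNORE.
"""

ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
TOTAL = re.compile(r"Total weight = (-?\d+)")
WEIGHT = re.compile(r"([A-Z0-9-]+):(-?\d+)")
# The reason text can itself contain ")." so match greedily up to the
# final ". Action=" on the line.
FAILED = re.compile(r"^Msg failed (\S+) \((.*)\)\. Action=(\w+)\.$")
CFG = re.compile(r"^Using \[(\w+)\] CFG file (.+?)\.$")
LAST = re.compile(r"^Last action = (\w+)\.$")


def parse_log(text: str) -> Dict[str, dict]:
    """Return {spool id: {weights, total, passes, last_action}}."""
    messages: Dict[str, dict] = {}
    for line in text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        _, qid, rest = entry.groups()
        msg = messages.setdefault(qid, {
            "weights": {}, "total": None, "last_action": None,
            # Pass 0 holds entries logged before any CFG file is named.
            "passes": [{"cfg": None, "actions": {}}],
        })
        if TOTAL.search(rest):
            msg["total"] = int(TOTAL.search(rest).group(1))
            msg["weights"] = {n: int(w) for n, w in WEIGHT.findall(rest)}
        elif CFG.match(rest):
            msg["passes"].append({"cfg": CFG.match(rest).group(2),
                                  "actions": {}})
        elif FAILED.match(rest):
            test, _, action = FAILED.match(rest).groups()
            msg["passes"][-1]["actions"][test] = action
        elif LAST.match(rest):
            msg["last_action"] = LAST.match(rest).group(1)
    return messages


def acted_on(msg: dict) -> List[Tuple[object, str, str]]:
    """List (cfg file, test, action) for every action other than IGNORE."""
    return [(p["cfg"], test, action)
            for p in msg["passes"]
            for test, action in p["actions"].items()
            if action != "IGNORE"]


def weights_consistent(msg: dict) -> bool:
    """True when the per-test weights add up to the logged total."""
    return sum(msg["weights"].values()) == msg["total"]


if __name__ == "__main__":
    for qid, msg in parse_log(SAMPLE_LOG).items():
        print(qid, "total", msg["total"], "consistent",
              weights_consistent(msg), "last action", msg["last_action"])
        for cfg, test, action in acted_on(msg):
            print(f"  {test:15} {action:8} via {cfg}")
```

On the posted log this shows WEIGHT-DELETE logged with Action=ROUTETO only in the pass that follows the per-domain CFG line, while the closing "Last action" entry still reads IGNORE.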
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Kami,

What is the name of the filter file that you have entries of those type in?

Thanks,
Dan
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Scott,

Do you have plans to offer offloading for WHITELIST HELO and WHITELIST REVDNS?

Thanks,
Dan

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:07 AM
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

> Or does it just apply to WHITELIST FROM entries contained in GLOBAL.CFG?

Only the WHITELIST FROM lines can be moved out of the global.cfg file.

-Scott
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
I'm not sure if everyone has heard, but IronPort bought SpamCop. It's likely that they're fiddling with it. There's an article on Slashdot from Wednesday about it.

http://yro.slashdot.org/article.pl?sid=03/12/03/2016218mode=threadtid=111tid=126tid=137tid=187

Personally, after seeing so many FPs as a result of SpamCop weighting, I stopped using it a year ago.

Darin.
Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
> Do you have plans to offer offloading for WHITELIST HELO and WHITELIST REVDNS?

Not at this time, simply because we can't envision there being a need for 200 such entries. :)

However, the WHITELIST limit is something that comes up frequently, so it is quite possible that more changes will be made to allow for more WHITELIST entries.

-Scott
Re: [Declude.JunkMail] ROUTETO Not Working
> As a test I switched the address listed after the ROUTETO action from myuser@hotmail.com to one of the e-mail addresses I have on the local IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing up immediately.

What version of Declude JunkMail are you running (\IMail\Declude -diag from a command prompt will show you)? With versions before 1.67, the ROUTETO action would not work on outgoing E-mail.

-Scott
Re: [Declude.JunkMail] ROUTETO Not Working
Hello, Scott,

We are running Declude v1.75. Any ideas?

Thanks,
Dan

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:25 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working

> As a test I switched the address listed after the ROUTETO action from myuser@hotmail.com to one of the e-mail addresses I have on the local IMail server, [EMAIL PROTECTED], and the ROUTEd spam started showing up immediately.

What version of Declude JunkMail are you running (\IMail\Declude -diag from a command prompt will show you)? With versions before 1.67, the ROUTETO action would not work on outgoing E-mail.

-Scott
RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses
Dan:

FILTER-REVDNS filter C:\IMail\Declude\Filters\IMail_Filter_REVDNS.txt x 0 0

This is our Global entry for the file.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami,

What is the name of the filter file that you have entries of those type in?

Thanks,
Dan

- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:51 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Yes... Like a filter file:

REVDNS -20 ENDSWITH .amazon.com

I put the period before Amazon to just make sure no funky domain like .spamamazon.com can get through.

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Kami:

I've been taking a look at your configuration files every few weeks and based on what I saw there a couple of months ago, I also started WHITELISTing based on Reverse DNS and HELO a few months back. So there's probably many I'm not seeing as flagged by SPAMCOP because of the whitelist. It just so happened that the 3 I listed had not been whitelisted.

I know that whitelisting will fix the problems but I also know that there is definitely something up with SPAMCOP.

Am I correct that you can only add 100 WHITELIST entries to the GLOBAL.CFG file? Is that 100 each for REVDNS and HELO or 100 total? Is there any way to go past that limit and/or else offload those into a separate file?

How do you do the negative Reverse DNS entries? Is that just by using the FILTER test?

Thanks,
Dan

- Original Message -
From: Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 10:24 AM
Subject: RE: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Dan:

We made a decision a long time ago to whitelist REVDNS of all the folks you had listed. We now have two REVDNS negative files.

1: Whitelist as entered in the Global.cfg (I only hope one day Scott moves these entries to their own files).
2: Negative reverseDNS files that adds negative weight to the ones that are legitimate and used by our users.

That took care of a lot of problems..

Regards,
Kami

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Friday, December 05, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] SPAMCOP Having Legit IP Addresses

Hello, All,

Has anyone noticed in the last few days that the IP addresses of a lot of legitimate e-mailers are showing up on SPAMCOP's blocklists? Specifically I've seen IP addresses for NYTIMES.COM, MICROSOFT.COM and MACROMEDIA.COM and a few others.

Does anyone think it's possible that SPAMCOP's databases are being gamed by Spammers by submitting lots of e-mails with legit IP addresses and pretend that they came across as spam? Or maybe there are uninformed SPAMCOP users who are submitting legit e-mail to SPAMCOP as representative of spam? Or even that IronPort's purchase of SPAMCOP has somehow affected the way that they do things?

Just curious. These legit IPs showing up on SPAMCOP are really throwing lots of False Positives in my weighting system.

Thanks,
Dan
[EMAIL PROTECTED]
Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
I must have missed something along the way. What is externalplus?

Bill

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:06 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

> Based on my reading of the last sniffer thread, this will not cause degradation in performance because Declude is smart enough to only call sniffer once for multiple tests, but
> 1. What if the tests are different types, in this case external and externalplus?

That's not a problem. The test will still only be run once. If the test has been run before in the same way (same program name and parameters), it will not be run again, regardless of whether it is defined as external or externalplus. If the program is called in a different way (with different parameters, for example), then it will be run again.

> 2. What performance impact is there in adding the additional action?

There should be very little degradation in performance. It should not be noticeable.

> 4. If the message gets my subject line modification because it fails weighting, but is whitelisted per the new external plus test, will that negate the action on weighting?

That is correct. When an E-mail is whitelisted, it is forced to pass all the spam tests, so no action will be taken.

-Scott
Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
> I must have missed something along the way. What is externalplus?

It's a test type that lets you run an external test that can do more than a standard test. Instead of returning an exit code that designates pass/fail or a weight to use, it can return codes to tell Declude JunkMail to do specific things. Right now, an exit code of 1 will whitelist an E-mail. Exit codes of 2-9 are reserved for future use, as needed.

-Scott
Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
Nevermind, guess I should have checked the manual before sending... ;-)

Bill

- Original Message -
From: Bill Landry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:48 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

I must have missed something along the way. What is externalplus?

Bill

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 9:06 AM
Subject: Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer

> Based on my reading of the last sniffer thread, this will not cause degradation in performance because Declude is smart enough to only call sniffer once for multiple tests, but
> 1. What if the tests are different types, in this case external and externalplus?

That's not a problem. The test will still only be run once. If the test has been run before in the same way (same program name and parameters), it will not be run again, regardless of whether it is defined as external or externalplus. If the program is called in a different way (with different parameters, for example), then it will be run again.

> 2. What performance impact is there in adding the additional action?

There should be very little degradation in performance. It should not be noticeable.

> 4. If the message gets my subject line modification because it fails weighting, but is whitelisted per the new external plus test, will that negate the action on weighting?

That is correct. When an E-mail is whitelisted, it is forced to pass all the spam tests, so no action will be taken.

-Scott
Re: [Declude.JunkMail] ROUTETO Not Working
> We are running Declude v1.75. Any ideas?

The next step would be to check the IMail SMTP log file to see what it says. If that doesn't provide enough information, the debug mode would be the next step.

-Scott
RE: [Declude.JunkMail] Finding reason for white list
This mystery turned out to be postmaster error. We had white listed our own domain name (I know some people don't think that's a good idea), and neglected to include the @ symbol. So incoming mail appeared to be white listed because a spammer was sending us garbage from [EMAIL PROTECTED]. I'm posting this embarrassing fact for the benefit of anyone who encounters a similar problem.

Keith Purtell, Web/Network Administrator
VantageMed Operations (Kansas City)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
Sent: Monday, December 01, 2003 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Finding reason for white list

>> What is the exact message in the E-mail headers saying that it was whitelisted?
>
> X-Tests-Failed: Whitelisted
>
>> Are you using WHITELIST AUTH or AUTOWHITELIST?
>
> No and yes. In the case of the particular user whose incoming mail I extracted the spam from, none of the spammer addresses were in her address book. I also checked her AutoWhite list.

This looks like a case for the DEBUG mode. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after this problem occurs again, you can then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then E-mail me the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott
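The leading period in Kami's ENDSWITH entry and the missing @ in the whitelist entry described in the message above are the same kind of mistake: an allow entry anchored too loosely. The following Python audit is an added example, not code from any poster or from Declude. It assumes ENDSWITH is a plain string-suffix test and that a WHITELIST FROM entry matches anywhere inside the sender address (both are assumptions), and every entry and address in it is constructed.

```python
# Constructed sample entries (not taken from any real server). The first line
# has the shape quoted in the thread; the "WHITELIST FROM <text>" shape and its
# substring matching are assumptions made for this example.
SAMPLE_RULES = """\
REVDNS -20 ENDSWITH .amazon.com
REVDNS -20 ENDSWITH nytimes.com
WHITELIST FROM @example.org
WHITELIST FROM example.org
"""


def parse_rule(line):
    """Return (field, mode, needle) for the two entry shapes handled here."""
    tokens = line.split()
    if len(tokens) == 4 and tokens[0] == "REVDNS" and tokens[2] == "ENDSWITH":
        return ("revdns", "endswith", tokens[3].lower())
    if len(tokens) == 3 and tokens[:2] == ["WHITELIST", "FROM"]:
        return ("from", "contains", tokens[2].lower())
    return None


def matches(rule, value):
    """Apply the assumed matching semantics to one reverse-DNS name or sender."""
    _field, mode, needle = rule
    value = value.lower()
    return value.endswith(needle) if mode == "endswith" else needle in value


def lookalikes(rule):
    """Build inputs that are NOT the trusted domain but embed its name."""
    field, _mode, needle = rule
    bare = needle.lstrip(".@")  # the domain without its anchoring character
    if field == "revdns":
        # Hostname under a different registered domain ending in the same letters.
        return ["mail.spam" + bare]
    # Sender addresses that only contain the trusted domain as text.
    return ["promo@spam" + bare, bare + "@bulk.example"]


def audit(text):
    """Map each allow entry to the lookalike inputs it would wrongly admit."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        rule = parse_rule(line)
        if rule is None:
            continue
        report[line] = [s for s in lookalikes(rule) if matches(rule, s)]
    return report


if __name__ == "__main__":
    for entry, admitted in audit(SAMPLE_RULES).items():
        status = "LOOSE, admits " + ", ".join(admitted) if admitted else "anchored"
        print(f"{entry:38} {status}")
```

An entry with an empty result is anchored by its leading "." or "@"; any entry that admits a lookalike should be rewritten with that anchor before it is trusted with negative weight or a whitelist.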
RE: [Declude.JunkMail] Help with 'fromfile'
v1.75

~Brad

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, December 04, 2003 5:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Help with 'fromfile'

> And this in junkmail_blockedsendrs.cfg: sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
> I do see BLOCKEDSENDERS firing for other things, but not for this. I'm assuming my error is in junkmail_blockedsenders.cfg, right? Should I change it to @cooldude.sweet-n-sour.com and just hope they don't send from other sub-domains?

What version of Declude are you running (\IMail\Declude -diag from a command prompt will show you)? I believe there was a version that had a problem if the return address was more than 32 characters long, which it is in this case.

-Scott
RE: [Declude.JunkMail] Help with 'fromfile'
> And this in junkmail_blockedsendrs.cfg: sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam
> I do see BLOCKEDSENDERS firing for other things, but not for this. I'm assuming my error is in junkmail_blockedsenders.cfg, right? Should I change it to @cooldude.sweet-n-sour.com and just hope they don't send from other sub-domains?

In this case, it's time for the debug mode. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after an E-mail gets through that should have failed the BLOCKEDSENDERS test, you can then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott
Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
Hello David,

Friday, December 5, 2003, 11:44:41 AM, you wrote:

DS> 3. Anyone see any problems with this scenario?

Ok, I'll answer my own question. In thinking about this more, this isn't going to work. If I recode my rule base to return a 1 instead of 0 on whitelist, then the original sniffer test will interpret the 1 as a spam, then the externalplus test will interpret the 1 as whitelist and override the sniffer external test. So, I still lose the original reason for sniffer failure since sniffer will always be returning a 1, right?

--
Best regards,
David mailto:[EMAIL PROTECTED]
[Declude.JunkMail] Spam Lion Functionality
Hello,

Is anyone familiar with a product called Spam Lion? It's too pricey for my organization, but it seems to do the following:

Upon receipt of incoming email it checks to see if the sender is authorized. If the sender is authorized, the message is passed along to the intended recipients. If the sender is not authorized, the message is quarantined and the sender is notified by email and asked to perform a 1 time registration. Presumably the quarantine spool is automatically cleaned on a recurring basis.

Is it possible to do something similar with Declude?

Thanks,
Burzin

--
Burzin Sumariwalla
Phone: (314) 994-9411 x291
[EMAIL PROTECTED]
Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
Re: [Declude.JunkMail] Whitelistfile options question
> I read through the new Junkmail manual (I know, shocking). This line in the manual prompted this question: Note the file you use with the WHITELISTFILE option does NOT use the same format as the WHITELIST entries in the global.cfg file. Does the WHITELISTFILE option support subdomains? i.e. .example.com?

Yes, it does.

-Scott
Re: [Declude.JunkMail] Spam Lion Functionality
> Is anyone familiar with a product called Spam Lion? It's too pricey for my organization, but it seems to do the following: Upon receipt of incoming email it checks to see if the sender is authorized. If the sender is authorized, the message is passed along to the intended recipients. If the sender is not authorized, the message is quarantined and the sender is notified by email and asked to perform a 1 time registration. Presumably the quarantine spool is automatically cleaned on a recurring basis.

That is called challenge/response, and has many, many drawbacks. In short, you end up becoming a spammer, and your users end up losing a lot of mail.

Even if our customers convinced us that it would be a worthwhile action in Declude JunkMail, someone decided to buy a patent for it, so it would likely cost a large amount of money to take on such a test.

-Scott
RE: [Declude.JunkMail] November 2003 Spam Statistics
Actually what Chris was *supposed* to say was that the gateway version of Alligate does a much better job than the Declude version, not Declude itself. The Declude version is now outdated and had not been updated for several months. The Declude version was not dumped however it is not currently available. We won't offer something for sale unless it is the best we can do.

We got in a couple of new copies of IMail last week so we can set up new test platforms. We have been unable to test the Declude version because our gateway now handles all incoming mail and there is no spam coming into our mail servers to test. The new test platforms will allow us to move some domains out of the normal loop and we will be able to update the Declude version again (shortly we hope).

Brian

On 12/04/03 4:34pm you wrote...

I *believe* I spoke to Chris. If it wasn't dump it was drop. I didn't interpret this as negative statement, just friendly marketing or another opinion among many. I don't think Chris intended this as a put down. Just an opinion on a competing product. You'd hardly expect the person answering the sales line to say anything else. What I am certain about was that I was told that Alligate would do a better job (albeit as its own Gateway) than Declude at blocking spam.

If I've offended or misunderstood anyone, please feel free to correct me.

Thanks,
Burzin

At 03:51 PM 12/4/2003, you wrote:

Was the exact phrase Dump Declude used? If so, who did you speak with? Yes, SpamManager is Alligate is NOXMail. (Original name.) They have made a business decision and I hope them all the luck, as they are doing very well.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
RE: [Declude.JunkMail] November 2003 Spam Statistics
Brian wrote -

> The new test platforms will allow us to move some domains out of the normal loop and we will be able to update the Declude version again (shortly we hope).

For those of us who use the Declude version of Alligate (alongside Sniffer) we hope that's soon! It is great having two full-featured engines that let us rest comfortably if we delete e-mail without inspection. If both engines agree that something is spam, it is probably spam!

Rob
www.iGive.com
Turn your holiday shopping into cash for your cause.
RE: [Declude.JunkMail] Spam Lion Functionality
> Upon receipt of incoming email it checks to see if the sender is authorized. If the sender is authorized, the message is passed along to the intended recipients.

PLEASE RECONSIDER.. Challenge response systems are killing us .. Your users will lose a lot of email, especially if they shop online.

Right now we are having a very difficult time with Earthlink's challenge response and our online receipts being sent to donors. Every single email has to be manually attended to ..

I have sent several messages to companies like Earthlink and suggested to them the idea of creating a universal whitelist for online systems that generate receipts automatically.. If this is not attended to or looked into either online commerce has to die or challenge response.

Regards,
Kami
[Declude.JunkMail] New phishing..
Hi;

We just got the following: - a Phishing attempt. Actually quite interesting.. I clicked on the link to see where it goes. It goes to the actual Visa site but a small window pops up and asks for your visa and various other info for verification.

If only they could use their talents elsewhere..

=

Received: from 81.15.163.193 [81.15.163.193] by foroosh.com (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service [EMAIL PROTECTED]
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service [EMAIL PROTECTED]
Organization: Visa International Service
X-Priority: 3 (Normal)
To:
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED]
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED]: Message failed [EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 53
X-Note: Sent from Reverse DNS: 163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND-destination
X-RCPT-TO:
Status: U
X-UIDL: 331472220

<HTML><HEAD><TITLE>Secure with Visa</TITLE><META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<BODY bgcolor=#ff>
<table ALIGN=center cellpadding="0" cellspacing="0" border="0"><tr><td>
<table ALIGN=center cellpadding="0" cellspacing="0" border="0"><tr width="610"><td height="118"><center><IMG src="http://www.angelfire.com/tv2/cardvisa3/p_secure_holiday.jpg"></center></td></tr>
<table ALIGN=center cellpadding="0" cellspacing="0" border="0"><tr><td><br><b>Dear Customer,<br><br>
Our latest security system will help you to avoid possible fraud actions and<br>
keep your investments in safety.<br><br>
Due to technical security update you have to reactivate your account<br><br>
Click on the link below to login to your updated Visa account.<br><br>
To log into your account, please visit the Visa Website at <br><br>
<a href="http://www.visa.com :UserSession=2f6q9uuu88312264trzzz55884495usersoption=SecurityUpdate[EMAIL PROTECTED]/verified_by_visa.html">http://www.visa.com</a> <br><br>
We respect your time and business.<br>
It's our pleasure to serve you.<br><br><br></b>
Please don't reply to this email. This e-mail was generated by a mail handling system.<br><br><br>
<center><IMG src="http://www.geocities.com/cardvisa3/white_visa_logo.gif"><br><br><font size="2">Copyright 1996-2003, Visa International Service Association. All rights reserved.</center><br><br></td></tr></table></td></tr></table></td></tr></table></BODY></HTML>
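The link in the message above displays http://www.visa.com as its text while the href carries extra material after that name. As an added example (not part of the original post and not Declude code), this Python check flags links of that shape; the sample HTML is constructed, `redacted-host.example` is a placeholder, and it assumes the part the archive redacted held an `@` followed by the real host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the first link copies the shape of the link in the post;
# "redacted-host.example" stands in for the part the archive redacted.
SAMPLE_HTML = """
<p>To log into your account, please visit the Visa Website at
<a href="http://www.visa.com :UserSession=2f6q9uuu88312264trzzz55884495usersoption=SecurityUpdate@redacted-host.example/verified_by_visa.html">http://www.visa.com</a></p>
<p><a href="http://www.visa.com/">http://www.visa.com</a></p>
<p><a href="http://shop.example/receipt"><b>View your receipt</b></a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased host a client would connect to, or None."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None


def audit_link(href, text):
    """Return the reasons a link is suspicious (empty list if none)."""
    try:
        parts = urlsplit(href.strip())
        real_host = parts.hostname
    except ValueError:
        return ["unparseable-href"]
    if parts.scheme not in ("http", "https"):
        return []
    reasons = []
    authority = parts.netloc
    if "@" in authority:
        # Everything before the last '@' is credentials, not the host.
        reasons.append("userinfo-in-href")
        claimed = authority.rpartition("@")[0].split(":", 1)[0].strip().lower()
        if "." in claimed and claimed != real_host:
            reasons.append("userinfo-imitates-host:" + claimed)
    if any(c.isspace() or ord(c) < 0x20 for c in authority):
        reasons.append("whitespace-in-authority")
    shown = text.strip()
    if shown.lower().startswith(("http://", "https://", "www.")):
        # The visible text claims to be a URL: compare its host with the real one.
        if "://" not in shown:
            shown = "http://" + shown
        shown_host = host_of(shown)
        if shown_host and real_host and shown_host != real_host:
            reasons.append("text-host-mismatch:%s->%s" % (shown_host, real_host))
    return reasons


def audit_html(html):
    """Return (href, text, reasons) for every suspicious link in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = audit_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_html(SAMPLE_HTML):
        print(text, "->", host_of(href), reasons)
```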
RE: [Declude.JunkMail] November 2003 Spam Statistics
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, December 05, 2003 2:18 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics snip our gateway now handles all incoming mail and there is no spam coming into our mail servers to test. The new test platforms will allow us to move some domains /snip So are you saying your product when used as a gateway is 100% effective at removing spam? Nothing slips through Darrell --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spam Lion Functionality
Combined with a weighting scheme it IS a worthwhile option.

Currently, our options are BOUNCE (or now that ridiculous renamed version of the same action) - which means a FALSE positive will receive a notice and now has to contact us manually to address the false positive status. Or we DELETE - and have nightmares about possible false positives.

If Declude had a VALIDATE action (for emails that normally would BOUNCE or DELETE or HOLD), then those highly questionable mails would simply get an email (not any worse than using BOUNCE!) but at least the 0.1% of false positives could help themselves.

The end-result for Declude users - we could much more worry-free VALIDATE emails that otherwise we would have to pass. Less Spam would get through (due to higher threshold). False positives would not require the sys-admin to scan through Held mail - but instead the responsibility would be back in the lap of the sender who used an implicated mail server.

Sorry - I really don't see why this is not a highly desirable feature and how this would create spam that the WARN or BOUNCE action don't generate already!?

Best Regards
Andy
RE: [Declude.JunkMail] Spam Lion Functionality
> Sorry - I really don't see why this is not a highly desirable feature and how this would create spam that the WARN or BOUNCE action don't generate already!?

It doesn't create more spam than BOUNCE -- it creates the exact same amount. But that's the problem. Instead of 1,000 E-mails to you being blocked as spam, if the spammer chooses my E-mail address to use as the return address, you'll now get 0 spams -- but I'll get 1,000. Less annoying spams, yes, but spam nonetheless. And actually harder to deal with, since they come from your server (so they are much less likely to get caught), and I have to verify that the bounce messages aren't for E-mails I sent.

Yes, if you set it up well -- not requiring verifications for E-mails that have a low weight (probably legit; mail that wouldn't otherwise be blocked) and not requiring them for E-mails with a high weight (almost certainly spam) -- it could be useful, with minimal collateral damage. But even so, there's the problem with mailing lists, and the temptation to block a bit more spam by requiring confirmations on lower weights (for example, if someone asks me for free advice, they are likely to get it -- but not if they block my mail or require a confirmation, since just about everything under our control is set up perfectly from an anti-spam perspective, and responding to confirmations is a nuisance, and may not even work).

Then, there's the spammers (aka SpamArrest) that harvest confirmations addresses and sell them to spammers, and the spammers that send pretend confirmations to get people to their websites -- these make it less likely legit people will confirm.

But, the ultimate challenge is the patent. That means that it would require either [1] paying royalties to the guy that bought the patent, or [2] challenging the patent. We haven't yet found enough benefit from such a test to warrant estimating those costs, given that they are likely to be much higher than for any other spam test we've added.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
Re: [Declude.JunkMail] Multiple Actions/ExternalPlus/Sniffer
I'm not sure I'm following you... but I think what you might need is an additional license.

Suppose you create one rulebase that will contain only your white rules. Then leave the normal sniffer rulebase alone. The small rulebase with the white rules will be so small as to require nearly no additional processing power. You would have your white rules, and you would retain any black rules that matched as well.

An alternative while still using a single rulebase is to parse the log file for the details with an additional utility. Message Sniffer can only return a single numeric result, but it records all of the rules that matched.

Hope this helps,
_M

At 02:02 PM 12/5/2003, you wrote:
> Hello David,
>
> Friday, December 5, 2003, 11:44:41 AM, you wrote:
>
> DS> 3. Anyone see any problems with this scenario?
>
> Ok, I'll answer my own question. In thinking about this more, this isn't going to work. If I recode my rule base to return a 1 instead of 0 on whitelist, then the original sniffer test will interpret the 1 as a spam, then the externalplus test will interpret the 1 as whitelist and override the sniffer external test. So, I still lose the original reason for sniffer failure since sniffer will always be returning a 1, right?
>
> --
> Best regards,
> David mailto:[EMAIL PROTECTED]
Re: [Declude.JunkMail] New phishing..
Kami,

I noticed that the [EMAIL PROTECTED] filter got tripped without the @LINKED filter. Please download a more recent copy from my site. This obviously shouldn't be happening.

Matt

Kami Razvan wrote:
> Hi;
>
> We just got the following: - a Phishing attempt. Actually quite interesting.. I clicked on the link to see where it goes. It goes to the actual Visa site but a small window pops up and asks for your visa and various other info for verification.
>
> If only they could use their talents elsewhere..
RE: [Declude.JunkMail] Spam Lion Functionality
I didn't know that concept was patented. It seems pretty old to me-- halt who goes there? Anyway I did some research, and here's what I found:

Here are some links... read if you are interested:

http://www.cleanmymailbox.com/mailblocks.html -- links to patent infringement issue
http://www.geocities.com/spamresources/filter-cr.htm

Burzin

At 02:29 PM 12/5/2003, you wrote:
> But, the ultimate challenge is the patent. That means that it would require either [1] paying royalties to the guy that bought the patent, or [2] challenging the patent. We haven't yet found enough benefit from such a test to warrant estimating those costs, given that they are likely to be much higher than for any other spam test we've added.
>
> -Scott

--
Burzin Sumariwalla
Phone: (314) 994-9411 x291
[EMAIL PROTECTED]
Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
---
[This E-mail scanned for viruses by Declude Virus]
RE: [Declude.JunkMail] Spam Lion Functionality
Patent Number?

Many patents exist and seem to be broad. But often, upon close examination, the claims may be much narrower) than the casual reader appreciates. Also, one has to look at the patent file wrapper to determine the outcome of prior art searches to see if subsequent communication with the examiner may have further narrowed the scope.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] Spam Lion Functionality
FYI, I have filters set to look for those challenge/response messages and add a high weight. :)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Burzin Sumariwalla
Sent: Friday, December 05, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality

Don't worry Kami and others... Even if I implemented something similar, I never envisioned deploying it domain-wide or relying upon it as a single test. Instead I envisioned deploying it for selected users-- I wouldn't have even asked if a key user hadn't requested this. In our organization, the bulk of the email traffic seems to be within the domain itself, so it may have worked for us

Oh well

Burzin

At 01:30 PM 12/5/2003, you wrote:
> > Upon receipt of incoming email it checks to see if the sender is authorized. If the sender is authorized, the message is passed along to the intended recipients.
>
> PLEASE RECONSIDER..
>
> Challenge response systems are killing us .. Your users will lose a lot of email specially if they shop online. Right now we are having a very difficult time with Earthlink's challenge response and our online receipts being sent to donors. Every single email has to be manually attended to ..
>
> I have sent several messages to companies like Earthlink and suggested to them the idea of creating a universal whitelist for online systems that generate receipts automatically.. If this is not attended to or looked into either online commerce has to die or challenge response.
>
> Regards,
> Kami
RE: [Declude.JunkMail] Spam Lion Functionality
> Patent Number?

6,199,102. To view it, you can go to http://patft.uspto.gov/netahtml/srchnum.htm and enter 6,199,102 there. For a bit of background, you can go to http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm

> the claims may be much narrower) than the casual reader appreciates. Also, one has to look at the patent file wrapper to determine the outcome of prior art searches to see if subsequent communication with the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue. Patent law isn't simple.

FWIW, a number of people have tried to find prior art, and were unable. Extensive searches? Probably not. But a number of anti-spam people tried and were unable to.

-Scott
Re: [Declude.JunkMail] Spam Lion Functionality
This just needs to be tested in court I would imagine. The patent office has been known to issue patents recently on things such as swinging on a swing and peanut butter and jelly sandwiches. This doesn't sound like it is revolutionary in any way shape or form and it is quite easy to develop with existing tools. One could get this to function with Declude in just a day of work for instance.

Personally I favor the idea of digest notifications with the ability to retrieve and/or whitelist messages that might have been blocked. BTW, that idea is copyrighted by Matthew Bramble, all rights reserved, and I'd patent it also if I wanted to be a complete jerk :)

Matt
RE: [Declude.JunkMail] November 2003 Spam Statistics
> Actually what Chris was *supposed* to say was that the gateway version of Alligate does a much better job than the Declude version, not Declude itself.

Thanks for the clarification Brian.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You
Re: [Declude.JunkMail] November 2003 Spam Statistics
This is great news, Brian! Thanks for continuing to support the Declude version of Alligate.

Bill

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:18 AM
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics

Actually what Chris was *supposed* to say was that the gateway version of Alligate does a much better job than the Declude version, not Declude itself. The Declude version is now outdated and had not been updated for several months.

The Declude version was not dumped however it is not currently available. We won't offer something for sale unless it is the best we can do.

We got in a couple of new copies of IMail last week so we can set up new test platforms. We have been unable to test the Declude version because our gateway now handles all incoming mail and there is no spam coming into our mail servers to test. The new test platforms will allow us to move some domains out of the normal loop and we will be able to update the Declude version again (shortly we hope).

Brian

On 12/04/03 4:34pm you wrote...
> I *believe* I spoke to Chris. If it wasn't dump it was drop. I didn't interpret this as negative statement, just friendly marketing or another opinion among many. I don't think Chris intended this as a put down. Just an opinion on a competing product. You'd hardly expect the person answering the sales line to say anything else.
>
> What I am certain about was that I was told that Alligate would do a better job (albeit as its own Gateway) than Declude at blocking spam. If I've offended or misunderstood anyone, please feel free to correct me.
>
> Thanks,
> Burzin
>
> At 03:51 PM 12/4/2003, you wrote:
> > Was the exact phrase Dump Declude used? If so, who did you speak with?
> >
> > Yes, SpamManager is Alligate is NOXMail. (Original name.) They have made a business decision and I hope them all the luck, as they are doing very well.
> >
> > John Tolmachoff
> > Engineer/Consultant/Owner
> > eServices For You
Re: [Declude.JunkMail] ROUTETO Not Working
Scott,

In my initial post about this issue in the section with the entries from the Declude log file the last entry is...

12/05/2003 11:21:24 Qb07f13c Last action = IGNORE

Does that have anything to do with the fact that the message is not being sent over to my Hotmail account? If so, can you tell why the Last action = ignore?

Also, in your below response, you say debug mode would be the next step. Are you talking about 'debug mode' for Declude JunkMail? Do I enable that by setting the Log Level to Debug in GLOBAL.CFG?

Thanks,
Dan

- Original Message -
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 12:54 PM
Subject: Re: [Declude.JunkMail] ROUTETO Not Working

> > We are running Declude v1.75. Any ideas?
>
> The next step would be to check the IMail SMTP log file to see what it says. If that doesn't provide enough information, the debug mode would be the next step.
>
> -Scott

---
Sign up for virus-free and spam-free e-mail with Nexus Technology Group
http://www.nexustechgroup.com/mailscan
RE: [Declude.JunkMail] Spam Lion Functionality
Hi,

I guess it's worthwhile to see how Earthlink's prior art defense (e.g., http://news.com.com/2010-1032_3-1003921.html) will hold up. I wouldn't write off this concept, yet. I've seen this kind of thing pop up and eventually die more than once (but, certainly, sometimes software patents turn out to be legit.)

Best Regards
Andy
RE: [Declude.JunkMail] Spam Lion Functionality
Oh forgot to add: http://www.spamwolf.com/patents/prior_art.html -- prior work on c/r.

Burzin

At 02:29 PM 12/5/2003, you wrote:
> But, the ultimate challenge is the patent. That means that it would require either [1] paying royalties to the guy that bought the patent, or [2] challenging the patent. We haven't yet found enough benefit from such a test to warrant estimating those costs, given that they are likely to be much higher than for any other spam test we've added.
>
> -Scott
RE: [Declude.JunkMail] November 2003 Spam Statistics
Here are the stats for Tuesday. Wednesday and Thursday we were testing some things the stats were skewed. This was for our main solidoak.com domain mail server (general business, not tech support). Our tech support server lets more spam through, however we can only do limited header type spam checking because of the type of content the message bodies might contain. People are reporting porno web sites all the time to our CYBERsitter support accounts.

For Tuesday, there was 1 false positive (Delivery Req) and 4 spams that got through. So with 5139 incoming connection requests, and 4 spams that got through, it was 99.92% effective. At least for that day ;) Some days we don't get any spam, but on bad days as many as 20 may get by. Rarely does any single user get more than 1. But as you might guess, this level is not much to test with.

The first set of stats (Alligate Statistics) are from the filtering module that is similar to the Declude version and will (eventually) be identical. The second set of stats (Alligate SMTP Daily Statistics) is an overall summary of delivery. A lot of spam is stopped at the front door by the SMTP service using the tarpitting and dictionary attack defense mechanisms among others.

Alligate Statistics for: Tue, 02 Dec 2003
Report date: Fri, 05 Dec 2003 01:09pm

Incoming Msgs:    3173
Outgoing Msgs:     152
Total Msgs:       3325
Est Legit Mail:    696

                         %Inc  %Fld
-----------------------------------
Adult Msgs:        136     4%    5%
Spam Msgs:        2492    79%   95%
Total Failed:     2628    83%
Repeat Spammers:  1300    41%   49%
Banned File Att:    20     1%    1%
Viruses:            14     0%    1%
Total Deleted:    2208    70%   84%
Total Held:        420    13%   16%
Msgs Passed:       160     5%
Msgs Ignored:      536    16%
Delivery Req:        1     0%

Avg Spam Score:   56
Avg Adult Score:  36
Avg Exit Score:   57
Avg Proc Time:    48 milliseconds.

Alligate SMTP Daily Statistics for: 12/2/2003

Incoming connections:       5139
Valid Recipients:           4106
Invalid Recipients:         1361
Messages delivered:          701
Spammers tarpitted:          557
Tarpit client disconnects:    64
Connections per minute:        3
Deliveries per minute:         0
Overall delivery rate:       14%
Overall rejection rate:      86%

On 12/05/03 2:56pm you wrote...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 05, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] November 2003 Spam Statistics

snip
our gateway now handles all incoming mail and there is no spam coming into our mail servers to test. The new test platforms will allow us to move some domains
/snip

So are you saying your product when used as a gateway is 100% effective at removing spam? Nothing slips through

Darrell
Re: [Declude.JunkMail] ROUTETO Not Working
In my initial post about this issue in the section with the entries from the Declude log file the last entry is...

12/05/2003 11:21:24 Qb07f13c Last action = IGNORE

Does that have anything to do with the fact that the message is not being sent over to my Hotmail account? If so, can you tell why the Last action = ignore?

That's normal. The Last action line refers to an action that is taken after all the recipients have been processed, but the ROUTETO action is done before that.

Also, in your below response, you say debug mode would be the next step. Are you talking about 'debug mode for Declude JunkMail? Do I enable that by setting the Log Level to Debug in GLOBAL.CFG?

Don't worry about that yet -- the IMail SMTP log file entries are the first step.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
RE: [Declude.JunkMail] Spam Lion Functionality
Scott:

it would require either [1] paying royalties to the guy that bought the patent, or [2] challenging the patent.

Actually - NO. The preferred (3rd) option is to obtain a limited, but FREE license (or a $1.00 or other minimal fee) license to use the patented methods. The terms of the license are not disclosed - but THEY can show that the patent is being recognized (by citing another licensee - you) and THEY are doing the right thing by not stifling spam-fighting.

Don't assume that every license must cost money (in this early stage). They may want to go after the BIG guys with the big money and want to garner support of the small guys.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/
RE: [Declude.JunkMail] Spam Lion Functionality
Hi Scott:

I understand - no sense getting involved until EarthLink has invalidated most of the claims. I think this is a key quote:

Mailblocks' Goldman admits that there were prior publications, but argues that at least some portions of his patents remain valid. The patents have very specific claims in them, Goldman told me. The claims are different than the types of things people have been doing before. Maybe here and there, they're the same so not 100 percent of the claims are valid, but many of them are.

Translated that means - if key claims are eliminated because of prior art, then the patent may possibly still 'survive' - but everyone will simply design their own challenge/response systems to mirror the prior art. The only thing to avoid are the truly new inventions that are left in the remaining claims - unless the remaining claims would have been obvious based on the prior art.

Overall - I'm pretty encouraged by the quality of what has been cited already:

By Aug. 28, 1997, when Christopher Alan Cobb filed for his patent that eventually was purchased by Mailblocks, the challenge-response idea had become commonplace on the Internet:

Brad Templeton, chairman of the Electronic Frontier Foundation, had written his Viking-12 CR utility and was using it. Templeton says he'd be delighted to testify on behalf of EarthLink to help the company invalidate the Mailblocks patent.

Over a year earlier, Brent Chapman's majordomo, the popular mailing list software, included a CR feature.

A November 1996 post to Usenet's news.admin.net-abuse.usenet newsgroup talks about a random challenge that is very easy for a human to respond to, but next to impossible for a computer. Another from January 1997 describes an e-mail spam block 'bot that was so effective I've received hate mail from spammers concerning it, and a third post describes a commercial product called the Deadbolt Personal E-mail Filter.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 04:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality

Patent Number?

6,199,102. To view it, you can go to http://patft.uspto.gov/netahtml/srchnum.htm and enter 6,199,102 there. For a bit of background, you can go to http://www.bayarea.com/mld/mercurynews/business/columnists/tech_test_drive/5565050.htm

ms may be much narrower) than the casual reader appreciates. Also, one has to look at the patent file wrapper to determine the outcome of prior art searches to see if subsequent communication with the examiner may have further narrowed the scope.

Good points -- and exactly why it would be expensive to pursue. Patent law isn't simple.

FWIW, a number of people have tried to find prior art, and were unable. Extensive searches? Probably not. But a number of anti-spam people tried and were unable to.

-Scott
RE: [Declude.JunkMail] Spam Lion Functionality
<sarcasm>
I love challenge-response systems. They create revenue opportunities for knowledgeable IT professionals, and they make sure there isn't any unused bandwidth, especially when two challenge-response systems somehow lose track of each other and send millions of emails back and forth between each other until someone notices that their mail server has somehow processed 100 million messages but only allowed 50 through.
</sarcasm>

Challenge response systems are killing us .. Your users will lose a lot of email especially if they shop online.
[Declude.JunkMail] The first time BONDEDSENDER didn't work for me
Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by mail.bentall.com
  (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
  by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
  for snip; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: Snapper S. Perseid [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: snip snip
Subject: [Msg Track# snip] Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would be suspect. In fact, it is heavily listed in static and dynamic ip4r databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight that this phishing spam got through.

So, I'm thinking of renaming my test to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)
RE: [Declude.JunkMail] Spam Lion Functionality
Your users will lose a lot of email especially if they shop online.

Again - with a weight-based system, they would not lose any email - as long as the online shop manages to stay off black-lists, has a valid RDNS, has a valid Hostname, etc. Assuming it's tied to a weight-based system, I see them as a great opportunity to 'tighten the noose' without blocking legitimate email.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
http://www.HM-Software.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keith Anderson
Sent: Friday, December 05, 2003 05:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Spam Lion Functionality

<sarcasm>
I love challenge-response systems. They create revenue opportunities for knowledgeable IT professionals, and they make sure there isn't any unused bandwidth, especially when two challenge-response systems somehow lose track of each other and send millions of emails back and forth between each other until someone notices that their mail server has somehow processed 100 million messages but only allowed 50 through.
</sarcasm>

Challenge response systems are killing us .. Your users will lose a lot of email especially if they shop online.
Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me
Andrew,

I think you have a very good idea, in fact, all negative weight tests should probably be limited to just the last hop since they are typically designed to only apply to the last hop. It might be a good idea for Scott to limit BONDEDSENDER to the last hop by default, and maybe give us another prefix/suffix to use for this purpose instead of DYNA or DUL since that might not be easily understood by some.

Matt

Colbeck, Andrew wrote:

Check out these received lines:

Received: from h24-87-101-24.vs.shawcable.net [24.87.101.24] by mail.bentall.com
  (SMTPD32-8.02) id A3A4A8B007C; Thu, 04 Dec 2003 22:20:20 -0800
Received: from ebay.com (lore.ebay.com [66.135.195.181])
  by h24-87-101-24.vs.shawcable.net (Postfix) with ESMTP id 5CE7E8F5E3
  for snip; Fri, 05 Dec 2003 00:20:20 -0600
Date: Fri, 05 Dec 2003 00:20:20 -0600
From: Snapper S. Perseid [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.7) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: snip snip
Subject: [Msg Track# snip] Your billing profile on ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

The Shaw Cable address is for a home user and e-mail directly from it would be suspect. In fact, it is heavily listed in static and dynamic ip4r databases, spamdomains, etc. and that would put it well over my hold weight.

The line with lore.ebay.com is entirely fake, but the address for lore.ebay.com is correct, and BONDEDSENDER had a high enough negative weight that this phishing spam got through.

So, I'm thinking of renaming my test to BONDEDSENDER-DYNA so that Declude will only check the bondedsender ip4r test against the first hop.

Does anybody see a problem with doing that?

Andrew 8)
Re: [Declude.JunkMail] Spam Lion Functionality
Didn't think of that one. I guess this goes to the design of the system though, and the fact that some clearly haven't considered the looping potential.

Matt

Keith Anderson wrote:

<sarcasm>
I love challenge-response systems. They create revenue opportunities for knowledgeable IT professionals, and they make sure there isn't any unused bandwidth, especially when two challenge-response systems somehow lose track of each other and send millions of emails back and forth between each other until someone notices that their mail server has somehow processed 100 million messages but only allowed 50 through.
</sarcasm>

Challenge response systems are killing us .. Your users will lose a lot of email especially if they shop online.
RE: [Declude.JunkMail] Help with 'fromfile'
Aha! Another one hasn't been sent yet, but I think I see it already:

12/05/2003 14:17:34.980 Q03fd3cc fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:17:34.980 Q03fd3cc fromfile: Done with BLOCKEDSENDERS [2 lines processed]

I had three lines, but only two carriage return line feeds. I think I've fixed it:

12/05/2003 14:18:09.481 Q041f39c fromfile: Starting BLOCKEDSENDERS
12/05/2003 14:18:09.497 Q041f39c fromfile: Done with BLOCKEDSENDERS [3 lines processed]

Thanks!
~Brad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Friday, December 05, 2003 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Help with 'fromfile'

And this in junkmail_blockedsendrs.cfg:

sweet-n-sour.comdomain (@cooldude.sweet-n-sour.com) sends spam

I do see BLOCKEDSENDERS firing for other things, but not for this. I'm assuming my error is in junkmail_blockedsenders.cfg, right? Should I change it to @cooldude.sweet-n-sour.com and just hope they don't send from other sub-domains?

In this case, it's time for the debug mode. To use the debug mode, you can change the LOGLEVEL LOW line in \IMail\Declude\global.cfg to LOGLEVEL DEBUG. Then, after an E-mail gets through that should have failed the BLOCKEDSENDERS test, you can then switch back to LOGLEVEL LOW (the debug mode adds huge amounts of information to the log file). You can then send me the \IMail\spool\dec.log file (as an attachment, NOT sent from web messaging), and I can take a look at it to see what is happening.

-Scott
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob
RE: [Declude.JunkMail] Spam Lion Functionality
I also think that one needs to examine the purpose of the email system before using this or any other anti-spam technique. I think it works well for specific organizations. For example, I found out about the product because I tried to contact one of my vendors and was presented with the need for authentication. I figure that this probably helps the sales team as they have little need to be contacted by random parties.

Note: This presupposes that the contact process is screened somehow.

Note 2: I should not have had to authenticate with anybody at the company as I was already a known client-- I chalk this up to poor challenge/response management.

Here's a good article on points to consider when implementing C/R.
http://www.templetons.com/brad/spam/challengeresponse.html

Does C/R work well at a broad ISP level? I don't know. I'd be really leery of implementing C/R as a first or single test if I didn't understand the organization better.

Just 2 more cents
Burzin

At 04:24 PM 12/5/2003, you wrote:

Your users will lose a lot of email especially if they shop online.

Again - with a weight-based system, they would not lose any email - as long as the online shop manages to stay off black-lists, has a valid RDNS, has a valid Hostname, etc. Assuming it's tied to a weight-based system, I see them as a great opportunity to 'tighten the noose' without blocking legitimate email.

Best Regards
Andy Schmidt

HM Systems Software, Inc.
600 East Crescent Avenue, Suite 203
Upper Saddle River, NJ 07458-1846
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

--
Burzin Sumariwalla
Phone: (314) 994-9411 x291
[EMAIL PROTECTED]
Fax: (314) 997-7615
Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO 63131
Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
I meant negative weights on last hop for the RBL's. There are only a few popular ones out there. Gateways should be IPBYPASSed.

Matt

Robert Grosshandler wrote:

Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob
RE: [Declude.JunkMail] Spam Lion Functionality
I have a client that insists on trying these silly challenge-response tricks and gets caught into that trap all the time. I don't know why, but he'll wake up one morning and decide to install one of those utilities on all of his company's workstations. He forgets that his mail server is setup to modify messages with a privacy statement at the bottom, and a tag in the subject line, so the challenge-response emails are unrecognized when they are returned by the machine to which they were sent, which didn't recognize it either.

Then after an hour or two, especially after a few of the employees have sent a number of emails to group accounts, the mail server stops responding... CPU at 100% trying to handle the email challenges and responses that are multiplying each time they hit another group account.

Then it's $100 for the service call, $200 an hour for an on-site visit to clean up the problem... so, like I said, I'm not personally bothered by this type of thing. I've got guys standing around that need work.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Bramble
Sent: Friday, December 05, 2003 3:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Spam Lion Functionality

Didn't think of that one. I guess this goes to the design of the system though, and the fact that some clearly haven't considered the looping potential.
[Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30
Scott,

This is the first time that I have ever seen this and it occurred just a few days after upgrading from 1.75i6 to 1.76i28-30. Unlike some others that I have noted in the past, I am using IMail 7.15 Hotfix 2, so it doesn't seem related to IMail 8. I'm thinking that since I first noticed this so soon after upgrading to the 1.76 beta (I was on 1.75 until a few days ago), that it in fact has something to do with Declude and something that was introduced with 1.76.

This message shows up in all of my logs, including both Declude logs, but the message headers don't show any marks and the message scored 8 times my hold weight and was still delivered. The corresponding section of all associated logs and the message headers follow.

Thanks,
Matt

--- Message Headers ---

From - Fri Dec 05 18:43:42 2003
X-UIDL: 363570087
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Received: from e.greatestsavingsnow.com [64.119.217.36] by igaia.com
  (SMTPD32-7.15) id A80046101B0; Fri, 05 Dec 2003 18:42:56 -0500
To: [EMAIL PROTECTED]
Date: Fri, 5 Dec 2003 18:43:00 -0500
Message-ID: [EMAIL PROTECTED]
From: Degrees Online [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: At No Cost to you - Let our online advisors help you
X-MimeOLE: Prodigy Compatibility V 4.f416b237 or later
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 363570087

--- IMail Log ---

20031205 184256 127.0.0.1 SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184256 127.0.0.1 SMTPD (046101B0) [64.119.217.36] HELO e.greatestsavingsnow.com
20031205 184256 127.0.0.1 SMTPD (046101B0) [64.119.217.36] MAIL FROM: [EMAIL PROTECTED]
20031205 184257 127.0.0.1 SMTPD (046101B0) [64.119.217.36] RCPT TO: [EMAIL PROTECTED]
20031205 184258 127.0.0.1 SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1 SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1 SMTP (3696) E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1 SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
20031205 184258 127.0.0.1 SMTP (3696) ldeliver igaia.com matt-main (1) [EMAIL PROTECTED] 1332
20031205 184258 127.0.0.1 SMTP (3696) finished E:\spool\Q1800046101b02123.SMD status=1
20031205 184258 127.0.0.1 SMTP (3696) E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1 SMTP (3696) processing E:\spool\Q2e6e006301c6bc72.SMD
20031205 184258 127.0.0.1 SMTP (3696) Trying a-znet.com (0)
20031205 184258 127.0.0.1 SMTP (3696) Connect a-znet.com [209.105.132.200:25] (1)
20031205 184258 127.0.0.1 SMTP (3696) 220 mail01.ispc.xtelegent.net ESMTP Postfix
20031205 184258 127.0.0.1 SMTP (3696) EHLO igaia.com
20031205 184258 127.0.0.1 SMTP (3696) 250-mail01.ispc.xtelegent.net
20031205 184258 127.0.0.1 SMTP (3696) 250-PIPELINING
20031205 184258 127.0.0.1 SMTP (3696) 250-SIZE 1024
20031205 184258 127.0.0.1 SMTP (3696) 250-VRFY
20031205 184258 127.0.0.1 SMTP (3696) 250-ETRN
20031205 184258 127.0.0.1 SMTP (3696) 250 8BITMIME
20031205 184258 127.0.0.1 SMTP (3696) MAIL FROM:[EMAIL PROTECTED]
20031205 184258 127.0.0.1 SMTP (3696) 250 Ok
20031205 184258 127.0.0.1 SMTP (3696) RCPT To:[EMAIL PROTECTED]
20031205 184259 127.0.0.1 SMTP (3696) 450 [EMAIL PROTECTED]: User unknown in local recipient table
20031205 184259 127.0.0.1 SMTP (3696) QUIT
20031205 184259 127.0.0.1 SMTP (3696) 221 Bye
20031205 184259 127.0.0.1 SMTP (3696) requeuing E:\spool\Q2e6e006301c6bc72.SMD R0 T68
20031205 184259 127.0.0.1 SMTP (3696) finished E:\spool\Q2e6e006301c6bc72.SMD status=3
20031205 184259 127.0.0.1 SMTP (3696) E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1 SMTP (3696) processing E:\spool\Q2f32139d013ebc15.SMD
20031205 184259 127.0.0.1 SMTP (3696) Trying a-znet.com (0)
20031205 184259 127.0.0.1 SMTP (3696) Connect a-znet.com [209.105.132.200:25] (1)
20031205 184259 127.0.0.1 SMTP (3696) 220 mail02.ispc.xtelegent.net ESMTP Postfix
20031205 184259 127.0.0.1 SMTP (3696) EHLO igaia.com
20031205 184259 127.0.0.1 SMTP (3696) 250-mail02.ispc.xtelegent.net
20031205 184259 127.0.0.1 SMTP (3696) 250-PIPELINING
20031205 184259 127.0.0.1 SMTP (3696) 250-SIZE 1024
20031205 184259 127.0.0.1 SMTP (3696) 250-VRFY
20031205 184259 127.0.0.1 SMTP (3696) 250-ETRN
20031205 184259 127.0.0.1 SMTP (3696) 250 8BITMIME
20031205 184259 127.0.0.1 SMTP (3696) MAIL FROM:[EMAIL PROTECTED]
20031205 184259 127.0.0.1 SMTP (3696) 250 Ok
20031205 184259 127.0.0.1 SMTP (3696) RCPT To:[EMAIL PROTECTED]
20031205 184300 127.0.0.1 SMTP (3696) 450 [EMAIL PROTECTED]: User unknown in local recipient table
20031205 184300 127.0.0.1 SMTP (3696) QUIT
20031205 184300 127.0.0.1 SMTP (3696) 221 Bye
20031205 184300 127.0.0.1 SMTP
Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me
George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops. I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play.

Matt

George Kulman wrote:

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me me

Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob
RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me
Matt,

I do scan multiple hops.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Friday, December 05, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops. I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play.

Matt

George Kulman wrote:

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob
[Declude.JunkMail] Request for a possible new feature - Whitelist Reason
Scott:

Would it be possible to indicate why an email is whitelisted in the headers? Like:

Whitelisted(Auth)
Whitelisted(Auto)
Whitelisted(CFG)
Whitelisted(File)

This would make it easier to determine why an email is whitelisted.

Sincerely,
J.D. Springer

---
[This E-mail scanned for viruses by Declude Virus at MAILER.DB2Consulting.com]
Re: [Declude.JunkMail] Declude not taking action, IMail 7.15 H2 with Declude 1.76i30
Well, I was really hoping it would have been a Declude problem...that way it probably would have been fixed in days as opposed to requiring me to get an upgrade to IMail 8 for them to fix the issue. I'm going to reduce my queue from running every 15 minutes to every hour just to lessen the possibility of this happening. Please keep us posted if you hear anything. I imagine it will take them a while and IMail 7 users may be out in the dark.

Matt

R. Scott Perry wrote:

This is the first time that I have ever seen this and it occurred just a few days after upgrading from 1.75i6 to 1.76i28-30. Unlike some others that I have noted in the past, I am using IMail 7.15 Hotfix 2, so it doesn't seem related to IMail 8.

This is getting scary. It looks like there is a serious bug in IMail v7 and v8 that is just starting to be discovered:

--- IMail Log ---
20031205 184256 127.0.0.1 SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1 SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1 SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1 SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.

This is the same pattern that we tracked in another E-mail:

[1] IMail's SMTPD process starts receiving the E-mail.
[2] IMail starts a queue run to deliver E-mail in the spool
[3] IMail's SMTPD process saves the E-mail to the hard drive
[4] IMail's queue run delivers the E-mail
[5] IMail's SMTPD process starts Declude
[6] IMail tries to deliver the E-mail that Declude scanned

Ipswitch has been notified that there is a problem here; hopefully, they will take care of it.

-Scott
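The ordering described in steps [1] to [6] can be checked by correlating the IMail and Declude logs on the spool queue ID. The following is an added example, not part of the original thread and not code from Declude or Ipswitch; the log line layouts are assumed from the excerpts quoted above, and the message Q1800046201b02124 is a constructed control.

```python
import re
from datetime import datetime

# Layouts are assumed from the excerpts quoted in the thread. The last line of
# each log is a constructed control message; the rest are the quoted entries.
IMAIL_LOG = r"""20031205 184256 127.0.0.1 SMTPD (046101B0) [208.7.179.15] connect 64.119.217.36 port 41441
20031205 184258 127.0.0.1 SMTPD (queue run) 13471 1 69
20031205 184258 127.0.0.1 SMTPD (046101B0) [64.119.217.36] E:\spool\D1800046101b02123.SMD 1332
20031205 184258 127.0.0.1 SMTP (3696) processing E:\spool\Q1800046101b02123.SMD
20031205 184410 127.0.0.1 SMTP (3701) processing E:\spool\Q1800046201b02124.SMD"""
DECLUDE_LOG = """12/05/2003 18:43:02 Q1800046101b02123 Scanned: Virus Free [MIME: 1 765]
12/05/2003 18:43:04 Q1800046101b02123 Msg failed DELETE (Weight of 80 reaches or exceeds the limit of 30.). Action=DELETE.
12/05/2003 18:44:05 Q1800046201b02124 Scanned: Virus Free [MIME: 1 702]"""

DELIVERY_RE = re.compile(r"^(\d{8} \d{6}) \S+ SMTP \(\d+\) processing .*\\(Q\w+)\.SMD$")
DECLUDE_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (Q\w+) (.*)$")

def delivery_times(imail_log):
    """Map queue ID -> time the delivery process first picked up the Q file."""
    seen = {}
    for line in imail_log.splitlines():
        m = DELIVERY_RE.match(line.strip())
        if m:
            seen.setdefault(m.group(2), datetime.strptime(m.group(1), "%Y%m%d %H%M%S"))
    return seen

def scan_records(declude_log):
    """Map queue ID -> (time of first Declude entry, last Action= value or None)."""
    recs = {}
    for line in declude_log.splitlines():
        m = DECLUDE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        action = re.search(r"Action=(\w+)", m.group(3))
        first, last_action = recs.get(m.group(2), (ts, None))
        recs[m.group(2)] = (min(first, ts), action.group(1) if action else last_action)
    return recs

def delivered_before_scan(imail_log, declude_log):
    """Return (queue ID, seconds of head start, Declude action) for each message
    whose delivery attempt was logged before Declude's first entry for it."""
    scans = scan_records(declude_log)
    hits = []
    for qid, delivered in sorted(delivery_times(imail_log).items()):
        if qid in scans and delivered < scans[qid][0]:
            gap = int((scans[qid][0] - delivered).total_seconds())
            hits.append((qid, gap, scans[qid][1]))
    return hits

print(delivered_before_scan(IMAIL_LOG, DECLUDE_LOG))
```

Both logs carry one-second timestamps from the same host, so a hit means delivery started at least a full second before the scan; same-second orderings are not distinguished.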
Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me
That's why you should name it BONDEDSENDER-DYNA and why it doesn't matter on my system. The trick here is that Declude will skip over the DNS-based tests on anything beyond the first hop if the name has DUL or DYNA in it. Someone else is using CBL-DYNA in order to keep that test from throwing FP's when the originating computer's IP address is on the list, but used a legit mail server to send the E-mail (instead of direct delivery which is the real issue).

Scanning multiple hops seems to be mostly useful in places where E-mail is being forwarded, which only exposes the legit forwarding machine. It would be great if there was some other way to identify when a message has been forwarded at the server level, and skip the last hop when that happens. I kind of doubt that this would be possible. In the meantime, I am going to try IPBYPASSing the mail servers that are known to be forwarding to my server which should have the same effect as a selective use of multiple hop scanning.

Matt

George Kulman wrote:

Matt,

I do scan multiple hops.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Friday, December 05, 2003 7:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

George,

The suggestion by Andrew to rename the test BONDEDSENDER-DYNA would definitely prevent it from scanning prior hops. I find this test to be useful as it is IP based and helps some very important E-mail that tends to have issues with several major RBL's. I haven't started to scan on multiple hops yet, so this doesn't come into play.

Matt

George Kulman wrote:

Rob,

Your backup and gateways should have IPBYPASS entries in the GLOBAL.CFG. The BONDEDSENDER should be the originating Server and that should be what's used for this test. I discontinued use within a few days since it was letting spam through with it and there were other ways to handle the valid mail.

George

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Grosshandler
Sent: Friday, December 05, 2003 6:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] The first time BONDEDSENDER didn't work for me

Negative weights on last hop only? How would that affect a gateway (or e-mail that goes to a backup mail server)?

Rob