RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread John Tolmachoff (Lists)
> A centralized filter repository would turn analysis of filter results into
> an academic exercise to satisfy curiosity, rather than the general
> necessity it is today.

I am getting there. I know how it will be done, just need the time to set up
the site. It will be accessible by HTTP and FTP. I am hoping by the weekend.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread John Tolmachoff (Lists)
> I, for one, will definitely pass on a central repository

George, the way I am going to be setting it up will make it easy to view
whatever filters someone wants to share, and then you pick and choose
which ones you want to use. You can then get those files via ftp.

I am also going to set up a list specifically for this, so that if anyone
say changes the format or such of a file, they can announce it. It will also
be used to discuss the various files.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread George Kulman
Matt,

Here are two analyses.  The 11-15 to 11-30 covers the period from when I
implemented your filters until I began using SKIPIFWEIGHT and MAXWEIGHT
which obviously has some effect on the stats.  The 11-15 to 12-21 expands
the prior set to include the additional filters.

There's also the weighting effect to consider.  While I run the OBFUSCATION
and Y!DIRECTED at hold weight (15), I use the GIBBERISH like the COMMENTS
test and accumulate weight per hit.  Since my SKIPIFWEIGHT is set to my
DELETE weight (60), the filters will run until that's reached.

These stats aren't a big deal to produce since it's all in a SQL database.

I'll be implementing your new filter versions this coming weekend (with new
names to avoid commingling stats).  I do strip out comments since they
become meaningless as the filter contents are resequenced by my system.

George

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
> Sent: Monday, December 22, 2003 10:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
>
> George,
>
> I think that logic can get you 95% of the way there with something as
> convoluted as this, that is run only about 1/3 of the time, and
> considering that you are only battling for about 2% of the processing
> power required by this filter alone, which shouldn't be too terribly
> much.  Removing the comment blocks would probably have a bigger effect
> :)  Changing to the new version of the filter should definitely help,
> though this isn't by far my most weighty filter.
>
> Here's something that I'm very curious about though...the Y!DIRECTED
> filter contains a bunch of BODY searches for obfuscated strings,
> something that is almost totally redundant with the OBFUSCATION filter.
> I would be very curious to see how often those lines are hit because
> they could be dumped for a measurable performance increase.  Any chance
> you want to take a crack at that?  I wouldn't be surprised to see them
> never hit.
>
> Matt
>
> George Kulman wrote:
>
> > Matt,
> >
> > I use LOGLEVEL HIGH for my data collection and analysis stuff and, as
> > Bill pointed out, all hits are reflected.
> >
> > I've started to use SKIPIFWEIGHT.  The result of course is that filters
> > are bypassed and the statistics are skewed.
> >
> > For example on Friday 12/19, 15291 emails were processed by Declude on
> > my system.  Only 4604 were processed by the GIBBERISH filter.  Of these
> > 1328 had a total of 3854 hits.
> >
> > My quandary now is to decide whether to use the new control functions
> > of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to
> > collect a full set of evaluation data by letting everything run.  It's
> > truly a catch-22 situation.  If I collect all of the data, then I gain
> > no benefit, since all of the processing takes place.  If I take
> > advantage of the analysis data, I reduce my processing workload but
> > effectively destroy the validity of the statistical data which is now
> > skewed by my filtering control.
> >
> > George
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
> > > Sent: Monday, December 22, 2003 3:17 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
> > >
> > > George,
> > >
> > > That's good data to have.  I would have to assume that something
> > > tagged as gibberish in the main test would be random, and that's
> > > fairly well indicated by the somewhat tight range of the two
> > > character strings.  Unless you are using a logging feature that I'm
> > > not aware of, you are only showing the last hit that the filter
> > > produces, and that explains why the Z strings are mostly bunched at
> > > the top.  I've got these ordered alphabetically and will probably
> > > leave them there for management purposes.
> > >
> > > The counterbalances though are definitely something that I will use
> > > your information for reordering them.  I believe I made an attempt
> > > to order these in the 2.0 filter version according to what I thought
> > > would be more common as well as what would be a faster search (BODY
> > > searches are slower than other things and will go lower in general,
> > > though a BODY search for base64 goes at the top because it is fairly
> > > common). Because of this and along with the above mentioned issue,
> > > the hit stats therefore aren't a perfect indication of what would
> > > save the most processing power, but it definitely helps if you just
> > > make some assumptions.  I hadn't gathered any stats myself on the
> > > Auto-generated Codes that I added in about a month or so ago, and
> > > it's nice to see that they're getting hit since I was really just
> > > brainstorming about what types of things might be seen.  I might
> > > remove some entries though if they aren't showing being hit since
> > > they are BODY searches and
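
The skew George describes, worked through as an added example (not part of the thread and not Declude's code). It assumes a simplified model in which a filter is not run at all once the weight from earlier tests has reached the skip threshold; the messages and filter strings are constructed, and `summarize` is also applied to the 12/19 figures quoted above.

```python
from collections import Counter

# Constructed sample: (weight already assigned by earlier tests, message body).
MESSAGES = [
    (5, "hello xqzv world"),
    (10, "base64 payload jjkw"),
    (20, "plain newsletter"),
    (65, "jjkw jjkw offer"),
    (70, "pharma pq7x"),
    (80, "pq7x base64"),
    (0, "meeting notes"),
    (62, "xqzv pq7x"),
]
# Hypothetical filter lines (substring searches), not taken from any real filter.
FILTER_LINES = ["xqzv", "base64", "jjkw", "pq7x"]


def run_filter(messages, lines, skip_if_weight=None):
    """Count hits per filter line, skipping messages already at the gate weight."""
    evaluated = hit_messages = 0
    hits = Counter({line: 0 for line in lines})
    for prior_weight, body in messages:
        if skip_if_weight is not None and prior_weight >= skip_if_weight:
            continue  # the filter never sees this message, so nothing is logged
        evaluated += 1
        matched = [line for line in lines if line in body]
        hit_messages += bool(matched)
        hits.update(matched)
    return {"total": len(messages), "evaluated": evaluated,
            "hit_messages": hit_messages, "hits": hits}


def summarize(total, evaluated, hit_messages, hit_count):
    """Ratios that make the changed denominator explicit."""
    return {
        # share of all mail the filter actually looked at
        "coverage": round(evaluated / total, 3),
        # hit rate among evaluated mail only (what the log shows)
        "hit_rate_of_evaluated": round(hit_messages / evaluated, 3),
        # lower bound for the whole population: skipped mail is unknown
        "hit_rate_floor_of_total": round(hit_messages / total, 3),
        "hits_per_hit_message": round(hit_count / hit_messages, 3),
    }


def never_hit(stats):
    """Filter lines with zero recorded hits in this run."""
    return sorted(line for line, n in stats["hits"].items() if n == 0)


def compare(messages, lines, gate):
    """Per-line (ungated hits, gated hits) so the lost counts are visible."""
    full = run_filter(messages, lines)
    gated = run_filter(messages, lines, skip_if_weight=gate)
    return {line: (full["hits"][line], gated["hits"][line]) for line in lines}


# Figures quoted in the thread for Friday 12/19:
# 15291 processed, 4604 reached GIBBERISH, 1328 of those hit, 3854 hits in total.
THREAD_FIGURES = summarize(15291, 4604, 1328, 3854)

if __name__ == "__main__":
    print("thread figures:", THREAD_FIGURES)
    print("per-line (ungated, gated at 60):", compare(MESSAGES, FILTER_LINES, 60))
    gated = run_filter(MESSAGES, FILTER_LINES, skip_if_weight=60)
    print("lines that look dead under the gate:", never_hit(gated))
```

In the constructed data the line `pq7x` records no hits under the gate although it is the most frequent line when everything runs, so gated counts describe only the mail that reached the filter.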
 

RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread George Kulman
Matt,

I have no desire to get into an argument or flaming contest with you.
We agree that standard filters have a valuable place in this environment
and we both use standard filters.
We agree that neither of us have the desire to spend countless hours
tweaking filters and that automated solutions are the way to simplify this
effort.
We have each taken different approaches using different methodologies and
tools to do this, based on our own skill sets, backgrounds, need perceptions
and other factors.  
We are both appreciative of the effort that many people have put into
developing and maintaining these products and freely sharing them with us,
and I'm sure that we're both willing to contribute in any way we can to
assist in these efforts.
We happen to disagree regarding the extent that these standard filters can
be applied to our own specific environments. So be it.
We also disagree on the value of analysis. So be it.

George


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Robertson
> Sent: Monday, December 22, 2003 10:08 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
>
> I understand all that stuff, George, but I disagree completely that you
> can't apply global, updated rules to some aspects of the problem.  As
> such a global filter repository can make a huge dent in virtually
> everyone's workload.  Do we really all need to create our own filters to
> remove p.en1s pi11z from our inbox?  Is having the ability to more
> quickly react to new spam bad?
>
> Think of this as a virus definition list, except given Declude's
> modularity individuals can decide which virii they will allow themselves
> to be infected with.
>
> Nothing in this world is going to be perfect, and certainly you can
> write your own filters until you're blue in the face.  I've been
> tinkering constantly with Declude for something like two years, and I
> expect to continue.  But I also expect to automate as much of this -- or
> any other job -- as possible.  I have more profitable and less
> aggravating things to do than this.  I'm sure you do too.
>
> The community can benefit from some standardization and shared effort.
> Some here have already gone miles toward this goal, as many on this list
> know.  I'm saying a Next Step should be taken, and anyone who wants to
> ignore the initiative is welcome to do so.
>
> --Matt--
 
 


RE: [Declude.JunkMail] COPYTO

2003-12-23 Thread R. Scott Perry

Using %SENDER%, it is inserting [Unknown Var]. If I use %MAILFROM%,
it is also inserting [Unknown Var].
Sorry, it should be actually %MAILFROM% -- there is no %SENDER% variable.

Are you sure you are using %MAILFROM%?  The only time you should see 
[Unknown Var] is if Declude is expanding variables (as is the case here), 
and the variable is one that Declude doesn't recognize (such as 
%SENDER%).  But if Declude recognizes the variable (as has been the case 
with %MAILFROM% for a long time now), it should not return [Unknown Var].

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.JunkMail] Update- Declude NOT being seen

2003-12-23 Thread Kami Razvan

Hi;

With Scott's help I finally think the reason Declude is not being seen in our case, in rare occasions, is understood.

It just happened that we found a trend that matched exactly our update cycle for the filters.

In our system we have an auto-update of filters from our database to the IMail directory. In the update process we copy all the filters to the filter directory and copy the Kill list to the IMail directory. Then (here is the problem..) we stop the SMTP and then start the SMTP all in one batch file.

This is done every other hour at 1/2 past the hour.

All spams that were not having Declude headers were somehow showing a x:30 in their time stamp..

So..

It seems like if an email is being processed and during the SPAM processing by IMail one stops the SMTP then all bets are off and the email will be delivered.

Lesson learned: Too much automation could be hazardous to your spam fighting system. :)

Regards,

Kami
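
One way to check a correlation like the one Kami describes, as an added example that is not part of the original post: it reads the timestamp from the topmost `Received` header of each delivered message and compares unscanned mail against the half-past-the-hour restart window. The header prefix `X-Declude-`, the two-minute window length, the host names and all sample messages are assumptions made for the example.

```python
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

MARKER_PREFIX = "x-declude-"  # assumption: prefix of the headers your scanner stamps
WINDOW_MINUTE = 30            # from the post: batch file runs at half past the hour
WINDOW_LENGTH = 2             # assumption: minutes during which SMTP may be mid-restart


def _raw(received_time, scanned):
    """Build one constructed message (not real mail)."""
    lines = [f"Received: from mx.example.net by mail.example.com; {received_time}"]
    if scanned:
        lines.append("X-Declude-Sender: sender@example.net [192.0.2.10]")
    lines += ["Subject: constructed sample", "", "body"]
    return "\n".join(lines)


SAMPLE = [
    _raw("Tue, 23 Dec 2003 01:30:12 -0500", False),
    _raw("Tue, 23 Dec 2003 01:31:40 -0500", False),
    _raw("Tue, 23 Dec 2003 02:10:05 -0500", True),
    _raw("Tue, 23 Dec 2003 02:30:20 -0500", True),   # even hour, no restart scheduled
    _raw("Tue, 23 Dec 2003 03:30:03 -0500", False),
    _raw("Tue, 23 Dec 2003 03:45:00 -0500", True),
    _raw("Tue, 23 Dec 2003 04:05:00 -0500", True),
    _raw("Tue, 23 Dec 2003 04:52:00 -0500", False),  # not explained by the restart
    _raw("Tue, 23 Dec 2003 05:12:00 -0500", True),
    _raw("Tue, 23 Dec 2003 05:30:59 -0500", False),
    # Malformed: Received header without a timestamp, must not crash the run.
    "Received: from mx.example.net by mail.example.com\nSubject: no stamp\n\nbody",
]


def parse(raw):
    """Return (local receive time, scanned?) or None if no usable timestamp."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # The topmost Received header is the one added by the receiving server.
    stamp = received[0].rsplit(";", 1)[-1].strip()
    try:
        when = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        return None
    scanned = any(name.lower().startswith(MARKER_PREFIX) for name in msg.keys())
    return when, scanned


def in_window(when):
    return WINDOW_MINUTE <= when.minute < WINDOW_MINUTE + WINDOW_LENGTH


def correlate(raw_messages):
    """Compare how unscanned mail and all mail fall into the restart window."""
    total = unscanned = unscanned_in_window = all_in_window = unparsed = 0
    hours = Counter()
    for raw in raw_messages:
        parsed = parse(raw)
        if parsed is None:
            unparsed += 1
            continue
        when, scanned = parsed
        total += 1
        all_in_window += in_window(when)
        if not scanned:
            unscanned += 1
            if in_window(when):
                unscanned_in_window += 1
                hours[when.hour] += 1
    return {
        "unscanned": unscanned,
        "unscanned_in_window": unscanned_in_window,
        "unscanned_outside_window": unscanned - unscanned_in_window,
        "window_share_of_unscanned":
            round(unscanned_in_window / unscanned, 2) if unscanned else 0.0,
        "window_share_of_all": round(all_in_window / total, 2) if total else 0.0,
        "restart_hours": sorted(hours),  # hours at which in-window misses occurred
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE).items():
        print(f"{key}: {value}")
```

A window share for unscanned mail well above the share for all mail, together with misses clustering on alternating hours, points at the scheduled restart; misses outside the window need a separate explanation.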





[Declude.JunkMail] Order of processing various filter types.

2003-12-23 Thread Matthew Bramble
Scott,

I know this has been discussed at least in pieces in the past, but I was 
hoping that maybe you could put it all together for me (and maybe also 
add the order to the manual when the new functionality finds its way 
into a full release).

Could you give me an idea about the order of processing for the 
following, or indicate which ones might be run according to where they 
lie in the Global.cfg?  This will of course make a difference in 
performance, and I would like to provide good guidance myself as I 
comment up my filters for sharing with others.  The types that I can 
come up with off the top of my head are as follows:

   - ipblacklist
   - fromblacklist
   - ipfile
   - fromfile
   - spamdomains
   - filter

Also, if it's not that big of a deal in modifying the programming, would 
it be possible to add SKIPIFWEIGHT functionality to the non-filter 
types?  I don't believe that MAXWEIGHT, MINWEIGHT and END though would 
provide any more functionality to non-filters, but SKIPIFWEIGHT still 
has potential for saving processing with these other types.  Having that 
in the filter type though is of course 90% or more of the issue, so 
don't let me appear to be looking a gift horse in the mouth :)

Thanks,

Matt



Re: [Declude.JunkMail] Order of processing various filter types.

2003-12-23 Thread R. Scott Perry

> Could you give me an idea about the order of processing for the following,
> or indicate which ones might be run according to where they lie in the
> Global.cfg?
>
> This will of course make a difference in performance, and I would like to
> provide good guidance myself as I comment up my filters for sharing with
> others.  The types that I can come up with off the top of my head are as
> follows
>
>    - ipblacklist
>    - fromblacklist
>    - ipfile
>    - fromfile
>    - spamdomains
>    - filter

The very general order is that IP-based spam tests come first, and 
everything else is done later.  You could try looking through debug log 
file entries to try to get a better understanding of the order the tests 
are run in.  That is something that we do not keep track of, as the tests 
are not all run at the same time (meaning that other code runs between 
tests as needed).

> Also, if it's not that big of a deal in modifying the programming, would
> it be possible to add SKIPIFWEIGHT functionality to the non-filter types?

That would start to get tricky.  It works for the filters because each 
filter has many lines determining what should get caught.  Some other tests 
do this (such as the sender blacklists), but other tests do not.  Those 
that do would require a change in the way the files work (the sender 
blacklist just lists E-mail addresses or domains, and doesn't contain any 
commands).  It's possible that we may work on this, but it would take a 
while (as we would have to add code for each test).

   -Scott


RE: [Declude.JunkMail] Declude JunkMail and Declude Virus Versions?

2003-12-23 Thread Bridges, Samantha
How can I tell what version I am running now?

Thanks



-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 22, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Declude JunkMail and Declude Virus
Versions?



Where can I find the version of the declude products?  I want to be 
sure I am at the current versions.

You can find the latest version at 
http://www.declude.com/junkmail/manual.htm or 
http://www.declude.com/virus/manual.htm .  Note that the same Declude.exe 
file is shared by both programs, so upgrading from either URL will update 
both programs.

-Scott


RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread nrmathew
Can we get a link to Kami's filters? Thanks.

Neal Mathews
Network Systems Engineer
The Carriage House Co.'s, Inc.

[EMAIL PROTECTED] wrote:

> To: [EMAIL PROTECTED]
> From: "Matt Robertson" [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> Date: 12/22/2003 06:13PM
> Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.
>
> > My quandary now is to decide whether to use the new control functions
> > of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to
> > collect a full set of evaluation data by letting everything run. It's
> > truly a catch-22 situation.
>
> I came into this thread late, so my comments may not be strictly on
> point, but it seems to me the solution to this is to only use filters
> that work. Duh, right? In other words let the community validate and
> update Filter X and you simply plug in what you please.
>
> That means a centralized filter storage, update and distribution site.
> We actually aren't so far off that mark now. Look at Kami Razvan's ftp
> site and you'll find a treasure trove of filters there. A centralized
> filter repository would turn analysis of filter results into an academic
> exercise to satisfy curiosity, rather than the general necessity it is
> today.
>
> I implemented most of Kami's stuff last week (supplementing most of the
> filters already installed that came from Matt Bramble) and the result is
> a massive surge in my attach-to-kill ratio (on the kill side). There are
> so many I had to aggressively reorganize my global.cfg, but the results
> have been splendid, with the most processor-intensive filters not
> kicking in unless needed.
>
> I wrote a ColdFusion routine that downloads my selected filters, alters
> them to suit my skip and max weights, and uploads them to my mail server
> (the filters are regularly updated). Anyone who wants a copy let me know.
>
> -Matt Robertson,   [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com


RE: [Declude.JunkMail] Declude JunkMail and Declude Virus Versions?

2003-12-23 Thread R. Scott Perry

> How can I tell what version I am running now?

If you type \IMail\Declude -diag from a command prompt, it will display 
the version you are running.

   -Scott


RE: [Declude.JunkMail] Order of processing various filter types.

2003-12-23 Thread George Kulman
Matt,

On Dec 11th, Scott replied to John Tolmachoff:
---
A while back, I had asked about the comparison in performance of a fromfile
and a filter using MAILFROM ENDSWITH.




But wouldn't Declude stop processing a fromfile as soon as a match is found,
where in a filter it goes through the whole file?

That will happen. :)

In the current version, it will go through all entries. However, as you
pointed out, there is no benefit in continuing processing with a fromfile
after the first match is reached -- so the logic will be changed for the
next release (and therefore giving the fromfile a slight performance
advantage over filters -- but it would only be noticeable if there were a
lot, perhaps 1000s, of entries).

-Scott

-

This would indicate that using a MAILFROM filter rather than a fromfile and
utilizing SKIPIFWEIGHT and END would provide the functional control without
any performance loss.

George



RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread Kami Razvan



Hi;

The filters are available for anyone who wishes to use it.. the challenge
is to keep this link out of the hands of search engines. Imagine the
keywords that our company will be associated with.

If you want to use the filters simply visit the ftp site:

ftp://ftp.OUR DOMAIN/IMail

OUR DOMAIN = ClickandPledge.com

These filters are updated 4 times a day.

There are also some timed filters. Like Blacklists- you can choose 30 days,
10 days, etc. the same goes with the URL in body filters. We soon will have
the timed BlacklistinBody filters.

Please make sure to read the README.txt file first.

Regards,
Kami





RE: [Declude.JunkMail] Filtering question.

2003-12-23 Thread nick
Scott,

Am I correct to assume ANYWHERE CONTAINS is the most expensive filter to run?

[In lieu of having separate SUBJECT CONTAINS and BODY CONTAINS I have been using 
ANYWHERE CONTAINS.]

-Nick Hayer

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]

The combination of BODY CONTAINS or HEADERS CONTAINS (such as BODY 5 
CONTAINS ThatDrugThatBeginsWithTheLetterV) are the only ones that will 
normally cause high CPU usage.  Others can, but would require many more 
entries (for example, it may take 50,000 SUBJECT CONTAINS filter lines to 
use the same CPU usage as 1,000 BODY CONTAINS filter lines).

-Scott


RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality.

2003-12-23 Thread nrmathew
Thanks, Kami!

Neal Mathews
Network Systems Engineer
The Carriage House Co.'s, Inc.

[EMAIL PROTECTED] wrote: -
To: [EMAIL PROTECTED]
From: "Kami Razvan" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 12/23/2003 09:16AM
Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality. functionality. functionality.

Hi;

The filters are available for anyone who wishes to use it.. the challenge is to keep this link out of the hands of search engines. Imagine the keywords that our company will be associated with.

If you want to use the filters simply visit the ftp site:

ftp://ftp.OUR DOMAIN/IMail

OUR DOMAIN = ClickandPledge.com

These filters are updated 4 times a day.

There are also some timed filters. Like Blacklists- you can choose 30 days, 10 days, etc. the same goes with the URL in body filters. We soon will have the timed BlacklistinBody filters.

Please make sure to read the README.txt file first.

Regards,
Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 8:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality. functionality. functionality.

Can we get a link to Kami's filters? Thanks.

Neal Mathews
Network Systems Engineer
The Carriage House Co.'s, Inc.

[EMAIL PROTECTED] wrote: -
To: [EMAIL PROTECTED]
From: "Matt Robertson" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 12/22/2003 06:13PM
Subject: RE: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality.

My quandary now is to decide whether to use the new control functions of SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect a full set of evaluation data by letting everything run. It's truly a catch-22 situation.

I came into this thread late, so my comments may not be strictly on point, but it seems to me the solution to this is to only use filters that work. Duh, right? In other words let the community validate and update Filter X and you simply plug in what you please. That means a centralized filter storage, update and distribution site. We actually aren't so far off that mark now. Look at Kami Razvan's ftp site and you'll find a treasure trove of filters there.

A centralized filter repository would turn analysis of filter results into an academic exercise to satisfy curiosity, rather than the general necessity it is today.

I implemented most of Kami's stuff last week (supplementing most of the filters already installed that came from Matt Bramble) and the result is a massive surge in my attach-to-kill ratio (on the kill side). There are so many I had to aggressively reorganize my global.cfg, but the results have been splendid, with the most processor-intensive filters not kicking in unless needed.

I wrote a ColdFusion routine that downloads my selected filters, alters them to suit my skip and max weights, and uploads them to my mail server (the filters are regularly updated). Anyone who wants a copy let me know.

--
---
Matt Robertson,   [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
---


RE: [Declude.JunkMail] Overflow

2003-12-23 Thread Charles Frolick
I seriously don't think they would bother with the code needed to detect
the difference between accepting everything in the dictionary and
bouncing some or all addresses.  A spammer using dictionary attacks may
not be harvesting addresses, they may just be spamming a dictionary of
addresses. The best way to handle them is to have some sort of detection
routine to temporarily block them with temp errors so that legit mailers
will retry. Imail is not capable of doing this, so either process a bunch
of postmaster bounces or trashcan them.  Big drawback to using nobody to
trashcan, if someone typoed an important email, they would never know.

Thank you,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Overflow


Nick,

I think I might have been asking the question the other way around,
though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the
HELO won't be dictionary attacked past a few attempts because the
attacker's software will quickly determine that the attack isn't
exposing any addresses due to a catch all situation.  So maybe adding
the nobody alias back in, and redirecting that E-mail to an account that
deletes each E-mail automatically will resolve the issue of dictionary
attacks?

I see this stuff in my logs on occasion, but it never happens for a
prolonged period of time.  I'm thinking this is because 90% of my
domains had nobody aliases.  Unless someone only wants to DOS my server,
dictionary attacking a domain with a nobody alias is a waste of their
processing power just like it is a waste of mine.

Matt



Nick Hayer wrote:

Hi Matt,
  

Is anyone getting dictionary attacked for long periods of time on a 
domain with a nobody alias or something that is gatewayed?

Thanks,


Yes. I get hammered everyday..; I got rid of the nobody alias, filter
the log files for the ip's that connected - and add them to my Imail 
Access control list. Currently that list contains nearly 10,000 
ip's...

   -Nick Hayer





  

Matt



Fritz Squib wrote:



Hey guys, this sounds like same problem that I have been
experiencing, however it has been a bunch of spam with c.c. 's to
non-existent mail addresses on my server (dictionary attack style)
..My DNS is working fine.

I spent the weekend returning mail from the old spool to a new spool 
that I had to create.

I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems 
with forged return addresses.

My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments

 

  


RE: [Declude.JunkMail] Filtering question.

2003-12-23 Thread R. Scott Perry

Am I correct to assume ANYWHERE CONTAINS is the most expensive filter to run?

Correct.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



[Declude.JunkMail] spamtrap

2003-12-23 Thread Gufler Markus
If anyone knows a good and fast way to publish a spamtrap address please let me know 
(off-list)

Thanks
Markus 
 


Re: [Declude.JunkMail] Overflow

2003-12-23 Thread Matthew Bramble
These attacks can go on for hours and hours and hours.  If you've seen 
this stuff in your logs, you would see strings like 
[EMAIL PROTECTED]  26^8 for instance equals ~210,000,000,000 
addresses.  If they've got a database of names, that could probably be 
brought down to around 100,000 attempts.

The dictionary attacks don't send E-mail of any value, they are just 
used for harvesting addresses.  So if the spammer only gets positive 
responses to every address, their harvesting time has been completely 
wasted.  The only time when they dictionary attack a server that accepts 
everything would be when their software is not performing properly, or 
they are actually trying to DOS a server.

So until IMail delivers functionality that can detect a dictionary 
attack, it seems crucial that we leave the nobody aliases on for every 
local domain.  Personally, I find the drawbacks of having a nobody alias 
pointed at me to be more harm than good, which is why I would like to 
auto-delete these messages.  You raise an important point though about 
not having the messages bounced back.  I'll have to look into possibly 
having an auto response set up in addition to the delete action, which 
would probably require two accounts with a single alias directed at it, 
or maybe forwarding would work with an autoresponder???

Matt



Charles Frolick wrote:

I seriously don't think they would bother with the code needed to detect
the difference between accepting everything in the dictionary and
bouncing some or all addresses.  A spammer using dictionary attacks may
not be harvesting addresses, they may just be spamming a dictionary of
addresses. The best way to handle them is to have some sort of detection
routine to temporarily block them with temp errors so that legit mailers
will retry. Imail is not capable of doing this, so either process a bunch
of postmaster bounces or trashcan them.  Big drawback to using nobody to
trashcan, if someone typoed an important email, they would never know.

Thank you,
Chuck Frolick
ArgoLink.net

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Monday, December 22, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Overflow

Nick,

I think I might have been asking the question the other way around,
though I'm not positive it was taken the wrong way.

The theory here is that domains which accept every E-mail address in the
HELO won't be dictionary attacked past a few attempts because the
attacker's software will quickly determine that the attack isn't
exposing any addresses due to a catch all situation.  So maybe adding
the nobody alias back in, and redirecting that E-mail to an account that
deletes each E-mail automatically will resolve the issue of dictionary
attacks?

I see this stuff in my logs on occasion, but it never happens for a
prolonged period of time.  I'm thinking this is because 90% of my
domains had nobody aliases.  Unless someone only wants to DOS my server,
dictionary attacking a domain with a nobody alias is a waste of their
processing power just like it is a waste of mine.

Matt



Nick Hayer wrote:

 

Hi Matt,

   

Is anyone getting dictionary attacked for long periods of time on a 
domain with a nobody alias or something that is gatewayed?

Thanks,
  

 

Yes. I get hammered everyday..; I got rid of the nobody alias, filter
the log files for the ip's that connected - and add them to my Imail 
Access control list. Currently that list contains nearly 10,000 
ip's...

		-Nick Hayer







   

Matt



Fritz Squib wrote:

  

 

Hey guys, this sounds like same problem that I have been
experiencing, however it has been a bunch of spam with c.c. 's to
non-existent mail addresses on my server (dictionary attack style)
..My DNS is working fine.

I spent the weekend returning mail from the old spool to a new spool 
that I had to create.

I had around 67,000 of these buggers to deal with...no fun.

All of the mail seems to be originating from dsl and cable modems 
with forged return addresses.

My server is swamped again today - started again about 2-3 hours ago.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
()  ascii ribbon campaign - against html mail 
/\- against microsoft attachments

   





Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file filter with END functionality. functionality.

2003-12-23 Thread Matthew Bramble
George,

Thanks again for the stats.  These do verify that spammers are 
obfuscating the Yahoo redirection code and those lines need to stay in 
the filter as a result.  At least I wasn't wasting my time when I came 
up with that stuff :)

I didn't get too much else out of the results though.  Maybe I'll 
reorder the test types in the OBFUSCATION filter, and I did make a 
change to what will become the next version of GIBBERISH where I moved 
the Words, Acronyms and Stock Market Symbols section below the 
Auto-generated Codes section, but I don't yet see any need to tweak 
the files line for line, only section by section because management is 
important.

Matt



George Kulman wrote:

Matt,

Here are two analyses.  The 11-15 to 11-30 covers the period from when I
implemented your filters until I began using SKIPIFWEIGHT and MAXWEIGHT
which obviously has some effect on the stats.  The 11-15 to 12-21 expands
the prior set to include the additional filters.

There's also the weighting effect to consider.  While I run the OBFUSCATION
and Y!DIRECTED at hold weight (15), I use the GIBBERISH like the COMMENTS
test and accumulate weight per hit.  Since my SKIPIFWEIGHT is set to my
DELETE weight (60), the filters will run until that's reached.

These stats aren't a big deal to produce since it's all in a SQL database.

I'll be implementing your new filter versions this coming weekend (with new
names to avoid commingling stats).  I do strip out comments since they
become meaningless as the filter contents are resequenced by my system.

George

 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew Bramble
Sent: Monday, December 22, 2003 10:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
filter with END functionality. functionality. functionality. 
functionality.

George,

I think that logic can get you 95% of the way there with something as
convoluted as this, that is run only about 1/3 of the time, and
considering that you are only battling for about 2% of the processing
power required by this filter alone, which shouldn't be too terribly
much.  Removing the comment blocks would probably have a bigger effect
:)  Changing to the new version of the filter should definitely help,
though this isn't by far my most weighty filter.

Here's something that I'm very curious about though...the Y!DIRECTED
filter contains a bunch of BODY searches for obfuscated strings,
something that is almost totally redundant with the OBFUSCATION filter.
I would be very curious to see how often those lines are hit because
they could be dumped for a measurable performance increase.  Any chance
you want to take a crack at that?  I wouldn't be surprised to see them
never hit.

Matt



George Kulman wrote:

   

Matt,

I use LOGLEVEL HIGH for my data collection and analysis stuff and, as Bill
pointed out, all hits are reflected.

I've started to use SKIPIFWEIGHT.  The result of course is that filters are
bypassed and the statistics are skewed.

For example on Friday 12/19, 15291 emails were processed by Declude on my
system.  Only 4604 were processed by the GIBBERISH filter.  Of these 1328
had a total of 3854 hits.

My quandary now is to decide whether to use the new control functions of
SKIPIFWEIGHT, MAXWEIGHT and END to reduce processing overhead or to collect
a full set of evaluation data by letting everything run.  It's truly a
catch-22 situation.  If I collect all of the data, then I gain no benefit,
since all of the processing takes place.  If I take advantage of the
analysis data, I reduce my processing workload but effectively destroy the
validity of the statistical data which is now skewed by my filtering
control.

George



 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matthew Bramble
Sent: Monday, December 22, 2003 3:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] GIBBERISH 2.0.1, single file 
filter with END functionality. functionality.

George,

That's good data to have.  I would have to assume that something tagged
as gibberish in the main test would be random, and that's fairly well
indicated by the somewhat tight range of the two character strings.
Unless you are using a logging feature that I'm not aware of, you are
only showing the last hit that the filter produces, and that explains
why the Z strings are mostly bunched at the top.  I've got these ordered
alphabetically and will probably leave them there for management purposes.

The counterbalances though are definitely something that I will use your
information for reordering them.  I believe I made an attempt to order
these in the 2.0 filter version according to what I thought would be
more common as well

[Declude.JunkMail] Suggestion

2003-12-23 Thread Doug Anderson



Since old programmers never die, they just flip their bits...and Unix
people...I won't go there...
I have a suggestion for our declude creators out there.

Under filters you can use CONTAINS, STARTSWITH, ENDSWITH or IS on any of
the pieces of an email. I wouldn't mind seeing a MATCHES qualifier which
you could put a Full Regular expression in with.

Then you use a statement like

chat.with.me

where the period is 'anycharacter' so
chat.with me = true
chat with me = true
chat-with-me = true
chat--with--me = false

or in the same case

chat.+with.+me

where the period is 'anycharacter' and the + sign means 1 or more

chat.with me = true
chat with me = true
chat-with-me = true
chat--with--me = true

It's just a suggestion


[Declude.JunkMail] declude program suggestion (wishlist)

2003-12-23 Thread Doug Anderson




Since old programmers never die, they just flip their bits...and Unix
people...I won't go there...
I have a suggestion for our declude creators out there.

Under filters you can use CONTAINS, STARTSWITH, ENDSWITH or IS on any of
the pieces of an email. I wouldn't mind seeing a MATCHES qualifier which
you could put a Full Regular expression in with.

Then you use a statement like (for those not knowing regular expressions)

x.y.z

where the period is 'anycharacter' so
x.y z = true
x y z = true
x-y-z = true
x--y--z = false

x tz = false

or in the same case

x.+y.+z

where the period is 'anycharacter' and the + sign means 1 or more

x.y z = true
x y z = true
x-y-z = true
x--y--z = true
xy--z = false

all someone would have to do is link in vbscript.dll to make it work.


RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-23 Thread John Tolmachoff \(Lists\)
 I just wanted to provide a quick update regarding this issue, at least as
 it applies to me in my situation.  I worked with Scott a bit and was able to
 determine that Declude was in fact placing all of it headers in messages
 we receive, however, it appears that our Exchange server does not like
 something about a few of these messages which causes it to strip out
 everything after the received headers.

Bill, yes, for what ever reason (I have not been motivated to find out why,)
Exchange does sometimes strip out the extra headers. (Of course, the 2 test
messages I sent to addresses on 2 different E2K servers both had the Declude
headers still intact.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-23 Thread Kami Razvan
John..

Have you setup an account with Outlook Express & download the messages with
OE?

I am just curious if you see different headers with OE than with Outlook.  I
know the messages that we receive under Outlook do not show all headers.
The same message received by OE has a lot more detailed header.

Our SPAM account is setup in OE and going to File/Properties/Details/Message
Source will show you everything.  It is good to see if there are
differences.

Just curious..

Kami 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, December 23, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

 I just wanted to provide a quick update regarding this issue, at least 
 as it applies to me in my situation.  I worked with Scott a bit and 
 was able to determine that Declude was in fact placing all of it 
 headers in messages we receive, however, it appears that our Exchange 
 server does not like something about a few of these messages which 
 causes it to strip out everything after the received headers.

Bill, yes, for what ever reason (I have not been motivated to find out why,)
Exchange does sometimes strip out the extra headers. (Of course, the 2 test
messages I sent to addresses on 2 different E2K servers both had the Declude
headers still intact.)

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Overflow

2003-12-23 Thread Bill Landry
- Original Message - 
From: Matthew Bramble [EMAIL PROTECTED]

 These attacks can go on for hours and hours and hours.  If you've seen
 this stuff in your logs, you would see strings like
 [EMAIL PROTECTED]  26^8 for instance equals ~210,000,000,000
 addresses.  If they've got a database of names, that could probably be
 brought down to around 100,000 attempts.

Why not write a script that parses the end of the IMail log looking for
these attacks and adding the offending IP address to the IMail kill file.
The only drawback to this is that I believe the IMail SMTP server needs to
be restarted anytime IP addresses are added to the kill file (however, I
could be wrong about this).  In any case, this would allow you to immediately
kill a connection to the IMail server from a dictionary attack leaving these
resources available for legitimate mail.

 The dictionary attacks don't send E-mail of any value, they are just
 used for harvesting addresses.  So if the spammer only gets positive
 responses to every address, their harvesting time has been completely
 wasted.  The only time when they dictionary attack a server that accepts
 everything would be when their software is not performing properly, or
 they are actually trying to DOS a server.

Their time is also wasted if they cannot add any address because every
attempt to connect to your server is blocked.  Allowing them to build a
database means that you may be setting yourself up for future spam runs to
these bogus addresses.

 So until IMail delivers functionality that can detect a dictionary
 attack, it seems crucial that we leave the nobody aliases on for every
 local domain.  Personally, I find the drawbacks of having a nobody alias
 pointed at me to be more harm than good, which is why I would like to
 auto-delete these messages.  You raise an important point though about
 not having the messages bounced back.  I'll have to look into possibly
 having an auto response set up in addition to the delete action, which
 would probably require two accounts with a single alias directed at it,
 or maybe forwarding would work with an autoresponder???

Ouch, that's as bad as sending bounces back to spammers, it does nothing but
clog up your delivery queue or spam innocent people whose e-mail addresses
were used by joe-jobbers.  Killing the connection immediately saves on
bandwidth and processing time on your server.

You might possibly consider setting up a dedicated mail gateway that can
very effectively handle these types of attacks, thus leaving IMail to do
what it does best, deliver mail to valid recipients.  A Linux/Postfix
solution works very well in this regard.

Anyway, just my 2 cents...

Bill
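
The log-scanning script suggested above, combined with the temp-error idea raised earlier in the thread, as an added example that is not part of the original post and not IMail or Declude code. The log layout, thresholds, function names and reply text are assumptions made for the example.

```python
"""Added example: spot SMTP dictionary attacks in a recipient log.

The log layout is constructed for this example and is NOT IMail's real
format; adapt parse_line() to what your mail server actually writes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # assumed look-back window
THRESHOLD = 5                     # assumed: distinct unknown users per IP
BLOCK_FOR = timedelta(hours=1)    # assumed length of the temporary block

# Constructed sample: "<ISO time> <client IP> RCPT <address> <SMTP code>"
SAMPLE_LOG = """\
2003-12-23T09:00:01 192.0.2.10 RCPT aaron@example.test 550
2003-12-23T09:00:02 192.0.2.10 RCPT abby@example.test 550
2003-12-23T09:00:03 198.51.100.7 RCPT sales@example.test 250
2003-12-23T09:00:04 192.0.2.10 RCPT adam@example.test 550
2003-12-23T09:00:05 198.51.100.7 RCPT slaes@example.test 550
2003-12-23T09:00:06 192.0.2.10 RCPT alan@example.test 550
2003-12-23T09:00:07 192.0.2.10 RCPT info@example.test 250
2003-12-23T09:00:08 192.0.2.10 RCPT alex@example.test 550
2003-12-23T09:00:09 192.0.2.10 RCPT alice@example.test 550
2003-12-23T09:10:00 203.0.113.5 RCPT bob@example.test 550
2003-12-23T09:25:00 203.0.113.5 RCPT carl@example.test 550
2003-12-23T09:40:00 203.0.113.5 RCPT dave@example.test 550
2003-12-23T09:55:00 203.0.113.5 RCPT erin@example.test 550
2003-12-23T10:10:00 203.0.113.5 RCPT fred@example.test 550
garbage line that does not parse
"""


def parse_line(line):
    """Return (time, ip, recipient, code), or None for lines we cannot use."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "RCPT":
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        code = int(parts[4])
    except ValueError:
        return None
    return when, parts[1], parts[3].lower(), code


def find_attackers(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each offending IP to the time it first crossed the threshold.

    Only 550 (unknown user) rejections count, and only distinct addresses,
    so a sender who mistypes one address is never flagged.
    Lines are expected in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # ip -> (time, recipient) rejections in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 550:
            continue
        when, ip, rcpt, _ = rec
        queue = recent[ip]
        queue.append((when, rcpt))
        while when - queue[0][0] > window:   # forget rejections outside window
            queue.popleft()
        if ip not in flagged and len({r for _, r in queue}) >= threshold:
            flagged[ip] = when
    return flagged


def smtp_reply(ip, now, flagged, block_for=BLOCK_FOR):
    """Temp-fail a flagged IP for block_for; legitimate mailers will retry."""
    since = flagged.get(ip)
    if since is not None and now - since <= block_for:
        return "451 4.7.1 Too many unknown recipients, try again later"
    return None   # no objection: handle the recipient normally


if __name__ == "__main__":
    for ip, when in find_attackers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} flagged at {when.isoformat()}")
```

With a catch-all (nobody) alias in place the server never answers 550 for an unknown user, so this signal exists only on domains that reject unknown recipients.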



Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-23 Thread Bill Landry
- Original Message - 
From: Kami Razvan [EMAIL PROTECTED]

 John..

 Have you setup an account with Outlook Express & download the messages
 with OE?

I use Outlook Express 6 and IMAP against this particular Exchange server and
the headers are missing.

 I am just curious if you see different headers with OE than with Outlook.
 I know the messages that we receive under Outlook do not show all headers.
 The same message received by OE has a lot more detailed header.

Actually, Outlook shows the same headers as OE.  In Outlook, just
right-mouse button click on the message and select Options to see the full
Internet headers.

Bill



Re: [Declude.JunkMail] spamtrap

2003-12-23 Thread Bill Landry
- Original Message - 
From: Gufler Markus [EMAIL PROTECTED]

 If anyone knows a good and fast way to publish a spamtrap address please
let me know (off-list)

Posting messages to almost any public mailing list will get that e-mail
address listed in many spam databases.  Also, subscribing the spam-trap
e-mail address to some of the more questionable websites will certainly
expedite the listing in spam databases.

Bill



RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-23 Thread John Tolmachoff \(Lists\)
I am using Outlook 2002 SP2. In the 2 tests I sent to 2 different E2K
servers, (of which both I have accounts on for testing and retrieve via POP3
directly) and both messages I have the entire headers. However, I have seen
messages that Exchange stripped the extra lines out. Like I said, to date, I
have had no reason to investigate.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
 [EMAIL PROTECTED] On Behalf Of Kami Razvan
 Sent: Tuesday, December 23, 2003 9:15 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..
 
 John..
 
 Have you setup an account with Outlook Express & download the messages
 with OE?
 
 I am just curious if you see different headers with OE than with Outlook.
 I know the messages that we receive under Outlook do not show all headers.
 The same message received by OE has a lot more detailed header.
 
 Our SPAM account is setup in OE and going to
 File/Properties/Details/Message
 Source will show you everything.  It is good to see if there are
 differences.
 
 Just curious..
 
 Kami
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
 (Lists)
 Sent: Tuesday, December 23, 2003 12:01 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..
 
  I just wanted to provide a quick update regarding this issue, at least
  as it applies to me in my situation.  I worked with Scott a bit and
  was able to determine that Declude was in fact placing all of it
  headers in messages we receive, however, it appears that our Exchange
  server does not like something about a few of these messages which
  causes it to strip out everything after the received headers.
 
 Bill, yes, for what ever reason (I have not been motivated to find out
 why,)
 Exchange does sometimes strip out the extra headers. (Of course, the 2
 test
 messages I sent to addresses on 2 different E2K servers both had the
 Declude
 headers still intact.)
 
 John Tolmachoff
 Engineer/Consultant/Owner
 eServices For You
 
 


RE: [Declude.JunkMail] Update- Declude NOT being seen

2003-12-23 Thread Kevin Bilbee



Or just use automation that does not require the SMTP process to be
restarted.

We have seen emails with no Declude headers but very rarely. We never stop and
restart the SMTP unless there is a problem or update. As a matter of fact since
7.15 I have not restarted my SMTP unless there was an update to Imail.

We are working on an automation scheme that will use a database and stats from
the log files to reorganize the filters and create a private DNSBL on our dns
servers so we do not have to use the Imail Kill file and continually restart
the Imail SMTP process. It is only on paper at this time.

Kevin Bilbee


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
  Sent: Tuesday, December 23, 2003 4:50 AM
  To: [EMAIL PROTECTED]
  Subject: [Declude.JunkMail] Update- Declude NOT being seen

  Hi; 
  With Scott's help I finally think the reason 
  Declude is not being seen in our case, in rare occasions, is 
  understood. 
  It just happened that we found a trend that 
  matched exactly our update cycle for the filters. 
  In our system we have an auto-update of filters 
  from our database to the IMail directory. In the update process we copy 
  all the filters to the filter directory and copy the Kill list to the IMail 
  directory. Then (here is the problem..) we stop the SMTP and then start 
  the SMTP all in one batch file.
  This is done every other hour at 1/2 past the 
  hour. 
  All spams that were not having Declude headers 
  were somehow showing a x:30 in their time stamp.. 
  So.. 
  It seems like if an email is being processed and 
  during the SPAM processing by IMail one stops the SMTP then all bets are off 
  and the email will be delivered.
  Lesson learned: Too much automation could be 
  hazardous to your spam fighting system. :) 
  Regards, Kami 
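
The correlation described in the quoted message can be checked mechanically. This is an added example, not code from the thread: it lists delivered messages that carry no filter headers and reports which of them arrived close to the scheduled restart minute. The `X-Declude-` header prefix, the 90-second window and the sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (headers only); not taken from the thread.
SAMPLES = [
    "Received: from a.example by mx.example; Tue, 23 Dec 2003 10:30:12 -0500\n"
    "Subject: cheap meds\n\n",
    "Received: from b.example by mx.example; Tue, 23 Dec 2003 10:41:03 -0500\n"
    "X-Declude-Sender: someone@b.example [192.0.2.9]\n"
    "Subject: hello\n\n",
    "Received: from c.example by mx.example; Tue, 23 Dec 2003 12:29:50 -0500\n"
    "Subject: refinance now\n\n",
    "Received: from d.example by mx.example; Tue, 23 Dec 2003 11:07:44 -0500\n"
    "Subject: newsletter\n\n",
    "Received: from e.example by mx.example; Tue, 23 Dec 2003 12:30:20 -0500\n"
    "X-Declude-Sender: billing@e.example [192.0.2.77]\n"
    "Subject: invoice\n\n",
]


def seconds_from_restart(when, restart_minute=30):
    """Signed distance in seconds from the nearest hh:<restart_minute>:00.

    Only the minute is checked; the every-other-hour schedule is not modelled.
    """
    offset = (when.minute - restart_minute) * 60 + when.second
    return (offset + 1800) % 3600 - 1800


def received_time(msg):
    """Timestamp our own server stamped in the topmost Received header."""
    hops = msg.get_all("Received") or []
    if not hops or ";" not in hops[0]:
        return None
    return parsedate_to_datetime(hops[0].rsplit(";", 1)[1].strip())


def audit(raw_messages, prefix="x-declude-", window_s=90):
    """Return (unscanned, near_restart).

    unscanned: messages with no header starting with `prefix`.
    near_restart: the subset received within window_s of the restart minute.
    """
    unscanned, near_restart = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if any(name.lower().startswith(prefix) for name in msg.keys()):
            continue  # the filter saw this message
        when = received_time(msg)
        entry = (when, msg["Subject"])
        unscanned.append(entry)
        if when is not None and abs(seconds_from_restart(when)) <= window_s:
            near_restart.append(entry)
    return unscanned, near_restart


if __name__ == "__main__":
    missed, clustered = audit(SAMPLES)
    print(f"{len(missed)} unscanned, {len(clustered)} within the restart window")
    for when, subject in clustered:
        print(when.isoformat(), subject)
```

A high share of unscanned mail inside the window points at the restart job rather than at the filter rules.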


RE: [Declude.JunkMail] Update- Declude NOT being seen

2003-12-23 Thread Kami Razvan
Kevin:

If you update the Kill.lst (the SMTP kill list) you have to stop and
start SMTP before it is used.

At least that is what IPSwitch told me.

Kami




[Declude.JunkMail] Fw: NJABL changes for contributors

2003-12-23 Thread Bill Landry
FYI...
- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 8:23 AM
Subject: NJABL changes for contributors


 It's recently come to my attention that some contributing sites may be
 running content filtering software (i.e. SpamAssassin) on servers set up
 as DNS query contributors.  Since recent versions of SpamAssassin check
 IPs in more than just the last Received: header line against
 dnsbl.njabl.org, this was causing workstations and intermediate servers
 (systems that may never have talked directly to contributing servers) to
 be tested, which has generated some rather nasty complaints about NJABL.

 In order to solve this problem, two new zones have been set up:
 qwdnsbl.njabl.org
 qwdynablock.njabl.org

 qw = query watching

 These zones are 100% identical to dnsbl.njabl.org and dynablock.njabl.org.
 They've been set up so that contributing servers can have their MTAs set up
 to query qwdnsbl.njabl.org and qwdynablock.njabl.org, while content
 filters, such as SpamAssassin, should continue to use dnsbl.njabl.org and
 dynablock.njabl.org.

 If you are running a contributing server, your queries are no longer being
 watched unless they are for qwdnsbl.njabl.org or qwdynablock.njabl.org.
 Please update your MTAs to use these zones.

 If you have not coordinated with us to become a newer method i.e. query
 watching contributing server, this message does not apply to you.  Sending
 queries for the qw zones will not get your queries watched unless we are
 already looking for queries from your IP.

 If you are not currently a contributor, and run a site that handles a
 large amount of email or gets unusually high volumes of spam, please have
 a look at the following pages

 http://njabl.org/contribute.html
 http://njabl.org/method.html

 and consider becoming a query watching contributor.  We currently appear
 to have more than 30,000 systems using NJABL, but only a few dozen systems
 set up as query watching contributors...and until/unless those sites update
 their configs to use the qw zones, we're down to just a handful of
 contributors who've already been notified and have updated.

 For anyone unaware, dynablock.njabl.org is a new subzone created earlier
 this month.  On Dec 1, 2003, the maintainer of dynablock.easynet.nl shut
 down his DNSBL of dynamic IP spaces.  His list was a very comprehensive
 (far more comprehensive than NJABL's dynamic IP listings) dynamic IP
 DNSBL.  Some people considered it too aggressive (too likely to generate
 false positives), so rather than import it into dnsbl.njabl.org, it was
 added as a separate sub-zone so that those who wanted to use it could, and
 those who did not, would not have it forced upon them.

 http://njabl.org/dynablock.html

 Please remember, this is a moderated announcement list.  If you wish to
 respond to any of this, do not bother trying to send it to
 [EMAIL PROTECTED] to the sender instead.





RE: [Declude.JunkMail] COPYTO

2003-12-23 Thread John Tolmachoff \(Lists\)
 Are you sure you are using %MAILFROM%?  The only time you should see
 [Unknown Var] is if Declude is expanding variables (as is the case here),
 and the variable is one that Declude doesn't recognize (such as
 %SENDER%).  But if Declude recognizes the variable (as has been the case
 with %MAILFROM% for a long time now), it should not return [Unknown Var].

Yep.

Declude version 1.77

From the log:

12/23/2003 08:05:32 Q3d98134f028a76bc NOABUSE:3 NOPOSTMASTER:3 BASICFILTER:15 SPAMCHECK:13 .  Total weight = 34.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed NOABUSE (Not supporting [EMAIL PROTECTED]). Action=LOG.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed NOPOSTMASTER (Not supporting [EMAIL PROTECTED]). Action=LOG.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed IPNOTINMX (). Action=LOG.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed NOLEGITCONTENT (No content unique to legitimate E-mail detected.). Action=LOG.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed BASICFILTER (Message failed BASICFILTER test (line 1, weight 15)). Action=WARN.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed BLANKSUBJECT1 (Message failed BLANKSUBJECT1 test (line 1, weight 0)). Action=SUBJECT.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed BLANKSUBJECT2 (Message failed BLANKSUBJECT2 test (line 1, weight 0)). Action=COPYTO.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed SPAMCHECK (Message failed SPAMCHECK: 13.). Action=WARN.
12/23/2003 08:05:32 Q3d98134f028a76bc Msg failed WEIGHTRANGE30-34 (Total weight between 30 and 34.). Action=HOLD.
12/23/2003 08:05:32 Q3d98134f028a76bc Subject: 
12/23/2003 08:05:32 Q3d98134f028a76bc From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: 204.127.202.55 ID: 2003122313055301100ihq4ae

From the Global.cfg file:

BLANKSUBJECT1   filter  D:\Imail\Declude\filters\BlankSubject.txt   x   0   0
BLANKSUBJECT2   filter  D:\Imail\Declude\filters\BlankSubject.txt   x   0   0

From the .junkmail file:

BLANKSUBJECT1   SUBJECT ADDED BY SPAM REVIEW: PLEASE USE A SUBJECT LINE!
BLANKSUBJECT2   COPYTO %MAILFROM%

The Q file:

Qg:\IMail\spool\D3d98134f028a76bc.SMD
Hmail.localdomain.moc
Wf:\IMail\sunline_net
E0,
S[EMAIL PROTECTED]
NRCPT TO:[EMAIL PROTECTED]
R[EMAIL PROTECTED]
NRCPT TO: [Unknown Var]
R[Unknown Var]

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




RE: [Declude.JunkMail] Update- Declude NOT being seen

2003-12-23 Thread Kevin Bilbee
That is correct. That is why we do not use the kill. We use our gateway servers
and our firewall to block at this time.

Kevin Bilbee



RE: [Declude.JunkMail] COPYTO

2003-12-23 Thread R. Scott Perry

 From the Global.cfg file:

 BLANKSUBJECT1   filter  D:\Imail\Declude\filters\BlankSubject.txt   x   0   0
 BLANKSUBJECT2   filter  D:\Imail\Declude\filters\BlankSubject.txt   x   0   0

 From the .junkmail file:

 BLANKSUBJECT1   SUBJECT ADDED BY SPAM REVIEW: PLEASE USE A SUBJECT LINE!
 BLANKSUBJECT2   COPYTO %MAILFROM%

Is there any chance that you still have a file with %SENDER% in it (which
would cause the [Unknown Var])?

I tried reproducing this here, and was unable to.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] COPYTO

2003-12-23 Thread John Tolmachoff \(Lists\)
 Is there any chance that you still have a file with %SENDER% in it (which
 would cause the [Unknown Var])?

HANGING HEAD IN SHAME

I updated the $default$.junkmail. I then have a batch file to update the
various other .junkmail files. I forgot to run the batch file.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




[Declude.JunkMail] Rope.net

2003-12-23 Thread Andy Ognenoff
Scott,

I don't know if you want to list this on your listing of ip4r db's but the
admin of the rope.net says they aren't valid anymore.

snip
NOTE: If your email is being blocked due to rbl.rope.net or
rbl.apluslock.com, complain to the administrators of the sites blocking you,
not us. Those blacklists have not been used since early 2002 and are not
valid, and we do not maintain them any longer.
/snip

Just a thought...I doubt many people use them but I thought I would bring it
up since I'm listed in that and have no way of getting unlisted.

Andy Ognenoff
Online Systems Administrator
[EMAIL PROTECTED]
-
Cousins Submarines, Inc.
http://www.cousinssubs.com




[Declude.JunkMail] Additional IP4R RHSBL tests

2003-12-23 Thread Bill Landry
I have been running these tests for a while (as well as others that were
producing little or no results), and they have been producing good results
for me.  However, my philosophy is different from some others on this list
in that I like to test lots of IP4R and RHSBL databases and apply relatively
low weights to many tests.  I feel that you get a better balance and fewer
FPs this way.  The more tests that flag the source the more likely it is to
be spam and the higher weight that gets applied to the message.

Also, since all DNS based tests get spawned simultaneously (rather than
consecutively), there is no performance nor latency hit (unless one of the
test sites is not responding - Scott, are you still planning to add a
configurable time-out setting for the DNS based tests?).

Anyway, here are the additional DNS based tests I've been using, in case you
are interested in trying any of them out:

* These IP4R test sites are listed on Scott's spam databases site, but
without the test info:
BORDERWORLD    ip4r   bl.borderworlds.dk                    *  2  0
BRAINERD       ip4r   blackholes.brainerd.net               *  2  0

* These IP4R test sites are not yet listed on Scott's spam databases site:
COMPLETEWHOIS  ip4r   bogons.dnsiplists.completewhois.com   *  2  0
INTRUDERS      ip4r   intruders.docs.uu.se                  *  2  0
NJABL-DYNA     ip4r   dynablock.njabl.org                   *  2  0
REDHAWK        ip4r   access.redhawk.org                    *  2  0
SNARK          ip4r   rbl.snark.net                         *  2  0
SOLID          ip4r   dnsbl.solid.net                       *  2  0
SPAMRBL        ip4r   map.spam-rbl.com                      *  2  0
SPAMSOURCES    ip4r   spamsources.dnsbl.info                *  2  0

* These RHSBL test sites are not yet listed on Scott's spam databases site:
ISOC-RHSBL     rhsbl  dnsbl.isoc.bg                         *  2  0
ZONEEDIT       rhsbl  zebl.zoneedit.com                     *  2  0

Bill

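
How test lines like the ones above turn into DNS queries and a summed weight, as an added example rather than Declude's implementation: for `ip4r` the connecting IP's octets are reversed and prepended to the zone, for `rhsbl` the sender's domain is prepended, all lookups are issued at once, and a zone that does not answer within the timeout contributes nothing instead of holding up the message. The six-column reading of the lines, the `fake_resolve` stub, its listings and the timeout value are assumptions constructed for the example.

```python
import time
from concurrent.futures import ThreadPoolExecutor, wait

# Test lines in the layout posted above.  Reading the six columns as name,
# type, zone, expected answer ("*" = any), weight on a hit, weight on a miss
# is an assumption of this example.
CONFIG = """\
BORDERWORLD  ip4r   bl.borderworlds.dk      *  2  0
NJABL-DYNA   ip4r   dynablock.njabl.org     *  2  0
SPAMSOURCES  ip4r   spamsources.dnsbl.info  *  2  0
ISOC-RHSBL   rhsbl  dnsbl.isoc.bg           *  2  0
"""

# Constructed answers standing in for DNS; no network traffic is generated.
LISTED = {
    "55.2.0.192.bl.borderworlds.dk": "127.0.0.2",
    "55.2.0.192.dynablock.njabl.org": "127.0.0.3",
}
UNRESPONSIVE = ("spamsources.dnsbl.info",)


def parse_tests(text):
    """Parse ip4r/rhsbl test lines into dictionaries; skip anything else."""
    tests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] not in ("ip4r", "rhsbl"):
            continue
        name, kind, zone, expect, hit, miss = fields
        tests.append({"name": name, "type": kind, "zone": zone,
                      "expect": expect, "hit": int(hit), "miss": int(miss)})
    return tests


def query_name(test, ip, sender_domain):
    """ip4r: reversed octets + zone; rhsbl: sender domain + zone."""
    if test["type"] == "ip4r":
        return ".".join(reversed(ip.split("."))) + "." + test["zone"]
    return sender_domain.lower() + "." + test["zone"]


def fake_resolve(name):
    """Stub resolver: the A record value, or None when the name is not listed."""
    if name.endswith(UNRESPONSIVE):
        time.sleep(1.0)  # simulate a zone that is not answering
    return LISTED.get(name)


def score(ip, sender_domain, tests, resolve=fake_resolve, timeout=0.3):
    """Issue every lookup at once; return (total_weight, {test: outcome})."""
    pool = ThreadPoolExecutor(max_workers=max(1, len(tests)))
    futures = {pool.submit(resolve, query_name(t, ip, sender_domain)): t
               for t in tests}
    done, _pending = wait(list(futures), timeout=timeout)
    pool.shutdown(wait=False)  # do not let a dead zone hold up the message
    total, outcome = 0, {}
    for future, test in futures.items():
        if future not in done:
            outcome[test["name"]] = "timeout"  # contributes no weight
            continue
        answer = future.result()
        hit = answer is not None and test["expect"] in ("*", answer)
        total += test["hit"] if hit else test["miss"]
        outcome[test["name"]] = "hit" if hit else "miss"
    return total, outcome


if __name__ == "__main__":
    weight, detail = score("192.0.2.55", "example.com", parse_tests(CONFIG))
    print(weight, detail)
```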


Re: [Declude.JunkMail] Rope.net

2003-12-23 Thread R. Scott Perry

 I don't know if you want to list this on your listing of ip4r db's but the
 admin of the rope.net says they aren't valid anymore.

Thanks for pointing this out.  We've updated the list of spam databases at
http://www.declude.com/junkmail/support/ip4r.htm .

 snip
 NOTE: If your email is being blocked due to rbl.rope.net or
 rbl.apluslock.com, complain to the administrators of the sites blocking you,
 not us. Those blacklists have not been used since early 2002 and are not
 valid, and we do not maintain them any longer.
 /snip

In other words, "We got fed up with providing a spam database, and want
people to think it's other people's faults that we're stopping it."

Early 2002 is interesting, since we verified that it was working when we 
added it to our list in April, 2002.  Even more interesting is that as of 
February, 2003, they were still claiming to be running the test.

   -Scott


Re: [Declude.JunkMail] Additional IP4R RHSBL tests

2003-12-23 Thread Nick Hayer
Bill,

Thanks for this additional list. I too agree to run lots of tests scored low
sooo here are two more:
PSBL       ip4r  psbl.surriel.com  *  1  0
DNSBL-T1   ip4r  t1.dnsbl.net.au   *  2  0

-Nick Hayer




Re: [Declude.JunkMail] Additional IP4R RHSBL tests

2003-12-23 Thread Bill Landry
- Original Message - 
From: Nick Hayer [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:40 AM
Subject: Re: [Declude.JunkMail] Additional IP4R  RHSBL tests


 Bill,

 Thanks for this additional list. I too agree to run lots of tests scored low
 sooo here are two more:
 PSBL ip4r psbl.surriel.com * 1 0
 DNSBL-T1 ip4r t1.dnsbl.net.au * 2 0

These are both listed on Scott's spam database site (t1.dnsbl.net.au is
the same as t1.bl.reynolds.net.au).  I run many of the tests on Scott's
site, I just wanted to provide a list of some of the test sites that do not
appear on Scott's site yet.

Bill



[Declude.JunkMail] UNKNOWN entries in spf.log

2003-12-23 Thread Bill Landry
Scott, just an FYI.  Like Andy, I am still seeing a few UNKNOWN entries in the
spf.log file, rather than just PASS & FAIL entries.  I am running Declude
v1.77i8.  Here are a few samples from today:

64.94.104.161  [EMAIL PROTECTED] [sm1.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
211.243.120.160  [EMAIL PROTECTED] [cn.ca]: UNKNOWN: v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru a:mxc.rambler.ru ?all
64.94.104.165  [EMAIL PROTECTED] [sm5.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
211.220.194.234  [EMAIL PROTECTED] [sjktv.in2tv.com]: UNKNOWN: v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru a:mxc.rambler.ru ?all

Bill



Re: [Declude.JunkMail] Additional IP4R RHSBL tests

2003-12-23 Thread R. Scott Perry

 I just wanted to provide a list of some of the test sites that do not
 appear on Scott's site yet.

FYI, we list *all* known spam databases at
http://www.declude.com/junkmail/support/ip4r.htm .

However, since most spam databases are run by individuals and small 
organizations, and often know little about spam control, it's quite common 
for them to appear very, very slowly.  Typically it starts by someone 
posting about their DNSBL to a mailing list, which gets largely ignored 
since nobody is using it, and then someone finds it and reports it to one 
of the 2-3 main lists of spam databases, and so on.

   -Scott


Re: [Declude.JunkMail] Additional IP4R RHSBL tests

2003-12-23 Thread R. Scott Perry

 Also, since all DNS based tests get spawned simultaneously (rather than
 consecutively), there is no performance nor latency hit (unless one of the
 test sites is not responding - Scott, are you still planning to add a
 configurable time-out setting for the DNS based tests?).

Yes, that is still something we plan to add.

   -Scott


Re: [Declude.JunkMail] UNKNOWN entries in spf.log

2003-12-23 Thread R. Scott Perry

 64.94.104.161  [EMAIL PROTECTED] [sm1.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all

This one should return an UNKNOWN -- the PTR for 64.94.104.161 doesn't
contain email.cooking.com, so it defaults to the ?all, returning an
UNKNOWN response.

 211.243.120.160  [EMAIL PROTECTED] [cn.ca]: UNKNOWN: v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru a:mxc.rambler.ru ?all

This, too, ends up going with the default ?all, producing the UNKNOWN
response.

The spf.log file is used when a domain has an SPF string; the spf.none is 
used when there is no SPF string for the domain.

   -Scott
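
The evaluation order described in the reply above, as an added example that is not Declude's code: mechanisms are tried left to right, the qualifier on the first one that matches decides the result, and a record whose only match is `?all` yields what spf.log calls UNKNOWN. The DNS data is constructed with documentation addresses and example names, and only the `a`, `mx`, `ptr`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation ranges and
# example names only); nothing here is taken from the log lines in the thread.
DNS = {
    "A": {
        "mail.example.org": ["203.0.113.5"],
        "mx0.example.net": ["198.51.100.10"],
        "sm1.mail.example.com": ["192.0.2.161"],
    },
    "MX": {"example.org": ["mail.example.org"]},
    "PTR": {
        "192.0.2.161": ["sm1.mail.example.com"],
        "203.0.113.5": ["mail.example.org"],
    },
}

# Qualifier -> result.  "?" is reported as UNKNOWN, the label used in spf.log
# on this page; RFC 7208 later named this result "neutral".
RESULTS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "UNKNOWN"}


def _addresses(host):
    return DNS["A"].get(host.lower(), [])


def _matches(mech, arg, ip, domain):
    """True if a single mechanism matches the connecting IP."""
    target = (arg or domain).lower()
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return ip in _addresses(target)
    if mech == "mx":
        return any(ip in _addresses(mx) for mx in DNS["MX"].get(target, []))
    if mech == "ptr":
        for name in DNS["PTR"].get(ip, []):
            name = name.lower()
            confirmed = ip in _addresses(name)  # forward-confirm the PTR name
            if confirmed and (name == target or name.endswith("." + target)):
                return True
        return False
    raise ValueError("unsupported mechanism: " + mech)


def evaluate(record, ip, domain):
    """Return (result, deciding_term) for an SPF record, client IP and sender domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "NONE", None
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are outside this example
        qualifier, body = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        mech, _, arg = body.partition(":")
        try:
            if _matches(mech.lower(), arg, ip, domain):
                return RESULTS[qualifier], term
        except ValueError:
            return "ERROR", term
    return "UNKNOWN", None  # nothing matched and the record has no "all"


if __name__ == "__main__":
    # The PTR name exists and forward-confirms, but is not under the sender's
    # domain, so "ptr" does not match and "?all" decides.
    print(evaluate("v=spf1 ptr ?all", "192.0.2.161", "email.example.com"))
    print(evaluate("v=spf1 mx a:mx0.example.net ?all", "192.0.2.77", "example.org"))
    print(evaluate("v=spf1 mx -all", "203.0.113.5", "example.org"))
```

Swapping `?all` for `-all` in the first record turns the same non-match into a FAIL, which is why the closing qualifier matters more than the mechanisms before it for unlisted senders.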


[Declude.JunkMail] Message Sniffer and weighting

2003-12-23 Thread Adam Hobach
Hello,

I just purchased the sniffer product and everything seems to be working (I
think)... I am a little confused on how the weights are assigned. I searched
the archives and found the following listing:

SNIFFER-WHITELIST external 000 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode -5 0
SNIFFER-TRAVEL  external 047 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-INSURANCE external 048 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-AV-PUSH  external 049 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-WAREZ  external 050 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SPAMWARE external 051 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SNAKEOIL external 052 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCAMS  external 053 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-PORN  external 054 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-MALWARE  external 055 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-ADVERTISING external 056 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-SCHEMES  external 057 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-CREDIT  external 058 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GAMBLING external 059 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 10 0
SNIFFER-GREYMAIL external 060 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-OBFUSCATION external 061 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0
SNIFFER-SPAM  external 062 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 07 0
SNIFFER-GENERAL  external 063 M:\IMail\Declude\TPA\Sniffer\LicenseID.exe AuthenticationCode 12 0

Does this mean I should list the tests out individually and assign
weights? Or if I enter:

SNIFFER external nonzero d:\imail\declude\sniffer\xx.exe code

Will this assign the default weights and what are the default weights?

Thanks,

Adam



[Declude.JunkMail] Bonded Sender

2003-12-23 Thread Cyan Callihan
Greetings All!

I've been involved in a discussion with Dave Doherty regarding Bonded
Sender and he invited me to the Declude list.  I hope that I can help
address any questions that you may have.   If I don't have the answers,
I will find someone here who does and we'll help out in any way we can.

I look forward to being part of your community.

Cyan Callihan 
Bonded Sender Standards and Compliance Manager
IronPort Systems

www.bondedsender.com - Guaranteed Delivery of Legitimate Email
www.ironport.com - Email Infrastructure Products and Services
www.senderbase.com - The Leading Email Reputation Service
www.etcevent.com - Email Technology Conference sponsored by IronPort
 




Re: [Declude.JunkMail] UNKNOWN entries in spf.log

2003-12-23 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 This, too, ends up going with the default ?all, producing the UNKNOWN
 response.

 The spf.log file is used when a domain has an SPF string; the spf.none is
 used when there is no SPF string for the domain.

Ah, okay, this makes perfect sense.  Thanks for the clarification!

Bill



Re: [Declude.JunkMail] Bonded Sender

2003-12-23 Thread Bill Landry
Welcome to the list, Cyan!  I have been using the bondedsender IP4R database
with good success.  However, I was just looking at your senderbase site today
and was wondering how I might be able to use it with Declude JunkMail.
Thoughts?

Regards,

Bill


Re: [Declude.JunkMail] Message Sniffer and weighting

2003-12-23 Thread Bill Landry
- Original Message - 
From: Adam Hobach [EMAIL PROTECTED]

 I just purchased the sniffer product and everything seems to be working (I
 think)... I am a little confused on how the weights are assigned. I searched
 the archives and the following listing:

Adam, good purchase decision!  You can either list the tests out separately
so that you can control the weight of the individual test results or, as you
show below, enter it as a single test in the global.cfg with a single result
weight.  So it just depends on how detailed you want to get and how much
control you want to exercise over each possible Sniffer result code.

 Does this mean I should list the tests out individually and assign
 weights? Or if I enter:

 SNIFFER external nonzero d:\imail\declude\sniffer\xx.exe code

 Will this assign the default weights and what are the default weights?

Declude will assign whatever weight you define for the test.  Just an FYI,
no matter which way you define the test (once or multiple times), Declude
will still only call Sniffer once, so you will not see any additional
overhead by listing the test multiple times in your global.cfg file.

HTH,

Bill



[Declude.JunkMail] ColdFusion-based filter updater

2003-12-23 Thread Matt Robertson
For those who have asked, here's a link to the ColdFusion-based updater that takes 
advantage of Kami Razvan's filter repository, along with a copy of my global.cfg.

http://mysecretbase.com/deliver.cfm?FN=2247B5E2198F464BA033DD5312D09F69

The app displays its progress onscreen via cfflush, which renders it incompatible with 
versions of CF prior to CF5.  Just remove the cfflush commands and it'll be compatible 
back to at least v4.5 and probably 4.01.

The app updates and uploads one filter at a time, so uploads of individual filters are 
nearly instant on a fast connection.  My server isn't particularly busy and I can get 
away with uploading directly to my Declude filters folder, but you may not.

Set all parameters in application.cfm, including your ftp account info and the list of 
files you want to revise.  I use 32 of Kami's filters and fromfiles.  When I get 
around to scheduling it (I run this manually now) I'll do twice-daily updates.

All the routine does at present is revise skipifweight and maxweight settings in 
filter files.  If the file has 'filter' in its filename the weight setting update 
routine is triggered.

One thing I've noticed is that maybe the individual weight settings might need to be 
adjusted as well.  I'm thinking over how to create a generic method doing this to any 
filter file.

Cheers,

--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---



[Declude.JunkMail] Filter Actions - WHITELIST?

2003-12-23 Thread Roger Heath
Filter actions have so many nice basic functions, IGNORE, WARN,
DELETE, HOLD etc.

Looking at new filters today and observing logs, it just seems
one of these actions naturally should be WHITELIST.

Does this make sense?

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com




RE: [Declude.JunkMail] UNKNOWN entries in spf.log

2003-12-23 Thread Andy Schmidt
Hi Bill:

For what it's worth,  MY problem was clearly due to a rogue DNS zone.  I am
using multiple includes - one of them to a zone that really has no use, but
it came in handy to 'document' the SPF records.  Unfortunately, I had not
verified the proper configuration of that zone and there had been some
recent changes.

So - my problem was self-made and at this moment, SPF seems to function as
advertised.

Best Regards
Andy 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Landry
Sent: Tuesday, December 23, 2003 03:32 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] UNKNOWN entries in spf.log


Scott, just an FYI.  Like Andy, I am still seeing a few UNKNOWN entries in the
spf.log file, rather than just PASS  FAIL entries.  I am running Declude
v1.77i8.  Here are a few samples from today:

64.94.104.161 [EMAIL PROTECTED] [sm1.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
211.243.120.160 [EMAIL PROTECTED] [cn.ca]: UNKNOWN: v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru a:mxc.rambler.ru ?all
64.94.104.165 [EMAIL PROTECTED] [sm5.mail.cooking.com]: UNKNOWN: v=spf1 ptr ?all
211.220.194.234 [EMAIL PROTECTED] [sjktv.in2tv.com]: UNKNOWN: v=spf1 mx a:mx0.rambler.ru a:mxb.rambler.ru a:mxc.rambler.ru ?all

Bill



RE: [Declude.JunkMail] Message Sniffer and weighting

2003-12-23 Thread Adam Hobach
Thanks for the info... I have updated the global config with the individual
codes and weights.

My next question is, does Message Sniffer use a lot of processor time? My
server is pegged at 100%. It normally operated around 30-50% processor
usage. Is this normal? The sniffer log file was 8.7MB after 10 minutes of
running it.

Thanks,

Adam



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bill Landry
Sent: Tuesday, December 23, 2003 3:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Message Sniffer and weighting


- Original Message -
From: Adam Hobach [EMAIL PROTECTED]

 I just purchased the sniffer product and everything seems to be working (I
 think)... I am a little confused on how the weights are assigned. I
searched
 the archives and the following listing:

Adam, good purchase decision!  You can either list the tests out separately
so that you can control the weight of the individual test results or, as you
show below, enter it as a single test in the global.cfg with a single result
weight.  So it just depends on how detailed you want to get and how much
control you want to exercise over each possible Sniffer result code.

 Does this mean I should list the tests out individually and assigned
 weights? Or if I enter:

 SNIFFER external nonzero d:\imail\declude\sniffer\xx.exe code

 Will this assign the defaults weights and what are the default weights?

Declude will assign whatever weight you define for the test.  Just an FYI,
no matter which way you define the test (once or multiple times), Declude
will still only call Sniffer once, so you will not see any additional
overhead by listing the test multiple times in your global.cfg file.

HTH,

Bill



Re: [Declude.JunkMail] Filter Actions - WHITELIST?

2003-12-23 Thread R. Scott Perry

 Filter actions have so many nice basic functions, IGNORE, WARN,
 DELETE, HOLD etc.
 Looking at new filters today and observing logs, it just seems
 one of these actions naturally should be WHITELIST.
 Does this make sense?

We are planning on adding a WHITELIST action.  :)

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



RE: [Declude.JunkMail] Bonded Sender

2003-12-23 Thread Cyan Callihan
 Welcome to the list. Cyan!  I have been using the bondedsender IP4R
 database with good success.  

Awesome!

 However, I was just looking at your senderbase site today
 and was wondering how I might be able to use it with Declude JunkMail.
 Thoughts?

The person who could best answer this question is out on vacation until
after the New Year.  I've forwarded your query on to an engineer and
I'll contact you when I have an answer.

Cyan







Re: [Declude.JunkMail] Message Sniffer and weighting

2003-12-23 Thread Bill Landry
- Original Message - 
From: Adam Hobach [EMAIL PROTECTED]

 Thanks for the info... I have updated the global config with the individual
 codes and weights.

 My next question is, does Message Sniffer use a lot of processor time? My
 server is pegged at 100%. It normally operated around 30-50% processor
 usage. Is this normal? The sniffer log file was 8.7MB after 10 minutes of
 running it.

Wow, what kind of message load are you processing per day?  Also, if you
have not already, I would recommend that you update the Sniffer executable
to the beta (soon to be GA) that can be found at the bottom of the page at
http://www.sortmonster.com/MessageSniffer/Try-It.html

Rename the file to your License ID.  This version provides much greater
optimization in that it reuses existing processes instead of spawning the
sniffer executable with each new message.  You should see a drop in your
processor load with this version.

Bill



Re[2]: [Declude.JunkMail] Filter Actions - WHITELIST?

2003-12-23 Thread Roger Heath
Reply to: R. Scott Perry
  Re: [Declude.JunkMail] Filter Actions - WHITELIST? on Tuesday 4:04:36 PM

Thanks! This will relieve the limit on the Global file as well... If
these filters could be processed first, it might give back a lot of
processor if all other actions were performed afterwards, but only if
the whitelist filters did not engage... ;)

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


- Copy of Original Message(s): -


Filter actions have so many nice basic functions, IGNORE, WARN,
DELETE, HOLD etc.

Looking at new filters today and observing logs, it just seems
one of these actions naturally should be WHITELIST.

Does this make sense?

R We are planning on adding a WHITELIST action.  :)

R -Scott




Re: [Declude.JunkMail] Bonded Sender

2003-12-23 Thread Sheldon Koehler
Bill,

This is my line for using BONDEDSENDER with Declude. It is in the Global.cfg
file:

BONDEDSENDER  ip4r query.bondedsender.org   127.0.0.10  -10  0

We have been pleased with it so far. I think we have been using it since
last spring sometime.


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain



Re: [Declude.JunkMail] Bonded Sender

2003-12-23 Thread Bill Landry
- Original Message - 
From: Sheldon Koehler [EMAIL PROTECTED]

 Bill,

 This is my line for using BONDEDSENDER with Declude. It is in the
Global.cfg
 file:

 BONDEDSENDER  ip4r query.bondedsender.org   127.0.0.10  -10  0

 We have been pleased with it so far. I think we have been using it since
 last spring sometime.

Yep, been using BondedSender here for a long time, as well.  I was asking
about how we might use SenderBase: www.senderbase.com

Bill



Re: [Declude.JunkMail] Bonded Sender

2003-12-23 Thread Sheldon Koehler
 Yep, been using BondedSender here for a long time, as well.  I was asking
 about how we might use SenderBase: www.senderbase.com

OK. I missed that part... I will wait for Cyan's reply then too...

Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




[Declude.JunkMail] Shut down outgoing scanning?

2003-12-23 Thread Matt Robertson
Is there some way to stop Declude from doing outgoing mail scanning?  I have Pro and 
don't need this functionality.  It's really kicking my mail server's butt.

--
---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---



Re: [Declude.JunkMail] Shut down outgoing scanning?

2003-12-23 Thread Bill Landry
- Original Message - 
From: Matt Robertson [EMAIL PROTECTED]

 Is there some way to stop Declude from doing outgoing mail scanning?  I
have Pro and don't need this functionality.  Its really kicking my mail
server's butt.

Sure, don't list any test actions (or comment them out) in your global.cfg
file.  This will not affect incoming scanning, because that is controlled by
the $default$.junkmail file.

Bill



Re: [Declude.JunkMail] Shut down outgoing scanning?

2003-12-23 Thread R. Scott Perry

 Is there some way to stop Declude from doing outgoing mail scanning?  I
 have Pro and don't need this functionality.  It's really kicking my mail
 server's butt.

Not directly.  But if you are using lots of filters, you may want to 
consider something like WHITELIST IP 192.0.2.0/24 and use PREWHITELIST 
ON to bypass scanning of E-mails from your local users.

   -Scott


Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS

2003-12-23 Thread Burzin Sumariwalla
Hi,

I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain).  When I run the SPF 
tester at 
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21

I get the following results.   What am I doing wrong?  The part that is 
really confusing me is that I see n1-v=spf1 -all, but I've entered 
v=spf1 -all

Thanks,
Burzin
SPF lookup of sender [EMAIL PROTECTED] from IP 199.181.178.21:

SPF string used: .

Error: I could not get the SPF string [SPF not supported: showme.slcl.org. 
[j=0 an=1 type=TXT rr=iii.slcl.org. dom=iii.slcl.org n1=v=spf1 -all]].

Result: UNKNOWN



Known Issues:
   * None.


At 02:08 PM 12/19/2003, you wrote:
Burzin, it doesn't matter where in the zone file the txt record goes.  You
could simply add it via the GUI, as well, since txt records are supported
by W2K DNS.
Bill


Re: [Declude.JunkMail] Shut down outgoing scanning?

2003-12-23 Thread Matt Robertson
Yep, I'm trying to stop Declude from performing the tests at all on system-generated 
outgoing mail, so I can indeed determine the originating IP.  I had already commented 
out the tests long ago (thanks for trying to help, Bill).

Wasn't aware of prewhitelist.  This should really save my bacon.

--Matt--

-- Original Message --
From: R. Scott Perry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 23 Dec 2003 18:26:47 -0500


Is there some way to stop Declude from doing outgoing mail scanning?  I 
have Pro and don't need this functionality.  Its really kicking my mail 
server's butt.

Not directly.  But if you are using lots of filters, you may want to 
consider something like WHITELIST IP 192.0.2.0/24 and use PREWHITELIST 
ON to bypass scanning of E-mails from your local users.

-Scott


Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS

2003-12-23 Thread R. Scott Perry

 I've added the entry
 v=spf1 -all
 to a zone file for iii.slcl.org (wild card domain).  When I run the SPF
 tester at
 http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21

 I get the following results.   What am I doing wrong?  The part that is
 really confusing me is that I see n1-v=spf1 -all, but I've entered
 v=spf1 -all

You can better see the issue with 
http://www.dnsstuff.com/tools/lookup.ch?name=iii.slcl.orgtype=TXT -- 
iii.slcl.org has 1 TXT record, but it consists of 2 parts -- v=spf1 and 
-all.  For some reason, your DNS server is using an obscure technique to 
split a single TXT record into several strings.  As a result, it will 
probably not be properly processed.

   -Scott
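
The multi-string TXT record described in the reply above, as an added example that is not part of the original thread: in DNS wire format a TXT record is a sequence of length-prefixed character-strings, and the SPF specification as later standardized (RFC 7208, section 3.3) joins them with no separator. The function names and the sample RDATA bytes are constructed for illustration.

```python
"""Added example: one TXT record, several character-strings, and SPF parsing."""


def encode_txt_rdata(strings):
    """Encode character-strings as TXT RDATA: each is <1-byte length><bytes>."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("a character-string holds at most 255 bytes")
        out.append(len(raw))
        out += raw
    return bytes(out)


def parse_txt_rdata(rdata):
    """Split TXT RDATA back into its character-strings, rejecting truncation."""
    strings, pos = [], 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("character-string runs past the end of the RDATA")
        strings.append(rdata[pos:pos + length].decode("ascii"))
        pos += length
    return strings


def spf_from_txt(strings):
    """Join the strings with no separator (RFC 7208 section 3.3) and return
    the text if it is an SPF record, otherwise None."""
    joined = "".join(strings)
    # The version tag must be exactly "v=spf1", followed by a space or the end.
    if joined == "v=spf1" or joined.startswith("v=spf1 "):
        return joined
    return None


def all_qualifier(record):
    """Return the qualifier of the 'all' mechanism, or None if there is none."""
    for term in record.split()[1:]:
        if term[0] in "+-~?":
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term
        if mechanism.lower() == "all":
            return qualifier
    return None


# Constructed sample records (not captured from the zone discussed above).
ONE_STRING = encode_txt_rdata(["v=spf1 -all"])
SPLIT_NO_SPACE = encode_txt_rdata(["v=spf1", "-all"])     # the two parts seen
SPLIT_WITH_SPACE = encode_txt_rdata(["v=spf1 ", "-all"])  # split that survives

if __name__ == "__main__":
    for label, rdata in [("one string", ONE_STRING),
                         ("split, no space", SPLIT_NO_SPACE),
                         ("split, trailing space", SPLIT_WITH_SPACE)]:
        parts = parse_txt_rdata(rdata)
        record = spf_from_txt(parts)
        # A checker that reads only the first string loses the "-all" policy.
        first_only = all_qualifier(parts[0]) if parts else None
        print(label, parts, "->", repr(record),
              "| first-string-only 'all' qualifier:", first_only)
```

A record split as `v=spf1` and `-all` joins to `v=spf1-all`, which is not recognized as SPF at all, while a checker that reads only the first string sees an empty policy; publishing the record as a single string avoids both outcomes.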


Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS

2003-12-23 Thread Bill Landry
- Original Message - 
From: Burzin Sumariwalla [EMAIL PROTECTED]

 I've added the entry
 v=spf1 -all

 to a zone file for iii.slcl.org (wild card domain).  When I run the SPF
 tester at

http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21

 I get the following results.   What am I doing wrong?  The part that is
 really confusing me is that I see n1-v=spf1 -all, but I've entered
 v=spf1 -all

I got a good response when querying your domain for a txt record:
dig txt iii.slcl.org
=
; <<>> DiG 9.2.3 <<>> txt iii.slcl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39449
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;iii.slcl.org.                  IN      TXT

;; ANSWER SECTION:
iii.slcl.org.           3600    IN      TXT     v=spf1 -all

;; AUTHORITY SECTION:
iii.slcl.org.           3600    IN      NS      showme.slcl.org.

;; Query time: 539 msec
;; SERVER: 165.226.198.66#53(165.226.198.66)
;; WHEN: Tue Dec 23 15:58:08 2003
;; MSG SIZE  rcvd: 75
=

Also got a good response from:
http://www.infinitepenguins.net/SPF/check.php?action=spfcheckipv4=206.114.137.37helo=mail.iii.slcl.org+[EMAIL PROTECTED]

Bill



Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS

2003-12-23 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:45 PM
Subject: Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS



 I've added the entry
 v=spf1 -all
 
 to a zone file for iii.slcl.org (wild card domain).  When I run the SPF
 tester at

http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21
 
 I get the following results.   What am I doing wrong?  The part that is
 really confusing me is that I see n1-v=spf1 -all, but I've entered
 v=spf1 -all

 You can better see the issue with
 http://www.dnsstuff.com/tools/lookup.ch?name=iii.slcl.orgtype=TXT -- 
 iii.slcl.org has 1 TXT record, but it consists of 2 parts -- v=spf1 and
 -all.  For some reason, your DNS server is using an obscure technique to
 split a single TXT record into several strings.  As a result, it will
 probably not be properly processed.

I just followed your link, Scott, and it looks like I got a valid response:
How I am searching:
Searching for TXT record for iii.slcl.org at f.root-servers.net:  Got
referral to TLD1.ULTRADNS.NET. [took 70 ms]
Searching for TXT record for iii.slcl.org at TLD1.ULTRADNS.NET.:  Got
referral to showme.slcl.org. [took 51 ms]
Searching for TXT record for iii.slcl.org at showme.slcl.org.:  Reports
v=spf1 -all [took 561 ms]

Answer:

Domain         Type  Class  TTL   Answer
iii.slcl.org.  TXT   IN     3600  v=spf1 -all

Isn't this a valid response?  Maybe the txt entry got fixed?

Bill



Re: [Declude.JunkMail] OT SPF and Windows 2000 DNS

2003-12-23 Thread Burzin Sumariwalla
Fixed!  Thanks for another lesson Scott.

Burzin

At 05:45 PM 12/23/2003, you wrote:

I've added the entry
v=spf1 -all
to a zone file for iii.slcl.org (wild card domain).  When I run the SPF 
tester at 
http://www.dnsstuff.com/tools/[EMAIL PROTECTED]ip=199.181.178.21

I get the following results.   What am I doing wrong?  The part that is 
really confusing me is that I see n1-v=spf1 -all, but I've entered 
v=spf1 -all
You can better see the issue with 
http://www.dnsstuff.com/tools/lookup.ch?name=iii.slcl.orgtype=TXT -- 
iii.slcl.org has 1 TXT record, but it consists of 2 parts -- v=spf1 and 
-all.  For some reason, your DNS server is using an obscure technique to 
split a single TXT record into several strings.  As a result, it will 
probably not be properly processed.

   -Scott
--
Burzin Sumariwalla   Phone: (314) 994-9411 x291
[EMAIL PROTECTED]  Fax:   (314) 997-7615
  Pager: (314) 407-3345
Networking and Telecommunications Manager
Information Technology Services
St. Louis County Library District
1640 S. Lindbergh Blvd.
St. Louis, MO  63131 



Re: [Declude.JunkMail] [IMail Forum] 8.05- Declude not seen..

2003-12-23 Thread Bill Landry
- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]

 Also, I am noticing more often situations where Declude headers are
missing
 from delivered messages, and from several different senders.  So I still
 believe this is a Declude issue and not a corrupted or malformed mail
issue.

 The problem with IMail usurping E-mails from Declude is a very complex
 issue to debug.  Please contact me directly off-list about this, and I can
 work with you to determine why this is happening.

*** (Cross-Posted to IMail and Declude lists) ***

I just wanted to provide a quick update regarding this issue, at least as it
applies to me in my situation.  I worked with Scott a bit and was able to
determine that Declude was in fact placing all of its headers in messages we
receive, however, it appears that our Exchange server does not like
something about a few of these messages which causes it to strip out
everything after the received headers.

I am still looking into this, but just wanted to report that all is well
with Declude.

BTW, thanks Scott for your help with this!

Bill



[Declude.JunkMail] Files locked but not processed

2003-12-23 Thread Sanford Whiteman
All,

I  have  seen,  twice  in  the  past week for two different users at a
single  client,  messages  locked (_~) in the spool that do not appear
anywhere  in  the  Declude  log--and,  of  course, do not go out. Both
messages  had  20n50 recipients and were 1K in size. No other users
reported any issues in this period of time.

Anybody  seen  anything  similar?  This is not what I would consider a
queue  backup issue, since mail processes around these messages just
fine,  including  mail  from  the  same  senders. All outgoing mail is
gatewayed  and  entire  queue  cycle is basically instantaneous. These
same messages are processed by the QM without error once renamed.

Declude 1.70, IMail 8.04.

-Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



Re: [Declude.JunkMail] Files locked but not processed

2003-12-23 Thread Bill Landry
- Original Message - 
From: Sanford Whiteman [EMAIL PROTECTED]

 All,

 I  have  seen,  twice  in  the  past week for two different users at a
 single  client,  messages  locked (_~) in the spool that do not appear
 anywhere  in  the  Declude  log--and,  of  course, do not go out. Both
 messages  had  20n50 recipients and were 1K in size. No other users
 reported any issues in this period of time.

 Anybody  seen  anything  similar?  This is not what I would consider a
 queue  backup issue, since mail processes around these messages just
 fine,  including  mail  from  the  same  senders. All outgoing mail is
 gatewayed  and  entire  queue  cycle is basically instantaneous. These
 same messages are processed by the QM without error once renamed.

 Declude 1.70, IMail 8.04.

Sandy, could this be related to one of the issues IPSwitch resolved with the
8.05 patch:

o Queuemgr: Decreased the possibility that during a queue run the
queuemgr might process files before a third party process
locks the message.

Several of us on this list were experiencing issues like this where IMail
would deliver a message before Declude could process it, and were seeing
file locking issues being reported in our JunkMail and Virus logs.  Sounds
like this is also possibly some kind of file contention issue that could be
resolved by upgrading to 8.05.  I don't think anyone has reported any issues
since upgrading IMail to this latest patch release.

Bill



Re: [Declude.JunkMail] Files locked but not processed

2003-12-23 Thread R. Scott Perry

 I have seen, twice in the past week for two different users at a
 single client, messages locked (_~) in the spool that do not appear
 anywhere in the Declude log--and, of course, do not go out.

Actually, they should go out -- IMail is designed to deliver the locked
E-mails after 1-2 hours (unless perhaps this behavior changed for v8).

 Both messages had 20n50 recipients and were 1K in size. No other users
 reported any issues in this period of time.
 ...

 Declude 1.70, IMail 8.04.

Actually, there was an issue with Declude Virus in v1.70 where an E-mail
with too many recipients could cause Declude processing to stop -- I would
recommend upgrading to 1.75.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.



Re[2]: [Declude.JunkMail] Files locked but not processed

2003-12-23 Thread Sanford Whiteman
 Sandy, could this be related to one of the issues IPSwitch resolved
 with the 8.05 patch:

I really don't think so, since it's a matter of the file being locked
by Declude, rather than usurped, and IMail is not processing the
file...it'd be especially unexpected to have the issues you guys were
discussing given that the load on this server has actually gone down
substantially over the past couple of months with the addition of more
gateways and processors (none of these changes coincided with the
errors).

 Several of us on this list were experiencing issues like this where
 IMail would deliver a message before Declude could process it, and
 were seeing file locking issues being reported in our JunkMail and
 Virus logs.

Yes, I followed that discussion closely. There's nothing logged here
by Declude at all, so again it seems distant from that particular set
of symptoms. And I'd be delighted if IMail had delivered the message
(it's from a whitelisted IP, anyway), but no such luck!

 Sounds like this is also possibly some kind of file contention issue
 that could be resolved by upgrading to 8.05. I don't think anyone
 has reported any issues since upgrading IMail to this latest patch
 release.

Thanks for the suggestion. I have nothing against doing the upgrade,
but since my symptoms appeared different from the others, I thought
I'd post to see if this variant was elsewhere in the wild.

Thanks for the help.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



Re[2]: [Declude.JunkMail] Files locked but not processed

2003-12-23 Thread Sanford Whiteman
 Actually, they should go out -- IMail is designed to deliver the
 locked E-mails after 1-2 hours (unless perhaps this behavior changed
 for v8).

Nope, doesn't happen (queued at 8:00 a.m., still locked at 8:00 p.m.).

 Actually, there was an issue with Declude Virus in v1.70 where an
 E-mail with too many recipients could cause Declude processing to
 stop...

Now, that sounds more like it!

 -- I would recommend upgrading to 1.75.

That'll happen in a moment. :)

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/



[Declude.JunkMail] SKIPIFWEIGHT

2003-12-23 Thread Danny Klopfer
Does the SKIPIFWEIGHT or MAXWEIGHT show up in the log if it is triggered?
Doing a search I don't see it.




Re: [Declude.JunkMail] SKIPIFWEIGHT

2003-12-23 Thread Bill Landry
- Original Message - 
From: Danny Klopfer [EMAIL PROTECTED]

 Does the SKIPIFWEIGHT or MAXWEIGHT show up in the log if it is triggered?
 Doing a search I don't see it.

I don't know if they get recorded in the logs at log level low or mid, but
they do get recorded at log level high.

Bill



[Declude.JunkMail] SpamCop listing Webtv.net IP

2003-12-23 Thread John Tolmachoff \(Lists\)
Great, SpamCop is listing WebTV.net mail server IP falsely. Looking at the
samples, they look legit to me.

Has anyone actually seen spam come from a WebTV.net server?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Re: [Declude.JunkMail] Unclear/truncated warning message in logs

2003-12-23 Thread William Baumbach
I get nearly the same errors:

12/24/2003 00:46:17 Q281302b000d850e9 Unknown Var: %X-RBL-Warning: %TES
12/24/2003 00:46:17 Q281302b000d850e9 Unknown Var: %: %WARNING%

I will e-mail my debug log privately.


Sincerely,

William J. Baumbach II  [EMAIL PROTECTED]
9975 Pennsylvania Ave. Manassas, Va. 20110-2028
Ph: 703-367-7900 ext:1708 Fax: 703-691-0946
-

- Original Message - 
From: R. Scott Perry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, December 21, 2003 8:51 AM
Subject: Re: [Declude.JunkMail] Unclear/truncated warning message in logs



I turned on debug logging and it only added one line to the log in reference
to this warning:
==
12/20/2003 18:14:09 Q01c71fa300a21de2 Unknown Var: %TESTNAMEX-RBL-Warni
12/20/2003 18:14:09 Q01c71fa300a21de2 Unknown Var: %: %WARNING%
12/20/2003 18:14:10.015 Q01c71fa300a21de2 X-RBL-Warning: [Unknown Var]TESTNAME[Unknown Var]WARNING
==

Could you E-mail me (off-list) the complete debug log file entries for one
of the E-mails this is happening to?  That will give me a better idea of
where in the code this problem is occurring.

-Scott